I'm using a MITM proxy to be able to eavesdrop on HTTPS communication for malicious content. The MITM proxy pretends to be the server to the client and the client to the server; positioned in the middle, it decodes traffic from both of them.
Additionally, when content containing private information is scanned, the scanning technology itself should not violate any end-user privacy requirements or regulations.
The proxy is hardened with very tight access control and endpoint security. It just redirects if any malicious content has been identified.
In this scenario, am I violating privacy requirements?
Thanks for any suggestions.
I think the key is communicating to your users and having this documented in your policies.
On the other side of the coin, I think SSL Bumping/inspection is becoming more and more important.
Most malware now buries traffic in SSL encryption to their C2 infrastructures. If you are not breaking SSL at egress and inspecting against common rule sets, then you are not going to be doing everything you can to prevent data leaking.
IANAL - so naturally get advice if you are concerned but I think you need to have inspection and monitoring of activity as part of a policy and maybe employee conditions of employment. Especially when using company-provided assets and networks.
BYOD becomes a bit more of a headache, again policy and communication need to be clear with your intentions and reasons, including any log retentions. You should have already identified any PII (personally identifiable information) from your logging solution anyway to be compliant.
An IP address isn't PII, an IP address linked to a specific username can be PII and would need appropriate protecting.
Kind Regards,
Wayne
Like Wayne said, the key to avoiding privacy violations is informed consent. By that I mean in order to use our services (and "our" in this connotation means your company's devices) (i.e. network, end-user devices, Internet access devices, etc.) you consent to being monitored or else you don't use our stuff.
We do this through the logon screen prompt and we also cover it in our Rules of Behavior document and security awareness training.
I would also add you need to understand the local laws and regulations where you're doing the inspection. If they say you can't do this then it doesn't matter what your own policies say. e.g. This would have been illegal in Germany prior to the GDPR coming into effect.
@iluom wrote: I'm using a MITM proxy to be able to eavesdrop on HTTPS communication for malicious content
[snip]
In this scenario, am I violating privacy requirements?
I'd say absolutely. HTTPS implies end-to-end encryption. The user's expectation is that no one (or thing) should be able to read what is sent back and forth - regardless of the intent of the third party.
So, the message is...
If you are not supposed to recognize a person in disguise at your entrance gate, and they should be allowed in, THEN you have to have so many measures, controls, techniques, protections, assumptions, tools... complicated... which sounds ridiculous.
The nitty-gritty is that one should be able to anticipate and take measures for all the attacks in the world they could face in their systems.
By allowing the traffic as it is... and leaving the problem (the responsibility for securing) to the prowess of network applications, EDR, DB systems and application software.
Malware-packed executables that can lead to malicious file execution attacks, image tag injection with HTML content and scripts that can lead to XSS and clickjacking attacks, unsanitized mashup content and HTML5 tag abuse attacks are some examples of how the content can be used as an attack vector.
So if content scanning is necessarily restricted due to privacy, then the software (applications) should be resilient enough to withstand or thwart the above-mentioned attacks... it seems the Defense in Depth principle is being diluted or unevenly distributed.
If more security is required... one should shed some privacy... they are never complementary to each other.
Consent first and foremost, and remember to configure your proxy to bypass personally sensitive sites such as banking sites etc., i.e. your proxy should not inspect these sites at all.
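As an added illustration of the bypass configuration suggested above (example code written for this thread, not any poster's setup and not the configuration syntax of a specific proxy product): the proxy decides per connection, from the TLS SNI hostname or the CONNECT target, whether to tunnel the flow untouched or hand it to inspection. The domain list, the category labels and the function names (`decide`, `audit_record`) are constructed placeholders. It also shows the data-minimization point raised earlier in the thread: for an exempt flow the audit record keeps only the category, never the destination, so the log does not reveal which bank a user visits.

```python
"""Bypass decision for a TLS-inspecting proxy (constructed example).

Flows whose hostname matches the do-not-inspect list are tunnelled without
being decrypted; everything else is eligible for interception.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample policy. A plain entry covers the domain and all its
# subdomains; an entry prefixed with "=" matches that exact host only.
BYPASS_DOMAINS = {
    "example-bank.test": "financial",
    "health-portal.test": "health",
    "=login.example-mail.test": "personal-webmail",
}


@dataclass(frozen=True)
class Decision:
    action: str            # "tunnel" (no inspection) or "intercept"
    category: str          # bypass category, "default", or "no-sni"
    host: Optional[str]    # normalized hostname the decision was made on


def normalize_host(name: Optional[str]) -> Optional[str]:
    """Lower-case, drop a :port suffix (CONNECT targets carry one, SNI does
    not), strip IPv6 brackets and a trailing dot. Returns None if unusable."""
    if not name:
        return None
    host = name.strip().lower()
    head, sep, tail = host.rpartition(":")
    if sep and tail.isdigit():
        host = head
    host = host.strip("[]").rstrip(".")
    if not host or any(c.isspace() for c in host):
        return None
    return host


def matches_bypass(host: str) -> Optional[str]:
    """Return the bypass category for host, or None if it must be inspected.
    Suffix matching is anchored on a dot so 'evil-example-bank.test' does
    not inherit the exemption of 'example-bank.test'."""
    for entry, category in BYPASS_DOMAINS.items():
        if entry.startswith("="):
            if host == entry[1:]:
                return category
        elif host == entry or host.endswith("." + entry):
            return category
    return None


def decide(sni: Optional[str], *, on_missing_sni: str = "tunnel") -> Decision:
    """Decide what to do with one connection.

    A connection without SNI cannot be classified at all; the privacy-safe
    default is to tunnel it, but the operator can choose 'intercept' if the
    policy (and the users' consent) covers that case.
    """
    host = normalize_host(sni)
    if host is None:
        return Decision(on_missing_sni, "no-sni", None)
    category = matches_bypass(host)
    if category is not None:
        return Decision("tunnel", category, host)
    return Decision("intercept", "default", host)


def audit_record(d: Decision) -> dict:
    """Fields the proxy should log for this decision.

    For exempt flows only the category is kept: recording the destination
    would itself disclose the sensitive activity the bypass is meant to
    protect. Intercepted flows are logged with their hostname, which the
    inspection policy already covers.
    """
    if d.action == "tunnel":
        return {"action": "tunnel", "category": d.category}
    return {"action": "intercept", "host": d.host}


if __name__ == "__main__":
    for target in ["www.example-bank.test", "example-bank.test:443",
                   "evil-example-bank.test", "imap.example-mail.test", None]:
        print(target, "->", audit_record(decide(target)))
```

The exact-host form exists because webmail and similar services often share a registrable domain with less sensitive services (status pages, CDNs); exempting the whole domain would create an uninspected hole wider than the privacy goal requires. Keep the bypass list under change control and review it with the same care as the consent wording, since every entry is a place where the inspection the users were told about does not happen.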
@iluom wrote: So if content scanning is necessarily restricted due to privacy, then the software (applications) should be resilient enough to withstand or thwart the above-mentioned attacks... it seems the Defense in Depth principle is being diluted or unevenly distributed.
The core issue legally and ethically is a reasonable expectation of privacy. HTTPS is supposed to represent end-to-end encryption. If you want to scan all traffic, disable HTTPS - don't give users a sense that their communications are encrypted from end-to-end. The other way of looking at this is that while there may be a threat in an encrypted channel, it still needs the vulnerability on the target system/network to materialize. I don't think ensuring privacy dilutes defense in depth. As you noted, the scenario you depict is essentially a man in the middle mechanism. If an organization can provide absolute assurance that it won't be abused, then shouldn't it be able to provide absolute assurance that its systems have been hardened (i.e. can withstand an attack via an encrypted channel)? Similarly, if it can't provide the assurance that a system isn't vulnerable to some encrypted attack, then it also can't be assured that its scanning of encrypted traffic can't be abused either.