My buddy Aamir Lakhani posted about a really cool metadata tool called FOCA. The original post can be found HERE. Below is Aamir’s post about FOCA.
I would like to introduce you to one of my favorite network reconnaissance tools. It is called FOCA.
Did you know every time you create a document such as PowerPoint presentation, Microsoft Word document, or PDFs, metadata is left in the document?
What is metadata? metadata is data about data. It is descriptive information about a particular data set, object, or resource, including how it is formatted, and when and by whom it was collected. metadata can be useful to attackers because it contains useful information about the system where the file was created such as:
Name of user logged into the system
Software that created the document
OS of the system that created the document
FOCA is a security audit tool that will examine metadata from domains. It uses search engines to find files on domains, or you can use your own local files.
You will need to give your email address at the bottom of the screen. You will receive an email with the download link. You will also receive updates on when FOCA is updated.
Using FOCA
FOCA is a Windows only tool. When you install FOCA you may be asked to install .NET Framework or other decencies. Continue reading →
Data Loss Prevention (DLP) is a topic that keeps IT up at night due to a lack of knowing how vulnerable they are as well as how to remediate. In many cases, data loss is a people problem caused by users unknowing violating policy. Violations can cause your agency to end up in the headlines with huge fines. Leading DLP vendors aim to reduce risk through technologies that fall into four DLP categories. The standard DLP categories are endpoint, network, data center and email-based products that work together as one solution.
Everybody uses email, which is a very common means to leak data. A strong email solution should have an unsecure and secure way to transfer data. DLP should be used as a gateway to either move emails with sensitive data to a secure transfer method or deny based on a violation of policy. Leaders in this space have built in libraries for keywords and popular compliance standards. Best practice not only denies or auto encrypts sensitive emails but includes a return email to the sender explaining what policy was violated.
People may attempt to get around email security solutions by sending data using web based email platforms such as Gmail, instant messaging or online file sharing. Network based DLP solutions sit on the wire and look for sensitive data either inline or passively. Many content security proxies offer the ability to filter online usage and leverage DLP as an additional means to enforce policy. Without a proxy or end-point enforcement component, network based DLP solutions are typically passive meaning they can only notify after a policy has been violated.
End user devices are very hard to control regarding DLP. Typical DLP solutions use an agent to enforce policies while users are on and off the network. The agent controls what can be printed, sent to an external drive, instant messaged and permitted in email applications. The difficult part is developing a policy that doesn’t trigger multiple false positives, which will quickly blowup your helpdesk. Some DLP solutions focus on the data rather than endpoint by using encryption to follow the data and leverage an agent or online login to gain access to the files. This makes it a little easier on endpoint management however is more of a pinpoint approach to identifying what should be considered sensitive rather than enforcing general policies for DLP on endpoints.
A key area for protecting data is securing the data center. Strong DLP solutions can define sensitive data, determine where the data resides and assign policies for controlling access. Reports can showcase who are the data owners and match violations to specific policies. Encryption can be added to follow the data once it leaves a folder to ensure proper use and eventually expire access. Regardless if its Symantec, RSA or whoever, its best practice to kickoff a DLP project with an audit to better understand the data and risk associated with losing that information. DLP is not a set and forget solution. Consulting expertise is highly recommended.
Continue reading 
