Cloud App Security: Masking with File Policy

To be honest, I felt a bit fooled by the “masking” method. At first, just by looking at the feature in the file policy, I thought it had the capability to mask sensitive information in the files themselves, but I was wrong, as I found out when I tested it myself.

Another confession: I had read one paragraph from Microsoft Docs about masking 7 times before I noticed that this feature is just plain masking to prevent viewing on the administration side. #sadme #dummy

*Note:

  • There are administrator permission/role settings that you can manage. I will talk about this more in another blog post.
  • This is not limited to Office 365 products only.

It was this paragraph:

In addition, you can specify a regular expression to exclude a file from the results. This option is highly useful if you have an inner classification keyword standard that you want to exclude from the policy.
You can decide to set the minimum number of content violations that you want to match before the file is considered a violation. For example, you can choose 10 if you want to be alerted on files with at least 10 credit card numbers found within its content.
When content is matched against the selected expression, the violation text is replaced with “X” characters. By default, violations are masked and shown in their context displaying 100 characters before and after the violation. Numbers in the context of the expression are replaced with “#” characters and are never stored within Cloud App Security. You can select the option to Unmask the last four characters of a violation to unmask the last four characters of the violation itself. It’s necessary to set which data types the regular expression searches: content, metadata and/or file name. By default, it searches the content and the metadata. 
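As an added illustration (not code from this post or from Microsoft), the following Python mimics the masking rules the paragraph describes, applied to a constructed document: the violation is replaced with “X” characters, only the surrounding context (100 characters by default) is kept, digits in that context become “#”, and the last four characters of the violation can optionally stay visible. The `IC_PATTERN` regex is a hypothetical stand-in for the Data Classification Service detector.

```python
import re

# Constructed sample document (not from the page); the hyphenated value stands
# in for an ID-card-style number such as the Malaysian IC the policy targets.
SAMPLE_DOC = (
    "Employee record for Ahmad bin Ali, joined 2015. "
    "IC number: 850101-14-5555. Phone 03-12345678. Department 7."
)

# Hypothetical detector: six digits, two digits, four digits, hyphen separated.
IC_PATTERN = re.compile(r"\b\d{6}-\d{2}-\d{4}\b")


def mask_violation(text, pattern, context=100, unmask_last_four=False):
    """Return one masked snippet per match, following the documented rules:
    - the matched violation text is replaced with 'X' characters
    - 'context' characters before and after are kept, with every digit in
      that context replaced by '#', so no other numbers leak in the preview
    - optionally the last four characters of the violation stay visible
    The original text is never returned, mirroring the point that the
    violation itself is not stored.
    """
    snippets = []
    for m in pattern.finditer(text):
        violation = m.group(0)
        if unmask_last_four and len(violation) > 4:
            masked = "X" * (len(violation) - 4) + violation[-4:]
        else:
            masked = "X" * len(violation)
        before = re.sub(r"\d", "#", text[max(0, m.start() - context):m.start()])
        after = re.sub(r"\d", "#", text[m.end():m.end() + context])
        snippets.append(before + masked + after)
    return snippets


if __name__ == "__main__":
    for snippet in mask_violation(SAMPLE_DOC, IC_PATTERN, unmask_last_four=True):
        print(snippet)
```

Run it with and without `unmask_last_four` to see why the “unmask last four” option is a trade-off: the admin can confirm which record matched, but four characters of the identifier are then visible in the portal.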

So the policy goes through the same stages as any other:

  1. Define Condition
  2. Define Actions
  3. Define Exception
  4. Define Notification

Anyway, this post will elaborate on how the masking works:

So I created a file policy named “ID Card Masking”. The purpose of this policy is to identify documents that contain a “Malaysian Identification Card” and enable masking, so that administrators do not have the privilege to view the full details and the details are not stored in Cloud App Security.

  1. Go to Control > Policies


2. Expand the ID Card Masking policy settings

  • I selected no template
  • Give the policy a name
  • Give a severity level
  • Give a category type
  • Give some filtering that this policy will act on (the clearer, the better the match)
  • I selected a specific folder in my OneDrive for Business for this policy to act on
  • Next, I selected Inspection method > Data Classification Service > Malaysian Identification Card
    • In this part you can only choose 1 data classification for each file policy you create
  • I checked the option to unmask the last 4 characters of the sensitive information


3. Next, you will have to define the notification and actions

  • For the notification, I left it at the default
  • For the action, you have the option to apply an AIP label to documents that match this policy


*The AIP label list contains both DLP labels and AIP labels for you to choose from

4. About 3 minutes after creating this policy, you will be able to view the matching results from the Investigation tab or from the Policy.

  • Click on the Policy name (highlighted)


  • Then it will show you the statement where the sensitive information was found in the documents
  • This sensitive information is masked, and only the last 4 characters are unmasked


So yeah…that is how the masking works and what it looks like. If you would like to know more about the what and the how, do drop me an email or comment below 😀

 

References:

  1. https://docs.microsoft.com/en-us/cloud-app-security/data-protection-policies

Office 365 Security and Compliance: Data Leak Protection (DLP) & Azure Information Protection (AIP) Integration Unable to delete DLP Policy

Well hello! I’m back. Yes, I have been very busy for the last 2 months and unable to write any new blog posts.

So when I was testing and playing with DLP and AIP in my test environment, I had 2 test integration policies running, and I found there was something wrong with my DLP policy. I went to trigger the delete via the GUI in Security and Compliance, and it basically changed its status to the “Deletion pending” state. I know these deletions sometimes take up to 48 hours. However, it was more than 48 hours and the DLP policy was still showing the status “Deletion pending”.

So it’s time to use PowerShell to solve this deletion pending problem:

*Take note:

If you run the “Remove-DLPCompliancePolicy” PowerShell cmdlet without the “ForceDeletion” switch to delete this policy, it won’t work and you will get an error:

#Sample PowerShell
Remove-DlpCompliancePolicy -Identity 58bed0c6-fbf9-41c4-b798-fdec65beae1c

We cannot remove policy ‘TopSecret_policy’ since it is already in pending deletion state.
+ CategoryInfo : InvalidOperation: (:) [Remove-DlpCompliancePolicy], ErrorCannotRemo…PolicyException
+ FullyQualifiedErrorId : [Server=xxxxxxxxxxxxxxx,RequestId=xxxxxxxx-xxxxx-xxxx-xxxxx-xxxxxxxxxxx5,TimeStamp=4/1/2019
8:26:50 AM] [FailureCategory=Cmdlet-ErrorCannotRemovePendingDeletionPolicyException] xxxxxx,Microsoft.Office.Com
pliancePolicy.Tasks.RemoveDlpCompliancePolicy
+ PSComputerName : apc01b.ps.compliance.protection.outlook.com

What to do?

  1. First of all, you need to use PowerShell and connect to Security & Compliance
    1. https://docs.microsoft.com/en-us/powershell/exchange/office-365-scc/connect-to-scc-powershell/connect-to-scc-powershell?view=exchange-ps
  2. Next, run the command below to get your DLP policy information

Get-DLPCompliancePolicy | select Name, Guid

3. Then run this command

Remove-DLPCompliancePolicy -Identity “Policyname” -ForceDeletion

OR

Remove-DLPCompliancePolicy -Identity “Policy GUID” -ForceDeletion

4. Select “A”; A is Yes to All

Below is a sample screenshot.

References:

  1. https://sabrinaksy.com/2020/07/25/powershell-unable-to-delete-stuck-data-leak-policy-using-forcedeletion/

Data Leak Prevention (Azure Rights Management): aOS Kuala Lumpur 2018

Good day, everyone. I’m not here to insult but to raise awareness, so please read this with an open mind.

I have met and chatted with a few different people from different companies, asking them: do you know about data security, is your company ready for data security, what do you think about security, etc.

Most replied to me that data security is expensive and impacts end users’ productivity. When they told me that it is expensive, I asked them “why do you think it is expensive?”. Their answers had hesitation in them. Anyway, to the ones that told me that security could only bring impact to users, I replied “Plan, organize, and implement properly; never jump/rush to a conclusion” (a disaster plan is important).

The technology is there; it is how you look at it and use it. (A joke: don’t tell me that you go shopping and just blindly buy stuff without testing or checking whether it really suits your needs/wants.)

Yes, whenever most users or companies hear about security, the first thing on their mind is expense and impact. Have you really asked, researched and gathered enough information to prove it? (You know, references.) Have you ever compared the investment in data security vs the cost of fines from regulators? (GDPR fines? PDPA fines?)

During my talk about Data Leak Prevention (Rights Management) at the aOS KL event on 23rd October 2018, I was trying to raise awareness among the audience about data security too. However, one audience member told me that the Microsoft enterprise license is expensive.

What I replied to the person asking about the pricing of the Microsoft enterprise license was to ask the licensing companies for more information. I should have added another reply: “Are you ready to lose 2% to 10% of your company’s global revenue (or probably both a fine and jail) to regulators?”, but my session had already used up an extra 5 minutes (I felt panicked and guilty about using up time that was no longer mine).

So for the people who were asking/telling me in a technical session that the security license is expensive, I kindly advise you to think twice, or many times, about the statement above, which I’ve highlighted in RED.

Quote;
“Better safe than Sorry”
“Never a technology problem, Is human/attitude problem”
“Never try, never know”
“Plan, Don’t make harsh decision/actions”
“Live till old, learn till old” (Take Malaysia’s latest Prime Minister as an Example)
“Ask more doesn’t do harm, Only Stupidity does harm”
“Stop dreaming, Wake up is reality”

Speaker for aOS Kuala Lumpur 2018 (IT Pro), Office 365 Security Compliance and Azure Information Protection Demonstration

With Patrick Guimonet

Data Breaches since 2000s till 2018

 

Reference:

https://sway.office.com/eQ1CbkS7mOE5dvSi

Office 365 Custom DLP: How to create custom Sensitive Information?

Yes, this is an interesting topic for me because it involves programming! I will make this topic as simple as learning the alphabet, because I will be showing you the essentials of how to create your very own DLP sensitive information type. DLP templates come in the form of an XML file.

*Note: You may need to spend some time on this. Practice makes perfect.

The essential elements that you must include in your XML are:

  1. Rule
  2. Entity
  3. Pattern
  4. Identity Match/Id Match/Format/RegularExpression

#This is the flow chart

Rule -> Entity -> Pattern -> Identity Match/Format/Regular Expression

Ok, now you know the essentials. Next are the things you need to take note of about the elements that can have multiple sections, which are “Pattern” and “Identity Match”. You can only have 1 rule consisting of 1 Entity, where that Entity can have multiple unique pattern types and each pattern can have its own unique ID Match.


Below is a sample of my code and how it looks in XML;

*Note: You have to change the GUIDs in the parts marked in the comments. As you can see there are 4 GUIDs, but only 2 of them are the same (the Entity id and the Resource idRef in LocalizedStrings). To get a new GUID, simply open PowerShell and type the command “[guid]::newguid()”.

<?xml version="1.0" encoding="UTF-8"?>
<RulePackage xmlns="http://schemas.microsoft.com/office/2011/mce">
  <!-- Need to change GUID: rule package GUID, [guid]::newguid() -->
  <RulePack id="872155dc-1234-4e3e-a10d-x">
    <Version build="0" major="1" minor="0" revision="0"/>
    <!-- Need to change GUID: publisher GUID -->
    <Publisher id="6907d14a-1234-4023-87cd-x"/>
    <Details defaultLangCode="en-us">
      <LocalizedDetails langcode="en-us">
        <PublisherName>Company Group</PublisherName>
        <Name>ID Custom Rule Pack</Name>
        <Description>This rule package contains the custom ID entity.</Description>
      </LocalizedDetails>
    </Details>
  </RulePack>

  <!-- Rules: this is your rule type -->
  <Rules>
    <!-- ID -->
    <!-- Entity: this is your entity -->
    <!-- Need to change GUID: entity GUID -->
    <Entity id="b660289d-189e-1234-9e0a-x" patternsProximity="300" recommendedConfidence="70">
      <!-- Pattern: this is your pattern type -->
      <Pattern confidenceLevel="80">
        <!-- IdMatch: this is your identity match name -->
        <IdMatch idRef="Regex_id1"/>
      </Pattern>
      <Pattern confidenceLevel="80">
        <IdMatch idRef="Regex_id2"/>
      </Pattern>
    </Entity>

    <!-- Regex: this is your regular expression -->
    <!-- Format: AB-C-DE-FGH -->
    <Regex id="Regex_id1">(\d{2})[-](\d{1})[-](\d{2})[-](\d{3})</Regex>
    <!-- Format: ABCDEFGMANNN -->
    <Regex id="Regex_id2">(\d{7})[mM][a-zA-Z](\d{3})</Regex>

    <LocalizedStrings>
      <!-- Resource idRef must be the same GUID as the Entity id above -->
      <Resource idRef="b660289d-189e-1234-9e0a-x">
        <Name default="true" langcode="en-us">ID</Name>
        <Description default="true" langcode="en-us">A custom classification for detecting IDs.</Description>
      </Resource>
    </LocalizedStrings>
  </Rules>
</RulePackage>

The above XML consists of 2 patterns, both set with an accuracy (confidence level) of 80%, meaning that if DLP scans your mail/SharePoint/OneDrive and finds content matching what is inside the pattern with an 80% match percentage, it will trigger the rule. Each pattern contains a unique identity match, named “Regex_id1” and “Regex_id2”. After that comes setting the format for each unique identity; as you can see above, I have stated the format in the comments.

*Note: The code above doesn’t limit your needs; you can play around with what you wish to include, such as keywords, false positives, etc. You can learn more about tweaking the code by reading the references below. You can also use any online regex tester site to test out the regex in your code.
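Before uploading a rule package it is worth checking the things this post warns about automatically: that the GUIDs are real GUIDs and not template placeholders, that every IdMatch points at a Regex that exists, that the LocalizedStrings Resource idRef is the same GUID as the Entity id, and that each regex compiles and matches the format you intended. The Python below is an added example (not code from this post or from Microsoft) that does those checks over a constructed copy of the rule package above; the GUIDs in it are made up for the example, and Python’s `re` module is used as an approximation of the .NET regex engine DLP runs.

```python
import re
import uuid
import xml.etree.ElementTree as ET

MCE_NS = {"m": "http://schemas.microsoft.com/office/2011/mce"}

# Constructed copy of the rule package from the post. The GUIDs are made up for
# this example; generate real ones with [guid]::newguid() before importing.
RULE_PACKAGE_XML = r"""<?xml version="1.0" encoding="UTF-8"?>
<RulePackage xmlns="http://schemas.microsoft.com/office/2011/mce">
  <RulePack id="872155dc-1234-4e3e-a10d-0123456789ab">
    <Version build="0" major="1" minor="0" revision="0"/>
    <Publisher id="6907d14a-1234-4023-87cd-0123456789ab"/>
    <Details defaultLangCode="en-us">
      <LocalizedDetails langcode="en-us">
        <PublisherName>Company Group</PublisherName>
        <Name>ID Custom Rule Pack</Name>
        <Description>This rule package contains the custom ID entity.</Description>
      </LocalizedDetails>
    </Details>
  </RulePack>
  <Rules>
    <Entity id="b660289d-189e-1234-9e0a-0123456789ab" patternsProximity="300" recommendedConfidence="70">
      <Pattern confidenceLevel="80"><IdMatch idRef="Regex_id1"/></Pattern>
      <Pattern confidenceLevel="80"><IdMatch idRef="Regex_id2"/></Pattern>
    </Entity>
    <Regex id="Regex_id1">(\d{2})[-](\d{1})[-](\d{2})[-](\d{3})</Regex>
    <Regex id="Regex_id2">(\d{7})[mM][a-zA-Z](\d{3})</Regex>
    <LocalizedStrings>
      <Resource idRef="b660289d-189e-1234-9e0a-0123456789ab">
        <Name default="true" langcode="en-us">ID</Name>
        <Description default="true" langcode="en-us">A custom classification for detecting IDs.</Description>
      </Resource>
    </LocalizedStrings>
  </Rules>
</RulePackage>
"""


def _load(xml_text):
    # Parse as bytes so the encoding declaration in the prolog is honoured.
    return ET.fromstring(xml_text.encode("utf-8"))


def validate_rule_package(xml_text):
    """Return a list of problems that would make the package fail to import or
    silently never fire; an empty list means the cross-references are consistent."""
    problems = []
    root = _load(xml_text)

    # 1. RulePack, Publisher and Entity ids must be real GUIDs, not a
    #    placeholder left over from a template.
    for tag in ("RulePack", "Publisher", "Entity"):
        for el in root.findall(f".//m:{tag}", MCE_NS):
            try:
                uuid.UUID(el.get("id", ""))
            except ValueError:
                problems.append(f"{tag} id {el.get('id')!r} is not a valid GUID")

    # 2. Every IdMatch must reference a Regex that is actually defined.
    regexes = {el.get("id"): el.text or "" for el in root.findall(".//m:Regex", MCE_NS)}
    for idm in root.findall(".//m:IdMatch", MCE_NS):
        if idm.get("idRef") not in regexes:
            problems.append(f"IdMatch idRef {idm.get('idRef')!r} has no matching Regex")

    # 3. Each LocalizedStrings Resource must point at an Entity id (the
    #    "2 GUIDs that are the same" in the note above).
    entity_ids = {el.get("id") for el in root.findall(".//m:Entity", MCE_NS)}
    for res in root.findall(".//m:Resource", MCE_NS):
        if res.get("idRef") not in entity_ids:
            problems.append(f"Resource idRef {res.get('idRef')!r} does not match any Entity id")

    # 4. Each regex must at least compile.
    for rid, pattern in regexes.items():
        try:
            re.compile(pattern)
        except re.error as exc:
            problems.append(f"Regex {rid!r} does not compile: {exc}")
    return problems


def matching_regex_ids(xml_text, sample):
    """Return the ids of the package's regexes that match a sample string,
    the same check you would otherwise do by hand in an online regex tester."""
    root = _load(xml_text)
    return sorted(
        el.get("id")
        for el in root.findall(".//m:Regex", MCE_NS)
        if re.search(el.text or "", sample)
    )


if __name__ == "__main__":
    print(validate_rule_package(RULE_PACKAGE_XML))          # [] when consistent
    print(matching_regex_ids(RULE_PACKAGE_XML, "ref 12-3-45-678"))
```

Point `validate_rule_package` at your own file (read it as text) and feed `matching_regex_ids` a few sample values you expect to be caught and a few you expect to be ignored; a pattern that matches too broadly shows up here as a false positive long before it floods your DLP reports.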


References:

  1. https://support.office.com/en-us/article/Create-a-custom-sensitive-information-type-82c382a5-b6db-44fd-995d-b333b3c7fc30
  2. https://docs.microsoft.com/en-us/dotnet/standard/base-types/regular-expression-language-quick-reference
  3. https://justaucguy.wordpress.com/2014/11/21/adventures-in-custom-dlp-rules-part-one/

Outlook: How to hide “Do Not Forward”

There are some customers who are very particular about security and compliance or the rights management service. They also wish to hide all the default RMS templates, such as contoso.com – confidential, contoso.com – confidential (View Only) and Do Not Forward, and have their own. It is easy to hide the contoso.com – confidential and contoso.com – confidential (View Only) templates using the Azure classic portal. However, many of the articles I researched on hiding or disabling the “Do Not Forward” permission in Outlook said “You cannot hide or remove Do Not Forward because it is based on Office”. So I came across this article (Reference: https://support.microsoft.com/en-gb/help/2458423/the-message-classification-feature-is-unavailable-when-you-disable-the) to resolve hiding the “Do Not Forward” feature by modifying the Office registry. This method applies to Outlook 2010 through Outlook 2016 and can also be done via GPO.

Modify using the registry:

  1. Open Registry Editor (regedit.exe) > HKEY_CURRENT_USER > Software > Microsoft > Office > 16.0 > Common > DRM
  2. Create a new DWORD (32-bit) value
  3. Name the value: DisableDNF
  4. Double-click on the value > enter the value ‘1’
  5. Close Registry Editor
  6. Close and relaunch Outlook

After relaunching Outlook, you can check whether the method works by creating a new email > Options > Permission: the “Do Not Forward” option is greyed out or disabled.

Registry
Create a new registry value
DisableDNF
Do Not Forward is greyed out