Data theft protection prevents unauthorized disclosure of confidential information. Configuring data theft protection requires two steps:
- Specify the at-risk data elements handled by the web application, using a Security Policy.
- Enable protection of these elements where it is needed, using a URL Policy.
Sensitive data elements can be masked to prevent their unauthorized disclosure, or responses containing them can be blocked altogether. Using security policies, you configure the sensitive data elements that need protection and how each of them is handled. These settings are available to every service associated with the security policy, but are enforced only where a URL policy enables them: URL policies applied to narrowly defined URL spaces that require this protection enable it individually, and other URL spaces operate without incurring the processing cost of response inspection. To optimize performance, enable data theft protection only for parts of the site known to carry sensitive information. The trade-off is that a response from a URL space where protection is not enabled is not inspected at all, so the set of protected URL spaces has to be kept in step with the application as it changes.
The SECURITY POLICIES > Data Theft Protection page allows configuration of identity theft data types for a security policy. You enable protection for specific URLs on the WEBSITES > Advanced Security page; the security policy's data theft settings are then enforced only for the configured URLs. Barracuda Energize Updates provides a set of default protected patterns, such as credit card and social security numbers. These can be expanded or customized on the ADVANCED > Libraries page to include other web application specific data patterns that need protection from disclosure. For any configured pattern, a match in the server response can be masked, or the response can be blocked altogether.
When Data Theft Protection is enabled, the Barracuda Web Application Firewall intercepts the response from the server and compares it against the patterns listed on the ADVANCED > View Internal Patterns page and, if custom identity theft patterns have been defined, on the ADVANCED > Libraries page. If the response matches any of the defined patterns, it is blocked or cloaked depending on the Action (Block or Cloak) set for that element. With Block, the response sent by the server is not delivered to the client. With Cloak, the matching data is partly overwritten with "X"s.
The default identity theft elements provided by the Barracuda Web Application Firewall are:
- Credit Cards
- Directory Indexing
- Social Security Number (SSN)
Credit Cards and SSN
To prevent exposure of personal data such as credit card numbers and social security numbers (SSN), select Block to block the response from the server, or Cloak to overwrite the characters that fall outside the values defined in the Initial Characters to Keep and Trailing Characters to Keep parameters. By default, Credit Cards and SSN are set to Cloak.
Directory Indexing
If a web server is configured to display the list of all files within a requested directory, it may expose sensitive information such as backup files, configuration files or scripts that were never meant to be linked. The Barracuda Web Application Firewall prevents this exposure by blocking the response from the server. By default, directory indexing is set to Block.
Steps to Configure Data Theft Protection:
- From the SECURITY POLICIES > Data Theft Protection page, select the policy for which you want to enable data theft protection.
- In the Configure Data Theft Protection section, specify values for the following fields:
- Data Theft Element Name – Enter a name for the data theft element.
- Enabled – Select Yes to match this data element against server response pages. The element is matched only when Enable Data Theft Protection is also set to Yes on the WEBSITES > Advanced Security page for the URL policy that applies to the request.
- Recommended: Yes
- Identity Theft Type – Select from the drop-down list the data type to which the element named in Data Theft Element Name belongs. The default identity theft patterns (Credit Card, SSN, and Directory Indexing) are associated with the data types defined under ADVANCED > View Internal Patterns > Identity Theft Patterns. To associate a custom identity theft pattern created on the ADVANCED > Libraries page, select <CUSTOM> from the drop-down list and then select the customized identity theft type in the Custom Identity Theft Type field below.
- Default: CUSTOM
- Custom Identity Theft Type – Select the customized identity theft type to be used from the drop-down list.
- Action – If set to Block, the response sent by the server containing this data type is blocked. The Block mode should be used if the server should never expose this information. In the Cloak mode, a part of the data is cloaked, that is, overwritten with X’s based on Initial Characters to Keep and Trailing Characters to Keep.
- Values: Block, Cloak
- Recommended: Block
- Initial Characters to Keep – Enter the number of initial characters to be displayed to the user when the data of this data type is identified in a server page. For example, an online shopping service displays a user’s credit card number 1234 0000 0000 5678. If Initial Characters to Keep is set to 4, the credit card number is displayed as 1234 XXXX XXXX XXXX.
- Values: 0 to 100
- Recommended: 0
- Trailing Characters to Keep – Enter the number of trailing characters to be displayed to the user when the data of this data type is identified in a server page. For example, an online shopping service displays a user’s credit card number as 1234 0000 0000 5678. If Trailing Characters to Keep is set to 4, the credit card number is displayed as XXXX XXXX XXXX 5678.
- Values: 0 to 100
- Recommended: 4
- Click Add to add the above configuration settings.
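The following Python model is added here as an illustration and is not Barracuda's code. It shows how the settings above combine at enforcement time: the URL policy gate, a Block-action match taking precedence over Cloak, and the Initial Characters to Keep and Trailing Characters to Keep arithmetic that turns 1234 0000 0000 5678 into 1234 XXXX XXXX XXXX or XXXX XXXX XXXX 5678. The regexes standing in for the internal patterns, the longest-prefix URL policy matching, and the fail-closed handling of keep counts that would expose the whole value are assumptions of this example; the appliance's own patterns and matching rules are not documented on this page. The URL policies and server responses are constructed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class DataTheftElement:
    """One row of the Configure Data Theft Protection section (field names only; assumption)."""
    name: str
    pattern: re.Pattern
    action: str               # "Block" or "Cloak"
    enabled: bool = True
    initial_keep: int = 0     # Initial Characters to Keep
    trailing_keep: int = 0    # Trailing Characters to Keep


# Stand-in regexes for the internal patterns; the appliance's own patterns are not on the page.
CREDIT_CARD = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")        # 13 to 16 digits, optional separators
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
DIRECTORY_INDEX = re.compile(r"<title>\s*Index of /", re.IGNORECASE)  # typical auto-index page title


def cloak(match: str, initial_keep: int, trailing_keep: int) -> str:
    """Overwrite a match with X's, keeping the first/last N characters and the separators."""
    if initial_keep + trailing_keep >= len(match):
        # Keep counts would expose the whole value: fail closed and cloak everything
        # (the page does not define this case; the choice is this example's).
        return re.sub(r"[0-9A-Za-z]", "X", match)
    head = match[:initial_keep]
    tail = match[len(match) - trailing_keep:] if trailing_keep else ""
    middle = match[initial_keep:len(match) - trailing_keep]
    return head + re.sub(r"[0-9A-Za-z]", "X", middle) + tail


def url_policy_enables_protection(path: str, url_policies: dict[str, bool], default: bool) -> bool:
    """Enable Data Theft Protection flag of the URL policy that applies to the request.

    Assumption: longest-prefix match approximates the appliance's URL policy matching;
    a request with no matching policy falls back to the default URL policy.
    """
    matches = [prefix for prefix in url_policies if path.startswith(prefix)]
    return url_policies[max(matches, key=len)] if matches else default


def enforce(path: str, body: str, elements: list[DataTheftElement],
            url_policies: dict[str, bool], default_enabled: bool) -> tuple[str, str]:
    """Return (verdict, body_to_send) with verdict one of 'pass', 'cloaked', 'blocked'."""
    if not url_policy_enables_protection(path, url_policies, default_enabled):
        return "pass", body          # URL policy says No: the response is not inspected at all
    active = [e for e in elements if e.enabled]
    # A Block-action match suppresses the whole response; nothing from the server is forwarded.
    for element in active:
        if element.action == "Block" and element.pattern.search(body):
            return "blocked", ""
    cloaked = body
    for element in active:
        if element.action == "Cloak":
            cloaked = element.pattern.sub(
                lambda m, e=element: cloak(m.group(0), e.initial_keep, e.trailing_keep), cloaked)
    return ("cloaked" if cloaked != body else "pass"), cloaked


# Constructed policy: the recommended Cloak settings for cards and SSNs, Block for listings.
ELEMENTS = [
    DataTheftElement("Credit Cards", CREDIT_CARD, "Cloak", initial_keep=0, trailing_keep=4),
    DataTheftElement("SSN", SSN, "Cloak", initial_keep=0, trailing_keep=4),
    DataTheftElement("Directory Indexing", DIRECTORY_INDEX, "Block"),
]
# Constructed URL policies: only /account/ is inspected; everything else uses the default (No).
URL_POLICIES = {"/account/": True}
DEFAULT_ENABLED = False

# Constructed server responses.
ACCOUNT_PAGE = "<p>Card on file: 1234 0000 0000 5678, SSN 123-45-6789</p>"
LISTING_PAGE = "<html><head><title>Index of /account/backup</title></head></html>"

if __name__ == "__main__":
    print(enforce("/account/profile", ACCOUNT_PAGE, ELEMENTS, URL_POLICIES, DEFAULT_ENABLED))
    print(enforce("/account/backup/", LISTING_PAGE, ELEMENTS, URL_POLICIES, DEFAULT_ENABLED))
    print(enforce("/blog/post", ACCOUNT_PAGE, ELEMENTS, URL_POLICIES, DEFAULT_ENABLED))
```

The third call is the case the performance advice in the overview leaves open: the same card number in a response from /blog/post passes untouched because no URL policy with Enable Data Theft Protection set to Yes matches that path.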
Custom Identity Theft Patterns
The default data theft types are displayed under Protected Data Types on the SECURITY POLICIES > Data Theft Protection page. You can also create custom identity theft data types on the ADVANCED > Libraries page and use them from the same place.
Creating a Custom Identity Theft Pattern
- Go to the ADVANCED > Libraries page, Identity Theft section, enter a name in the New Group field and click Add.
- Click Add Pattern next to the identity theft pattern group you created. The Identity Theft Patterns window appears. Specify values for the following fields:
- Pattern Name – Enter a name to identify the pattern.
- Status – Set to On to use this pattern for matching in server responses.
- Pattern Regex – Define the regular expression of the pattern or click the Edit icon to select and insert the pattern.
- Pattern Algorithm – Select the algorithm to associate with the pattern from the drop-down list.
- Case Sensitive – Select Yes if you wish the pattern defined to be treated as case sensitive.
- Pattern Description – (Optional) Enter a description for the pattern, for example "Visa credit card pattern", so that the purpose of the regular expression is clear to anyone reviewing the library later.
- Click Add.
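As an added example, not the appliance's code, the model below shows what each field of a custom pattern contributes when a response is scanned: Status switches the pattern off entirely, Case Sensitive changes which regex hits are found, and Pattern Algorithm filters those hits. It assumes that the Pattern Algorithm is a validation check run on each regex hit, with the Luhn checksum as the check for card numbers; the page does not list the algorithms the drop-down offers. One caveat the example makes visible: the page's illustrative card number 1234 0000 0000 5678 does not pass Luhn, so a Luhn-validated pattern reports only checksum-valid numbers such as the test number 4111 1111 1111 1111, and that is what you should test with. The patterns, the account-ID format and the sample response are constructed.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional


def luhn_ok(value: str) -> bool:
    """Luhn checksum over the digits of value; separators such as spaces or dashes are ignored."""
    digits = [int(c) for c in value if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class IdentityTheftPattern:
    """One entry of a custom Identity Theft pattern group (fields named as on the page; assumption)."""
    pattern_name: str
    pattern_regex: str
    status: bool = True                                          # Status: On/Off
    pattern_algorithm: Optional[Callable[[str], bool]] = None    # validation applied to each regex hit
    case_sensitive: bool = False
    pattern_description: str = ""

    def matches(self, response: str) -> list:
        """Regex hits in the response that also satisfy the pattern algorithm, if one is attached."""
        if not self.status:
            return []
        flags = 0 if self.case_sensitive else re.IGNORECASE
        hits = []
        for m in re.finditer(self.pattern_regex, response, flags):
            if self.pattern_algorithm is None or self.pattern_algorithm(m.group(0)):
                hits.append(m.group(0))
        return hits


# Constructed patterns: the same card regex with and without a validation algorithm, and an
# internal account identifier (hypothetical format ACCT-XX000000) with and without case sensitivity.
CARD_REGEX = r"\b\d(?:[ -]?\d){12,15}\b"
CARD_REGEX_ONLY = IdentityTheftPattern("Card number (regex only)", CARD_REGEX)
CARD_WITH_LUHN = IdentityTheftPattern("Card number (Luhn)", CARD_REGEX, pattern_algorithm=luhn_ok,
                                      pattern_description="Card number validated with Luhn")
ACCOUNT_ID_STRICT = IdentityTheftPattern("Account ID (case sensitive)", r"\bACCT-[A-Z]{2}\d{6}\b",
                                         case_sensitive=True)
ACCOUNT_ID_LOOSE = IdentityTheftPattern("Account ID (case insensitive)", r"\bACCT-[A-Z]{2}\d{6}\b",
                                        case_sensitive=False)

# Constructed response: a Luhn-valid test card, a 16-digit order reference that only looks like
# a card number, and an account ID that appears lower-cased inside a URL.
SAMPLE_RESPONSE = (
    "<p>Card: 4111 1111 1111 1111</p>"
    "<p>Order ref: 1234 0000 0000 5678</p>"
    '<a href="/acct-gb123456/statements">Statements</a>'
)


def scan(response: str, patterns: list) -> dict:
    """Map each pattern name to the values it would report for this response."""
    return {p.pattern_name: p.matches(response) for p in patterns}


if __name__ == "__main__":
    for name, hits in scan(SAMPLE_RESPONSE, [CARD_REGEX_ONLY, CARD_WITH_LUHN,
                                             ACCOUNT_ID_STRICT, ACCOUNT_ID_LOOSE]).items():
        print(f"{name}: {hits}")
```

The regex-only card pattern reports the order reference as well as the real test card, which with Action set to Block would suppress the whole order page; attaching the checksum removes that false positive. The case-sensitive account pattern misses the identifier once the application lower-cases it into a URL, so for identifiers that the application may render in either case, Case Sensitive should be No.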
Using a Custom Identity Theft Pattern
- Go to the SECURITY POLICIES > Data Theft Protection page.
- Select a policy from the Policy Name drop-down list.
- In the Configure Data Theft Protection section, enter a name in the Data Theft Element Name text field.
- Set Enabled to Yes to match this data element against server response pages. The element is matched only when Enable Data Theft Protection is also set to Yes on the WEBSITES > Advanced Security page for the URL policy that applies to the request.
- Select CUSTOM from the Identity Theft Type drop-down list.
- Select the Identity theft pattern you created from the Custom Identity Theft Type drop-down list.
- Set the Action to Block or Cloak. If set to Block, the response sent by the server containing this data type is blocked. The Block mode should be used if the server is never expected to expose such information. In the Cloak mode, a part of the data is cloaked, that is, overwritten with X’s based on Initial Characters to Keep and Trailing Characters to Keep.
- If required, change the values of Initial Characters to Keep and Trailing Characters to Keep and click Add.
- Bind this policy to a Service, so that responses from that service are checked against the pattern and the configured action is applied.
Turning on Data Theft Protection using URL Policy
To use data theft protection for a requested URL, on the WEBSITES > Advanced Security page set Enable Data Theft Protection to Yes for the URL policy that applies: either a URL policy matching the requested URL or, if no policy matches the URL, the default URL policy. When Enable Data Theft Protection is set to Yes for the matching policy, the Data Theft Protection settings from the service's security policy are enforced on the response to that request.