0

I have found myself with the need to block online conversion tools for pdf files and such, but I can't think of a nice catch-all (or even catch most) solution (without blocking all file uploads in browsers). Does anybody have any ideas on how to block such sites company-wide without disabling all file uploads?

At first I figured I would just block the sites at DNS level but there seem to be too many of them to count.

schroeder
Mattey
  • 1
    I think you need to refine what your actual security question is and what technologies you have available to solve it. Online conversion is probably not the security issue but uploading sensitive documents to third party sites is. In this case you need to specify what a sensitive document is, i.e. what kind of documents should be allowed in upload forms and what not. Also, what you can actually filter depends on the technology you can use - which is unknown. – Steffen Ullrich Sep 02 '21 at 10:22
  • I agree that the problem is uploading sensitive documents to third party sites, I think that is a better way of thinking of it. The reason I am explicitly mentioning third party conversion tools is that they seem to be the largest problem.

    However, with the way you pose your question I am starting to think this might be a pretty good idea. Something that disallows file uploads based on content/classification with a whitelist in place for certain exceptions.

    However, as you probably have guessed, I am not well versed; got any direction/technology I should be searching in?

    – Mattey Sep 02 '21 at 11:55
  • As asked, I'm reminded of the start of the movie "How To Train Your Dragon" Where the protagonist's father says, "From now on you walk like us, you talk like us, and you think like us. No more of ... this." points to all of the Internet – schroeder Sep 02 '21 at 14:30
  • For anyone else looking into this, I think I found a relevant question about the larger problem

    https://security.stackexchange.com/questions/97520/preventing-information-from-leaving-corporate-network

    – Mattey Sep 16 '21 at 13:10

2 Answers

5

You're looking for a technical solution for a human problem.

And that won't work.

The problem you're facing is that using online tools for sensitive files is prohibited, yet people use them. Ask yourself: Why?

Two main reasons:

  1. They don't know it's wrong. People have no inhibitions about doing something if they don't believe they're doing anything wrong. After all, they just need to convert something to a PDF for their job, right?

    The best thing to do here is to remind people about the IT policy, and that using such tools is strictly prohibited.

  2. They're convenient. Even if it's wrong, these tools are most likely much more convenient than the way their IT prescribes. So, the solution is quite obvious: Offer better tools. If your company provides an internal page to convert things to PDF, and it's just as easy-to-use as the prohibited tools, then people will use the internal tool.

  • 2
    Good point. I am working the human angle in parallel, instructing people not to do this and prepping support to take calls about these kinds of issues. However I think that would still lack the convenience you are describing. Creating a small portal for this is a good idea. – Mattey Sep 03 '21 at 08:14
1

It sounds like what you're looking for is a Data Loss Prevention (DLP) system, which can identify sensitive internal data or documents (based on various factors), and then prevent people from sending them outside of the organisation unless they're doing so via an approved channel.

Gh0stFish
  • 1
    This does seem to fit the description! I will work the human angle a bit more but I am definitely looking into this for the long term! – Mattey Sep 03 '21 at 08:18
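
The decision a DLP upload filter makes, as described in the answer above (content classification plus an allowlist of approved channels), sketched as an added example that is not part of the original answers or of any DLP product. The host names, label strings and function names are assumptions constructed for illustration.

```python
import re

# Assumed policy values, constructed for this example.
APPROVED_HOSTS = {"convert.corp.example", "sharepoint.corp.example"}
LABELS = ("COMPANY CONFIDENTIAL", "INTERNAL USE ONLY")
# 16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")


def host_approved(host: str) -> bool:
    """Exact match or a true subdomain; a look-alike suffix must not pass."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in APPROVED_HOSTS)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(body: bytes) -> list[str]:
    """Return the reasons a body counts as sensitive (empty list: none)."""
    reasons = []
    upper = body.upper()  # uppercases ASCII bytes only, which is enough here
    for label in LABELS:
        # Some document formats store text as UTF-16, so search both encodings.
        if label.encode() in upper or label.encode("utf-16-le") in upper:
            reasons.append(f"label:{label}")
    for match in CARD_RE.finditer(body):
        if luhn_ok(re.sub(rb"\D", b"", match.group()).decode()):
            reasons.append("pattern:payment-card")
            break
    return reasons


def decide(host: str, body: bytes) -> tuple[str, list[str]]:
    """Approved channels pass; anything else is blocked if it looks sensitive."""
    if host_approved(host):
        return "allow", ["approved-channel"]
    reasons = classify(body)
    return ("block", reasons) if reasons else ("allow", [])
```

Compressed containers (for example .docx, or PDF content streams) hide their text from a raw byte search, so a real deployment extracts the text before classifying it.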