Documentation | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Forcepoint DLP Predefined Policies and Classifiers : Data Loss Prevention policies : Data Theft Risk Indicators
Data Theft Risk Indicators
Predefined Policies and Classifiers | Forcepoint DLP | 8.8
Forcepoint DLP includes the following types of Data Theft Risk Indicator policies:
*
Employee Discontent
*
Indicators of Compromise
*
Suspicious User Activity
Suspicious User Activity
Predefined Policies and Classifiers | Forcepoint DLP | 8.8
*
Data Sent During Unusual Hours
Detects data that is sent at an unusual time. You define what is considered an unusual time in the script classifier, Unusual Hours. Each rule in this policy target a different type of data, such as Office or archive files.
Example: If you define working days in the classifier as Monday-Friday and unusual hours as 9pm-5am, then data sent on Saturday, Sunday, or during the working week between 9 p.m. and 5 a.m. triggers this policy.
*
Source Code C family or Java Sent During Unusual Hours
*
Confidential in Header/Footer Sent During Unusual Hours
*
Office Files Sent Over Time During Unusual Hours
*
Archive Files Sent Over Time During Unusual Hours
*
Python Source Code Sent During Unusual Hours
*
Deep Web URLs
Policy for detecting deep web URLs that appear in analyzed content such as textual documents or email messages and end with the pseudo-top-level domains .onion and .i2p. The deep web is a portion of World Wide Web content that is not indexed by standard search engines and that is intentionally hidden from the regular Internet, accessible only with special software, such as Tor. Such URLs are used for anonymous defamation, unauthorized leaks of sensitive information and copyright infringement, distribution of illegal sexual content, selling controlled substances, money laundering, bank fraud, credit card fraud and identity theft, among other things. The rules for this policy are:
*
Deep Web URLs: .i2p (Wide)
*
Deep Web URLs: .i2p (Default)
*
Deep Web URLs: .onion
*
Email to Competitors
A policy for detecting email messages that are being sent from one's corporate email address to his or her personal email address. The rules for this policy are:
*
Email to Competitors
*
Contact Information to Competitors
*
Encrypted Attachment to Competitors
*
Malicious Concealment
Policy for detection of content suspected to be manipulated to avoid detection.This may cause false positives. The rules for this policy are:
*
Manipulated Content - L33T
*
Manipulated Content - Reversed Text
*
Manipulated Content - ROT13
*
Manipulated Content - Upside Down Text
*
Manipulated Content (Default)
*
Manipulated Content (Narrow)
*
Manipulated Content (Wide)
*
Password Dissemination
Detects content suspected to be a password in clear text. The rules for this policy are:
*
Password Dissemination: Email Address and Password (Wide)
*
Password Dissemination: Email Address and Password (Default)
*
Password Dissemination for HTTP Traffic (Wide)
*
Password Dissemination for HTTP Traffic (Default)
*
Password Dissemination for HTTP Traffic (Narrow)
*
Password Dissemination for non-HTTP/S Traffic (Wide)
*
Password Dissemination for non-HTTP/S Traffic (Default)
*
Password Dissemination for non-HTTP/S Traffic (Narrow)
*
Problem Gambling
Detects expressions that are indicative of problem gambling; for example, "I am addicted to gambling", "My gambling is out of control". The rule for this policy is:
*
Problem Gambling
*
Suspected Mail to Self
Policy for detecting email messages that are being sent from one's corporate email address to his or her personal email address. The rules for this policy are:
*
Self CV/Resume Distribution: English (Wide)
*
Self CV/Resume Distribution: English (Default)
*
Archive Files Sent Over Time in Suspected Mail to Self
*
Confidential in Header/Footer in Suspected Mail to Self
*
Database Files in Suspected Mail to Self
*
Encrypted Files of Known Format in Suspected Mail to Self
*
Encrypted Files of Unknown Format in Suspected Mail to Self
*
Office Files Sent Over Time in Suspected Mail to Self
*
C Family or Java Source Code in Suspected Mail to Self
*
Python Source Code in Suspected Mail to Self
*
Suspected Mail to Self
*
Unknown File Formats Over Time
Detects when unencrypted binary files of unknown formats are being sent repeatedly over a period of time. For example, if 50 unencrypted files of an unknown format are sent during 1 hour, this policy is triggered. The rules for this policy are:
*
Unknown file formats over time (Wide)
*
Unknown file formats over time (Default)
*
Unknown file formats over time (Narrow)
*
Unknown file formats over time to uncategorized sites
*
User Traffic Over Time
Policy for detection of suspicious behavior of users by measuring the rate and type of transactions over time. This may cause false positives. The rules for this policy are:
*
User Traffic Over Time: CV and Resume
*
User Traffic Over Time: Source Code
*
User Traffic Over Time: Specific Attachment
*
Files Containing Macros
Policy for detection of files that contain macros.
*
Macro-Enabled Microsoft Office Excel Files
*
Macro-Enabled Microsoft Office PowerPoint Files
*
Macro-Enabled Microsoft Office Visio Files
*
Macro-Enabled Microsoft Office Word Files
Indicators of Compromise
Predefined Policies and Classifiers | Forcepoint DLP | 8.8
*
.REG Files
Policy for detecting .REG files (Windows Registry files). The rule for this policy is:
*
.REG File
*
Database Dumps/Backup Files
Policy for detecting records of SQL table data extracted from a database. The rules for this policy are:
*
Database Dumps/Backup Files: MySQL-Format Database Dump (Wide)
*
Database Dumps/Backup Files: MySQL-Format Database Dump (Default)
*
Database Dumps/Backup Files: Microsoft Tape Format
*
Encrypted Files
Policy for detection of encrypted PGP files, password-protected files of known formats, like Microsoft Word and ZIP, and unknown encrypted files. The rules for this policy are:
*
Encrypted Files: B1 File
*
Encrypted Files: RAR File
*
Encrypted Files: RAR5 File
*
Encrypted Files: ZIP File
*
Encrypted Files: Microsoft Access Database File (Legacy)
*
Encrypted Files: Microsoft Excel Binary File (Legacy)
*
Encrypted Files: Microsoft Office Encrypted File (OOXML)
*
Encrypted Files: Microsoft OneNote Encrypted File
*
Encrypted Files: Microsoft PowerPoint Binary File (Legacy)
*
Encrypted Files: Microsoft Word Binary File (Legacy)
*
Encrypted Files: PDF File
*
Encrypted Files: PGP Encrypted File
*
Encrypted Files: PGP Signed and Encrypted File
*
Encrypted Files: Unknown Encrypted Format
*
Password Files
Searches for outbound password files, such as SAM database and UNIX/Linux password files. The rules for this policy are:
*
Password Files: .htpasswd File (Wide)
*
Password Files: .htpasswd File (Default)
*
Password Files: .htpasswd File (Narrow)
*
Password Files: General File
*
Password Files: Password File (Wide)
*
Password Files: Password File (Default)
*
Password Files: SAM File (Wide)
*
Password Files: SAM File (Default)
*
Password Files: SAM File (Narrow)
*
Password Files: Shadow File (Wide)
*
Password Files: Shadow File (Default)
*
Private Keys
Policy for detecting private keys or file formats that contain them. The rule for this policy is:
*
Private Keys: DSA Private Key
*
Private Keys: Elliptic Curve Private Key
*
Private Keys: JSON Keystore File Private Key
*
Private Keys: OpenSSH Private Key
*
Private Keys: PGP Private Key
*
Private Keys: PKCS #1 Private Key
*
Private Keys: Encrypted PKCS #8 Private Key
*
Private Keys: Unencrypted PKCS #8 Private Key
*
Private Keys: PKCS #12 File
*
Private Keys: SSH2 Private Key
*
Private Keys: Textual PPK Private Key
*
Suspected Malware Communication
Identifies traffic that is thought to be malware "phoning home" or attempting to steal information. Detection is based on the analysis of traffic patterns from known infected machines. Applies only when Forcepoint Web Security is installed. Rules in this policy include:
*
Suspected Malware Communication (Wide)
*
Suspected Malware Communication (Default)
*
Suspected Malicious Dissemination
Policy for the detection of a suspected malicious content dissemination such as: encrypted or manipulated information, passwords files, credit card tracks, suspected applications and dubious content such as information about the network, software license keys, and database files. The rules for this policy are:
*
Suspected Malicious Dissemination: Encrypted File (Known Format)
*
Suspected Malicious Dissemination: Email Address and Password (Wide)
*
Suspected Malicious Dissemination: Email Address and Password (Default)
*
Suspected Malicious Dissemination: Generic Encryption Detection (Wide)
*
Suspected Malicious Dissemination: Generic Encryption Detection (Default)
*
Suspected Malicious Dissemination: IT Asset Information
*
Suspected Malicious Dissemination: Malicious Concealment
*
Suspected Malicious Dissemination: Password Dissemination for non-HTTP/S Traffic (Wide)
*
Suspected Malicious Dissemination: Password Dissemination for non-HTTP/S Traffic (Default)
*
Suspected Malicious Dissemination: Password Dissemination for non-HTTP/S Traffic (Narrow)
*
Suspected Malicious Dissemination: Password Dissemination for HTTP Traffic (Wide)
*
Suspected Malicious Dissemination: Password Dissemination for HTTP Traffic (Default)
*
Suspected Malicious Dissemination: Password Dissemination for HTTP Traffic (Narrow)
*
Counter Malicious: Password File
*
Suspected Malicious Dissemination: Suspected Application (Steganography and Encryption)
Employee Discontent
Predefined Policies and Classifiers | Forcepoint DLP | 8.8
*
CV and Resume in English
Policy for detection of documents comprising resumes and CVs in English.
The rule for this policy is:
*
CV and Resume in English
*
CV and Resume in French
Policy for detection of resumes and CVs in French.
The rules for this policy are:
*
CV and Resume in French (Wide)
*
CV and Resume in French (Default)
*
CV and Resume in French (Narrow)
*
CV and Resume in German
Policy for detection of resumes and CVs in German.
The rules for this policy are:
*
CV and Resume in German (Wide)
*
CV and Resume in German (Default)
*
CV and Resume in German (Narrow)
*
CV and Resume in Spanish
Policy for detection of resumes and CVs in Spanish.
The rules for this policy are:
*
CV and Resume in Spanish (Wide)
*
CV and Resume in Spanish (Default)
*
CV and Resume in Spanish (Narrow)
*
Disgruntled Employee
Detects expressions that are indicative of disgruntled employees. For example: "I hate my boss", "I hate my job".
*
Disgruntled Employee (Default)
*
Disgruntled Employee (Narrow)
*
Israel CV and Resume
Policy for detection of documents comprising resumes and CVs in Hebrew and English. The rules for this policy are:
*
Israel CV and Resume: English
*
Israel CV and Resume: Hebrew
*
Russia CV and Resume
Policy for detection of documents comprising resumes and CVs in Russian, Ukrainian, and English. The rules for this policy are:
*
Russia CV and Resume: English
*
Russia CV and Resume: Russian or Ukrainian
*
Self CV/Resume Distribution
Policy for detecting employees who distribute their resume or Curriculum Vitae, indicating they may be searching for a new job. The rules for this policy include:
*
Self CV Distribution: English (Wide)
*
Self CV Distribution: English (Default)
*
Ukraine CV and Resume
Policy for detection of documents comprising resumes and CVs in Ukrainian, Russian, and English. The rules for this policy are:
*
Ukraine CV and Resume: English
*
Ukraine CV and Resume: Russian or Ukrainian
Quick Policies
Predefined Policies and Classifiers | Forcepoint DLP | 8.8
Forcepoint DLP includes the following types of quick policies:
*
Web DLP policy
*
Email DLP policy
*
Mobile DLP policy
Web DLP policy
Predefined Policies and Classifiers | Forcepoint DLP | 8.8
The Web DLP "quick policy" includes the PCI policy, PHI policies, and PII policies listed in this document (including financial policies). In addition, the Web DLP policy includes several policies for the data theft attribute:
*
Common password information
Searches for outbound passwords in plain text. The rules for this policy are:
*
Common password information
*
Common password information (Wide)
*
Common password information (Narrow)
*
Encrypted files - known format
Searches for outbound transactions comprising common encrypted file formats. The rules for this policy are:
*
Encrypted files (known format)
*
Encrypted files - unknown format
Searches for outbound files that were encrypted using unknown encryption formats. The rules for this policy are:
*
Encrypted files - unknown format
*
Encrypted files - unknown format (Wide)
*
IT asset information
Searches for suspicious outbound transactions, such as those containing information about the network, credit card magnetic tracks, and database files. Rules in this policy include:
*
IT asset information (Default)
*
IT asset information (Narrow)
*
IT asset information (Wide)
*
Suspected Malware Communication
*
Identifies traffic that is thought to be malware "phoning home" or attempting to steal information. Detection is based on the analysis of traffic patterns from known infected machines. Applies only when Forcepoint Web Security is installed. Rules in this policy include:
*
Suspected Malware Communication
*
Password files
Searches for outbound password files, such as a SAM database and UNIX / Linux passwords files. Rules in this policy include:
*
Password Files: Shadow Files
*
Password Files: Shadow Files (Wide)
*
Password Files: Password Files
*
Password Files: Password Files (Wide)
*
Password Files: SAM files
*
Password Files: General files
*
Suspicious Behavior Over Time
Accumulates transaction data such as number of HTTP/S posts, post size, and encryption information over a period of time to search for suspicious behavior that could be indicative of malicious activity. Some rules apply only when Forcepoint Web Security is installed. Rules in this policy include:
*
Number of HTTP/S Posts per Time
*
Cumulative Post Size per Time
*
Cumulative Generic Encryption per Time
Email DLP policy
Predefined Policies and Classifiers | Forcepoint DLP | 8.8
The Email DLP "quick policy" includes the PCI policy, PHI policies, and PII policies listed in this document (including financial policies).In addition, the Email DLP policy includes:
*
Questionable images
Detects images that may be objectionable or pose a liability to your organization. There is one rule in this policy:
*
Questionable images
*
Acceptable use
Detects dictionary terms that may be unacceptable in the work place, including adult, drugs, gambling, hate speech, job search, and violent terms. There is one rule in this policy:
*
Acceptable use
This policy includes terms in 12 languages:
*
English
*
French
*
Spanish
*
Italian
*
German
*
Dutch
*
Portuguese
*
Chinese
*
Taiwanese
*
Turkish
*
Japanese
*
Russian
Mobile DLP policy
Predefined Policies and Classifiers | Forcepoint DLP | 8.8
The Mobile DLP "quick policy" includes the PCI policy, PHI policies, and PII policies listed in this document (including financial policies). In addition, the Mobile DLP policy includes:
*
Questionable images
Detects images that may be objectionable or pose a liability to your organization. There is one rule in this policy:
*
Questionable images
*
Acceptable use
Detects dictionary terms that may be unacceptable in the work place, including adult, drugs, gambling, hate speech, job search, and violent terms. There is one rule in this policy:
*
Acceptable use
This policy includes terms in 12 languages:
*
English
*
French
*
Spanish
*
Italian
*
German
*
Dutch
*
Portuguese
*
Chinese
*
Taiwanese
*
Turkish
*
Japanese
*
Russian

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Forcepoint DLP Predefined Policies and Classifiers : Data Loss Prevention policies : Data Theft Risk Indicators
Copyright 2020 Forcepoint. All rights reserved.