All HowTo's Cyber-Security

Dealing with Data Exfiltrate in Business

We go to great lengths to protect company data with backups, access controls and staff training but what if someone with access tries to take intellectual property from the business computer systems for their own gain? What can you do about it? That’s the topic of this article.

It’s not just governments and military that care about data exfiltration. It’s also businesses with a reputation to protect.

This article focuses on staff behavior and not viruses and hackers. Most of what we’re doing here effects both but we’ve got a focus on staff.

Let’s jump right into it. How many ways can staff take IP out of the business?

  • Print documents and take them off-site.
  • Email documented to an external email account.
  • Copy documents onto USB disks or other portable storage devices.
  • Upload documents to cloud storage such as iCloud, Dropbox and Google Drive.

Each must be tackled separately.

Combining Windows Group Policies with web surfing access controls will allow for mitigating most avenues for data exfiltration but not all. You’d be able to block the use of USB disks, block non-work related websites and online services and even limit printing.

But the problem is that staff may be allowed to do these things. Staff often need to be able to print, send emails with attachments and share documents with DropBox.

Limiting which staff have access to critical data and which staff have access to print, copy and share data will go a long way to solving the data exfiltration problem.

And here’s the big problem. Staff that have access to the most critical information are also those who need to be able to print and share the information. The executives and management. Limiting their access is usually not an option as they are the people responsible for setting the rules in the first place. If you disagree on this then consider how 27k policies are structured.

We find ourselves in the situation where the very people who have access to the critical information are also those who set the rules.

The solution are to use “deterrents”, “prevention” and “detection”:

  • Ensure you have IT policies signed by staff. This ensures staff know what they can and can’t do. It also means staff can expect to be “tracked”.
  • Tell staff that logging occurs on all levels to ensure systems are used in compliance with the company information technology policies. This will install doubt into the mind of the would-be wrong-doer.
  • Implement as much logging as possible. It’s only with logging that action can be taken with confidence.
  • Put in access controls to prevent printing large numbers of pages, copying files to portable storage devices, large email attachment and attachment types and unnecessary online storage services.
  • Limit the use of BYO devices. For example, prevent the use unauthorized computers on the network.
  • Limit VPN (and remote access in general) to only those that need it.
  • Limit activities to times of days. For example, workstation logins are only permitted during work hours.

There is one major section we haven’t covered so far. How to prevent uploading documents to online storage services such as DropBox, Google Drive and iCloud. When uploading files to the Internet (to a website), the browser will use the POST method with the payload being the information that we care about in this context. The payload will force the POST packets to be large. These large packets can be detected by DPE (deep packet inspection) capable firewalls. More specifically, you’ll need a web proxy that can intercept the SSL session between the staff member’s web browser and the online service (web server). The proxy then inspects the packet and then establishes another session between its self and the web server. The packet inspection should identify and block repeated large packets outbound.

Why use SSL interception? Because most online services these days use only SSL to ensure good security.

With the above as a foundation for your data exfiltration strategy, you should be able to accommodate most (if not all) avenues a staff member might use to move data out of the business and into the hands of those who’d do harm to the business.

The bottom line is that if someone has access to the source data and access to the destination location (online storage, etc) then they can copy the data. You may not be able to stop it but you may be able to detect it and respond. Once sensible measures have been taken, the solution moves from being technical to a business function. Legal.

Leave a Reply

Your email address will not be published. Required fields are marked *