How to get sensitive data off a corporate network

  • 30-09-2016 10:15am
    #1
    Registered Users, Registered Users 2 Posts: 2,846 ✭✭✭


    Hi all. I'm currently doing a bit of a gap analysis on our ability to prevent sensitive data leaving the business. Other than the following, what are the potential ways you can see that somebody can do this?
    • Through the web - webmail, cloud storage, torrents, ftp, proxy sites
    • Corporate email
    • USB
    • CD / DVD
    • Printing
    • Photos
    • Faxing

    Any further ways I'm not thinking of?


Comments

  • Registered Users, Registered Users 2 Posts: 1,075 ✭✭✭secondrowgal


    People talking?? Would that not be the first and most common way?


  • Registered Users, Registered Users 2 Posts: 2,846 ✭✭✭discombobulate


    People talking?? Would that not be the first and most common way?
    Ok, put it this way: if somebody had a list of 100,000 PII records, how could they get it out? It'd take a bit too much memory recall!


  • Registered Users, Registered Users 2 Posts: 4,081 ✭✭✭sheesh


    I know it is the same as USB, but their phones, and video.


  • Registered Users, Registered Users 2 Posts: 2,846 ✭✭✭discombobulate


    sheesh wrote: »
    I know it is the same as USB, but their phones, and video.
    Covered by pictures and USB. More worried about how a large file could be removed than small snippets.


  • Registered Users, Registered Users 2 Posts: 2,846 ✭✭✭discombobulate


    Also, any ideas people have in relation to bypassing DLP software, such as saving files as images, encrypted or other formats the DLP software may not identify, or bypassing it by using a laptop off the network, etc.


  • Registered Users, Registered Users 2 Posts: 6,393 ✭✭✭AnCatDubh


    Probably less likely to be seen in the wild, but non-web file transfer (Bluetooth/Wi-Fi) is a *possibility* if they aren't otherwise restricted.


  • Closed Accounts Posts: 4,042 ✭✭✭zl1whqvjs75cdy


    May be covered by USB, but if people have laptops they could save documents locally and bring the computer home. Then there would be no visibility on documents taken. They could pull massive amounts of stuff onto a portable HDD etc.


  • Registered Users, Registered Users 2 Posts: 460 ✭✭mcbert


    A variation on the above that you might not be considering: a USB key can be more than just storage, but a bootable OS too. If someone reboots, or just pulls the plug, then boots into a live Linux install on a USB key, it can usually access an awful lot on a local corporate disk without the corporate OS (Windows, for example) knowing anything about it except a period of power loss.


  • Banned (with Prison Access) Posts: 47 Smokers and Jokers?


    People taking photos of their computer screens when sensitive data is being displayed.


  • Registered Users, Registered Users 2 Posts: 4,782 ✭✭✭Xterminator


    re phones.

    Users' phones are on the mobile network and you cannot control/monitor their sending and receiving data. They can get scanning apps like Text Fairy that will allow users to convert pics to text.

    So they can copy from hard copy or a display on screen and photo it, then convert it to text, and it cannot be detected by standard intrusion detection methods.


  • Registered Users, Registered Users 2 Posts: 4,081 ✭✭✭sheesh


    mcbert wrote: »
    A variation on the above that you might not be considering: a USB key can be more than just storage, but a bootable OS too. If someone reboots, or just pulls the plug, then boots into a live Linux install on a USB key, it can usually access an awful lot on a local corporate disk without the corporate OS (Windows, for example) knowing anything about it except a period of power loss.

    That's a good one. So force the users to only boot from hard disk?


  • Registered Users, Registered Users 2 Posts: 460 ✭✭mcbert


    Password protect access to the BIOS, although not sure how good such protection is. Disable booting from USB in the BIOS. But also, you need to block physical access to the inside of the machine, since it is easy to pull the plug, take out the disk, and plug it into a laptop via a SATA to USB cable.

    Maybe use full disk encryption.


  • Registered Users, Registered Users 2 Posts: 2,116 ✭✭✭ItHurtsWhenIP


    Remote access tools (TeamViewer)
    Instant Messaging platforms (Skype for Business)


  • Registered Users, Registered Users 2 Posts: 5,112 ✭✭✭Blowfish


    Don't forget that your non-web protocols (SSH, Telnet, DNS, ICMP, etc.) can all be used; hell, even straight-up raw packets could be used if you aren't paying attention to your egress.
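
The egress point above is the one most often missed for DNS, because DNS is allowed out of almost every network. The following is an added example (not from the thread or any product): a small detector that groups resolver log lines per client and registered domain and flags groups whose leading labels are numerous, almost all distinct, long and high-entropy, the shape that data carried in subdomain labels takes. The two-column log format and the sample lines are constructed for the example; the thresholds are starting points to tune against your own baseline.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not from the thread): "client_ip qname" per line.
# The first two clients make ordinary lookups; 10.0.0.77 sends long, unique,
# high-entropy labels under one domain, the shape a DNS tunnel produces.
SAMPLE_DNS_LOG = """\
10.0.0.12 www.example.com
10.0.0.12 mail.example.com
10.0.0.12 cdn.example.net
10.0.0.33 www.example.com
10.0.0.33 updates.example.org
10.0.0.33 mail.example.com
10.0.0.33 www.example.com
10.0.0.33 www.example.com
10.0.0.77 q7w2e9r4t1y8u3i6o5p0a2s9d4f1.exfil-example.test
10.0.0.77 g5h8j3k6l1z9x4c7v2b0n3m6a9s2.exfil-example.test
10.0.0.77 z1x4c7v0b3n6m9q2w5e8r1t4y7u0.exfil-example.test
10.0.0.77 k9l2p5o8i1u4y7t0r3e6w9q2a5s8.exfil-example.test
10.0.0.77 d3f6g9h2j5k8l1z4x7c0v3b6n9m2.exfil-example.test
"""


def shannon_entropy(s):
    """Bits per character of s (0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Return (client, qname) tuples from the simple two-column log format."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        records.append((parts[0], parts[1].lower().rstrip(".")))
    return records


def registered_domain(qname):
    # Assumption: the last two labels are the registered domain; production
    # code would consult the Public Suffix List (co.uk and the like).
    labels = qname.split(".")
    return ".".join(labels[-2:])


def find_tunnel_candidates(records, min_queries=4, min_unique_ratio=0.9,
                           min_avg_label_len=20, min_entropy=3.0):
    """Group queries per (client, registered domain) and flag groups whose
    leading labels are numerous, almost all distinct, long and high-entropy.
    Returns {(client, domain): stats} for the flagged groups."""
    groups = defaultdict(list)
    for client, qname in records:
        labels = qname.split(".")
        if len(labels) < 3:
            continue  # a bare registered domain carries no data label
        groups[(client, registered_domain(qname))].append(labels[0])

    flagged = {}
    for key, first_labels in groups.items():
        n = len(first_labels)
        if n < min_queries:
            continue
        unique_ratio = len(set(first_labels)) / n      # repeated lookups are normal
        avg_len = sum(map(len, first_labels)) / n      # encoded data needs long labels
        entropy = shannon_entropy("".join(first_labels))  # dictionary hostnames score low
        if (unique_ratio >= min_unique_ratio and avg_len >= min_avg_label_len
                and entropy >= min_entropy):
            flagged[key] = {"queries": n, "unique_ratio": unique_ratio,
                            "avg_label_len": avg_len, "entropy": round(entropy, 2)}
    return flagged


if __name__ == "__main__":
    for (client, domain), stats in find_tunnel_candidates(parse_log(SAMPLE_DNS_LOG)).items():
        print(f"possible DNS tunnel: {client} -> {domain} {stats}")
```

The chatty client 10.0.0.33 is not flagged even though it makes more queries than anyone else, because its labels repeat and are short; the three tests together are what separate a busy workstation from a tunnel. Feed the same function a day of real resolver logs and the thresholds will need adjusting for CDN and telemetry domains that legitimately use long unique labels, which is where an allow-list of known domains comes in.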


  • Registered Users, Registered Users 2 Posts: 2,846 ✭✭✭discombobulate


    Thanks guys. Think we have most blocked off, or at least only granted on an exception basis and behind our DLP product. We use full disk encryption, mcbert, but must look into what access users have in the BIOS.

    Good suggestions there, Blowfish.


  • Registered Users, Registered Users 2 Posts: 915 ✭✭✭geecee


    Steganography: the practice of concealing messages or information within other non-secret text or data.
    Easy to obfuscate those 100,000 rows of PI data into a 1.4 MB JPG.


  • Closed Accounts Posts: 9,764 ✭✭✭my3cents


    What happens if someone turns up with their own laptop and just plugs it into the network? Assuming the user is capable of getting around basic security and has suitable login credentials.

    Edit> Would it be going too far to imagine a laptop or any network capable device being plugged into your network and then having data copied to a USB key plugged into that rogue device or directed to the device by one of the methods already suggested?


  • Registered Users, Registered Users 2 Posts: 6,393 ✭✭✭AnCatDubh


    my3cents wrote: »
    What happens if someone turns up with their own laptop and just plugs it into the network?

    You may be quarantining such connections at the network layer (depends on availability/support via your networking infrastructure), i.e. they may not get very much access, or may be provided with limited services such as guest internet access.


  • Registered Users, Registered Users 2 Posts: 10,288 ✭✭✭✭Standard Toaster


    Opening the work machine and walking out with the hard drive with a copy of the network share on it. Most machines are tool-less too.


  • Registered Users, Registered Users 2 Posts: 2,846 ✭✭✭discombobulate


    my3cents wrote: »
    What happens if someone turns up with their own laptop and just plugs it into the network? Assuming the user is capable of getting around basic security and has suitable login credentials.

    Edit> Would it be going too far to imagine a laptop or any network capable device being plugged into your network and then having data copied to a USB key plugged into that rogue device or directed to the device by one of the methods already suggested?
    Yep, that's a current gap here.
    geecee wrote: »
    Steganography: the practice of concealing messages or information within other non-secret text or data.
    Easy to obfuscate those 100,000 rows of PI data into a 1.4 MB JPG.
    Without spending a while on Google, is there any easy way to test this? I know we have a gap in this area already, as we haven't implemented the OCR module of our DLP software, but I'd be interested to see if this module will also identify hidden data.

    Also it'd need to be without requiring local admin access.
    Opening the work machine and walking out with the hard drive with a copy of the network share on it. Most machines are tool-less too.
    Possible, but will all controls such as prevention of admin access, DLP endpoint client, blocking of USB access, inability to change proxies etc. not still be applied?
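
On geecee's steganography point and the OP's question about an easy way to test for hidden data: the crudest and most common way of hiding a file in a JPG is simply to append it after the image, because every viewer stops reading at the EOI marker. That variant needs no steganalysis, only a structural check. The following is an added example, not from the thread or from any DLP product: it walks the JPEG marker segments to find where the image really ends and reports how many bytes follow. The sample JPEG skeleton and the hidden rows are constructed for the example and are not a decodable picture. Data hidden in the pixel values themselves (LSB steganography) is not caught by this check; it needs statistical steganalysis, or, as a cheaper policy, re-encoding images at the egress, which destroys both appended and fragile pixel-level payloads.

```python
SOI, EOI, SOS = b"\xff\xd8", b"\xff\xd9", 0xDA


def jpeg_end_offset(data):
    """Walk the JPEG marker segments and return the offset just past the EOI
    marker, i.e. where the image proper ends. Raises ValueError if the bytes
    do not have JPEG structure."""
    if not data.startswith(SOI):
        raise ValueError("no SOI marker: not a JPEG")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                 # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                 # EOI: image ends here
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                       # standalone markers carry no length
            continue
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")  # length includes itself
        pos += 2 + seg_len
        if marker == SOS:
            # Entropy-coded data follows with no length field: skip until a real
            # marker, ignoring the stuffed FF00 sequences and RSTn markers inside it.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def trailing_bytes(data):
    """Number of bytes appended after the image ends; 0 for a clean file."""
    return len(data) - jpeg_end_offset(data)


def naive_trailing_bytes(data):
    """The shortcut of searching for the last FF D9 in the file. It undercounts
    whenever the appended payload itself happens to contain those two bytes."""
    return len(data) - (data.rfind(EOI) + 2)


def build_sample_jpeg(payload=b""):
    """Constructed minimal JPEG skeleton (not a decodable picture): SOI, APP0,
    SOS, a few entropy-coded bytes including a stuffed FF00 and an RST0 marker,
    EOI, and then whatever payload is appended."""
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78\x9a"
    return SOI + app0 + sos + scan + EOI + payload


# Constructed payload (fake records, not real data), deliberately containing
# FF D9 so that the structural walk and the naive search disagree.
HIDDEN_ROWS = b"name,id\nJane Roe,0001\n\xff\xd9\nJohn Doe,0002\n"

if __name__ == "__main__":
    for label, blob in (("clean", build_sample_jpeg()), ("appended", build_sample_jpeg(HIDDEN_ROWS))):
        print(f"{label}: trailing bytes = {trailing_bytes(blob)}, naive = {naive_trailing_bytes(blob)}")
```

Run over an outbound image, any non-zero result is worth a look; in practice a few bytes of padding from some encoders are normal, so alert on a threshold rather than on exactly zero. The same structural idea (find where the real container ends) applies to PNG after the IEND chunk and to ZIP-based Office files.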


  • Registered Users, Registered Users 2 Posts: 149 ✭✭golfcaptain


    I'd recommend professional pen testing if it's feasible for your company. To add another to your list: what physical security is in place to stop someone walking in off the street and sitting down at a computer that was left logged in, or going into, say, the accounts dept with "Hi, I'm from IT...."? Don't forget your backups too; how are they protected?


  • Registered Users, Registered Users 2 Posts: 2,846 ✭✭✭discombobulate


    I'd recommend professional pen testing if it's feasible for your company. To add another to your list: what physical security is in place to stop someone walking in off the street and sitting down at a computer that was left logged in, or going into, say, the accounts dept with "Hi, I'm from IT...."? Don't forget your backups too; how are they protected?
    Thanks for your suggestions. We have done external pen testing in the past and have more scheduled. For the purposes of what I'm looking at, though, it's simply how an internal person could bypass controls we currently have in place. Physical sec has issues we are aware of, and backups are fine.


  • Registered Users, Registered Users 2 Posts: 4,331 ✭✭✭Keyzer


    I know you mentioned you have DLP installed. Is it a host based or network based DLP solution?

    I've managed DLP programs in the past and I mean this in all seriousness: the ways in which people discover how to bypass it are truly impressive.


  • Registered Users, Registered Users 2 Posts: 4,331 ✭✭✭Keyzer


    Opening the work machine and walking out with the hard drive with a copy of the network share on it. Most machines are tool-less too.

    A TPM chip and full disk encryption would combat that.

    Think the OP mentioned they have full disk encryption setup.


  • Registered Users, Registered Users 2 Posts: 149 ✭✭golfcaptain


    Keyzer wrote: »
    I know you mentioned you have DLP installed. Is it a host based or network based DLP solution?

    I've managed DLP programs in the past and I mean this in all seriousness: the ways in which people discover how to bypass it are truly impressive.

    I've never seen this:
    services.msc - YourDLPService - Stop - Disabled


  • Registered Users, Registered Users 2 Posts: 149 ✭✭golfcaptain


    Thanks for your suggestions. We have done external pen testing in the past and have more scheduled. For the purposes of what I'm looking at, though, it's simply how an internal person could bypass controls we currently have in place.
    An external pen tester gains access to the internal network; the external pen tester is now effectively the same as an internal person. I know what you mean, but I often find it easier thinking not how data can get out but rather how I would get 'in'. Pen testing should include physical vulnerabilities also; it shouldn't be addressed separately.

    Handheld scanning devices are another method, if someone hasn't already mentioned them, and drive duplicators.


  • Registered Users, Registered Users 2 Posts: 2,846 ✭✭✭discombobulate


    Keyzer wrote: »
    I know you mentioned you have DLP installed. Is it a host based or network based DLP solution?

    I've managed DLP programs in the past and I mean this in all seriousness: the ways in which people discover how to bypass it are truly impressive.
    Network-based, with a client installed on all machines so that it can't be bypassed off network. I'm not involved with the management of the product, but more with risk and assurance, trying to independently identify weaknesses with it.

    Quite a few gaps at the moment, but trying to ensure I give as much coverage and think of as many additional scenarios as possible. Some good suggestions in here so far, some of which I hadn't thought of. Any further you would suggest?
    Keyzer wrote: »
    A TPM chip and full disk encryption would combat that.

    Think the OP mentioned they have full disk encryption setup.
    TPM chips not currently in place. Full disk on laptops, but not desktops. Still a risk, of course.
    I've never seen this:
    services.msc - YourDLPService - Stop - Disabled
    Access to disable is restricted, but hadn't thought of disabling, just uninstalling the local client.
    An external pen tester gains access to the internal network; the external pen tester is now effectively the same as an internal person. I know what you mean, but I often find it easier thinking not how data can get out but rather how I would get 'in'. Pen testing should include physical vulnerabilities also; it shouldn't be addressed separately.
    I agree a full-on pen test would review a lot more, and we do intend to get another pen test done soon, but that will be more a capture-the-flag exercise to identify vulnerabilities in how we are protecting our network and infrastructure, rather than purely how the data, if obtained, could be taken out, which is what we are looking at here.


  • Registered Users, Registered Users 2 Posts: 4,331 ✭✭✭Keyzer


    I've never seen this:
    services.msc - YourDLPService - Stop - Disabled

    Doesn't even require techy expertise in some cases. We had a DLP solution which had plugins for MSFT Office, other than OneNote, which became an issue when a particular person configured it to sync to his personal OneDrive account.


  • Registered Users, Registered Users 2 Posts: 760 ✭✭✭mach1982


    USB Rubber Ducky, as shown in Mr Robot. It's a HID (human interface device, i.e. keyboard, mouse etc.) emulator. Plug it in, and with the right payload it can copy all the credentials stored on the machine.


  • Closed Accounts Posts: 9,764 ✭✭✭my3cents


    Anything to stop someone just plugging in a wireless access point under a desk, hiding it in all the mess of cables that seems to accumulate under desks, then hacking away at the data from out in the car park?


  • Registered Users, Registered Users 2 Posts: 10,288 ✭✭✭✭Standard Toaster


    Possible, but will all controls such as prevention of admin access, DLP endpoint client, blocking of USB access, inability to change proxies etc. not still be applied?

    Once there's physical access assume data will be lifted off site.

    First thing I can think of: user boots Windows into recovery and replaces sethc.exe with cmd.exe, and can now get an elevated system cmd by hitting Shift x5 on the logon screen. Reset local admin etc. etc., disable DLP and so on, without even logging in.
    I'm not sure if that can be done on Win10.

    Use VDI and the like to limit these types of attacks.

    Feck it, you don't even need physical access..... electromagnetic emanations

    engadget.com/2008/10/20/keyboard-eavesdropping-just-got-way-easier-thanks-to-electrom/


  • Registered Users, Registered Users 2 Posts: 134 ✭✭ishotjr2


    If anyone is half interested, avoiding DLP is easy IMO. Most of them work by using the same principle as data deduplication: finding a series of bytes based on a non-fixed byte boundary.

    I looked at these guys a fair bit https://www.codegreennetworks.com/

    So just break up the information into smaller parts (bytes 0-10, 20-25, ..... in one file) then (bytes 11-20, 26-35, ..... in another file); you do not have to do anything all that fancy, usually.

    So, my 5 cents: I would invest in other technologies, as someone suggested VDI, even though your use cases may not permit it.

    Look at the interesting subject of document bugging also, but that is only a side project.
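
The "non-fixed byte boundary" matching ishotjr2 describes is content-defined chunking, the same technique deduplicating storage uses: a rolling hash over the last few bytes decides where a chunk ends, so the same bytes produce the same chunks wherever they sit in a file, and a DLP fingerprint is just the set of chunk hashes of the protected document. The following is an added example, not the thread's or any vendor's code, of that mechanism from the defender's side: fingerprint a constructed customer export, then show that a contiguous excerpt pasted into another file is recognised while unrelated text is not. The window size, boundary probability and minimum chunk length are the assumptions that decide the smallest excerpt the index can ever match, which is exactly the limit the post above is pointing at; lowering them raises sensitivity and false positives together.

```python
import hashlib

WINDOW = 16                       # bytes of context that decide a boundary
BASE, MOD = 16777619, 1 << 32     # Rabin-Karp style polynomial rolling hash
BASE_POW_W = pow(BASE, WINDOW, MOD)
BOUNDARY_SHIFT = 27               # top 5 bits clear -> a boundary about every 32 bytes
MIN_CHUNK = 8                     # shorter chunks are too common to be evidence


def content_defined_chunks(data):
    """Split data where the rolling hash of the last WINDOW bytes has its top
    bits clear. A boundary depends only on local content, not on position."""
    chunks, start, h = [], 0, 0
    for i, byte in enumerate(data):
        h = (h * BASE + byte) % MOD
        if i >= WINDOW:
            h = (h - data[i - WINDOW] * BASE_POW_W) % MOD  # drop the outgoing byte
        if i >= WINDOW - 1 and (h >> BOUNDARY_SHIFT) == 0:
            chunks.append(data[start:i + 1])
            start = i + 1
    if start < len(data):
        chunks.append(data[start:])                       # trailing partial chunk
    return chunks


def fingerprint(document):
    """The registration step: a set of chunk digests, never the content itself."""
    return {hashlib.sha256(c).hexdigest()
            for c in content_defined_chunks(document) if len(c) >= MIN_CHUNK}


def scan(candidate, index):
    """Inspection step for a file leaving the network: how many chunks, and how
    many bytes, of the candidate are chunks of a registered document."""
    matched = [c for c in content_defined_chunks(candidate)
               if len(c) >= MIN_CHUNK and hashlib.sha256(c).hexdigest() in index]
    return len(matched), sum(len(c) for c in matched)


def is_leak(candidate, index, min_matched_bytes=64):
    """Policy: enough registered bytes present to block or alert."""
    return scan(candidate, index)[1] >= min_matched_bytes


# Constructed sample data (no real people): an 80-row customer export.
PROTECTED_CSV = "".join(
    f"{i},customer{i:03d},customer{i:03d}@example.invalid,{1000 + 7 * i}\n"
    for i in range(80)).encode()
# Rows 20-59 as they would look pasted into an e-mail or a new file.
EXCERPT = "".join(PROTECTED_CSV.decode().splitlines(keepends=True)[20:60]).encode()
# Ordinary office text that must not trigger.
UNRELATED = (b"Minutes of the Tuesday meeting: the quarterly review was moved to "
             b"Thursday and the office plants need watering while Sam is away.\n") * 4

if __name__ == "__main__":
    index = fingerprint(PROTECTED_CSV)
    print(f"registered {len(index)} chunks")
    for name, blob in (("excerpt", EXCERPT), ("unrelated", UNRELATED)):
        print(name, scan(blob, index), "LEAK" if is_leak(blob, index) else "clean")
```

Only chunks that lie entirely inside the excerpt can match, so the first and last partial chunks are lost and anything shorter than a couple of chunks never scores; that is the structural reason such matching has a floor, and why the OP's review should record the fingerprint settings (chunk size, match threshold) rather than treating "DLP installed" as a yes/no control. Pairing fingerprints with pattern rules (e-mail addresses, ID number formats) covers the short fragments the chunk index cannot.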


  • Closed Accounts Posts: 1,403 ✭✭✭Jan_de_Bakker


    Intriguing thread. OP, mind if I ask what type of business this is where the data is so valuable?


  • Registered Users, Registered Users 2 Posts: 2,846 ✭✭✭discombobulate


    Intriguing thread. OP, mind if I ask what type of business this is where the data is so valuable?
    Hi Jan. It's less how valuable the data is and more the implications of a breach from a reputational and regulatory point of view. We'd have a lot of PII stored in relation to customers. We'd also have a level of Intellectual Property (code mainly), but that'd be of less concern as I'm not sure anyone else would be able to use it. I'm more on the risk assessment side of the business and not directly working in IT, so we're trying to gauge how secure we are currently.

    There may not be an appetite for full lockdown and DLP software being extended across the entire network and production servers we have, but what I'm doing will relay where potential gaps are and allow management to make a decision based on that.


  • Registered Users, Registered Users 2 Posts: 2,809 ✭✭✭edanto


    Do you have any monitoring to report on suspicious activity? For example, if Bob from accounts is disgruntled and decides to try and get some information out before he leaves. Assume he's aware of what will set off a DLP alert but starts to move through areas of the file server/repository/customer database that he shouldn't be poking around in.

    Does anything alert the right people?

    After completing the review/upgrade exercise that this thread is part of, would it be worth tasking someone trusted to try and take some sensitive info out and see if they can?

    I don't know much about the area, and have learnt a lot from reading this thread. Someone more knowledgeable may quickly poke holes in what I'm suggesting; happy to learn from that!


  • Registered Users, Registered Users 2 Posts: 6,965 ✭✭✭CelticRambler


    Don't forget to review the security around your backup protocols. Concentrating on locking down the last, tiniest weak point at the primary site might distract from a glaring hole in the backup routine or off-site location.

