
How to get sensitive data off a corporate network

  • 30-09-2016 11:15am
    #1
    Registered Users Posts: 2,846 ✭✭✭


    Hi all. I'm currently doing a bit of a gap analysis on our ability to prevent sensitive data leaving the business. Other than the following, what are potential ways you can see that somebody can do this?
    • Through the web - webmail, cloud storage, torrents, ftp, proxy sites
    • Corporate email
    • USB
    • CD / DVD
    • Printing
    • Photos
    • Faxing

    Any further ways I'm not thinking of?



Comments

  • Registered Users Posts: 1,056 ✭✭✭secondrowgal


    People talking?? Would that not be the first and most common way?


  • Registered Users Posts: 2,846 ✭✭✭discombobulate


    secondrowgal wrote: »
    People talking?? Would that not be the first and most common way?
    Ok put it this way, if somebody had a list of 100,000 PII records how could they get it out. It'd take a bit too much memory recall!


  • Registered Users Posts: 4,080 ✭✭✭sheesh


    I know it is the same as usb, but their phones. and video.


  • Registered Users Posts: 2,846 ✭✭✭discombobulate


    sheesh wrote: »
    I know it is the same as usb, but their phones. and video.
    Covered by pictures and USB. More worried about how a large file could be removed than small snippets.


  • Registered Users Posts: 2,846 ✭✭✭discombobulate


    Also any ideas people have in relation to bypassing DLP software such as saving files as images, encrypted or other formats the DLP software may not identify. Bypassing through using a laptop off the network etc.


  • Registered Users Posts: 6,392 ✭✭✭AnCatDubh


    Probably less likely to be seen in the wild but non web file transfer (bluetooth/wifi) is a *possibility* if they aren't otherwise restricted.


  • Closed Accounts Posts: 4,042 ✭✭✭zl1whqvjs75cdy


    May be covered by USB but if people have laptops they could save documents locally and bring the computer home. Then there would be no visibility on documents taken. They could pull massive amounts of stuff onto portable hdd etc.


  • Registered Users Posts: 460 ✭✭mcbert


    A variation on the above, that you might not be considering: a USB key can be more than just storage, but a bootable OS too. If someone reboots, or just pulls the plug, then boots into a live Linux install on a USB key, it can usually access an awful lot on a local corporate disk, without the corporate OS, Windows for example, knowing anything about it except a period of power loss.


  • Banned (with Prison Access) Posts: 47 Smokers and Jokers?


    People taking photos of their computer screens when sensitive data is being displayed.


  • Registered Users Posts: 4,733 ✭✭✭Xterminator


    Re phones.

    Users' phones are on the mobile network and you cannot control/monitor their sending and receiving data. They can get scanning apps like Text Fairy that will allow users to convert pics to text.

    So they can copy from hard copy or display on screen and photo, then convert to text, and it cannot be detected by standard intrusion detection methods.


  • Registered Users Posts: 4,080 ✭✭✭sheesh


    mcbert wrote: »
    A variation on the above, that you might not be considering: a USB key can be more than just storage, but a bootable OS too. If someone reboots, or just pulls the plug, then boots into a live Linux install on a USB key, it can usually access an awful lot on a local corporate disk, without the corporate OS, Windows for example, knowing anything about it except a period of power loss.

    That's a good one. So force the users only to boot from hard disk?


  • Registered Users Posts: 460 ✭✭mcbert


    Password protect access to BIOS, although not sure how good such protection is. Disable booting from USB in BIOS. But also, you need to block physical access to the inside of the machine, since it is easy to pull the plug, take out the disk, and plug it into a laptop via a SATA to USB cable.

    Maybe use full disk encryption.


  • Registered Users Posts: 1,993 ✭✭✭ItHurtsWhenIP


    Remote access tools (Teamviewer)
    Instant Messaging platforms (Skype for Business)


  • Registered Users Posts: 5,112 ✭✭✭Blowfish


    Don't forget that your non-web protocols, SSH, Telnet, DNS, ICMP etc., can all be used. Hell, even straight up raw packets could be used if you aren't paying attention to your egress.
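
Added example, not part of Blowfish's post or the thread: a defender-side check for the DNS case mentioned above, scanning resolver query logs for a client that sends many long, high-entropy subdomain labels to one parent domain. The log format, thresholds, function names and sample data are assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample: "client_ip query_name" pairs such as a resolver log yields.
# The five long labels are rotations of the base32 alphabet, so each has
# exactly 5 bits of entropy per character.
B32 = "abcdefghijklmnopqrstuvwxyz234567"
SAMPLE_LOG = "\n".join(
    ["10.0.4.17 www.example.com", "10.0.4.17 mail.example.com",
     "10.0.4.17 portal.example.com", "10.0.4.17 files.example.com",
     "10.0.4.22 www.example.net"]
    + [f"10.0.4.22 {B32[i:] + B32[:i]}.t1.example.net" for i in range(5)]
)

def entropy(s):
    """Shannon entropy of a string, in bits per character."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def suspicious_dns_clients(log_text, min_unique=4, min_len=24, min_entropy=3.5):
    """Flag (client, parent domain) pairs whose query names look like encoded data.

    Thresholds are assumptions to tune against your own resolver logs.
    """
    labels_seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines
        client, qname = parts
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue  # no subdomain to inspect
        parent = ".".join(labels[-2:])  # naive: ignores multi-label suffixes like co.uk
        labels_seen[(client, parent)].add(labels[0])
    flagged = {}
    for key, firsts in labels_seen.items():
        long_labels = [l for l in firsts if len(l) >= min_len]
        if len(long_labels) < min_unique:
            continue  # many short names (www, mail, ...) is normal browsing
        avg = sum(entropy(l) for l in long_labels) / len(long_labels)
        if avg >= min_entropy:
            flagged[key] = {"unique_long": len(long_labels),
                            "longest": max(map(len, long_labels)),
                            "avg_entropy": round(avg, 2)}
    return flagged

if __name__ == "__main__":
    print(suspicious_dns_clients(SAMPLE_LOG))
```

The same per-client, per-destination counting applies to ICMP payload sizes or outbound SSH byte counts if those are logged at the egress point.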


  • Registered Users Posts: 2,846 ✭✭✭discombobulate


    Thanks guys. Think we have most blocked off or at least only granted on an exception basis and behind our DLP product. We use full disk encryption mcbert but must look into what access users have in the bios.

    Good suggestions there Blowfish


  • Registered Users Posts: 901 ✭✭✭geecee


    Steganography: the practice of concealing messages or information within other non-secret text or data.
    Easy to obfuscate that 100,000 rows of PI data into a 1.4 MB jpg


  • Closed Accounts Posts: 9,764 ✭✭✭my3cents


    What happens if someone turns up with their own laptop and just plugs it into the network? Assuming the user is capable of getting around basic security and has suitable login credentials.

    Edit> Would it be going too far to imagine a laptop or any network capable device being plugged into your network and then having data copied to a USB key plugged into that rogue device or directed to the device by one of the methods already suggested?


  • Registered Users Posts: 6,392 ✭✭✭AnCatDubh


    my3cents wrote: »
    What happens if someone turns up with their own laptop and just plugs it into the network?

    You may be quarantining such connections at the network layer (depends on availability/support via your networking infrastructure). ie. they may not get very much access - or may be provided with limited services, such as guest internet access.


  • Registered Users Posts: 10,257 ✭✭✭✭Standard Toaster


    Opening the work machine and walking out with harddrive with a copy of the network share on it. Most machines are tool-less too.


  • Registered Users Posts: 2,846 ✭✭✭discombobulate


    my3cents wrote: »
    What happens if someone turns up with their own laptop and just plugs it into the network? Assuming the user is capable of getting around basic security and has suitable login credentials.

    Edit> Would it be going too far to imagine a laptop or any network capable device being plugged into your network and then having data copied to a USB key plugged into that rogue device or directed to the device by one of the methods already suggested?
    Yep that's a current gap here
    geecee wrote: »
    Steganography: the practice of concealing messages or information within other non-secret text or data.
    Easy to obfuscate that 100,000 rows of PI data into a 1.4 MB jpg
    Without spending a while on Google, any easy way to test this? I know we have a gap in this area already as we haven't implemented the OCR module of our DLP software but I'd be interested to see if this module will also identify hidden data.

    Also it'd need to be without requiring local admin access.
    Standard Toaster wrote: »
    Opening the work machine and walking out with harddrive with a copy of the network share on it. Most machines are tool-less too.
    Possible but will all controls such as prevention of admin access, DLP endpoint client, blocking of USB access, inability to change proxies etc. not still be applied?


  • Registered Users Posts: 149 ✭✭golfcaptain


    I'd recommend professional pen testing if it's feasible for your company. To add another to your list, what physical security is in place to stop someone walking in off the street and sitting down at left logged in computer, or going into say accounts dept "Hi I'm from IT...." . Don't forget your backups too, how are they protected.


  • Registered Users Posts: 2,846 ✭✭✭discombobulate


    golfcaptain wrote: »
    I'd recommend professional pen testing if it's feasible for your company. To add another to your list, what physical security is in place to stop someone walking in off the street and sitting down at left logged in computer, or going into say accounts dept "Hi I'm from IT...." . Don't forget your backups too, how are they protected.
    Thanks for your suggestions. We have done external pen testing in the past and have more scheduled. For the purposes of what I'm looking at though it's simply how an internal person could bypass controls we currently have in place. Physical sec has issues we are aware of and backups are fine.


  • Registered Users Posts: 4,331 ✭✭✭Keyzer


    I know you mentioned you have DLP installed. Is it a host based or network based DLP solution?

    I've managed DLP programs in the past and I mean this in all seriousness, the ways in which people discover how to bypass it is truly impressive.


  • Registered Users Posts: 4,331 ✭✭✭Keyzer


    Standard Toaster wrote: »
    Opening the work machine and walking out with harddrive with a copy of the network share on it. Most machines are tool-less too.

    A TPM chip and full disk encryption would combat that.

    Think the OP mentioned they have full disk encryption setup.


  • Registered Users Posts: 149 ✭✭golfcaptain


    Keyzer wrote: »
    I know you mentioned you have DLP installed. Is it a host based or network based DLP solution?

    I've managed DLP programs in the past and I mean this in all seriousness, the ways in which people discover how to bypass it is truly impressive.

    I've never seen this:
    services.msc - YourDLPService - Stop - Disabled


  • Registered Users Posts: 149 ✭✭golfcaptain


    discombobulate wrote: »
    Thanks for your suggestions. We have done external pen testing in the past and have more scheduled. For the purposes of what I'm looking at though it's simply how an internal person could bypass controls we currently have in place.
    External pen tester gains access to internal network, external pen tester is now same as internal person effectively. I know what you mean but I often find it easier thinking not how data can get out, rather, how would I get 'in'. Pen testing should include physical vulnerabilities also, it shouldn't be addressed separately.

    Handheld scanning devices are another method if someone hasn't already mentioned and drive duplicators.


  • Registered Users Posts: 2,846 ✭✭✭discombobulate


    Keyzer wrote: »
    I know you mentioned you have DLP installed. Is it a host based or network based DLP solution?

    I've managed DLP programs in the past and I mean this in all seriousness, the ways in which people discover how to bypass it is truly impressive.
    Network based with a client installed on all machines so that it can't be bypassed off network. I'm not involved with the management of the product but more risk and assurance in trying to independently identify weaknesses with it.

    Quite a few gaps at the moment but trying to ensure I give as much coverage and think of as many additional scenarios as possible. Some good suggestions in here so far some of which I hadn't thought of. Any further you would suggest?
    Keyzer wrote: »
    A TPM chip and full disk encryption would combat that.

    Think the OP mentioned they have full disk encryption setup.
    TPM chips not currently in place. Full disk on laptops but not desktops. Still a risk of course.
    golfcaptain wrote: »
    I've never seen this:
    services.msc - YourDLPService - Stop - Disabled
    Access to disable is restricted but hadn't thought of disabling just uninstalling the local client.
    golfcaptain wrote: »
    External pen tester gains access to internal network, external pen tester is now same as internal person effectively. I know what you mean but I often find it easier thinking not how data can get out, rather, how would I get 'in'. Pen testing should include physical vulnerabilities also, it shouldn't be addressed separately.
    I agree a full on pen test would review a lot more and we do intend to get another pen test done soon but that will be more a capture the flag exercise to identify vulnerabilities in how we are protecting our network and infrastructure rather than purely how the data if obtained could be taken out which we are looking at here.


  • Registered Users Posts: 4,331 ✭✭✭Keyzer


    golfcaptain wrote: »
    I've never seen this:
    services.msc - YourDLPService - Stop - Disabled

    Doesn't even require techy expertise in some cases. We had a DLP solution which had plugins for MSFT Office other than OneNote. Which became an issue when a particular person configured it to sync to his personal one drive account.


  • Registered Users Posts: 760 ✭✭✭mach1982


    USB Rubber Ducky as shown in Mr Robot. It's a HID (human interface device), i.e. keyboard, mice etc., emulator. Plug it in, and with the right payload it can copy all the credentials stored on the machine.


  • Closed Accounts Posts: 9,764 ✭✭✭my3cents


    Anything to stop someone just plugging in a wireless access point under a desk and hiding it in all the mess of cables that seems to accumulate under desks then hacking away at the data from out in the car park?

