
How to get sensitive data off a corporate network


Comments

  • Registered Users Posts: 10,257 ✭✭✭✭Standard Toaster


    Possible but will all controls such as prevention of admin access, DLP endpoint client, blocking of USB access, inability to change proxies etc. not still be applied?

    Once there's physical access assume data will be lifted off site.

    First thing I can think of, user boots Windows into recovery and replaces sethc.exe with cmd.exe and can now get an elevated system cmd by hitting shift x5 on the logon screen. Reset local admin etc etc, disable DLP and so on without even logging in.
    I'm not sure if that can be done on Win10.

    Use VDI and the likes to limit these types of attacks.

    Feck it, you don't even need physical access..... electromagnetic emanations

    engadget.com/2008/10/20/keyboard-eavesdropping-just-got-way-easier-thanks-to-electrom/
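
A defender's check for the sethc.exe swap described in the post above, as an added example that is not part of the original thread: it classifies `sethc.exe` in a System32 directory (a live host or a mounted disk image) by comparing its hash with `cmd.exe` and with a baseline. The function names, the `baseline_sha256` parameter and the stand-in files are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Optional


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def check_sethc(system32: Path, baseline_sha256: Optional[str] = None) -> str:
    """Classify sethc.exe in a System32 directory (live host or mounted image).

    baseline_sha256 (assumption): hash recorded from your trusted OS build.
    Returns "missing", "replaced-with-cmd", "differs-from-baseline" or "ok".
    """
    sethc, cmd = system32 / "sethc.exe", system32 / "cmd.exe"
    if not sethc.is_file():
        return "missing"
    sethc_hash = sha256_of(sethc)
    # Identical bytes to cmd.exe means the swap described in the post happened.
    if cmd.is_file() and sethc_hash == sha256_of(cmd):
        return "replaced-with-cmd"
    # Any other drift from the trusted build is still worth an alert.
    if baseline_sha256 and sethc_hash != baseline_sha256.lower():
        return "differs-from-baseline"
    return "ok"


def demo() -> dict:
    """Exercise the check on constructed stand-in files, not real Windows binaries."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = Path(tmp)
        (sys32 / "cmd.exe").write_bytes(b"constructed cmd.exe stand-in")
        (sys32 / "sethc.exe").write_bytes(b"constructed sethc.exe stand-in")
        good = sha256_of(sys32 / "sethc.exe")
        results["clean"] = check_sethc(sys32, good)
        (sys32 / "sethc.exe").write_bytes((sys32 / "cmd.exe").read_bytes())
        results["swapped"] = check_sethc(sys32, good)
        (sys32 / "sethc.exe").write_bytes(b"constructed unknown binary")
        results["other"] = check_sethc(sys32, good)
        (sys32 / "sethc.exe").unlink()
        results["missing"] = check_sethc(sys32, good)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Run on a schedule or against forensic images, a "replaced-with-cmd" or "differs-from-baseline" verdict is the signal to raise with whoever handles endpoint alerts.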


  • Registered Users Posts: 134 ✭✭ishotjr2


    If anyone is half interested, avoiding DLP is easy IMO. Most of them work by using the same principle of data-deduplication, finding a series of bytes based on a non-fixed byte boundary.

    I looked at these guys a fair bit https://www.codegreennetworks.com/

    So just break up the information into smaller parts (bytes 0-10,20-25,..... in one file) then (bytes 11-20, 26-35, in another file) you do not have to do anything all that fancy usually.

    So my 5 cents: I would invest in other technologies, as someone suggested, VDI, even though your use cases may not permit.

    Look at the interesting subject of document bugging also but that is only a side project.


  • Closed Accounts Posts: 1,403 ✭✭✭Jan_de_Bakker


    Intriguing thread, OP mind if I ask what type of business this is where the data is so valuable?


  • Registered Users Posts: 2,846 ✭✭✭discombobulate


    Intriguing thread, OP mind if I ask what type of business this is where the data is so valuable?
    Hi Jan. It's less how valuable the data is but more the implications of a breach from a reputational and regulatory point of view. We'd have a lot of PII stored in relation to customers. We'd also have a level of Intellectual Property (code mainly) but that'd be of less concern as I'm not sure anyone else would be able to use it. I'm more in the risk assessment side of the business and not directly working in IT so we're trying to gauge how secure we are currently.

    There may not be an appetite for full lockdown and DLP software being extended across the entire network and production servers we have but what I'm doing will relay where potential gaps are and allow management to make a decision based on that.


  • Registered Users Posts: 2,809 ✭✭✭edanto


    Do you have any monitoring to report on suspicious activity? For example, if Bob from accounts is disgruntled and decides to try and get some information out before he leaves. Assume he's aware of what will set off a DLP alert but starts to move through areas of the file server/repository/customer database that he shouldn't be poking around in.

    Does anything alert the right people?

    After completing the review/upgrade exercise that this thread is part of, would it be worth tasking someone trusted to try and take some sensitive info out and see if they can?

    I don't know much about the area, and have learnt a lot from reading this thread. Someone more knowledgeable may quickly poke holes in what I'm suggesting; happy to learn from that!


  • Registered Users Posts: 6,775 ✭✭✭CelticRambler


    Don't forget to review the security around your backup protocols. Concentrating on locking down the last, tiniest weak point at the primary site might distract from a glaring hole in the back-up routine or off-site location.

