Protecting sensitive data must be a top priority for any business. Unfortunately, the multitude of techniques available to threat actors makes detecting and preventing attacks a full-time job. To make that job easier, this article explains how to prevent data exfiltration by addressing the techniques most commonly used in exfiltration attempts.
Data exfiltration, also known as data extrusion, data exportation, or data theft, is the unauthorized transfer of data from one computer, network, or server to another. It most commonly occurs when malware or a malicious actor executes an unauthorized data transfer.
The most desirable data to exfiltrate include passwords, intellectual property, and personally identifiable information (PII). These types of data can be readily sold for financial gain.
When trying to understand how hackers exfiltrate data from a network, it’s important to realize that data exfiltration isn’t exclusive to external threats; employees are just as capable of making unauthorized data transfers.
In fact, malicious insider threats are in the optimal position; they do not need to work as hard to gain access to a device with a connection to system resources as an external attacker would.
For optimal protection, be prepared to mitigate both internal and external attacks. Otherwise, an insider's trusted access to the network lets them exfiltrate your customers' data with far fewer resources than an external attacker needs, and without detection.
Cloud storage makes the transfer of data as simple as dragging and dropping files into a folder. Unfortunately, the very simplicity that makes cloud storage an excellent collaboration tool also makes it a prime tool for data extrusion.
As a part of your cloud data loss prevention strategy, your organization needs web filtering software to restrict access to unsanctioned cloud storage providers.
With new cloud storage vendors regularly emerging, manual URL filtering isn’t enough for organizations to address this exfiltration risk. BrowseControl’s category filtering system is regularly updated with new websites as they emerge, making the blocking of millions of websites as easy as a few clicks. Simply add the File Hosting category to your block list, then add the services you would like to allow in your network to the Allow List.
To help detect other exfiltration threats in the network, organizations must monitor employee internet use; network traffic data could reveal visits to high-risk sites that need to be blocked from the network.
A 2018 study from cyber security software company McAfee found that the overall top three vectors used to exfiltrate data are database leaks, cloud applications, and USB drives.
According to the study, USB drives are the number one data exfiltration vector in European and Asia-Pacific countries.
When you think about it, this is of little surprise. After all, portable storage devices are, well…portable. That makes them easy to conceal and hard to detect.
These devices can store terabytes of data, making them capable of storing millions of database records, spreadsheets, and other proprietary information.
So long as there’s an available port, data can be readily exfiltrated, leading to a serious data breach.
Employees are the most prevalent data exfiltration threats here. They’re trusted with physical access to company systems, making data exfiltration attempts laughably simple. All it takes is sneaking in a personal USB flash drive and transferring files from the network before they walk out of the office.
So, how do companies prevent this? Simple: They disable USB ports with device control software such as AccessPatrol.
Naturally, blocking ports entirely also prevents legitimate usage. That’s why AccessPatrol has an Allowed List to grant access to authorized users. To help mitigate the risk that trusted devices will be misused, AccessPatrol allows you to restrict file transfers based on filename and extension.
To assist with detection on target systems, it also has alerts that notify security teams each time data is transferred to a portable storage device. These real-time alerts are essential for the protection of data; should data be stolen, there will be an auditable record of who is responsible.
“We never have to worry about what may happen when someone plugs a device into one of our machines. AccessPatrol has made our lives easy. We just set it, forget it, and it works!”
CurrentWare Customer Nicholas Scheetz, IT Service Desk Supervisor, First Choice Health
In North America, the number one vector for data exportation is email.
The fact that email is one of the greatest data exfiltration risks is of little surprise. Without security controls in place, insiders can easily send sensitive information to personal email addresses that aren’t managed by the organization.
Email is a data exfiltration issue even outside of malicious insider threats. A data breach could be as simple as a misaddressed email or inadvertently including customer data in an attachment.
These factors are enough of a risk on their own; add to that the countless phishing emails employees receive.
Don’t assume that employees won’t fall for them. Tessian found that a staggering 1 in 4 employees admitted to clicking on a phishing email at work. Worse yet, a report from PhishMe found that employees who have opened a phishing email in the past are 67% more likely to fall for a future attempt.
Naturally, no amount of data exfiltration prevention solutions are going to completely solve what is fundamentally a human problem. But there are things you can do to reduce the risks associated with email.
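The misaddressed-email and personal-address cases above are exactly what an outbound DLP check has to catch. The following Python is added here as an illustration and is not CurrentWare's own code: it inspects a constructed outbound message, resolves each recipient's real domain with parseaddr so a display name cannot disguise a personal address, treats anything that is not (a subdomain of) the assumed internal domain example.com as external, and scans the subject, body and attachment text for US SSN patterns and Luhn-valid card numbers. It blocks only when PII would actually leave the organization. The message contents, addresses, domains and attachment are all made up for the example.

```python
import re
from dataclasses import dataclass, field
from email.utils import parseaddr

# Assumed organisation domain; subdomains (mail.example.com) count as internal.
INTERNAL_DOMAINS = {"example.com"}

# US SSN shape, and 13-19 digit runs optionally separated by spaces/dashes.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so order numbers and phone numbers are not flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text: str) -> list:
    """Return (kind, value) pairs for the PII patterns found in text."""
    hits = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(("card", digits))
    return hits


def is_external(addr: str) -> bool:
    """True unless the real address domain is (a subdomain of) an internal domain.
    parseaddr strips the display name, so 'Bob <bob@freemail.example>' is judged
    by freemail.example; malformed addresses are treated as external (fail closed)."""
    _, bare = parseaddr(addr)
    if "@" not in bare:
        return True
    domain = bare.rsplit("@", 1)[1].lower().rstrip(".")
    return not any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


@dataclass
class OutboundMessage:
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: dict = field(default_factory=dict)   # filename -> extracted text


def inspect_message(msg: OutboundMessage) -> dict:
    """DLP verdict: block when PII is addressed to anyone outside the organisation."""
    external = [r for r in msg.recipients if is_external(r)]
    findings = find_pii(msg.subject + "\n" + msg.body)
    for name, text in msg.attachments.items():
        findings += [(kind, f"{name}:{value}") for kind, value in find_pii(text)]
    return {"external": external, "findings": findings, "block": bool(external and findings)}


# Constructed sample traffic (not real messages). LEAK is the misaddressed-email
# case: autocomplete added a colleague's personal address next to the work one.
LEAK = OutboundMessage(
    sender="alice@example.com",
    recipients=["Bob <bob@example.com>", "Bob <bob.personal@freemail.example>"],
    subject="Q3 refunds",
    body="Attached as requested.",
    attachments={"refunds.csv": "name,card,ssn\nJ Doe,4111 1111 1111 1111,123-45-6789\n"},
)
CLEAN = OutboundMessage(
    sender="alice@example.com",
    recipients=["bob@mail.example.com"],
    subject="Order update",
    body="Order #2024123456 shipped.",
)

if __name__ == "__main__":
    for m in (LEAK, CLEAN):
        print(m.subject, "->", inspect_message(m))
```

The Luhn check is what keeps the card rule from firing on every long digit run (order and tracking numbers), and the fail-closed handling of unparseable addresses matters because a quarantine that only triggers on well-formed external addresses is trivially bypassed.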
Protection techniques to handle this threat:
“In general, any misconfigured or unsecured server operating on a business network on which sensitive data is stored or processed exposes the business to data theft and compromise by cyber criminals who can use the data for criminal purposes such as blackmail, identity theft, or financial fraud.”
The Federal Bureau of Investigation (FBI)
Research conducted by the University of Michigan found that over 1 million FTP servers were configured to allow anonymous access, posing a serious data exfiltration risk.
Naturally, organizations that allow anonymous access to their services are at risk of having their systems compromised and data stolen without the hackers responsible ever being detected.
While the nuances of keeping the data in servers safe from attacks are a complex subject, there are a few steps your organization can take to defeat the most common vulnerabilities.
And while we’re on the subject of FTP: use a port filter to close any unused ports in your company, including the default FTP control port (TCP 21). This greatly reduces your attack surface.
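To find out whether any of your own hosts are among the anonymous-FTP servers described above, try the login yourself. The Python below is an added example, not code from this page or from the University of Michigan study: anonymous_login_allowed() performs the standard anonymous login (USER anonymous / PASS anonymous@, which is what ftplib's login() sends when called with no arguments) and reports open, refused or error. So that it runs offline, it also includes fake_ftp_server(), a constructed stand-in that answers only the 220/331/230/530 replies of a real FTP control channel, started once configured like a misconfigured host and once like a host with anonymous logins disabled. The labels and loopback targets are made up; point audit() at host/port pairs you are authorised to test.

```python
import socket
import threading
from ftplib import FTP, all_errors, error_perm


def anonymous_login_allowed(host: str, port: int = 21, timeout: float = 5.0) -> str:
    """Try the classic anonymous login and classify the result.
    ftplib's login() with no arguments sends USER anonymous / PASS anonymous@.
    Returns "open" (server accepted it), "refused" (5xx reply such as 530) or
    "error" (unreachable, timed out, or something other than FTP answered)."""
    ftp = FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        ftp.login()
        return "open"
    except error_perm:
        return "refused"
    except all_errors:          # OSError, EOFError and the other ftplib error classes
        return "error"
    finally:
        ftp.close()


def audit(targets) -> dict:
    """targets: iterable of (label, host, port). Returns {label: status}."""
    return {label: anonymous_login_allowed(host, port) for label, host, port in targets}


def fake_ftp_server(allow_anonymous: bool) -> int:
    """Constructed stand-in for an FTP server, used only so the example runs offline.
    Speaks just enough of the FTP control protocol to answer one USER/PASS exchange,
    then exits. Returns the loopback port it listens on."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        conn, _ = listener.accept()
        listener.close()
        rfile = conn.makefile("rb")
        conn.sendall(b"220 fake-ftpd ready\r\n")
        user = ""
        for raw in rfile:
            cmd, _, arg = raw.decode("latin-1").rstrip("\r\n").partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                user = arg.lower()
                conn.sendall(b"331 Please specify the password.\r\n")
            elif cmd == "PASS":
                if allow_anonymous and user in ("anonymous", "ftp"):
                    conn.sendall(b"230 Login successful.\r\n")     # the misconfiguration
                else:
                    conn.sendall(b"530 Login incorrect.\r\n")      # anonymous logins disabled
            elif cmd == "QUIT":
                conn.sendall(b"221 Goodbye.\r\n")
                break
            else:
                conn.sendall(b"502 Command not implemented.\r\n")
        conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_local_port() -> int:
    """A loopback port with nothing listening, to exercise the "error" branch."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    targets = [
        ("legacy-ftp (anonymous allowed)", "127.0.0.1", fake_ftp_server(True)),
        ("hardened-ftp (anonymous refused)", "127.0.0.1", fake_ftp_server(False)),
        ("no-ftp-here", "127.0.0.1", free_local_port()),
    ]
    for label, status in audit(targets).items():
        print(f"{status:8} {label}")
```

Keep the three outcomes separate in reporting: an "error" host is not proof that port 21 is filtered (a firewall may only be rate-limiting you), and a "refused" host still exposes an FTP banner that is worth removing if the service is not needed.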
Restricting internet access is crucial for preventing data exfiltration but unfortunately, there isn’t a definitive guide on what websites to block at work.
For optimal security, you could only allow access to specific websites, but that can quickly become cumbersome to manage.
If a default-deny allow list isn’t a feasible data exfiltration prevention measure for your environment, you should at least block the most common egress points.
Websites most commonly used for data exfiltration
Naturally, this list isn’t exhaustive. There’s also the risk that legitimate domains will become compromised and used to receive exfiltrated data.
Most external threats use a combination of phishing and malware to gain remote access to their target system. Security industry reporting consistently shows that businesses of all sizes are at risk of being the target of a cyber attack.
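The block-the-category-then-allow-exceptions approach described for BrowseControl above, and the choice between a default-deny allow list and merely blocking common egress points, reduce to a small decision function. The Python below is an added example with constructed category data (the .example domains are placeholders, not real services) and is not the product's logic. It shows the two matching pitfalls a practitioner has to get right: a suffix match must not let notdropzone.example through as dropzone.example, and the host must be taken from the parsed URL so that a userinfo trick such as https://filehost.example@dropzone.example/ does not masquerade as a sanctioned site.

```python
from urllib.parse import urlsplit

# Constructed category data standing in for a vendor's maintained category feed.
CATEGORIES = {
    "file_hosting": {"filehost.example", "dropzone.example"},
    "webmail": {"freemail.example"},
    "paste_sites": {"pastebin.example"},
}
BLOCKED_CATEGORIES = {"file_hosting", "webmail", "paste_sites"}
# Sanctioned service: stays reachable even though its category is blocked.
ALLOW_LIST = {"filehost.example"}


def normalize_host(url: str) -> str:
    """Extract the host the browser would actually connect to.
    Scheme-less input is tolerated; userinfo and port are discarded; case and a
    trailing dot are normalised so 'FileHost.Example.' matches 'filehost.example'."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def domain_matches(host: str, domain: str) -> bool:
    """Exact or subdomain match; a bare suffix test would wrongly match notdropzone.example."""
    return host == domain or host.endswith("." + domain)


def category_of(host: str):
    for category, domains in CATEGORIES.items():
        if any(domain_matches(host, d) for d in domains):
            return category
    return None


def decide(url: str, default_deny: bool = False) -> tuple:
    """Return (verdict, reason). The allow list wins over category blocks. With
    default_deny=True only allow-listed hosts pass (the strict mode the article
    notes is hard to manage); otherwise uncategorised hosts are allowed."""
    host = normalize_host(url)
    if not host:
        return ("block", "no host")
    if any(domain_matches(host, d) for d in ALLOW_LIST):
        return ("allow", "allow list")
    if default_deny:
        return ("block", "not on allow list")
    category = category_of(host)
    if category in BLOCKED_CATEGORIES:
        return ("block", f"category {category}")
    return ("allow", "uncategorised")


if __name__ == "__main__":
    for u in ("https://filehost.example/upload", "https://www.dropzone.example/share",
              "https://notdropzone.example/", "https://filehost.example@dropzone.example/",
              "HTTPS://FileHost.Example.:8443/x", "news.example/today"):
        print(f"{u:48} {decide(u)}  strict={decide(u, default_deny=True)}")
```

Run against a proxy log to see how much of your real traffic the category rules would have blocked before switching them on; the default_deny flag gives the same answer for the strict allow-list mode.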
When it comes to preventing malicious software you need to implement a defense-in-depth approach. Lone antimalware solutions aren’t always going to be enough to stop malware, but you’ll be grateful that it’s there if a malicious program manages to slip past your other security measures.
According to a Quocirca Report, 68% of businesses in the US and Europe suffered a print-related data breach from 2020-2021. The data loss related to these breaches costs companies an average of more than $400K.
The data exfiltration risks associated with printers aren’t exclusive to traditional office buildings, either. In the age of remote work it’s easier than ever for an employee to connect a printer to their computer and print off sensitive documents.
Protection techniques to handle this threat:
In addition to the risk-specific tips I’ve covered above, there are a number of other ways to prevent data exfiltration. This next section will broadly cover best practices for mitigating the risk of data security incidents.
How to Prevent Data Exfiltration
Get started today—Download the FREE template and customize it to fit the needs of your organization.
Concerned about the damage a soon-to-be-ex-employee could cause with access to IP, passwords, and other sensitive data?
Follow this employee offboarding checklist to protect your organization against insider data theft.
Preventing data exfiltration requires a robust mix of data loss prevention tools, security training, user activity monitoring, and deep knowledge of internal vulnerabilities. By following the tips in this article you can mitigate the most common data exfiltration risks.