Protecting sensitive data must be a top priority for any business. Unfortunately, the multitude of techniques available to threat actors makes detection and prevention of attacks a full-time job. To help make that job easier, this article will teach you how to prevent data exfiltration by addressing the most common techniques used in these attempts.
Data exfiltration, also known as data extrusion, data exportation, or data theft, is the unauthorized transfer of data from one computer, network, or server to another. It most commonly occurs when malware or a malicious actor executes an unauthorized data transfer.
The most desirable data to exfiltrate include passwords, intellectual property, and personally identifiable information (PII). These types of data can be readily sold for financial gain.
When trying to understand how hackers exfiltrate data from a network, it’s important to realize that data exfiltration isn’t exclusive to external threats; employees are just as capable of making unauthorized data transfers.
In fact, malicious insider threats are in the optimal position; they do not need to work as hard to gain access to a device with a connection to system resources as an external attacker would.
For optimal protection, be prepared to mitigate both internal and external attacks. Otherwise, an insider's trusted access to the network means your customers' data can be exfiltrated with far fewer resources and without detection.
Cloud storage makes the transfer of data as simple as dragging and dropping files into a folder. Unfortunately, the very simplicity that makes cloud storage an excellent collaboration tool also makes it a prime tool for data extrusion.
As a part of your cloud data loss prevention strategy, your organization needs web filtering software to restrict access to unsanctioned cloud storage providers.
With new cloud storage vendors regularly emerging, manual URL filtering isn’t enough for organizations to address this exfiltration risk. BrowseControl’s category filtering system is regularly updated with new websites as they emerge, making the blocking of millions of websites as easy as a few clicks. Simply add the File Hosting category to your block list, then add the services you would like to allow in your network to the Allow List.
To help detect other exfiltration threats in the network, organizations must monitor employee internet use; network traffic data could reveal visits to high-risk sites that need to be blocked from the network.
A 2018 study from cyber security software company McAfee found that the overall top three vectors used to exfiltrate data are database leaks, cloud applications, and USB drives.
According to the study, USB drives are the number one data exfiltration vector in European and Asia-Pacific countries.
When you think of it, this is of little surprise. After all, portable storage devices are, well…portable. And thus easy to conceal and hard to detect.
These devices can store terabytes of data, making them capable of storing millions of database records, spreadsheets, and other proprietary information.
So long as there’s an available port, data can be readily exfiltrated, leading to a serious data breach.
Employees are the most prevalent data exfiltration threats here. They’re trusted with physical access to company systems, making data exfiltration attempts laughably simple. All it takes is sneaking in a personal USB flash drive and transferring files from the network before they walk out of the office.
So, how do companies prevent this? Simple: They disable USB ports with device control software such as AccessPatrol.
Naturally, blocking ports entirely also prevents legitimate usage. That’s why AccessPatrol has an Allowed List to grant access to authorized users. To help mitigate the risk that trusted devices will be misused, AccessPatrol allows you to restrict file transfers based on filename and extension.
To assist with detection on target systems, it also has alerts that can notify security teams each time data is exfiltrated to a portable storage device. These real-time alerts are essential for the protection of data; should data be stolen, there will be an auditable record of who is responsible.
“We never have to worry about what may happen when someone plugs a device into one of our machines. AccessPatrol has made our lives easy. We just set it, forget it, and it works!”
CurrentWare Customer Nicholas Scheetz, IT Service Desk Supervisor, First Choice Health
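The device-control workflow described above (an allow list of approved drives, restrictions by filename and extension, and an alert whenever a transfer to removable storage is attempted) can be illustrated with a small evaluator. This is an added example, not AccessPatrol's code; the log format, device serials, policy values and log lines are all constructed for the example.

```python
"""Added example (not AccessPatrol's code): a device-control evaluator that applies an
approved-device allow list, filename/extension restrictions and a per-user volume threshold
to constructed USB transfer log lines, producing alerts with the reasons for each block."""
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Constructed log lines in a hypothetical key=value format (not a real product's log format).
SAMPLE_LOG = """\
2024-05-02T14:03:11Z user=jsmith serial=CORP-0001 action=copy_to_device file=/finance/Q1_customer_list.xlsx bytes=2400000
2024-05-02T14:05:40Z user=jsmith serial=CORP-0001 action=copy_to_device file=/docs/meeting_notes.txt bytes=12000
2024-05-02T14:07:02Z user=mlee serial=UNKNOWN-9F3A action=copy_to_device file=/hr/passwords_backup.csv bytes=80000
2024-05-02T14:09:15Z user=mlee serial=UNKNOWN-9F3A action=copy_to_device file=/exports/crm_dump.sql bytes=900000000
2024-05-02T14:10:00Z user=avega serial=CORP-0002 action=read_from_device file=/tmp/driver.exe bytes=5000
"""

# Hypothetical policy: only company-issued drives, no database or spreadsheet exports, no files whose
# names suggest sensitive content, and an alert once a user has attempted more than 500 MB of copies.
POLICY = {
    "allowed_serials": {"CORP-0001", "CORP-0002"},
    "blocked_extensions": {".xlsx", ".csv", ".sql", ".db", ".pst"},
    "blocked_name_terms": ("customer", "password", "dump"),
    "max_bytes_per_user": 500_000_000,
}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split a log line into its timestamp and key=value fields; return None for junk lines."""
    ts, _, rest = line.strip().partition(" ")
    fields = dict(KV_RE.findall(rest))
    if not ts or "file" not in fields:
        return None
    fields["ts"] = ts
    fields["bytes"] = int(fields.get("bytes", "0"))
    return fields


def evaluate(records, policy):
    """Apply the policy to parsed records; every violated rule becomes a reason on the alert."""
    alerts = []
    attempted_per_user = defaultdict(int)
    for r in records:
        if r.get("action") != "copy_to_device":
            continue  # reads from the drive are not an outbound transfer; out of scope here
        name = PurePosixPath(r["file"]).name
        reasons = []
        if r.get("serial") not in policy["allowed_serials"]:
            reasons.append("unapproved device")
        ext = PurePosixPath(name).suffix.lower()
        if ext in policy["blocked_extensions"]:
            reasons.append(f"blocked extension {ext}")
        hits = [t for t in policy["blocked_name_terms"] if t in name.lower()]
        if hits:
            reasons.append("sensitive filename term: " + ",".join(hits))
        attempted_per_user[r["user"]] += r["bytes"]
        if attempted_per_user[r["user"]] > policy["max_bytes_per_user"]:
            reasons.append(f"volume {attempted_per_user[r['user']]} bytes exceeds threshold")
        if reasons:
            alerts.append({
                "ts": r["ts"], "user": r["user"], "serial": r.get("serial"), "file": name,
                "decision": "blocked",
                "severity": "high" if "unapproved device" in reasons else "medium",
                "reasons": reasons,
            })
    return alerts


def run_sample():
    records = [rec for rec in map(parse_line, SAMPLE_LOG.splitlines()) if rec]
    return evaluate(records, POLICY)


if __name__ == "__main__":
    for a in run_sample():
        print(a["ts"], a["user"], a["severity"], a["file"], "; ".join(a["reasons"]))
```

The example keeps every violated rule on the alert rather than stopping at the first one, which is what makes the audit trail useful after the fact: an investigator can see that a transfer was both to an unapproved drive and of a blocked file type. The volume threshold is on attempted bytes, so a user probing the policy with many blocked copies still trips it.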
In North America, the number one vector for data exportation is email.
The fact that email is one of the greatest data exfiltration risks is of little surprise. Without security controls in place, insiders can easily send sensitive information to personal email addresses that aren’t managed by the organization.
Email is a data exfiltration issue even outside of malicious insider threats. A data breach could be as simple as a misaddressed email or inadvertently including customer data in an attachment.
These factors are enough of a risk on their own; what about the countless phishing emails?
Don’t assume that employees won’t fall for them. Tessian found that a staggering 1 in 4 employees admitted to clicking on a phishing email at work. Worse yet, a report from PhishMe found that employees who have opened a phishing email in the past are 67% more likely to fall for a future attempt.
Naturally, no data exfiltration prevention solution is going to completely solve what is fundamentally a human problem. But there are things you can do to reduce the risks associated with email.
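One of those things is an outbound mail check that pairs the two signals the passage describes: a recipient outside the organization, and sensitive data in the body or an attachment. The following is an added example written for this article, not the code of any product mentioned here; the internal domain, the addresses, the message and the test card number are constructed.

```python
"""Added example (not the article's or any vendor's code): an outbound-mail check that flags
messages carrying likely PII (Luhn-valid card numbers, SSN-shaped strings) to recipients
outside the organization. Domains, addresses and the message are constructed."""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import getaddresses

INTERNAL_DOMAINS = {"example.com"}  # constructed: the domains the organization manages
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")  # 13-16 digits with optional space/dash separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(candidate):
    """Luhn checksum over the digits in the match; filters out most random digit runs."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def external_recipients(msg):
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    addrs = [a.lower() for _, a in getaddresses(headers) if "@" in a]
    return [a for a in addrs if a.rsplit("@", 1)[1] not in INTERNAL_DOMAINS]


def scan_text(text, where):
    findings = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(m.group()):
            findings.append({"kind": "card", "where": where, "sample": m.group()[-4:]})
    for m in SSN_RE.finditer(text):
        findings.append({"kind": "ssn", "where": where, "sample": m.group()[-4:]})
    return findings


def inspect_message(raw):
    """Scan the body and every text attachment; quarantine when PII is bound for an external address."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_content_maintype() != "text":
            continue  # binary attachments need format-specific extraction; out of scope here
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        where = part.get_filename() or "body"
        findings += scan_text(payload.decode("utf-8", errors="replace"), where)
    external = external_recipients(msg)
    decision = "quarantine" if external and findings else "allow"
    return {"external": external, "findings": findings, "decision": decision}


def build_sample():
    """Constructed message: an internal export CC'd to a personal address outside the company."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "Bob <bob@example.com>"
    msg["Cc"] = "personal.account@mail-example.net"
    msg["Subject"] = "Q1 export"
    msg.set_content("Here is the export you asked for.")
    # constructed test data: 4111... is the widely used test card number; the SSN is not a real one
    msg.add_attachment("name,card,ssn\nJane Doe,4111 1111 1111 1111,123-45-6789\n",
                       subtype="csv", filename="customers.csv")
    return msg.as_string()


def inspect_sample():
    return inspect_message(build_sample())


if __name__ == "__main__":
    result = inspect_sample()
    print(result["decision"], result["external"])
    for f in result["findings"]:
        print(f"  {f['kind']} in {f['where']} (ends ...{f['sample']})")
```

Findings record only the last four characters of a match, so the quarantine log itself does not become another copy of the data. Note that the check deliberately requires both signals: a card number sent to a colleague at the same domain is a policy matter, not an exfiltration event, and PII-free mail to an outside address is normal business.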
Protection techniques to handle this threat:
“In general, any misconfigured or unsecured server operating on a business network on which sensitive data is stored or processed exposes the business to data theft and compromise by cyber criminals who can use the data for criminal purposes such as blackmail, identity theft, or financial fraud.”
The Federal Bureau of Investigation (FBI)
Research conducted by the University of Michigan found that over 1 million FTP servers were configured to allow anonymous access, posing a serious data exfiltration risk.
Naturally, organizations that allow anonymous access to their services are at risk of having their systems compromised and data stolen without ever detecting the attackers responsible.
While the nuances of keeping the data in servers safe from attacks are a complex subject, there are a few steps your organization can take to defeat the most common vulnerabilities.
And while we’re on the subject of FTP…use a port filter to close any unused ports in your company, including default FTP ports. This will greatly reduce your attack surface.
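Both steps above, checking for anonymous FTP access and closing ports that nothing approved should be listening on, can be turned into a repeatable audit. The script below is an added example, not from the article or any vendor; the vsftpd.conf fragment and the `ss -ltn` output it reads are constructed, the directive names follow vsftpd.conf, and the approved-port list and the `inet filter` nftables table it assumes are hypothetical.

```python
"""Added example (not from the article): audit a vsftpd-style config for anonymous access and
compare listening sockets against an approved-port list, then suggest port-filter rules.
The config fragment and the `ss -ltn` output are constructed for the example."""

SAMPLE_VSFTPD_CONF = """\
# constructed vsftpd.conf fragment
listen=YES
anonymous_enable=YES
anon_upload_enable=NO
local_enable=YES
write_enable=YES
ssl_enable=NO
"""

# Constructed `ss -ltn` output: SSH, FTP, HTTPS, an unexplained 8080 listener and a loopback-only database.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       32      0.0.0.0:21           0.0.0.0:*
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*
LISTEN  0       128     [::]:8080            [::]:*
LISTEN  0       100     127.0.0.1:3306       0.0.0.0:*
"""

APPROVED_PORTS = {22, 443}  # hypothetical: the only services this host is meant to expose


def parse_kv_config(text):
    """Parse key=value lines, ignoring blanks and comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def audit_vsftpd(cfg):
    """Return (severity, message) findings. vsftpd documents YES as the built-in default for
    anonymous_enable, so a missing directive is treated as anonymous access enabled."""
    def enabled(key, default):
        return cfg.get(key, default).upper() == "YES"

    findings = []
    if enabled("anonymous_enable", "YES"):
        findings.append(("high", "anonymous_enable is YES: unauthenticated clients can log in"))
        if enabled("anon_upload_enable", "NO") or enabled("anon_mkdir_write_enable", "NO"):
            findings.append(("high", "anonymous users may write to the server"))
    if not enabled("ssl_enable", "NO"):
        findings.append(("medium", "ssl_enable is NO: credentials and files cross the network in cleartext"))
    return findings


def unexpected_listeners(ss_text, approved_ports):
    """Listening sockets reachable from the network whose port is not on the approved list."""
    found = []
    for line in ss_text.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        addr, _, port = cols[3].rpartition(":")
        if addr in ("127.0.0.1", "[::1]"):
            continue  # loopback-only services are not exposed to the network
        if int(port) not in approved_ports:
            found.append((addr, int(port)))
    return found


def port_filter_rules(listeners):
    """Suggested nftables commands (assumes an existing `inet filter` table with an `input` chain).
    Closing the port is a stopgap; the right fix is to stop or remove the unneeded service."""
    return [f"nft add rule inet filter input tcp dport {port} drop" for _, port in listeners]


if __name__ == "__main__":
    for severity, message in audit_vsftpd(parse_kv_config(SAMPLE_VSFTPD_CONF)):
        print(f"[{severity}] {message}")
    extra = unexpected_listeners(SAMPLE_SS_OUTPUT, APPROVED_PORTS)
    print("unexpected listeners:", extra)
    print("\n".join(port_filter_rules(extra)))
```

On a real host the input would come from `cat /etc/vsftpd.conf` and `ss -ltn`; the audit is deliberately conservative about defaults, flagging anonymous access unless the config explicitly turns it off.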
Restricting internet access is crucial for preventing data exfiltration, but unfortunately there isn’t a definitive guide on what websites to block at work.
For optimal security, you could allow access only to specific websites, but that can quickly become cumbersome to manage.
If an allowlist-only approach isn’t a feasible data exfiltration prevention measure for your environment, you should block the most common egress points.
Websites most commonly used for data exfiltration
Naturally, this list isn’t exhaustive. There’s also the risk that legitimate domains will become compromised and used as a repository for data exfiltration.
Most external threats will use a combination of phishing and malware to gain remote access to their target system. A search of security industry trends shows that businesses of all sizes are at risk of being the target of a cyber attack.
When it comes to preventing malicious software you need to implement a defense-in-depth approach. Lone antimalware solutions aren’t always going to be enough to stop malware, but you’ll be grateful that it’s there if a malicious program manages to slip past your other security measures.
According to a Quocirca report, 60% of businesses in the UK, US, France, and Germany suffered a print-related data breach between 2018 and 2019. The data loss related to these breaches cost companies an average of more than $400K.
The data exfiltration risks associated with printers aren’t exclusive to traditional office buildings, either. In the age of remote work it’s easier than ever for an employee to connect a printer to their computer and print off sensitive documents.
Protection techniques to handle this threat:
In addition to the risk-specific tips I’ve covered above, there are a number of other ways to prevent data exfiltration. This next section will broadly cover best practices for mitigating the risk of data security incidents.
How to Prevent Data Exfiltration
Concerned about the damage a terminated employee could cause with access to sensitive corporate information, account passwords, and other sensitive data?
Follow this employee offboarding checklist to protect your network following a termination.
Preventing data exfiltration requires a robust mix of data loss prevention tools, security training, user activity monitoring, and deep knowledge of internal vulnerabilities. By following the tips in this article you can mitigate the most common data exfiltration risks.