Russian Hackers are Using Flaws in Flash and Windows

The Problem:  Your organization is on track for one of its best years in its history, with many of its projects nearing completion and the first of which is scheduled to be announced next week.  All of your data is stored on-site and only authorized users are granted access.  Suddenly however, a press release comes out from your main rival organization that they just completed their own project- and that the results are identical to that which your organization was going to announce.  Security has ruled out an externally-sourced breach, so that leaves a source inside the organization.

“Exfiltration” is the act of getting something out.  The mirror of ‘infiltration’ (breaking in to a secure location), exfiltration means that you have already gained access to what you want- you just need to be able to leave with it.  Exfiltration revolves around using known techniques to get data out of a secure area as if it was anything else- like if you were sneaking financial documents out with the garbage.  The more restrictions in place, the more difficult it is for unauthorized use and transmission of this data.

The solution:  There are a number of ways to attempt to  block exfiltration, the tricky part is balancing hardened security measures versus ease of use for regular users.

Solution the First:  Block USB Ports

See Also ‘Disable USB Mass Storage through GP…‘:

When it comes to being able to get data easily in and out, removable media is at the top of the list for most people.  USB Drives have made it extremely easy to transfer huge amounts of files quickly and painlessly from system to system.  The problem in this case is that it may not be authorized, and in most cases cannot be tracked unless the security on your network has already been setup to do so.  While the act of blocking access to thumb drives may cause an uproar among the user base, it is still one of the easiest and cost-effective measures for blocking data from leaving the facility.

Solution the Second:  Block Non-standard traffic

Image Provided by ‘Any/Any/Deny Security Rule Changes Default Behavior’

If your organization does not use FTP, is there a reason to keep that port open?  What about SSH or other protocols?  When these ports are not a part of day-to-day operations but are left open, they can present a hazard through unauthorized use. Therefore having your firewall set up in a ‘white-list’ mode to only allow what the organization needs to use (and then block everything else) can greatly improve the average security, and thus prevent data leaving through unusual methods.

Solution the Third:  Visitor Escorts

In many organizations, once a visitor gets through the front door- they have free reign to go where they please.  If they are wearing a suit, holding a clipboard, act like they know where they’re going, or seem to be in a hurry- a lot of times the perceived attitude is “don’t interrupt me, I don’t have time for this”.  This also goes for package deliveries as well for instance- people may look like they’re trying to find a specific office or desk, but have actually been roaming around freely for half a hour or more.  When a visitor has somebody with them, they are far more likely to be able to get where they need to go quickly, and exit the building as soon as they are done.  They also have fewer chances to get lost or observe elements that the organization may not wish them to see.

Honorable Mention: Digital Loss Prevention (DLP)
Exfiltration is the last step that can be blocked before a full-on breach.  Its far easier to manage somebody that has gotten stuck with their hand in the cookie jar, than if they have already gotten away with the goodies.  Blocking Exfiltration requires a great deal of proactive measures, but everything required to do so helps out other aspects of security as well- making the overall environment that much safer.

Original Post: