Anti-malware, EDR, XDR, MDR, firewalls and so on are product words we hear constantly, but they do not generally focus on data protection. To many people, data protection means GDPR and getting a solicitor to draft a privacy policy that no one ever reads. That does not physically protect data. If you are hacked, or you have an insider threat, a piece of paper (a policy) does nothing to stop the data leaving.
How can data be exfiltrated?
- CD/DVD: less likely now, since most endpoints no longer have an optical drive, though external USB writers may still be a concern
- SD card: some laptops and desktops have a slot, or a USB adapter can be used
- USB drives or external hard drives: very common and easy to smuggle in
- Email: mostly the Outlook app, though webmail (see websites below) is another route
- Websites: all sorts: chat apps, file sharing sites, webmail, personal websites etc.
- Smartphones: most people do not know that a phone plugged in over USB presents itself as an MTP (Media Transfer Protocol) device rather than as USB mass storage, so a plain USB storage block may not catch it
- Bluetooth: to phones, tablets, laptops and more
- Local apps: great, you have blocked the OneDrive website, but what about the app installed on the machine?
- And more sneaky ways
Who exfiltrates data?
- Accidental insider: people who do not know that emailing data to their personal accounts is risky, or that storing data on an unprotected USB stick has its risks
- Malicious insider: staff who have been planted in a company to steal data, or who have become disgruntled over time
- External attacker: someone who has infiltrated the network from outside and wants to exfiltrate data
Where can DLP sit?
- Endpoint: an installed agent on your phone, tablet, laptop, desktop or server which monitors and/or blocks. These often run at kernel level for increased visibility and blocking capability. Can also classify data by user or by policy
- Network: watches email, web traffic, file shares and more. Can also go out and scan network shares
- Cloud: present in OneDrive, SharePoint and Exchange as an add-on
Why do organisations deploy DLP?
- Compliance: ticking the box for HIPAA, PCI-DSS, GDPR, CCPA etc. Perhaps enabled just for the sake of it, to please an outside audit firm
- IP: imagine working on the next vaccine, spending billions, and then another pharma firm pinches the recipe
What can DLP do?
- Beef up your general defences: firewalls, anti-malware and IPS are great, but they are aimed more at stopping external attacks
- Block pastes into ChatGPT
- Block emails containing classified documents from going outside the domain
- Block mounting of USB storage
- Force file encryption on USB drives
- Block MTP outright
- Block file uploads to webmail
- Block classified data being uploaded through the local Slack, Discord or Teams apps
- Block the WhatsApp Web and Telegram Web domains, since the encryption they use makes the traffic hard to intercept and inspect
- Block based on content, e.g. credit card numbers, SSNs, national insurance numbers, email addresses, zip/post codes etc.
- ATP-like functionality: because they can run at kernel level, DLP products can act somewhat like anti-malware, blocking known ransomware behaviour or detecting unknown malware
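To make the capability list concrete, here is an added example (not the post's own code, and not any particular DLP product's) of how a DLP policy engine decides on a single data-movement event: a content classifier with a Luhn check for card numbers, plus rules for external email with classified labels, unencrypted USB writes, MTP, blocked web hosts and sensitive content leaving the organisation. The mail domain `example.com`, the blocked host list, the label names and the detection patterns are assumptions for the example, and the sample events are constructed; a real product gets these events from a kernel filter, mail flow rule or proxy rather than from a Python object.

```python
import re
from dataclasses import dataclass, field

# --- content classifiers (assumed patterns; tune them for your own data) ---
# 13-19 digits, optionally separated by spaces or hyphens; Luhn-checked below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in AAA-GG-SSSS form, excluding a few never-issued area/group values.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# UK National Insurance number: two letters, six digits, suffix A-D
# (prefix rule simplified to the letters never used in either position).
NI_RE = re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: cuts down false positives from phone numbers and IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> dict:
    """Return {kind: [matches]} for every kind of sensitive content found."""
    cards = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            cards.append(digits)
    found = {
        "card": cards,
        "ssn": SSN_RE.findall(text),
        "ni_number": NI_RE.findall(text),
        "email": EMAIL_RE.findall(text),
    }
    return {k: v for k, v in found.items() if v}


@dataclass
class Event:
    channel: str                 # "email", "web", "app", "usb" or "mtp"
    destination: str             # recipient address, web host, app name or drive letter
    content: str                 # text of the message / file being moved
    labels: set = field(default_factory=set)   # classification labels on the document
    encrypted: bool = False      # USB only: is the target volume encrypted?


ORG_DOMAIN = "example.com"                                   # assumed company mail domain
BLOCKED_WEB_HOSTS = {"web.whatsapp.com", "web.telegram.org", "chat.openai.com"}
CLASSIFIED = {"Confidential", "Restricted"}                  # assumed label names


def evaluate(ev: Event):
    """Return ("block" | "allow", [reasons]) for one data-movement event."""
    reasons = []
    if ev.channel == "mtp":
        reasons.append("MTP (smartphone) transfer blocked outright")
    if ev.channel == "usb" and not ev.encrypted:
        reasons.append("write to unencrypted USB volume")
    if ev.channel == "web" and ev.destination.lower() in BLOCKED_WEB_HOSTS:
        reasons.append("paste/upload to blocked host " + ev.destination)
    # Anything that is not internal email is treated as leaving the organisation.
    internal_mail = (ev.channel == "email"
                     and ev.destination.lower().endswith("@" + ORG_DOMAIN))
    if not internal_mail:
        hits = ev.labels & CLASSIFIED
        if hits:
            reasons.append("classified document leaving the domain: " + ", ".join(sorted(hits)))
        findings = classify(ev.content)
        if findings:
            reasons.append("sensitive content: " + ", ".join(
                f"{k}x{len(v)}" for k, v in sorted(findings.items())))
    return ("block" if reasons else "allow"), reasons


if __name__ == "__main__":
    # Constructed sample events, not real traffic.
    samples = [
        Event("email", "alice@example.com", "Q3 forecast attached", {"Confidential"}),
        Event("email", "bob@gmail.com", "Q3 forecast attached", {"Confidential"}),
        Event("web", "web.whatsapp.com", "hi"),
        Event("usb", "E:", "customer card 4111 1111 1111 1111, SSN 123-45-6789"),
        Event("usb", "E:", "holiday photo list", encrypted=True),
        Event("app", "slack", "invalid card 4111 1111 1111 1112, NI AB123456C"),
    ]
    for ev in samples:
        verdict, why = evaluate(ev)
        print(f"{verdict:5} {ev.channel:5} -> {ev.destination:18} {'; '.join(why)}")
```

The Luhn check is the part worth copying: a bare 16-digit regex fires on phone numbers, order IDs and timestamps, and a DLP rollout that blocks on those gets switched off within a week. Note that the encrypted-USB event with harmless content is allowed while the same volume receiving a card number is still blocked, which is the difference between "force encryption on USB" and "block content" as separate rules.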