
Simple Data Exfiltration in a Secure Industry Environment

Phil Cronin at BSides Boston 2016

Since Edward Snowden’s extensive data exfiltration from a high-security NSA environment, there has been heightened focus on data exfiltration - not only from government and defense environments but also from security-conscious industries such as finance, health care, insurance, etc. While much of Edward Snowden’s exfiltration is thought to have required elevated privileges, such as system administrator access, today’s industry leaders are also concerned about regular employees and are asking the question “how easy would it be for an employee or vendor with only ‘user-level’ privileges and minimal IT training to exfiltrate data?”

In the author’s experience as an IT auditor at dozens of security-conscious environments, the answer to that question is that data can easily be exfiltrated by employees with little or no IT training. Further, and importantly, most organizations have few or no effective detective controls that would alert on or detect such data loss.

This presentation explores the top 10 data exfiltration methods that can be accomplished with only ‘user-level’ privileges and that are routinely overlooked in security-conscious industries.

Phil Cronin started DataSec LLC to provide risk management and data security services for security-conscious industries. Phil has partnered with senior management and audit committees in improving management oversight and control and ensuring IT regulatory compliance. He has over 15 years of experience in Information Technology, with the last 10 years dedicated to infrastructure and network security. He has served over 100 security-conscious institutions in finance, health care, etc. Previously, he spent much of his career at Bell Labs (Lucent Technologies and AT&T), where he was responsible for IT infrastructure design, operations and network security in the Optical Networking R&D Division. He holds a master’s degree in Electrical Engineering from the Massachusetts Institute of Technology (MIT). He is a Certified Information Systems Security Professional (CISSP) and a Certified Information Systems Auditor (CISA).