SEI Insights

Insider Threat Blog

Real-World Work Combating Insider Threats

Common Sense Guide to Mitigating Insider Threats - Best Practice 19 (of 19)

Posted on by in

Hello, this is Derrick Spooner, Cyber Threat Solutions Engineer for the CERT Program, with the last of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats.

The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. The guide describes 19 practices that organizations should implement across the enterprise to mitigate (prevent, detect, and respond to) insider threats, as well as case studies of organizations that failed to do so. The last of the 19 best practices follows.

Practice 19: Close the doors to unauthorized data exfiltration.

This practice deals with raising awareness of the myriad methods of exfiltrating sensitive organizational data and recommending solutions to combat those methods. The following items represent three high-level categories of data-egress points (an expanded list can be found in the Common Sense Guide to Mitigating Insider Threats):

  • Removable media (e.g., USB flash drives, DVD-RW, smartphones)
  • Network (e.g., cloud storage, webmail, social media, SSH)
  • Physical (e.g., printers, copiers, fax machines)

Removable media is a significant risk due to the prevalence of data transfer volumes, including audio/visual peripherals. Solutions range from physical or software-based disabling of these devices, to monitoring, to organizational required approval of data transfer. Choosing the method used to secure devices is a delicate balance between security and productivity.

The most direct disabling of USB devices, for example, would be to use active directory group policies to completely disable copying to flash drives. Commercial tools can apply finer grained controls, such as allowing file copies but snapshotting a copy of the files for further review. Another method of controlling file copies is to require that a trusted employee perform the actual copy operation after it has been approved.

Network exfiltration can be prevented by storing sensitive information, such as source code, in an air-gapped or heavily restricted and firewalled enclave network that users can only access while physically at the organization or via thoroughly hardened workstations. Connections to trusted business partners should be monitored via full-packet capture or network-flow data, and be scrutinized as much as or even more than the organization's internet service provider (ISP) uplink.

Secure sockets layer (SSL) encrypted traffic poses some of the highest risk because most organizations are unable to collect detailed information about the transmission. Consider proxy solutions that decrypt, inspect, and re-encrypt SSL sessions to allow full evaluation of the traffic for sensitive data or other disguised, malicious action. Cloud-based services have become commonplace and should be restricted or monitored via the aforementioned proxy recommendation. File transfer protocols should also be restricted or monitored.

Finally, the most basic physical exfiltration methods are still commonplace. Organizations should heavily monitor printers, scanners, copiers, and fax machines to ensure that employees are not taking advantage of the ease with which these devices can exfiltrate data. Consider solutions that maintain redundant copies of all jobs submitted and periodically review these copies.

Refer to the complete fourth edition of the Common Sense Guide to Mitigating Insider Threats for a comprehensive understanding of the issues and recommendations mentioned.

If you have questions or want to share experiences you've had with insider threats, send email to

More from CERT Insider Threat Center


View other blog posts by CERT Insider Threat Center.