
Blocking Data Exfiltration (Part 19 of 20: CERT Best Practices to Mitigate Insider Threats Series)

Jonathan P. Costa
• Insider Threat Blog

The 19th practice described in the newly released edition of the Common Sense Guide to Mitigating Insider Threats is Practice 19: Close the doors to unauthorized data exfiltration. In this post, I discuss how organizations are vulnerable to data exfiltration and offer potential mitigation strategies.

The CERT Division announced the public release of the fifth edition of the Common Sense Guide to Mitigating Insider Threats in December 2016. The guide describes 20 practices that organizations should implement across the enterprise to mitigate (prevent, detect, and respond to) insider threats, as well as case studies of organizations that failed to do so. The 19th of the 20 best practices follows.

Practice 19: Close the doors to unauthorized data exfiltration.

There are countless means of exfiltrating organizational data and multiple ways to combat them. Data exfiltration is when a person extracts data or information from an organization's systems and either (1) shares it with an unauthorized third party or (2) moves it to an unsecured system. Data exfiltration can be unintentional or malicious. For example, an employee can send an email that contains confidential information to someone outside of the organization (unintentional) or an employee can send an email to an outside entity for financial gain (malicious).

Exfiltrating data requires points of egress where data or information can be transferred to outside entities. Three popular types of data-egress points include network (e.g., cloud storage, webmail, social media, and SSH); removable media (e.g., USB flash drives, DVD-RW, and smartphones); and physical (e.g., printers, copiers, and fax machines). (An expanded list of data egress points can be found in the Common Sense Guide to Mitigating Insider Threats.)


Although not the most frequent type of exfiltration, cloud storage is a rapidly emerging route for extracting an organization's data or information. Preventing this type of exfiltration is complicated since organizations typically do not control the physical network infrastructure that their services use. Organizations should carefully monitor and restrict access to cloud services, for example, by proxying all network traffic and implementing block lists.
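One way to review proxy logs against a block list, as described above. This is an added example, not from the original post or the Common Sense Guide; the log layout, domain names, and 50 MB threshold are assumptions, and the sample lines are constructed. It goes one step further than the block list and also totals uploads to hosts the list does not yet cover.

```python
import re
from collections import defaultdict

# Assumed block list of cloud-storage and webmail domains (constructed names).
BLOCKED_DOMAINS = {"storage.example", "webmail.example"}
UPLOAD_METHODS = {"POST", "PUT"}
UPLOAD_ALERT_BYTES = 50 * 1024 * 1024  # assumed threshold per user and host

# Assumed log layout: timestamp user method host bytes_sent action
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "
    r"(?P<sent>\d+) (?P<action>ALLOWED|DENIED)$"
)

# Constructed sample log lines, including one malformed entry.
SAMPLE_LOG = """\
2016-12-05T09:14:02Z alice POST files.storage.example 1048576 DENIED
2016-12-05T09:15:40Z bob GET intranet.corp.example 512 ALLOWED
2016-12-05T09:20:11Z carol PUT uploads.unlisted.example 41943040 ALLOWED
2016-12-05T09:31:55Z carol PUT uploads.unlisted.example 31457280 ALLOWED
2016-12-05T09:40:00Z dave POST notstorage.example 2048 ALLOWED
this line is malformed
"""

def is_blocked(host, blocked=BLOCKED_DOMAINS):
    """Match a listed domain or any of its subdomains, never a bare string suffix."""
    host = host.lower().split(":")[0].rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocked)

def review(log_text):
    """Return (block-list hits, large upload totals, lines that failed to parse)."""
    blocked, unparsed = [], []
    sent = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed.append(line)  # keep for follow-up instead of dropping silently
            continue
        if is_blocked(m["host"]):
            blocked.append((m["user"], m["host"], m["action"]))
        elif m["method"] in UPLOAD_METHODS:
            sent[(m["user"], m["host"])] += int(m["sent"])
    large = {k: v for k, v in sent.items() if v >= UPLOAD_ALERT_BYTES}
    return blocked, large, unparsed

if __name__ == "__main__":
    for name, result in zip(("blocked", "large uploads", "unparsed"), review(SAMPLE_LOG)):
        print(name, result)
```

Unparsed lines are returned rather than discarded so that a change in the proxy's log format shows up as a review item and not as a gap in coverage.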

A potential mitigation strategy for this type of exfiltration can be implemented using virtual machines and specialized agents that can be deployed to measure user activity. The right cloud infrastructure can help minimize the window of opportunity for exfiltration and promptly detect it if it happens.

Removable Media

Using removable media is one of the most popular mechanisms used for data exfiltration. Since these media devices can store so much data on such a small piece of hardware, it is no surprise that data exfiltration using them is so common. To mitigate this type of exfiltration, organizations should use tracking information in their operating system to piece together removable media activity on a system.

Organizations should develop and disseminate a bring-your-own-device (BYOD) policy to establish guidelines for their employees. The first step is to educate employees on the risks of data exfiltration and how easy it can be to mismanage company data. To directly disable removable media or USB devices, for example, organizations can use Active Directory Group Policy settings to completely disable the capacity to copy data or information to flash drives. Commercial tools can apply more fine-grained controls, such as allowing file copies but requiring further review when snapshotting a file. Another method of controlling file copies is to require that a trusted employee perform the actual copy operation only after it has been approved and is on a provisioned USB device.


The most basic physical exfiltration methods are still commonplace and easy to use. Organizations should closely monitor printers, scanners, copiers, and fax machines to ensure that employees are not using them to exfiltrate data. Logs of printed documents should be retained, and these logs should be audited to closely monitor activity. To better control authorized devices for storing company data, organizations should have a policy that requires employees to use only company-owned media devices for transferring files.

Refer to the complete fifth edition of the Common Sense Guide to Mitigating Insider Threats for a comprehensive understanding of the issues and recommendations mentioned in this post.

Check back next week to read Practice 20: Develop a comprehensive employee termination procedure, or subscribe to a feed of the Insider Threat blog to be alerted when a new post is available.

For more information about the CERT Insider Threat Center, see, or contact us at
