Posted by Software and Information Assurance
Many organizations allow limited personal use of organizational equipment. To move personal data to or from the organization's devices and network, employees typically use email, removable media, or cloud storage--the same channels a malicious insider would use for data exfiltration. This post explores a new way, based on cross-domain solutions, for employees to safely transfer personal data between an organization's network and their own systems.
Dtex Systems' 2017 Insider Threat Intelligence Report found that 56% of surveyed organizations faced potential data theft from new and departing employees. During the first two weeks of employment, new employees imported large amounts of data; during the final two weeks of employment, departing employees had unusual file aggregations.
A personal data channel provides a legitimate way for non-malicious employees to transfer personal data to and from the organization's network. For example, a user who downloads recipes on a work computer might want to move these recipes to a home system for use. With this approach, the user would submit a request to move the personal data outside the organization's network. The data would be examined and, if acceptable, moved to a separate, permission-controlled directory. The user would then copy the data in this directory to storage outside the network.
This approach makes malicious or unintentional exfiltration of data by traditional channels easier to spot. It also provides intelligence that could later be used to detect malicious activity.
Any approach to moving personal data needs to prioritize the confidentiality, integrity, and availability of the organization's critical assets. Cross-domain solutions (CDS) provide an information assurance (IA) model for transferring data between security domains of different sensitivity. To move data from the secured side to the unsecured side in a CDS, the user must give IA personnel the location of the files and affirm that the data is unclassified. The IA team verifies this claim, moves the data, and tells the user where to access it.
Now, let's build a model of personal data movement. The inside of the network is the secured side, where the user's personal data resides. The outside is the unsecured side--the Internet.
Based on the CDS model, events flow through the system as shown in Figure 1.
Figure 1: Personal data movement between an internal network and the Internet
This approach shows how data can move effectively and securely from inside an organization to the outside. A similar approach could be used to move data in the reverse direction. For example, a user might find a work-related article while browsing on a home system and wish to send it to a work system for future reference. In this direction, the scanner should look for malware and for keywords that identify a competitor's documents, to catch an insider from another company bringing that company's information into yours.
Personal data channels help organizations manage the flow of non-malicious personal information into and out of their networks. Removing legitimate personal data from potential exfiltration paths reduces false-positive indicators of malicious activity. Personal email addresses collected by the channel can be used in insider threat investigations, if policy allows. The names of files rejected by the scanner can be fed to data loss prevention (DLP) and user activity monitoring (UAM) tools as potential alert triggers.
However, this approach is not without drawbacks. Malicious insiders could hide organizational data within personal data (steganography) and use the organization's own security channel against itself. To combat this, the approval process for personal data channels could incorporate behavioral analysis and a check on the size and number of files being sent. Any request that surpasses a combined threshold for these two mechanisms could trigger an alert, and the scanner can additionally check that each file's contents match its declared type, since a file whose header does not match its extension is a common sign of a disguised container.
In addition, if this approach is not properly architected, it could become a denial-of-service vector: an automated flood of requests could fill the staging disk and keep the scanner busy. To mitigate this risk, the system should be monitored, staged files should be removed after a predetermined timeout, and each user should be held to a quota of pending requests.
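The following is an added illustration of the approval step described above (the submit-scan-stage-expire flow, the size/count and behavioral thresholds, and the timeout cleanup). It is example code written for this post, not code from the original article or from any CDS product. The thresholds, the organizational markers (`CONFIDENTIAL`, `PROJECT ORION`), the 24-hour retention window, and the sample files are all constructed for the demonstration; a real deployment would tune them to its own DLP policy.

```python
"""Toy approval engine for a personal data channel (added example, hypothetical policy values)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hashlib
import os
import re
import statistics

# Hypothetical policy knobs; an organization would set these from its own DLP rules.
MAX_FILES_PER_REQUEST = 20
MAX_BYTES_PER_REQUEST = 50 * 1024 * 1024
RETENTION = timedelta(hours=24)
# Constructed markers that indicate organizational rather than personal data.
ORG_MARKERS = [re.compile(rb"\bCONFIDENTIAL\b"), re.compile(rb"\bPROJECT[- ]ORION\b")]
# Expected leading bytes for common personal-file types; a mismatch suggests a disguised container.
MAGIC = {".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG", ".pdf": b"%PDF"}


@dataclass
class FileItem:
    name: str
    content: bytes

    def size(self) -> int:
        return len(self.content)

    def sha256(self) -> str:  # recorded so the staged copy can later be tied to DLP/UAM events
        return hashlib.sha256(self.content).hexdigest()


@dataclass
class Decision:
    approved: list = field(default_factory=list)   # file names cleared for the staging directory
    rejected: dict = field(default_factory=dict)   # file name -> reason, usable as DLP/UAM triggers
    alerts: list = field(default_factory=list)     # request-level anomalies for the insider threat team


def scan_file(f: FileItem):
    """Return a rejection reason, or None if the file looks like personal data."""
    for pat in ORG_MARKERS:
        if pat.search(f.content):
            return f"organizational marker {pat.pattern.decode()!r}"
    ext = os.path.splitext(f.name)[1].lower()
    magic = MAGIC.get(ext)
    if magic and not f.content.startswith(magic):
        return f"content does not match {ext} header"
    return None


def evaluate_request(user: str, files: list, history: list) -> Decision:
    """Apply the size/count threshold, a per-user volume baseline, and per-file scanning.

    history is the list of total byte counts of this user's previous requests (behavioral baseline).
    """
    d = Decision()
    total = sum(f.size() for f in files)
    if len(files) > MAX_FILES_PER_REQUEST or total > MAX_BYTES_PER_REQUEST:
        d.alerts.append(f"{user}: request exceeds threshold ({len(files)} files, {total} bytes)")
    if len(history) >= 3:  # need a few past requests before a baseline means anything
        mean = statistics.mean(history)
        sd = statistics.pstdev(history) or 1.0
        if total > mean + 3 * sd:
            d.alerts.append(f"{user}: volume {total} bytes far above baseline mean {mean:.0f}")
    for f in files:
        reason = scan_file(f)
        if reason:
            d.rejected[f.name] = reason
        else:
            d.approved.append(f.name)
    return d


def expire_staged(staged: dict, now: datetime) -> list:
    """Return the names of staged files older than RETENTION, to mitigate disk-filling floods."""
    return [name for name, staged_at in staged.items() if now - staged_at > RETENTION]


if __name__ == "__main__":
    # Constructed sample request: two personal files, two that should be stopped.
    files = [
        FileItem("lasagna.txt", b"Layer pasta, sauce and cheese; bake 45 minutes."),
        FileItem("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 64),
        FileItem("notes.txt", b"Meeting notes, CONFIDENTIAL, Q3 roadmap"),
        FileItem("cat.png", b"budget,forecast,headcount\n2024,1.2M,40\n"),
    ]
    decision = evaluate_request("alice", files, history=[2000, 2500, 3000])
    print("approved:", decision.approved)
    print("rejected:", decision.rejected)
    print("alerts:", decision.alerts)
    staged = {"lasagna.txt": datetime(2024, 1, 1, 9, 0), "holiday.jpg": datetime(2024, 1, 2, 8, 0)}
    print("expire:", expire_staged(staged, datetime(2024, 1, 2, 10, 0)))
```

The rejected-file names are what the post suggests feeding to DLP and UAM tools; the alerts are the combined size/count and behavioral signals, and `expire_staged` is the timeout that keeps the staging directory from being used to fill the disk.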
Using personal data channels to transfer files has benefits for both employees and organizations. Employees have a legitimate path to migrate their personal data. Organizations have better visibility into data flowing into and out of their networks, which facilitates looking for actual insider threats.