Do You (Un)knowingly Exfiltrate?

Blog Post created by rapidmb Employee on Feb 20, 2013

A few weeks ago, Twitter was buzzing about new and interesting Google Hacks. If you've been visiting this community for more than a day, you probably know this already: a Google Hack is a search query crafted to surface data that a search engine has indexed but that was never meant to be public, granting (supposedly) unauthorized access to protected data. In this latest iteration, the query is used to locate private SSH keys that developers have committed to Github repositories. Of course, this problem isn't limited to Github.


This raises the question: Do you (un)knowingly exfiltrate sensitive data?


On internal networks, this type of attack is especially effective when a Google search appliance is allowed to catalog file systems using privileged credentials (did you just configure the Google box with Domain Admin creds?). The appliance indexes everything the crawl account can read, and the search front end then hands those results to anyone who can reach it. On an assessment, these appliances are spectacular things to find because they inevitably identify the password spreadsheet that everyone swears doesn't exist. As an added bonus to the penetration tester, the search interface is typically configured not to require user authentication.


As a security professional, I'm fascinated by the idea of sensitive information (secret formulae, strategic data, etc.) and the lengths we'll go to protect it. Yes, I'm easily fascinated (I spent 30 minutes chasing a butterfly before finishing this post). At the same time, as a penetration tester I have seen through the veneer of information security goals to the underlying reality of our technical defense strategies. From direct experience then, I can confidently say, "it ain't pretty down there."


Given this, the non-technical (read: boring) elements of defense-in-depth become important.


For example, every organization should understand the scope and value of its data as an asset. In practice, few do. Even where they do (law firms, drug companies, etc.), they often don't understand how the data are transmitted or otherwise used within the organization. They are unaware, for example, that the finance department routinely sends incredibly sensitive figures over unmonitored channels like email or instant messaging.


I know, I know. Like the mythical password spreadsheet, That Never Happens.


But what if it does happen? How are the information owners supposed to know that the information is considered valuable? Further, how can information security professionals detect when these data are leaving our networks? Certainly, technologies such as Data Loss Prevention (DLP) can be deployed. As with IDS/IPS, these systems require a great deal of manual tuning: the people doing the tuning need to know every form the sensitive information takes (a PEM-encoded private key, a spreadsheet with a "password" column, a formula pasted into a PDF), or the system will either miss it or bury the analysts in false positives. Truly understanding the full scope of "sensitive data" therefore requires thoughtful discussion with a variety of your organization's end users. Other approaches include having a thorough penetration test performed, or waiting until somebody writes a blog post about your sensitive data.
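To make the tuning problem concrete, here is a minimal content inspector in the spirit of a DLP rule set. It is an added example, not code from the original post or from any DLP product, and every rule in it is an assumption about what "sensitive" means for one hypothetical organization. The sample messages are constructed (the "key" body is filler, not real key material). It scores two high-confidence patterns (a PEM private-key header, a delimited table with a password-like column) and one low-confidence pattern (credential vocabulary), and shows why the loose rule alone must not block: the helpdesk reminder trips it and is harmless.

```python
"""
Minimal DLP-style content inspector (added example, not the post's own code).
Rules below are illustrative assumptions; tune them to your own data.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    rule: str
    confidence: str   # "high" or "low"
    excerpt: str


# High confidence: PEM private-key header (OpenSSH, PKCS#1 RSA/DSA/EC,
# PKCS#8 plain or encrypted). Very low false-positive rate.
PRIVATE_KEY_RE = re.compile(
    r"-----BEGIN (?:(?:OPENSSH|RSA|DSA|EC|ENCRYPTED) )?PRIVATE KEY-----"
)

# High confidence: a header cell that names a password-like column.
PASSWORD_COLUMN_RE = re.compile(r"^(?:pass(?:word|wd)?|pwd|secret)$", re.I)

# Low confidence: credential vocabulary. Every helpdesk mail mentions
# passwords, so on its own this is noise and only contributes a weak signal.
CREDENTIAL_WORD_RE = re.compile(r"\b(?:password|passwd|credentials?)\b", re.I)


def _find_password_table(text: str) -> Optional[str]:
    """Return the header row of a delimited table that has a password-like
    column and at least one data row with the same number of cells."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for i, line in enumerate(lines[:-1]):
        for delim in (",", ";", "\t"):
            if delim not in line:
                continue
            headers = [h.strip() for h in line.split(delim)]
            if any(PASSWORD_COLUMN_RE.match(h) for h in headers):
                if len(lines[i + 1].split(delim)) == len(headers):
                    return line
    return None


def inspect(text: str) -> List[Finding]:
    """Run every rule over one outbound message and collect findings."""
    findings: List[Finding] = []
    key = PRIVATE_KEY_RE.search(text)
    if key:
        findings.append(Finding("private_key", "high", key.group(0)))
    header = _find_password_table(text)
    if header:
        findings.append(Finding("password_spreadsheet", "high", header))
    else:
        word = CREDENTIAL_WORD_RE.search(text)
        if word:
            findings.append(Finding("credential_keyword", "low", word.group(0)))
    return findings


def should_block(findings: List[Finding], min_high: int = 1, min_low: int = 2) -> bool:
    """Policy knob: one strong hit blocks; weak hits must accumulate."""
    high = sum(f.confidence == "high" for f in findings)
    low = sum(f.confidence == "low" for f in findings)
    return high >= min_high or low >= min_low


# Constructed samples, not captured traffic. The key body is filler.
SAMPLE_KEY_EMAIL = """Hi, here is the deploy key for the build box:
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAAFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKE
-----END OPENSSH PRIVATE KEY-----
"""
SAMPLE_SPREADSHEET = """system,username,password
vpn,alice,Summer2013!
backup-nas,admin,ChangeMe1
"""
SAMPLE_HELPDESK = """Reminder: the password reset portal moves to the new intranet on Monday.
Call the service desk if your credentials stop working.
"""

if __name__ == "__main__":
    for name, sample in [("key email", SAMPLE_KEY_EMAIL),
                         ("spreadsheet", SAMPLE_SPREADSHEET),
                         ("helpdesk", SAMPLE_HELPDESK)]:
        found = inspect(sample)
        verdict = "BLOCK" if should_block(found) else "allow"
        print(f"{name:12s} {verdict:5s} {[(f.rule, f.confidence) for f in found]}")
```

The `min_low` threshold is the tuning knob the paragraph is talking about: drop it to 1 and the helpdesk reminder gets blocked along with the real leaks, raise it and a chat message that says "password is on the shared drive" sails through. Neither setting is right until someone from finance, legal and the helpdesk has told you what their traffic actually looks like.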


Do you have a favorite method for discovering exfiltrated data? Please don't hesitate to send it our way.