Additionally, the security team could periodically capture wireless traffic from within the borders of a facility and use free and commercial analysis tools to determine whether the wireless traffic was transmitted using weaker protocols or encryption than the organization mandates. When devices that are relying on weak wireless security settings are identified, they should be found within the organization’s asset inventory and either reconfigured more securely or denied access to the agency network.
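The wireless audit described above, as an added example that is not part of the Critical Controls text: a script that takes the summary of a periodic capture (BSSID, SSID, observed security mode), flags every network weaker than the mandated minimum, and matches each flagged BSSID against the asset inventory so it can be routed to "reconfigure" or "deny access". The survey records, the policy minimum (WPA2-CCMP), the strength ranking and the inventory are all constructed sample data.

```python
# Added example (not from the Critical Controls document): audit a wireless survey for
# networks using weaker security than policy allows, then match flagged BSSIDs against
# an asset inventory so each can be reconfigured or denied access to the network.
# Survey records, policy minimum, strength ranking and inventory are constructed data.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed ranking, weakest to strongest, used only for comparison against policy.
STRENGTH = {"OPEN": 0, "WEP": 1, "WPA-TKIP": 2, "WPA2-TKIP": 3, "WPA2-CCMP": 4, "WPA3-SAE": 5}

# Policy assumption: WPA2 with CCMP (AES) is the minimum the organization mandates.
MINIMUM_SECURITY = "WPA2-CCMP"

# Constructed output of a capture-analysis tool: (BSSID, SSID, observed security mode).
SURVEY: List[Tuple[str, str, str]] = [
    ("00:11:22:33:44:01", "corp-staff",  "WPA2-CCMP"),
    ("00:11:22:33:44:02", "corp-legacy", "WEP"),
    ("00:11:22:33:44:03", "corp-guest",  "OPEN"),
    ("00:11:22:33:44:04", "corp-iot",    "WPA2-TKIP"),
    ("aa:bb:cc:dd:ee:ff", "linksys",     "WPA-TKIP"),
]

# Constructed asset inventory keyed by BSSID; a BSSID not listed here is not ours.
INVENTORY = {
    "00:11:22:33:44:01": "Building A AP-1",
    "00:11:22:33:44:02": "Building A AP-2 (lab)",
    "00:11:22:33:44:03": "Building B guest AP",
    "00:11:22:33:44:04": "Warehouse AP",
}


@dataclass
class Finding:
    bssid: str
    ssid: str
    security: str
    asset: Optional[str]  # inventory name, or None when the BSSID is not in inventory


def is_weaker_than_policy(security: str, minimum: str = MINIMUM_SECURITY) -> bool:
    """True if the observed mode ranks below the mandated minimum.
    Unknown or unparsed modes rank below everything so they get reviewed, not ignored."""
    return STRENGTH.get(security.upper(), -1) < STRENGTH[minimum]


def audit_survey(survey, inventory, minimum: str = MINIMUM_SECURITY) -> List[Finding]:
    """Return one Finding per network whose security is below policy, in survey order."""
    findings = []
    for bssid, ssid, security in survey:
        if is_weaker_than_policy(security, minimum):
            findings.append(Finding(bssid, ssid, security, inventory.get(bssid.lower())))
    return findings


def recommended_action(finding: Finding) -> str:
    """Inventory hit: it is our device, so reconfigure it. No hit: deny it network access."""
    return "reconfigure" if finding.asset else "deny-access"


if __name__ == "__main__":
    for f in audit_survey(SURVEY, INVENTORY):
        owner = f.asset or "NOT IN INVENTORY"
        print(f"{f.bssid}  {f.ssid:<12} {f.security:<10} {owner:<22} -> {recommended_action(f)}")
```

In practice the SURVEY list would be replaced by the parsed output of whatever capture-analysis tool the team uses, and the inventory lookup would query the organization's asset database; the decision logic stays the same.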
Critical Control 15: Data Leakage Protection
How do attackers exploit the lack of this control?
Attackers have exfiltrated more than 20 terabytes of often sensitive data from Department of Defense and Defense Industrial Base (i.e., contractors doing business with the DoD) organizations. Yet, in most cases, the victims had no clue that huge amounts of sensitive data were leaving their site – because they were not monitoring data outflows. The movement of data across network boundaries both electronically and physically must be carefully scrutinized to minimize its exposure to attackers.
How can this control be implemented, automated, and its effectiveness measured?
QW: Set up and enforce rules and policies regarding the use of social network sites, posting information on the commercial web sites, and sharing account information, all of which could be useful for an attacker.
QW: Configure firewalls and proxies to enforce limits on the file sizes that can be transferred. Allow large file transfers only after prior registration with security personnel.
QW: Deny communications with (or limit data flow to) known malicious IP addresses (black lists) or limit access to trusted sites (white lists). Periodically, test packets from bogon source IP addresses should be sent into the network to verify that they are not transmitted through network perimeters. Lists of bogon addresses (unroutable or otherwise unused IP addresses) are publicly available on the Internet from various sources, and indicate a series of IP addresses that should not be used for legitimate traffic traversing the Internet.
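The two quick wins above (file-size limits with prior registration, and black-list plus bogon filtering), as one added example that is not part of the Critical Controls text: a checker run over constructed perimeter log records that reports outbound transfers above the size limit that were not pre-registered, outbound flows to a black-listed address, and inbound packets whose source is a bogon, which the perimeter should have dropped. The log format, the 100 MiB limit, the black list entry and the registered-transfer table are assumptions; the bogon ranges are the IPv4 special-purpose blocks reserved by the RFCs, and a real deployment would load the current list from a maintained source, as the text says, rather than hard-coding it.

```python
# Added example (not from the Critical Controls document): apply three egress/perimeter
# checks to constructed firewall/proxy log records:
#   1. outbound flow to a black-listed ("known malicious") destination,
#   2. outbound transfer above the file-size limit with no prior registration,
#   3. inbound packet whose source is a bogon, which should never cross the perimeter.
# Log format, size limit, black list and registration table are constructed assumptions.
import ipaddress
from typing import Dict, List

# IPv4 special-purpose / reserved blocks (RFC 1122, 1918, 5737, 6598, 6890 and related).
# A production check should load the current bogon list from a maintained source instead.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.88.99.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed policy values.
MAX_TRANSFER_BYTES = 100 * 1024 * 1024              # 100 MiB allowed without registration
BLOCKLIST = {"198.51.100.77"}                       # constructed "known malicious" address
REGISTERED_TRANSFERS = {("10.1.2.3", "203.0.113.10")}  # (src, dst) approved by security staff

# Constructed log lines: timestamp then key=value fields. Sizes are 150 MiB where large.
LOG_LINES = """\
2024-05-01T10:00:01Z dir=out src=10.1.2.3 dst=203.0.113.10 bytes=157286400
2024-05-01T10:00:02Z dir=out src=10.1.2.4 dst=203.0.113.10 bytes=157286400
2024-05-01T10:00:03Z dir=out src=10.1.2.5 dst=198.51.100.77 bytes=512
2024-05-01T10:00:04Z dir=in src=192.168.50.9 dst=203.0.113.2 bytes=60
2024-05-01T10:00:05Z dir=out src=10.1.2.6 dst=203.0.113.20 bytes=4096
""".splitlines()


def parse_record(line: str) -> Dict[str, object]:
    """Parse 'ts k=v k=v ...' into a dict; timestamp under 'ts', bytes converted to int."""
    ts, *fields = line.split()
    rec: Dict[str, object] = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    rec["bytes"] = int(rec.get("bytes", 0))  # type: ignore[arg-type]
    return rec


def is_bogon(addr: str) -> bool:
    """True if addr falls in any reserved/unroutable block above."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGON_NETS)


def check_record(rec: Dict[str, object]) -> List[str]:
    """Return the policy violations for one record (empty list when it is clean)."""
    findings: List[str] = []
    if rec["dir"] == "in" and is_bogon(str(rec["src"])):
        findings.append("bogon-source")          # perimeter should have dropped this
    if rec["dir"] == "out":
        if rec["dst"] in BLOCKLIST:
            findings.append("blocklisted-destination")
        large = int(rec["bytes"]) > MAX_TRANSFER_BYTES  # type: ignore[call-overload]
        if large and (rec["src"], rec["dst"]) not in REGISTERED_TRANSFERS:
            findings.append("unregistered-large-transfer")
    return findings


def audit(lines) -> Dict[str, List[str]]:
    """Map each offending record's timestamp to its list of violations."""
    results: Dict[str, List[str]] = {}
    for line in lines:
        rec = parse_record(line)
        violations = check_record(rec)
        if violations:
            results[str(rec["ts"])] = violations
    return results


if __name__ == "__main__":
    for ts, violations in audit(LOG_LINES).items():
        print(ts, ", ".join(violations))
```

The registered 150 MiB transfer from 10.1.2.3 passes, the identical transfer from an unregistered host does not, and the inbound packet with a private (RFC 1918) source is exactly the kind of bogon test packet the text says should be injected to confirm the perimeter filters it; if a record like that appears on the inside of the boundary, the filter is not working.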