BSides Boston 2016

Since Edward Snowden’s extensive data exfiltration from a high-security NSA environment, there has been heightened focus on data exfiltration - not only from government and defense environments but also from security-conscious industries such as finance, health-care, insurance, etc. While much of Edward Snowden’s exfiltration is thought to have required elevated privileges such as access as a system administrator, today’s industry leaders are also concerned about regular employees and are asking the question ‘how easy would it be for an employee or vendor with only ‘user-level’ privileges and minimal IT training to exfiltrate data?’

In the author’s experience as an IT auditor at dozens of security-conscious environments, the answer to that question is that data can easily be exfiltrated by employees with little or no IT training. Further, and importantly, most organizations have little or no effective detective controls that would alert or detect such data loss.

This presentaion explores the top 10 data exfiltration methods that can be accomplished with only ‘user-level’ privileges and that are routinely overlooked in security-conscious industries.