The data exfiltration threat of connected devices

By Rolf Haas on Dec 01, 2015

Businesses are already struggling to keep pace in the fight against well-resourced and sophisticated cybercrime attacks. One of the growing and evolving threats in this security landscape is data exfiltration.

What is data exfiltration? At a basic level it is essentially data loss or data theft, but it is more nuanced than that. Data exfiltration attacks can be carried out externally or by malicious insiders, and the aim in both cases is usually to copy and transfer sensitive data out of an organisation without detection.

That’s why we are seeing a growth in advanced persistent threats (APTs), where criminals quietly hide on a corporate network waiting for the opportunity to steal information, something they may do over a long period without being detected. Exfiltration techniques used by attackers include compressing data and splitting it into small chunks that individually escape detection.

But there is another growing data exfiltration threat that many organisations are unaware of and unprepared for. This threat centres on ‘smart’ sensors and devices and the whole Internet of Things (IoT) ecosystem. While these smart devices can revolutionise supply chains and enable huge efficiency savings, among other benefits, they also introduce a significant security risk. The reason is that many of these devices were never designed to be connected directly to the internet and don’t have enterprise-grade security built into them.

Let’s take the example of a cold drinks vending machine in a staff canteen. Many of these are now IP-enabled and can send an email to their supplier when they need restocking or repairing. As an attacker I could potentially use this vending machine as a jump base to exfiltrate sensitive data as an email attachment out of the organisation without detection. And that’s not in the realms of fantasy. Just last year a botnet was discovered that used internet-connected appliances, including fridges, to send out spam emails.

The software for this new wave of smart devices and appliances typically uses old technology. Because they have an IP address and network connectivity, they are simply added to the regular corporate network. With only a basic operating system there is often no way to patch or apply software updates to these devices. Yet, worryingly, they remain fully functional and can be hijacked by an attacker.

We are seeing these kinds of connected devices starting to appear all over an organisation, for functions such as building and facilities management – think lighting, heating and entry systems. Every device in this kind of connected building management setup has some intelligence – such as an email client or a web service – that can potentially be used by an attacker to store or exfiltrate data.

Nor is it only about data being stolen for its own value as intellectual property. In some cases the data is useful for planning a physical attack. If a criminal gains access to the CCTV pictures from your environment, they could be used to work out when the building is empty. Telemetry data from the facilities management system could likewise reveal when the cleaners have finished at night and there is no movement in the building.

The crux of the problem with these connected devices and the growing IoT infrastructure is that organisations have no security visibility into them. Most of these simple IP-enabled devices and sensors don’t keep log files and don’t create the traditional ‘indicators of compromise’ that can raise an alert about suspicious activity. Organisations risk flying blind as they connect more and more devices to their network.

How can enterprises tackle these data exfiltration threats as their infrastructure becomes more connected than ever before?

Increasingly, data loss prevention (DLP) software is being used to tackle this, but I would argue that the starting point is encryption. If you don’t encrypt sensitive data on an employee’s laptop, for example, then DLP software makes no sense. This applies not just to laptops but to internal servers as well.

Sometimes it is simply not possible to implement DLP on these basic connected devices. In those cases one tactic is two-layer authentication control for applications, which freezes a system in a known state so that no malware can execute and no other process can take data.

On top of that, or in parallel, organisations can use a gateway solution – a device placed physically between the network and the connected device itself – where the type of data going out can be monitored.

It comes down to a combination of a DLP solution at the endpoint and hardened application or gateway control software to monitor applications and data and prevent exfiltration.
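As an added illustration of the gateway approach described above (example code written for this page, not McAfee’s or any product’s own): a per-device egress policy applied to constructed flow records, which flags unexpected destinations, oversized transfers and, through the per-window total, data that has been chunked into small pieces. Device names, hosts and thresholds are all assumptions.

```python
# Added example: an egress policy check of the kind a gateway between the network and
# a connected device could apply. Not McAfee's code; all names and thresholds are constructed.
from collections import defaultdict

# Per-device policy: allowed (destination, port) pairs and byte limits per flow and per window.
POLICY = {
    "vending-machine": {
        "allowed": {("mail.supplier.example", 25)},
        "max_flow_bytes": 20_000,     # a restock e-mail is tiny; attachments are not expected
        "max_window_bytes": 100_000,  # total egress tolerated in one monitoring window
    },
    "hvac-controller": {
        "allowed": {("bms.vendor.example", 443)},
        "max_flow_bytes": 50_000,
        "max_window_bytes": 200_000,
    },
}

def check_egress(flows):
    """Return (device, reason) alerts for flows that violate POLICY.
    Each flow is a dict with device, dst, dport, bytes_out. The per-window total is what
    catches data split into many small transfers that look harmless one at a time."""
    alerts = []
    totals = defaultdict(int)
    for f in flows:
        dev = f["device"]
        rule = POLICY.get(dev)
        if rule is None:
            alerts.append((dev, "unknown device sending outbound traffic"))
            continue
        if (f["dst"], f["dport"]) not in rule["allowed"]:
            alerts.append((dev, f"unexpected destination {f['dst']}:{f['dport']}"))
        if f["bytes_out"] > rule["max_flow_bytes"]:
            alerts.append((dev, f"oversized transfer of {f['bytes_out']} bytes"))
        totals[dev] += f["bytes_out"]
    for dev, total in totals.items():
        if total > POLICY[dev]["max_window_bytes"]:
            alerts.append((dev, f"window total of {total} bytes exceeds policy"))
    return alerts

# Constructed sample: a normal restock mail, a large attachment sent to an outside host,
# and eight small HVAC uploads that only stand out in aggregate.
SAMPLE_FLOWS = [
    {"device": "vending-machine", "dst": "mail.supplier.example", "dport": 25, "bytes_out": 2_400},
    {"device": "vending-machine", "dst": "drop.example.net", "dport": 25, "bytes_out": 4_800_000},
] + [
    {"device": "hvac-controller", "dst": "bms.vendor.example", "dport": 443, "bytes_out": 30_000}
    for _ in range(8)
]
```

Calling `check_egress(SAMPLE_FLOWS)` yields four alerts: the vending machine’s unexpected destination, its oversized transfer, its window total, and the HVAC controller’s window total, which no single 30 kB flow would have triggered.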

Over the next decade there will be, by a factor of 10, more IP addresses and things connected to the internet than there are humans on the planet. This is one of the biggest challenges facing security, and it requires a different approach from traditional enterprise ‘office’ security.

To find out more about data exfiltration, read our report Grand Theft Data.

About the Author

Rolf Haas

Rolf Haas is a Senior Enterprise Technology Specialist focused on Data and Cloud Protection at McAfee. With more than 20 years of experience in IT Security, Rolf has built up extensive technical knowledge in different ICT Security areas. He provides structured and innovative approaches to solving complex technical issues, as well as solutions and responses ...
