Means
Ability to Modify Cloud Resources
Access
Aiding and Abetting
Asset Control
Bluetooth
Bring Your Own Device (BYOD)
Clipboard
Delegated Access via Managed Service Providers
FTP Servers
Installed Software
Media Capture
Network Attached Storage
Physical Disk Access
Placement
Printing
Privileged Access
Removable Media
Screenshots and Screen Recording
Sensitivity Label Leakage
SMB File Sharing
SSH Servers
System Startup Firmware Access
Unmanaged Credential Storage
Unrestricted Software Installation
Unrevoked Access
Web Access
- ID: ME008
- Created: 25th May 2024
- Updated: 01st August 2025
- Contributor: The ITM Team
Network Attached Storage
A subject can write to a Network Attached Storage (NAS) device outside the organization’s control. In remote or hybrid settings, the subject’s ability to access NAS devices on their personal LAN — from a corporate-managed endpoint — introduces a persistent and often unmonitored risk vector.
These consumer-grade platforms (e.g., Synology, QNAP, WD My Cloud) fall outside the scope of organizational governance, yet remain fully accessible when the subject is working from home. If reachable, they provide a standing means to stage, duplicate, or transfer sensitive enterprise data.
This capability is particularly dangerous when VPN configurations permit split tunneling, unintentionally allowing local subnet access alongside corporate resources. Even in the absence of deliberate misuse, the continued accessibility of these unmanaged file-sharing services expands the subject’s technical means and circumvention potential.
Prevention
ID | Name | Description |
---|---|---|
PV058 | Consistent Enforcement of Minor Violations | Establish and maintain processes where all policy violations, including those perceived as minor or low-impact, are addressed consistently, proportionately, and promptly. By reinforcing that even small infractions matter, organizations deter boundary testing behaviors and reduce the risk of escalation into more serious incidents.
Implementation Approaches
Operational Principles
|
PV020 | Data Loss Prevention Solution | A Data Loss Prevention (DLP) solution refers to policies, technologies, and controls that prevent the accidental and/or deliberate loss, misuse, or theft of data by members of an organization. Typically, DLP technology would take the form of a software agent installed on organization endpoints (such as laptops and servers).
Typical DLP technology will alert on the potential loss of data, or activity which might indicate the potential for data loss. A DLP technology may also provide automated responses to prevent data loss on a device. |
PV001 | No Ready System-Level Mitigation | This section cannot be readily mitigated at a system level with preventive controls since it is based on the abuse of fundamental features of the system. |
Detection
ID | Name | Description |
---|---|---|
DT045 | Agent Capable of User Activity Monitoring | An agent capable of User Activity Monitoring (UAM) is a software agent installed on organization endpoints (such as laptops); typically, User Activity Monitoring agents are only deployed on endpoints where a human user Is expected to conduct the activity.
The User Activity Monitoring agent will typically record Operating System, application, and network activity occurring on an endpoint, with a focus on activity that is or can be conducted by a human user. The purpose of this monitoring is to identify undesirable and/or malicious activity being conducted by a human user (in this context, an Insider Threat).
Typical User Activity Monitoring platforms operate in an agent/server model where activity logs are sent to a server for automatic correlation against a rule set. This rule set is used to surface activity that may represent Insider Threat related activity such as capturing screenshots, copying data, compressing files or installing risky software.
Other platforms providing related functionality are frequently referred to as User Behaviour Analytics (UBA) platforms. |
DT047 | Agent Capable of User Behaviour Analytics | An agent capable of User Behaviour Analytics (UBA) is a software agent installed on organizational endpoints (such as laptops). Typically, User Activity Monitoring agents are only deployed on endpoints where a human user is expected to conduct the activity.
The User Behaviour Analytics agent will typically record Operating System, application, and network activity occurring on an endpoint, focusing on activity that is or can be conducted by a human user. Typically, User Behaviour Analytics platforms operate in an agent/server model where activity logs are sent to a server for automatic analysis. In the case of User Behaviour Analytics, this analysis will typically be conducted against a baseline that has previously been established.
A User Behaviour Analytic platform will typically conduct a period of ‘baselining’ when the platform is first installed. This baselining period establishes the normal behavior parameters for an organization’s users, which are used to train a Machine Learning (ML) model. This ML model can then be later used to automatically identify activity that is predicted to be an anomaly, which is hoped to surface user behavior that is undesirable, risky, or malicious.
Other platforms providing related functionality are frequently referred to as User Activity Monitoring (UAM) platforms. |
DT048 | Data Loss Prevention Solution | A Data Loss Prevention (DLP) solution refers to policies, technologies, and controls that prevent the accidental and/or deliberate loss, misuse, or theft of data by members of an organization. Typically, DLP technology would take the form of a software agent installed on organization endpoints (such as laptops and servers).
Typical DLP technology will alert on the potential loss of data, or activity which might indicate the potential for data loss. A DLP technology may also provide automated responses to prevent data loss on a device. |