Preventions
- Home
- - Preventions
- -PV003
- ID: PV003
- Created: 25th May 2024
- Updated: 14th June 2024
- Contributor: The ITM Team
Enforce an Acceptable Use Policy
An Acceptable Use Policy (AUP) is a set of rules outlining acceptable and unacceptable uses of an organization's computer systems and network resources. It acts as a deterrent to prevent employees from conducting illegitimate activities by clearly defining expectations, reinforcing legal and ethical standards, establishing accountability, specifying consequences for violations, and promoting education and awareness about security risks.
Sections
ID | Name | Description |
---|---|---|
IF007 | Unlawfully Accessing Copyrighted Material | A subject unlawfully accesses copyrighted material, such as pirated media or illegitimate streaming sites. |
IF008 | Inappropriate Web Browsing | A subject accesses web content that is deemed inappropriate by the organization. |
IF009 | Installing Unapproved Software | A subject installs unapproved software on a corporate device, contravening internal policies on acceptable use of company equipment. |
IF002 | Exfiltration via Physical Medium | A subject may exfiltrate data via a physical medium, such as a removable drive. |
IF003 | Exfiltration via Media Capture | A subject uses an external device, such as a mobile phone or camera, to record audio, photos, or video to capture media. |
IF004 | Exfiltration via Other Network Medium | A subject exfiltrates files through a network. A network can be an Internet Protocol (IP) network or other technology enabling the communication of data between two or more digital devices. |
IF011 | Providing Access to a Unauthorized Third Party | A subject intentionally provides system or data access to a third party that is not authorized to access it. |
ME006 | Web Access | A subject can access the web with an organization device. |
MT008 | Lack of Awareness | A subject is unaware that they are prohibited from accessing and exfiltrating or destroying sensitive data or otherwise contravening internal policies. |
MT011 | Hubris | A subject accesses and exfiltrates or destroys sensitive data or otherwise contravenes internal policies with the aim to successfully defeat controls in order to demonstrate ability and/or skill. |
IF017 | Excessive Personal Use | A subject uses organizational resources, such as internet access, email, or work devices, for personal activities both during and outside work hours, exceeding reasonable personal use. This leads to reduced productivity, increased security risks, and the potential mixing of personal and organizational data, ultimately affecting the organization’s efficiency and overall security. |
IF018 | Sharing on AI Chatbot Platforms | A subject interacts with a public Artificial Intelligence (AI) chatbot (such as ChatGPT and xAI Grok), leading to the intentional or unintentional sharing of sensitive information. |
AF016 | Uninstalling Software | The subject uninstalls software, which may also remove relevant artifacts from the system's disk, such as regsitry keys or files necessary for the software to run, preventing them from being used by investigators to track activity. |
MT019 | Rogue Nationalism | A subject, driven by excessive pride in their nation, country, or region, undertakes actions that harm an organization. These actions are self-initiated and conducted unilaterally, without instruction or influence from legitimate authorities within their nation, country, region, or any other third party. The subject often perceives their actions as acts of loyalty or as benefiting their homeland.
While the subject may believe they are acting in their nation’s best interest, their actions frequently lack strategic foresight and can result in significant damage to the organization. |
ME018 | Aiding and Abetting | An individual or individuals knowingly assist a subject to gain access to devices, systems, or services that hold sensitive information, or otherwise contravene internal policies. |
ME023 | Sensitivity Label Leakage | Sensitivity label leakage refers to the exposure or misuse of classification metadata—such as Microsoft Purview Information Protection (MIP) sensitivity labels—through which information about the nature, importance, or confidentiality of a file is unintentionally or deliberately disclosed. While the underlying content of the document may remain encrypted or otherwise protected, the presence and visibility of sensitivity labels alone can reveal valuable contextual information to an insider.
This form of leakage typically occurs when files labeled with sensitivity metadata are transferred to insecure locations, shared with unauthorized parties, or surfaced in logs, file properties, or collaboration tool interfaces. Labels may also be leaked through misconfigured APIs, email headers, or third-party integrations that inadvertently expose metadata fields. The leakage of sensitivity labels can help a malicious insider identify and prioritize high-value targets or navigate internal systems with greater precision, without needing immediate access to the protected content.
Examples of Use:
|
ME024 | Access | A subject holds access to both physical and digital assets that can enable insider activity. This includes systems such as databases, cloud platforms, and internal applications, as well as physical environments like secure office spaces, data centers, or research facilities. When a subject has access to sensitive data or systems—especially with broad or elevated privileges—they present an increased risk of unauthorized activity.
Subjects in roles with administrative rights, technical responsibilities, or senior authority often have the ability to bypass controls, retrieve restricted information, or operate in areas with limited oversight. Even standard user access, if misused, can facilitate data exfiltration, manipulation, or operational disruption. Weak access controls—such as excessive permissions, lack of segmentation, shared credentials, or infrequent reviews—further compound this risk by enabling subjects to exploit access paths that should otherwise be limited or monitored.
Furthermore, subjects with privileged or strategic access may be more likely to be targeted for recruitment by external parties to exploit their position. This can include coercion, bribery, or social engineering designed to turn a trusted insider into an active participant in malicious activities. |
IF007.001 | Downloading Copyrighted Material | A subject uses a website or peer-to-peer (P2P) network (such as BitTorrent) to unlawfully download copyrighted material. |
IF007.002 | Streaming Copyrighted Material | A subject accesses a website that allows for the unauthorized streaming of copyrighted material. |
IF007.003 | Distributing Copyrighted Material | A subject uses a website or peer-to-peer (P2P) network (such as BitTorrent) to unlawfully distribute copyrighted material. |
IF008.001 | Lawful Pornography | A subject accesses lawful pornographic material from an organization device, contravening internal policies on acceptable use of organization equipment. |
IF008.005 | Gambling | A subject accesses or participates in online gambling from a corporate device, contravening internal policies on acceptable use of company equipment. |
IF008.006 | Inappropriate Usage of Social Media | A subject misuses social media platforms to engage in activities that violate organizational policies, compromise security, disclose confidential information, or damage the organization’s reputation. This includes sharing sensitive data, making unauthorized statements, engaging in harassment or bullying, or undertaking any actions that could risk the organization’s digital security or public image. |
IF008.007 | Gaming | A subject accesses or participates in web-based online gaming from a corporate device, contravening internal policies on acceptable use of company equipment. |
IF008.008 | Other Inappropriate Content | A subject accesses other inappropriate web content from a corporate device, contravening internal policies on acceptable use of company equipment. |
PR003.001 | Installing Virtual Machines | A subject installs a hypervisor that allows them to create and access virtual environments on a device. |
PR003.003 | Installing Browsers | A subject can install an unapproved browser with features that frustrate or prevent preventions or detections, such as built-in VPN, Tor access, or automatic browser artifact destruction. |
PR003.002 | Installing VPN Applications | A subject installs a VPN application that allows them to tunnel their traffic. |
PR003.004 | Installing Browser Extensions | A subject can install unapproved browser extensions that provide additional features and functionality to the browser. |
PR003.005 | Installing Cloud Storage Applications | A subject can install an unapproved cloud storage application that has the ability to sync files across the Internet. |
PR003.006 | Installing Note-Taking Applications | A subject installs an unapproved note taking application with the ability to sync notes across the Internet. |
PR003.007 | Installing Messenger Applications | A subject installs an unapproved messenger application with the ability to transmit data and/or files across the Internet. |
PR003.008 | Installing SSH Clients | A subject installs a Secure Shell (SSH) client, which can be used to access SSH servers across a network. |
PR003.009 | Installing FTP Clients | A subject installs a File Transfer Protocol (FTP) client which can be used to access FTP servers across the a network. |
PR003.010 | Installing RDP Clients | A subject installs a Remote Desktop Protocol (RDP) client which can be used to access RDP servers across a network. |
PR003.011 | Installing Screen Sharing Software | A subject installs screen sharing software which can be used to capture images or other information from a target system. |
IF001.004 | Exfiltration via Webhook | A subject may use an existing, legitimate external Web service to exfiltrate data |
IF001.001 | Exfiltration via Cloud Storage | A subject uses a cloud storage service, such as Dropbox, OneDrive, or Google Drive to exfiltrate data. They will then access that service again on another device to retrieve the data. Examples include (URLs have been sanitized):
|
IF001.002 | Exfiltration via Code Repository | A subject uses a code repository service, such as GitHub, to exfiltrate data. They will then access that service again on another device to retrieve the data. Examples include (URLs have been sanitized):
|
IF001.003 | Exfiltration via Text Storage Sites | A subject uses a text storage service, such as Pastebin, to exfiltrate data. They will then access that service again on another device to retrieve the data. Examples include (URLs have been sanitized):
|
IF002.001 | Exfiltration via USB Mass Storage Device | A subject exfiltrates data using a USB-connected mass storage device, such as a USB flash drive or USB external hard-drive. |
IF002.002 | Exfiltration via Physical Access to System Drive | A subject exfiltrates data by retrieving the physical drive used by a system. |
IF002.003 | Exfiltration via New Internal Drive | A subject exfiltrates data by connecting an additional drive to a system using the Serial Advanced Technology Attachment (SATA) interface on a motherboard, and copying files to the new storage device. |
IF002.004 | Exfiltration via Floppy Disk | A subject exfiltrates data using a floppy disk drive. |
IF003.001 | Exfiltration via Photography | A subject uses a device, such as a mobile phone or camera, to take photos containing sensitive information. |
IF003.002 | Exfiltration via Video Capture | A subject uses an external device, such as a mobile phone or camera, to take video recordings containing sensitive information. |
IF003.003 | Exfiltration via Audio Capture | A subject uses an external device, such as a mobile phone or camera, to take record audio containing sensitive information, such as conversations. |
IF004.001 | Exfiltration via Bluetooth | A subject exfiltrates files using BlueTooth as the transportation medium. |
IF004.002 | Exfiltration via AirDrop | A subject exfiltrates files using AirDrop as the transportation medium. |
IF005.001 | Exfiltration via Installed Messaging Application | A subject exfiltrates information using a messaging application that is already installed on the system. They will access the conversation at a later date to retrieve information on a different system. |
IF005.002 | Exfiltration via Web-Based Messaging Application | A subject exfiltrates information using a web-based messaging application that is accessed through a web browser. They will access the conversation at a later date to retrieve information on a different system. |
ME006.001 | Webmail | A subject can access personal webmail services in a browser. |
ME006.002 | Cloud Storage | A subject can access personal cloud storage in a browser. |
ME006.003 | Inappropriate Websites | A subject can access websites containing inappropriate content. |
ME006.004 | Note-Taking Websites | A subject can access external note-taking websites (Such as Evernote). |
ME006.005 | Messenger Services | A subject can access external messenger web-applications with the ability to transmit data and/or files. |
IF004.003 | Exfiltration via Personal NAS Device | A subject exfiltrates data using an organization-owned device (such as a laptop) by copying the data from the device to a personal Network Attached Storage (NAS) device, which is attached to a network outside of the control of the organization, such as a home network. Later, using a personal device, the subject accesses the NAS to retrieve the exfiltrated data. |
IF002.006 | Exfiltration via USB to USB Data Transfer | A USB to USB data transfer cable is a device designed to connect two computers directly together for the purpose of transferring files between them. These cables are equipped with a small electronic circuit to facilitate data transfer without the need for an intermediate storage device. Typically a USB to USB data transfer cable will require specific software to be installed to facilitate the data transfer. In the context of an insider threat, a USB to USB data transfer cable can be a tool for exfiltrating sensitive data from an organization's environment. |
IF001.005 | Exfiltration via Note-Taking Web Services | A subject uploads confidential organization data to a note-taking web service, such as Evernote. The subject can then access the confidential data outside of the organization from another device. Examples include (URLs have been sanitized):
|
ME006.007 | Text Storage Websites | A subject can access external text storage websites, such as Pastebin. |
IF004.004 | Exfiltration via Screen Sharing Software | A subject exfiltrates data outside of the organization's control using the built-in file transfer capabilities of software such as Teamviewer. |
IF018.001 | Exfiltration via AI Chatbot Platform History | A subject intentionally submits sensitive information when interacting with a public Artificial Intelligence (AI) chatbot (such as ChatGPT and xAI Grok). They will access the conversation at a later date to retrieve information on a different system. |
IF018.002 | Reckless Sharing on AI Chatbot Platforms | A subject recklessly interacts with a public Artificial Intelligence (AI) chatbot (such as ChatGPT and xAI Grok), leading to the inadvertent sharing of sensitive information. The submission of sensitive information to public AI platforms risks exposure due to potential inadequate data handling or security practices. Although some platforms are designed not to retain specific personal data, the reckless disclosure could expose the information to unauthorized access and potential misuse, violating data privacy regulations and leading to a loss of competitive advantage through the exposure of proprietary information. |
IF002.010 | Exfiltration via Bring Your Own Device (BYOD) | A subject connects their personal device, under a Bring Your Own Device (BYOD) policy, to organization resources, such as on-premises systems or cloud-based platforms. By leveraging this access, the subject exfiltrates sensitive or confidential data. This unauthorized data transfer can occur through various means, including copying files to the personal device, sending data via email, or using cloud storage services. |
PR015.004 | Bulk Email Collection | A subject creates an email collection file such as a Personal Storage Table (PST) file or an MBOX file to copy an entire mailbox or subset of a mailbox containing sensitive information. |
IF022.002 | PII Leakage (Personally Identifiable Information) | PII (Personally Identifiable Information) leakage refers to the unauthorized disclosure, exposure, or mishandling of information that can be used to identify an individual, such as names, addresses, phone numbers, national identification numbers, financial data, or biometric records. In the context of insider threat, PII leakage may occur through negligence, misconfiguration, policy violations, or malicious intent.
Insiders may leak PII by sending unencrypted spreadsheets via email, exporting user records from customer databases, misusing access to HR systems, or storing sensitive personal data in unsecured locations (e.g., shared drives or cloud storage without proper access controls). In some cases, PII may be leaked unintentionally through logs, collaboration platforms, or default settings that fail to mask sensitive fields.
The consequences of PII leakage can be severe—impacting individuals through identity theft or financial fraud, and exposing organizations to legal penalties, reputational harm, and regulatory sanctions under frameworks such as GDPR, CCPA, or HIPAA.
Examples of Infringement:
|
IF022.003 | PHI Leakage (Protected Health Information) | PHI Leakage refers to the unauthorized, accidental, or malicious exposure, disclosure, or loss of Protected Health Information (PHI) by a healthcare provider, health plan, healthcare clearinghouse (collectively, "covered entities"), or their business associates. Under the Health Insurance Portability and Accountability Act (HIPAA) in the United States, PHI is defined as any information that pertains to an individual’s physical or mental health, healthcare services, or payment for those services that can be used to identify the individual. This includes medical records, treatment history, diagnosis, test results, and payment details.
HIPAA imposes strict regulations on how PHI must be handled, stored, and transmitted to ensure that individuals' health information remains confidential and secure. The Privacy Rule within HIPAA outlines standards for the protection of PHI, while the Security Rule mandates safeguards for electronic PHI (ePHI), including access controls, encryption, and audit controls. Any unauthorized access, improper sharing, or accidental exposure of PHI constitutes a breach under HIPAA, which can result in significant civil and criminal penalties, depending on the severity and nature of the violation.
In addition to HIPAA, other countries have established similar protections for PHI. For example, the General Data Protection Regulation (GDPR) in the European Union protects personal health data as part of its broader data protection laws. Similarly, Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) governs the collection, use, and disclosure of personal health information by private-sector organizations. Australia also has regulations under the Privacy Act 1988 and the Health Records Act 2001, which enforce stringent rules for the handling of health-related personal data.
This infringement occurs when an insider—whether maliciously or through negligence—exposes PHI in violation of privacy laws, organizational policies, or security protocols. Such breaches can involve unauthorized access to health records, improper sharing of medical information, or accidental exposure of sensitive health data. These breaches may result in severe legal, financial, and reputational consequences for the healthcare organization, including penalties, lawsuits, and loss of trust.
Examples of Infringement:
|
IF023.002 | Sanction Violations | Sanction violations involve the direct or indirect engagement in transactions with individuals, entities, or jurisdictions that are subject to government-imposed sanctions. These restrictions are typically enforced by regulatory bodies such as the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), the United Nations, the European Union, and equivalent authorities in other jurisdictions.
Unlike export violations, which focus on the control of goods and technical data, sanction violations concern the status of the receiving party. A breach occurs when a subject facilitates, authorizes, or executes transactions that provide economic or material support to a sanctioned target—this includes sending payments, delivering services, providing access to infrastructure, or sharing non-controlled information with a restricted party.
Insiders may contribute to sanction violations by bypassing compliance checks, falsifying documentation, failing to screen third-party recipients, or deliberately concealing the sanctioned status of a partner or entity. Such conduct can occur knowingly or as a result of negligence, but in either case, it exposes the organization to serious legal and financial consequences.
Regulatory enforcement for sanctions breaches may result in significant penalties, asset freezes, criminal prosecution, and reputational damage. Organizations are required to maintain robust compliance programs to monitor and prevent insider-driven violations of international sanctions regimes. |
IF023.003 | Anti-Trust or Anti-Competition | Anti-trust or anti-competition violations occur when a subject engages in practices that unfairly restrict or distort market competition, violating laws designed to protect free market competition. These violations can involve a range of prohibited actions, such as price-fixing, market division, bid-rigging, or the abuse of dominant market position. Such behavior typically aims to reduce competition, manipulate pricing, or create unfair advantages for certain businesses or individuals.
Anti-competition violations may involve insiders leveraging their position to engage in anti-competitive practices, often for personal or corporate gain. These violations can result in significant legal and financial penalties, including fines and sanctions, as well as severe reputational damage to the organization involved.
Examples of Anti-Trust or Anti-Competition Violations:
Regulatory Framework:
Anti-trust or anti-competition laws are enforced globally by various regulatory bodies. In the United States, the Federal Trade Commission (FTC) and the Department of Justice (DOJ) regulate anti-competitive behavior under the Sherman Act, the Clayton Act, and the Federal Trade Commission Act. In the European Union, the European Commission enforces anti-trust laws under the Treaty on the Functioning of the European Union (TFEU) and the Competition Act. |
ME024.003 | Access to Critical Environments (Production and Pre-Production) | Subjects with access to production and pre-production environments—whether as users, developers, or administrators—hold the potential to exploit or compromise highly sensitive organizational assets. Production environments, which host live applications and databases, are critical to business operations and often contain real-time data, including proprietary business information and personally identifiable information (PII). A subject with access to these systems can manipulate operational processes, exfiltrate sensitive data, introduce malicious code, or degrade system performance.
Pre-production environments, used for testing, staging, and development, often replicate production systems, though they may contain anonymized or less protected data. Despite this, pre-production environments can still house sensitive configurations, APIs, and testing data that can be exploited. A subject with access to these environments may uncover system vulnerabilities, access sensitive credentials, or introduce code that could be escalated into the production environment.
In both environments, privileged access provides a direct pathway to the underlying infrastructure, system configurations, logs, and application code. For example, administrative access allows manipulation of security policies, user permissions, and system-level access controls. Similarly, access to development environments can provide insights into source code, configuration management, and test data—all of which could be leveraged to further insider activity.
Subjects with privileged access to critical environments are positioned not only to exploit system vulnerabilities or bypass security controls but also to become targets for recruitment by external actors seeking unauthorized access to sensitive information. These individuals may be approached or coerced to intentionally compromise the environment, escalate privileges, or exfiltrate data on behalf of malicious third parties.
Given the sensitivity of these environments, subjects with privileged access represent a significant insider threat to the integrity of the organization's systems and data. Their position allows them to manipulate or exfiltrate sensitive information, either independently or in collaboration with external actors. The risk is further amplified as these individuals may be vulnerable to recruitment or coercion, making them potential participants in malicious activities that compromise organizational security. As insiders, their knowledge and access make them a critical point of concern for both data protection and operational security. |
ME024.004 | Access to Physical Hardware | Subjects with physical access to critical hardware—such as data center infrastructure, on-premises servers, network appliances, storage arrays, or specialized equipment like CCTV and alarm systems—represent a significant insider threat due to their ability to bypass logical controls and interact directly with systems. This level of access can facilitate a wide range of security compromises, many of which are difficult to detect through conventional digital monitoring.
Physical access may also include proximity to sensitive areas such as network closets, on-premises server racks, backup repositories, or control systems in operational technology (OT) environments. In high-security settings, even brief unsupervised access can be exploited to compromise system integrity or enable ongoing unauthorized access.
With this type of access, a subject can:
In operational environments, subjects with access to physical control systems (e.g., ICS/SCADA components, industrial HMIs, or IoT gateways) may alter processes, cause service disruptions, or create safety hazards. Similarly, access to CCTV or badge systems may allow them to erase footage, monitor employee movements, or manipulate access control logs.
Subjects with this form of access represent an elevated risk, especially when combined with technical knowledge or administrative privileges. The risk is compounded in environments with limited physical security controls, inadequate logging of physical entry, or weak segmentation between physical and digital assets. |
ME024.005 | Access to Physical Spaces | Subjects with authorized access to sensitive physical spaces—such as secure offices, executive areas, data centers, SCIFs (Sensitive Compartmented Information Facilities), R&D labs, or restricted zones in critical infrastructure—pose an increased insider threat due to their physical proximity to sensitive assets, systems, and information.
Such spaces often contain high-value materials or information, including printed sensitive documents, whiteboard plans, authentication devices (e.g., smartcards or tokens), and unattended workstations. A subject with physical presence in these locations may observe confidential conversations, access sensitive output, or physically interact with devices outside of typical security monitoring.
This type of access can be leveraged to:
Subjects in roles that involve frequent presence in sensitive locations—such as cleaning staff, security personnel, on-site engineers, or facility contractors—may operate outside the scope of standard digital access control and may not be fully visible to security teams focused on network activity.
Importantly, individuals with this kind of access are also potential targets for recruitment or coercion by external threat actors seeking insider assistance. The ability to physically access secure environments and passively gather high-value information makes them attractive assets in coordinated attempts to obtain or compromise protected information.
The risk is magnified in organizations lacking comprehensive physical access policies, surveillance, or cross-referencing of physical and digital access activity. When unmonitored, physical access can provide a silent pathway to support insider operations without leaving traditional digital footprints. |
ME025.002 | Leadership and Influence Over Direct Reports | A subject with a people management role holds significant influence over their direct reports, which can be leveraged to conduct insider activities. As a leader, the subject is in a unique position to shape team dynamics, direct tasks, and control the flow of information within their team. This authority presents several risks, as the subject may:
In addition to these immediate risks, subjects in people management roles may also have the ability to recruit individuals from their team for insider activities, subtly influencing them to support illicit actions or help cover up their activities. By fostering a sense of loyalty or manipulating interpersonal relationships, the subject may encourage compliance with unethical actions, making it more difficult for others to detect or challenge the behavior.
Given the central role that managers play in shaping team culture and operational practices, the risks posed by a subject in a management position are compounded by their ability to both directly influence the behavior of others and manipulate processes for personal or malicious gain. |