Preventions
- ID: PV003
- Created: 25th May 2024
- Updated: 14th June 2024
- Contributor: The ITM Team
Enforce an Acceptable Use Policy
An Acceptable Use Policy (AUP) is a set of rules outlining acceptable and unacceptable uses of an organization's computer systems and network resources. It acts as a deterrent to prevent employees from conducting illegitimate activities by clearly defining expectations, reinforcing legal and ethical standards, establishing accountability, specifying consequences for violations, and promoting education and awareness about security risks.
Sections
ID | Name | Description |
---|---|---|
IF007 | Unlawfully Accessing Copyrighted Material | A subject unlawfully accesses copyrighted material, such as pirated media or illegitimate streaming sites. |
IF008 | Inappropriate Web Browsing | A subject accesses web content that is deemed inappropriate by the organization. |
IF009 | Installing Unapproved Software | A subject installs unapproved software on a corporate device, contravening internal policies on acceptable use of company equipment. |
IF002 | Exfiltration via Physical Medium | A subject may exfiltrate data via a physical medium, such as a removable drive. |
IF003 | Exfiltration via Media Capture | A subject uses an external device, such as a mobile phone or camera, to record audio, photos, or video to capture media. |
IF004 | Exfiltration via Other Network Medium | A subject exfiltrates files through a network. A network can be an Internet Protocol (IP) network or other technology enabling the communication of data between two or more digital devices. |
IF011 | Providing Access to an Unauthorized Third Party | A subject intentionally provides system or data access to a third party that is not authorized to access it. |
ME006 | Web Access | A subject can access the web with an organization device. |
MT008 | Lack of Awareness | A subject is unaware that they are prohibited from accessing and exfiltrating or destroying sensitive data or otherwise contravening internal policies. |
MT011 | Hubris | A subject accesses and exfiltrates or destroys sensitive data or otherwise contravenes internal policies with the aim to successfully defeat controls in order to demonstrate ability and/or skill. |
IF017 | Excessive Personal Use | A subject uses organizational resources, such as internet access, email, or work devices, for personal activities both during and outside work hours, exceeding reasonable personal use. This leads to reduced productivity, increased security risks, and the potential mixing of personal and organizational data, ultimately affecting the organization’s efficiency and overall security. |
IF018 | Sharing on AI Chatbot Platforms | A subject interacts with a public Artificial Intelligence (AI) chatbot (such as ChatGPT and xAI Grok), leading to the intentional or unintentional sharing of sensitive information. |
AF016 | Uninstalling Software | The subject uninstalls software, which may also remove relevant artifacts from the system's disk, such as registry keys or files necessary for the software to run, preventing them from being used by investigators to track activity. |
IF007.001 | Downloading Copyrighted Material | A subject uses a website or peer-to-peer (P2P) network (such as BitTorrent) to unlawfully download copyrighted material. |
IF007.002 | Streaming Copyrighted Material | A subject accesses a website that allows for the unauthorized streaming of copyrighted material. |
IF007.003 | Distributing Copyrighted Material | A subject uses a website or peer-to-peer (P2P) network (such as BitTorrent) to unlawfully distribute copyrighted material. |
IF008.001 | Lawful Pornography | A subject accesses lawful pornographic material from an organization device, contravening internal policies on acceptable use of organization equipment. |
IF008.005 | Gambling | A subject accesses or participates in online gambling from a corporate device, contravening internal policies on acceptable use of company equipment. |
IF008.006 | Inappropriate Usage of Social Media | A subject misuses social media platforms to engage in activities that violate organizational policies, compromise security, disclose confidential information, or damage the organization’s reputation. This includes sharing sensitive data, making unauthorized statements, engaging in harassment or bullying, or undertaking any actions that could risk the organization’s digital security or public image. |
IF008.007 | Gaming | A subject accesses or participates in web-based online gaming from a corporate device, contravening internal policies on acceptable use of company equipment. |
IF008.008 | Other Inappropriate Content | A subject accesses other inappropriate web content from a corporate device, contravening internal policies on acceptable use of company equipment. |
PR003.001 | Installing Virtual Machines | A subject installs a hypervisor that allows them to create and access virtual environments on a device. |
PR003.003 | Installing Browsers | A subject can install an unapproved browser with features that frustrate or defeat preventions and detections, such as a built-in VPN, Tor access, or automatic destruction of browser artifacts. |
PR003.002 | Installing VPN Applications | A subject installs a VPN application that allows them to tunnel their traffic. |
PR003.004 | Installing Browser Extensions | A subject can install unapproved browser extensions that provide additional features and functionality to the browser. |
PR003.005 | Installing Cloud Storage Applications | A subject can install an unapproved cloud storage application that has the ability to sync files across the Internet. |
PR003.006 | Installing Note-Taking Applications | A subject installs an unapproved note taking application with the ability to sync notes across the Internet. |
PR003.007 | Installing Messenger Applications | A subject installs an unapproved messenger application with the ability to transmit data and/or files across the Internet. |
PR003.008 | Installing SSH Clients | A subject installs a Secure Shell (SSH) client, which can be used to access SSH servers across a network. |
PR003.009 | Installing FTP Clients | A subject installs a File Transfer Protocol (FTP) client which can be used to access FTP servers across a network. |
PR003.010 | Installing RDP Clients | A subject installs a Remote Desktop Protocol (RDP) client which can be used to access RDP servers across a network. |
PR003.011 | Installing Screen Sharing Software | A subject installs screen sharing software which can be used to capture images or other information from a target system. |
IF001.004 | Exfiltration via Webhook | A subject may use an existing, legitimate external web service to exfiltrate data. |
IF001.001 | Exfiltration via Cloud Storage | A subject uses a cloud storage service, such as Dropbox, OneDrive, or Google Drive to exfiltrate data. They will then access that service again on another device to retrieve the data. |
IF001.002 | Exfiltration via Code Repository | A subject uses a code repository service, such as GitHub, to exfiltrate data. They will then access that service again on another device to retrieve the data. |
IF001.003 | Exfiltration via Text Storage Sites | A subject uses a text storage service, such as Pastebin, to exfiltrate data. They will then access that service again on another device to retrieve the data. |
IF002.001 | Exfiltration via USB Mass Storage Device | A subject exfiltrates data using a USB-connected mass storage device, such as a USB flash drive or USB external hard-drive. |
IF002.002 | Exfiltration via Physical Access to System Drive | A subject exfiltrates data by retrieving the physical drive used by a system. |
IF002.003 | Exfiltration via New Internal Drive | A subject exfiltrates data by connecting an additional drive to a system using the Serial Advanced Technology Attachment (SATA) interface on a motherboard, and copying files to the new storage device. |
IF002.004 | Exfiltration via Floppy Disk | A subject exfiltrates data using a floppy disk drive. |
IF003.001 | Exfiltration via Photography | A subject uses a device, such as a mobile phone or camera, to take photos containing sensitive information. |
IF003.002 | Exfiltration via Video Capture | A subject uses an external device, such as a mobile phone or camera, to take video recordings containing sensitive information. |
IF003.003 | Exfiltration via Audio Capture | A subject uses an external device, such as a mobile phone or camera, to record audio containing sensitive information, such as conversations. |
IF004.001 | Exfiltration via Bluetooth | A subject exfiltrates files using Bluetooth as the transportation medium. |
IF004.002 | Exfiltration via AirDrop | A subject exfiltrates files using AirDrop as the transportation medium. |
IF005.001 | Exfiltration via Installed Messaging Application | A subject exfiltrates information using a messaging application that is already installed on the system. They will access the conversation at a later date to retrieve information on a different system. |
IF005.002 | Exfiltration via Web-Based Messaging Application | A subject exfiltrates information using a web-based messaging application that is accessed through a web browser. They will access the conversation at a later date to retrieve information on a different system. |
ME006.001 | Webmail | A subject can access personal webmail services in a browser. |
ME006.002 | Cloud Storage | A subject can access personal cloud storage in a browser. |
ME006.003 | Inappropriate Websites | A subject can access websites containing inappropriate content. |
ME006.004 | Note-Taking Websites | A subject can access external note-taking websites (such as Evernote). |
ME006.005 | Messenger Services | A subject can access external messenger web-applications with the ability to transmit data and/or files. |
IF004.003 | Exfiltration via Personal NAS Device | A subject exfiltrates data using an organization-owned device (such as a laptop) by copying the data from the device to a personal Network Attached Storage (NAS) device, which is attached to a network outside of the control of the organization, such as a home network. Later, using a personal device, the subject accesses the NAS to retrieve the exfiltrated data. |
IF002.006 | Exfiltration via USB to USB Data Transfer | A USB to USB data transfer cable is a device designed to connect two computers directly together for the purpose of transferring files between them. These cables are equipped with a small electronic circuit to facilitate data transfer without the need for an intermediate storage device. Typically a USB to USB data transfer cable will require specific software to be installed to facilitate the data transfer. In the context of an insider threat, a USB to USB data transfer cable can be a tool for exfiltrating sensitive data from an organization's environment. |
IF001.005 | Exfiltration via Note-Taking Web Services | A subject uploads confidential organization data to a note-taking web service, such as Evernote. The subject can then access the confidential data outside of the organization from another device. |
ME006.007 | Text Storage Websites | A subject can access external text storage websites, such as Pastebin. |
IF004.004 | Exfiltration via Screen Sharing Software | A subject exfiltrates data outside of the organization's control using the built-in file transfer capabilities of software such as TeamViewer. |
IF018.001 | Exfiltration via AI Chatbot Platform History | A subject intentionally submits sensitive information when interacting with a public Artificial Intelligence (AI) chatbot (such as ChatGPT and xAI Grok). They will access the conversation at a later date to retrieve information on a different system. |
IF018.002 | Reckless Sharing on AI Chatbot Platforms | A subject recklessly interacts with a public Artificial Intelligence (AI) chatbot (such as ChatGPT and xAI Grok), leading to the inadvertent sharing of sensitive information. The submission of sensitive information to public AI platforms risks exposure due to potential inadequate data handling or security practices. Although some platforms are designed not to retain specific personal data, the reckless disclosure could expose the information to unauthorized access and potential misuse, violating data privacy regulations and leading to a loss of competitive advantage through the exposure of proprietary information. |
IF002.010 | Exfiltration via Bring Your Own Device (BYOD) | A subject connects their personal device, under a Bring Your Own Device (BYOD) policy, to organization resources, such as on-premises systems or cloud-based platforms. By leveraging this access, the subject exfiltrates sensitive or confidential data. This unauthorized data transfer can occur through various means, including copying files to the personal device, sending data via email, or using cloud storage services. |