Data leakage has become a hot topic in information security. But what if you can't afford the tools that are specifically designed to keep employees from intentionally or mistakenly leaking private or valuable corporate data to the outside? It turns out there are some creative ways to use what you have (or can easily get) to tackle the problem.

Data can leak from a network in many ways, and the focus here will be on understanding what exits your network and how it can best be protected. Other leakage issues, such as lost, unencrypted USB drives or laptops, will not be discussed.

The Beginning: browsing

The place to start is with the fundamentals. When was the last time you sat down and had a good look at your network? This sounds like a huge, unorganized waste of time, but you might be surprised.

Open up whatever tool fits your needs (Windows or Mac Explorer, Samba for Linux) and spend some random time checking out what you have out there. You probably have an asset inventory that is always up to date and captures everything, but sometimes it takes looking at the same thing in a different way to truly understand what is out there.

Manual browsing also allows you to do some things that you wouldn't normally pick up in an asset management system, such as finding open file shares or other resources that may provide data. Multi-purpose scan/fax/print machines are one such repository that aren't treated like normal repositories with appropriate permissions and such.

If browsing isn't your thing, then how about nmap? The Network Mapper, written by Gordon "Fyodor" Lyon, has been around for a long time. It has many uses, one of which is literally mapping out what you have on your network. So, for example, say you wanted to see what systems were available on a particular class B subnet using just ping. You might issue the following command:

nmap -v -sP 10.150.1-255.1.255 -oN scan_results

This would then report back the list of hosts, up and down, into a file called "scan_results". The entries would look something like this excerpt:

Host 10.150.9.153 appears to be down.
Host monkey (10.150.9.154) appears to be up.
MAC Address: 00:13:21:60:17:28 (Hewlett Packard)

Any IP address that doesn't have a live host associated with it reports as down. The second entry, monkey, did respond to the probe with the IP address and in this case, since we were on the same subnet as the one scanned, the MAC address with the associated card manufacturer. Already, with just this little scan, we have learned we have a lot more printers than we thought were available, as well as some other interesting responses to investigate later. This is just the start.