SC-7 (10) - Prevent Unauthorized Exfiltration

Control requirements

SC-7 (10) - 0

The organization prevents the unauthorized exfiltration of information across managed interfaces.

Implementation guidance

See the resources that follow to learn more about how to implement this control.

• Accessing the public internet
• Connecting application provider to the management VPC
• Connectivity to IBM Cloud services with private endpoints
• Consumer connectivity to workload VPC
• Creating and connecting the management and workload VPCs

IBM Cloud for Financial Services profile

The rules related to this control that follow are part of the IBM Cloud for Financial Services v1.2.0 profile in IBM Cloud® Security and Compliance Center.

• Check whether Security Groups for VPC contains no outbound rules in security groups that specify source IP 8.8.8.8/32 to DNS port
• Check whether Virtual Private Cloud (VPC) has no public gateways attached
• Check whether all virtual server instances have at least one Virtual Private Cloud (VPC) security group attached
• Check whether Virtual Private Cloud (VPC) has no public gateways attached at the time of provisioning
• Check whether account has at least one VPN or Direct Link configured
• Check whether Virtual Private Cloud (VPC) classic access is disabled
• Check whether Virtual Private Cloud (VPC) has no rules in the default security group
• Check whether all network interfaces of a virtual server instance have at least one Virtual Private Cloud (VPC) security group attached
• Check whether Virtual Servers for VPC instance has the minimum # interfaces
• Check whether Virtual Private Cloud (VPC) has no subnet with public gateway attached
• Check whether Virtual Private Cloud (VPC) security groups have outbound ports that are open only to permitted IP addresses
• Check whether Virtual Private Cloud (VPC) is configured with public gateways that are provisionable only within permitted zones
• Check whether Virtual Private Cloud (VPC) network access control lists don't allow egress from 0.0.0.0/0 to any port

NIST supplemental guidance

Safeguards implemented by organizations to prevent unauthorized exfiltration of information from information systems include, for example: (i) strict adherence to protocol formats; (ii) monitoring for beaconing from information systems; (iii) monitoring for steganography; (iv) disconnecting external network interfaces except when explicitly needed; (v) disassembling and reassembling packet headers; and (vi) employing traffic profile analysis to detect deviations from the volume/types of traffic expected within organizations or call backs to command and control centers. Devices enforcing strict adherence to protocol formats include, for example, deep packet inspection firewalls and XML gateways. These devices verify adherence to protocol formats and specification at the application layer and serve to identify vulnerabilities that cannot be detected by devices operating at the network or transport layers. This control enhancement is closely associated with cross-domain solutions and system guards enforcing information flow requirements.