Internal threats

Attribution-Noncommercial-Share Alike. Some rights reserved.
by Jordan Bracco
Threats to computer systems can come from outside or inside the corporate network. While most security measures tend to focus on external threats, the behaviour of employees, intentional or not, represents a major risk as well.

Employees

Symantec recently published a study (What's Yours is Mine: How Employees are Putting Your Intellectual Property at Risk) showing that a majority of employees copy corporate data in and out of the network, either on personal devices or in cloud-based storage like Google Drive or Dropbox. The findings of the study are as follows:
  • Employees are moving IP outside the company in all directions
  • When employees change jobs, sensitive business documents often travel with them
  • Employees are not aware they are putting themselves and their companies at risk
  • They attribute ownership of IP to the person who created it
  • Organizations are failing to create a culture of security
This creates many potential leakage points. 

Solutions

Symantec recommends three mitigation measures:
  • Education and awareness
  • Enforcement of NDAs
  • Implementation of monitoring technologies
I would also add that access to sensitive information should be granted on a need-to-know basis.

These are all passive solutions. I would suggest a few active solutions as well:
  • Control the usage of USB ports, ranging from allowing company-approved USB keys only, which come with a usage policy (education), to a flat-out no-USB-storage policy
  • Use IRM (Information Rights Management) solutions to protect confidential files
Active solutions often come with an operational cost, and this needs to be compared against the cost of a leak. They may not be worth their cost for protecting non-sensitive data, but may prove cheap compared to the loss of critical IP or classified information. Some countries make them a requirement for certain levels of classification.

There are other ways data can leave a company's network because of employees.

Operational mistakes

There have been many examples in the past of administrators making mistakes that exposed data to the outside world. Yale University recently exposed the social security numbers of 43,000 of its students when it made them accessible via an unprotected FTP server. Another example is MSD (Ministry of Social Development) in New Zealand, which allowed access to the whole ministry's network via publicly accessible kiosks. Some pretty important material was found there, like information about Care & Protection homes, fraud investigations, debt collection and various admin passwords in clear text...

Solutions

Mistakes can happen. Here again education and awareness are really important, as well as the implementation of monitoring technologies. Another concept is really important here: defence in depth. In the MSD case above, several layers of protection were missing:
  • Network: Publicly accessible kiosks should not have been able to access the Ministry's network
  • Shares: The Ministry's shares should not have been accessible by the user used by the kiosks
  • Folders: The access to the content of such sensitive folders should be limited to specific groups only
  • Files: Finally, an IRM solution would have helped protect these sensitive files
For the same reason we use multi-tier architectures, forbidding users direct access to databases and other data repositories. The database will check that the user has access. The application will check that the user has access. The network will check that the user has access. This way, if one protection layer fails, we still have additional measures to ensure the data is safe.

Attackers

Attackers can try to access data in many different ways. The closer the entry point is to the information they want, the easier the attack. The firewalls and other border network security may be strong, but an attacker can use other ways to get in: social engineering, phishing, malware, etc. There are many 0day exploits out there, and companies are often slow to patch their systems. A smartly worded e-mail will catch a lot of people off guard. A USB key inserted in a computer on a false pretext can easily infect a network if the workstation is poorly protected.

Solutions

As for the other cases, education is paramount. Companies could test their employees by sending phishing e-mails for education purposes. Someone clicking on the link would have to go through the education program again.
  • Protect the information at the information layer, as close as possible to the data. That way, even if an attacker gets access to your internal network, it is not a free-for-all
  • Ensure the antivirus on desktops and servers is always up to date and the signatures are current
  • Monitor failed connection attempts, as once inside an attacker may try to brute-force his way into more protected areas
  • Make sure you have IDS/IPS inside the network as well, not just at the border
  • Finally review the logs! It's useless to have a fancy alarm system if you set it on silent.
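The last two points, watching failed connection attempts from inside the network and actually reading the logs, as a worked detection example added here (not from the original post): it parses constructed sshd-style authentication lines, raises one alert per source that fails five logins inside a sliding sixty-second window, and records whether the source is internal (the RFC 1918 ranges are an assumption), which accounts it tried, and whether a successful login followed the burst.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network
# Constructed sample lines in sshd style; 10.20.30.7 plays an internal host (a kiosk, say).
SAMPLE_LOG = """\
2013-03-01 09:00:01 srv01 sshd[2201]: Failed password for admin from 10.20.30.7 port 50110 ssh2
2013-03-01 09:00:03 srv01 sshd[2202]: Failed password for root from 10.20.30.7 port 50112 ssh2
2013-03-01 09:00:04 srv01 sshd[2203]: Failed password for backup from 10.20.30.7 port 50113 ssh2
2013-03-01 09:00:06 srv01 sshd[2204]: Failed password for admin from 10.20.30.7 port 50115 ssh2
2013-03-01 09:00:09 srv01 sshd[2205]: Failed password for admin from 10.20.30.7 port 50118 ssh2
2013-03-01 09:00:10 srv01 sshd[2206]: Accepted password for admin from 10.20.30.7 port 50119 ssh2
2013-03-01 09:05:00 srv01 sshd[2300]: Failed password for jsmith from 10.20.31.45 port 41000 ssh2
2013-03-01 09:07:30 srv01 sshd[2301]: Accepted password for jsmith from 10.20.31.45 port 41001 ssh2
"""
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)
# Ranges treated as "inside the network" (RFC 1918, an assumption); adjust to your own addressing.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Alert on any source with >= threshold failed logins inside a sliding window,
    noting whether it is internal, which accounts it tried, and whether a success followed."""
    failures = defaultdict(deque)   # src -> (timestamp, user) pairs still inside the window
    alerts = {}                     # src -> alert dict, one alert per source
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # not an authentication event
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        src, user = m["src"], m["user"]
        if m["result"] == "Failed":
            q = failures[src]
            q.append((ts, user))
            while (ts - q[0][0]).total_seconds() > window_seconds:
                q.popleft()         # drop failures that fell out of the window
            if len(q) >= threshold and src not in alerts:
                alerts[src] = {"src": src, "failures": len(q), "success_after": False,
                               "internal": any(ip_address(src) in net for net in INTERNAL),
                               "users": sorted({u for _, u in q})}
        elif src in alerts:
            alerts[src]["success_after"] = True   # failures then success: likely compromise
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the sample data the kiosk address is the only alert: an internal source, three accounts tried, and a successful login right after the burst, which is exactly the pattern that deserves a human look rather than a silent alarm.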
