The problem of insider threats is becoming an increasing burden in information security. You might think of business espionage, competitors who infiltrate a company, or malicious employees who walk off with information. That certainly happens. The reality of insider threats is less spectacular, but unfortunately just as dangerous. It is a delicate issue that is happily ignored: the carelessness of employees. Most companies now run training and awareness programs. And yet mistakes happen again and again. To err remains human.
According to the 2017 Data Breach Investigations Report (DBIR) by Verizon, the majority of insider incidents (60 per cent) involve no bad intentions, but simply mistakes. Mistakes that cost companies on average $800,000 (bit.ly/23xJBDM).
One example that is relatively common in practice is the copy-and-paster: employees who inadvertently scatter confidential or sensitive data across the corporate network, where such files are just waiting to be found. Or an employee wanders into a part of the network that was never intended for his or her eyes, even without evil intent. If this employee has access to the relevant data via his user account, then in an emergency a hacker has that access too: anyone who abuses the user's login credentials.
It is in the nature of man to be more afraid of dramatic risks. In reality, however, it is the far more commonplace threats that eventually turn into disaster. So it is high time to tackle a deadly problem. The following recommendations help companies to change their focus: no longer on the employee, but on something that is easier to control: the data itself.
1. Renounce global access rights
Global access rights are a potentially dangerous weapon. Therefore, they should be used exclusively for information that really is 100% publicly accessible. Many systems provide the option to grant global rights to information through special groups, such as Everyone or Authenticated Users in Windows. When a company grants permissions to such a global access group, this basically means: "I do not care what happens with this data." Indeed, global access rights have been granted to folders where millions of credit card or social security numbers were stored. Therefore, do not use such global access rights.
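As an added example (not code from the article), the following Python script parses the output format of the Windows icacls tool and flags every allow-ACE granted to one of the global groups named above, so an administrator can see at a glance which folders have effectively been opened to the whole company. The icacls output embedded in it is constructed, the CORP domain and the X:\Share paths are assumptions, and the only folder treated as intentionally public is X:\Share\Public.

```python
"""Find ACEs that grant access to "everyone" in icacls output (added example, not from the article)."""
import re
from dataclasses import dataclass

# Constructed sample in the shape of `icacls X:\Share /t` output; not captured from a real server.
SAMPLE_ICACLS_OUTPUT = r"""X:\Share\Public Everyone:(OI)(CI)(RX)
                BUILTIN\Administrators:(OI)(CI)(F)
X:\Share\Finance NT AUTHORITY\Authenticated Users:(OI)(CI)(M)
                 CORP\Finance-RW:(OI)(CI)(M)
                 BUILTIN\Administrators:(OI)(CI)(F)
X:\Share\HR CORP\HR-RO:(OI)(CI)(RX)
            BUILTIN\Users:(I)(OI)(CI)(RX)
X:\Share\Legal CORP\Legal-RW:(OI)(CI)(M)
                 Everyone:(DENY)(OI)(CI)(F)
Successfully processed 4 files; Failed processing 0 files
"""

# Principals that effectively mean "anyone in the company" (compared lower-cased). CORP is an assumed domain.
GLOBAL_PRINCIPALS = {"everyone", "nt authority\\authenticated users", "builtin\\users", "corp\\domain users"}
# icacls inheritance flags; everything else inside the parentheses is a right (F, M, RX, ...).
INHERITANCE_FLAGS = {"I", "OI", "CI", "IO", "NP"}

# First line of an entry: path, a single space, then the first ACE. Continuation lines start with whitespace.
# Assumption: paths contain no spaces, otherwise the path/principal split is ambiguous.
FIRST_LINE_RE = re.compile(r"^(?P<path>.+?) (?P<principal>[^:]+):(?P<flags>(?:\([^)]*\))+)\s*$")
ACE_RE = re.compile(r"^(?P<principal>[^:]+):(?P<flags>(?:\([^)]*\))+)\s*$")


@dataclass
class Finding:
    path: str
    principal: str
    rights: str
    inherited: bool


def parse_icacls(text):
    """Yield (path, principal, flags) for every ACE in icacls output; unknown lines reset the path."""
    path = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():                      # continuation ACE for the previous path
            m = ACE_RE.match(raw.strip())
            if m and path is not None:
                yield path, m["principal"], m["flags"]
            continue
        m = FIRST_LINE_RE.match(raw)
        if m:
            path = m["path"]
            yield path, m["principal"], m["flags"]
        else:
            path = None                           # summary line or something we do not understand


def split_flags(flags):
    """'(I)(OI)(CI)(RX)' -> ['I', 'OI', 'CI', 'RX']."""
    return re.findall(r"\(([^)]*)\)", flags)


def find_global_grants(text):
    """Allow-ACEs for global principals; deny ACEs restrict access and are not reported."""
    findings = []
    for path, principal, flags in parse_icacls(text):
        tokens = split_flags(flags)
        if "DENY" in tokens or principal.lower() not in GLOBAL_PRINCIPALS:
            continue
        rights = ",".join(t for t in tokens if t not in INHERITANCE_FLAGS)
        findings.append(Finding(path, principal, rights, "I" in tokens))
    return findings


def risky_findings(text, public_prefixes=("X:\\Share\\Public",)):
    """Drop hits on folders that are meant to be public; everything left is a candidate for removal."""
    return [f for f in find_global_grants(text) if not f.path.startswith(public_prefixes)]


if __name__ == "__main__":
    for f in risky_findings(SAMPLE_ICACLS_OUTPUT):
        origin = "inherited" if f.inherited else "explicit"
        print(f"{f.path}: {f.principal} has {f.rights} ({origin})")
```

Run against real output (`icacls X:\Share /t > acl.txt`) the script lists the folders whose permissions need to be replaced by group-based grants; the inherited flag tells you whether the fix belongs on the folder itself or on a parent.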
2. Remove too broad permissions
In a recent survey conducted by the Ponemon Institute, four out of five IT professionals stated that the principle of least privilege is not implemented in their organization.
That is, in the vast majority of organizations, employees have significantly more privileges than they require. At the same time, the attack surface for abuse of those access rights is much larger than it should be. Some of the reasons
The vast majority of companies struggle with the uncontrolled sprawl of access rights. It is difficult to prevent and even more difficult to eliminate. And it is not just users who have overly generous privileges; software applications do too. If there is a vulnerability in the web server, and the server runs under a privileged domain user who has access to the file system or, worse, to network shares, the security gap in the web server software becomes an insider problem.
It is best to think of software as just another insider and to apply the principle of least privilege to it as well. The permissions of temporary employees, suppliers, consultants and project teams should always be assigned an expiration date. These are at least some measures that prevent potential sprawl.
Even where access rights are granted automatically, regular reviews should be carried out by the users in the respective departments. These users have a big advantage: they know the people who use the data. The same is often not true of IT administrators. Leave the decisions to the people who know the context; they should also be the ones who make the changes.
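To make the two measures above concrete (expiration dates for external accounts, and reviews by the people who own the data), here is an added Python example that is not part of the article. It checks a constructed account list for temporary or external accounts without an expiry date and for expired accounts that are still enabled, and then builds a review package for each data-owning department listing the users whose department differs from the owner's. The accounts, groups, share paths and the fixed "today" are all assumptions.

```python
"""Entitlement review helpers (added example, not from the article)."""
from collections import defaultdict
from datetime import date

TODAY = date(2017, 6, 15)  # fixed reference date so the example is reproducible

# Constructed directory data: account -> department, account kind, expiry, enabled flag.
ACCOUNTS = {
    "a.weber":   {"dept": "Sales",   "kind": "employee",   "expires": None,              "enabled": True},
    "ext.kumar": {"dept": "Finance", "kind": "consultant", "expires": None,              "enabled": True},
    "tmp.lee":   {"dept": "HR",      "kind": "temp",       "expires": date(2017, 5, 31), "enabled": True},
    "m.mueller": {"dept": "IT",      "kind": "employee",   "expires": None,              "enabled": True},
    "p.novak":   {"dept": "Finance", "kind": "employee",   "expires": None,              "enabled": True},
}
# Constructed group memberships and share ownership (paths are assumptions).
GROUPS = {
    "Finance-RW": ["p.novak", "ext.kumar", "m.mueller"],
    "HR-RO": ["tmp.lee", "a.weber"],
    "Sales-RW": ["a.weber"],
}
SHARES = {
    r"X:\Share\Finance": {"owner_dept": "Finance", "groups": ["Finance-RW"]},
    r"X:\Share\HR":      {"owner_dept": "HR",      "groups": ["HR-RO"]},
    r"X:\Share\Sales":   {"owner_dept": "Sales",   "groups": ["Sales-RW"]},
}


def account_findings(accounts, today=TODAY):
    """Non-employees must carry an expiry date; expired accounts must not stay enabled."""
    findings = []
    for name, a in accounts.items():
        if a["kind"] != "employee" and a["expires"] is None:
            findings.append((name, "no-expiry"))
        if a["expires"] is not None and a["expires"] < today and a["enabled"]:
            findings.append((name, "expired-but-enabled"))
    return findings


def review_packages(shares, groups, accounts):
    """Per owning department: users who can reach the share but belong to another department.
    The data owner, not IT, decides whether each entry is legitimate."""
    packages = defaultdict(list)
    for path, share in shares.items():
        for group in share["groups"]:
            for user in groups.get(group, []):
                if accounts[user]["dept"] != share["owner_dept"]:
                    packages[share["owner_dept"]].append((path, user, group))
    return dict(packages)


if __name__ == "__main__":
    for name, problem in account_findings(ACCOUNTS):
        print(f"account {name}: {problem}")
    for owner, entries in review_packages(SHARES, GROUPS, ACCOUNTS).items():
        print(f"review package for {owner}:")
        for path, user, group in entries:
            print(f"  {user} reaches {path} via {group}")
```

In practice the account and group data would come from the directory (for example an export of account expiry and group membership), and each package would be sent to the department's data owner for sign-off rather than printed.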
3. Set alert notifications
You should regularly audit the membership of the Domain Admins group to ensure that no unauthorized members have crept in. It can also be extremely useful to set up a notification for the event that a user is added to the group. This should be so rare that it warrants an e-mail or SMS message, all the more so when it happens outside a change window.
Checking Active Directory is virtually a necessity, because in many companies it is the core of access control. If someone is granted access to critical information through an Active Directory group, the company should know who added the user, when and how. The file-activity logs should then be used to see how the user exercises the newly acquired privileges.
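The following Python example is added here and is not code from the article. It implements the two checks just described: an alert for every addition to a privileged Active Directory group, graded by whether it happened inside an approved change window and whether the actor added their own account, plus a periodic comparison of the group's current members against an approved list. The event records are constructed in the shape of Windows security audit events 4728 and 4729 (member added to or removed from a security-enabled global group); the change window (Tuesdays 18:00 to 20:00), the corp.local domain and the user names are assumptions.

```python
"""Alerting on privileged group changes and membership drift (added example, not from the article)."""
from dataclasses import dataclass
from datetime import datetime, time

WATCHED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
# Assumption for this example: the approved change window is Tuesdays (weekday 1) 18:00-20:00.
CHANGE_WINDOW = (1, time(18, 0), time(20, 0))

# Constructed records shaped like Windows security audit events 4728 (member added to a
# security-enabled global group) and 4729 (member removed); not exported from a real domain controller.
EVENTS = [
    {"EventID": 4728, "TimeCreated": "2017-06-13T18:30:00", "SubjectUserName": "svc-iam",
     "TargetUserName": "Domain Admins", "MemberName": "CN=m.mueller,OU=IT,DC=corp,DC=local"},
    {"EventID": 4728, "TimeCreated": "2017-06-14T02:12:00", "SubjectUserName": "j.schmidt",
     "TargetUserName": "Domain Admins", "MemberName": "CN=j.schmidt,OU=Facilities,DC=corp,DC=local"},
    {"EventID": 4728, "TimeCreated": "2017-06-14T09:00:00", "SubjectUserName": "svc-iam",
     "TargetUserName": "Sales", "MemberName": "CN=a.weber,OU=Sales,DC=corp,DC=local"},
    {"EventID": 4729, "TimeCreated": "2017-06-14T09:05:00", "SubjectUserName": "svc-iam",
     "TargetUserName": "Domain Admins", "MemberName": "CN=old.admin,OU=IT,DC=corp,DC=local"},
]


@dataclass
class Alert:
    severity: str
    group: str
    member: str
    actor: str
    when: str


def cn_of(dn):
    """'CN=j.schmidt,OU=Facilities,...' -> 'j.schmidt'."""
    first = dn.split(",")[0]
    return first[3:] if first.upper().startswith("CN=") else first


def in_change_window(ts):
    weekday, start, end = CHANGE_WINDOW
    return ts.weekday() == weekday and start <= ts.time() <= end


def evaluate(events):
    """One alert per addition to a watched group. Removals are not alerted here."""
    alerts = []
    for e in events:
        if e["EventID"] != 4728 or e["TargetUserName"] not in WATCHED_GROUPS:
            continue
        ts = datetime.fromisoformat(e["TimeCreated"])
        member, actor = cn_of(e["MemberName"]), e["SubjectUserName"]
        if member == actor:
            severity = "critical"        # someone elevated their own account
        elif not in_change_window(ts):
            severity = "high"            # unplanned: outside the change window
        else:
            severity = "notify"          # planned, but rare enough that a human should see it
        alerts.append(Alert(severity, e["TargetUserName"], member, actor, e["TimeCreated"]))
    return alerts


def membership_drift(current, approved):
    """Regular audit: members of a privileged group that nobody approved."""
    return sorted(set(current) - set(approved))


if __name__ == "__main__":
    for a in evaluate(EVENTS):
        print(f"[{a.severity}] {a.actor} added {a.member} to {a.group} at {a.when}")
    # Constructed snapshot of the group versus the approved list
    print("unapproved members:", membership_drift(["Administrator", "m.mueller", "j.schmidt"],
                                                   ["Administrator", "m.mueller"]))
```

The severity ladder is the point: every addition produces a message because additions should be rare, but an addition outside the change window, or an actor adding their own account, is what should wake someone up. The drift check catches what the event stream misses, for example a member added while auditing was off.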
A helpful tool is the analysis of user behavior. Avivah Litan of Gartner goes so far as to say that both the security incident at Target and the Snowden revelations could have been prevented by analysis of user behavior. It is by no means sufficient to consider an event detached from its context, as conventional IPS systems do. Rather, it is about seeing events in their respective context. An example: Mr Schmidt deleted 250 contracts five minutes ago, and he works in the canteen. Here all the alarm bells should ring.
Creating a profile of the normal behavior of each user helps to define the required context. Normal activity is baselined for each user, and warnings are triggered only when a user behaves abnormally.
A note: this can only be done with file analysis software that collects and analyzes every event within the file sharing (and e-mail) infrastructure. Once implemented, such software provides additional information
It is also recommended to monitor the network for significantly increased activity outside the usual working hours, as well as for access to information that does not lie within the storage area of the respective department.
4. Set traps with Honeypots
A honeypot is a shared folder with data that looks like a potentially lucrative target and is freely accessible. It serves solely to determine who accesses it. The recipe is quite simple. First, set up a shared folder that everyone can access, named something like X:\Share\Salary or X:\Share\CEO.
Then sit back and watch who jumps on it. You may find curious employees who are just rummaging around a little, or malware in action.
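The behavior analysis described above (per-user baselines, off-hours activity, access outside the department's area, and the canteen employee deleting 250 contracts) and the honeypot share both come down to rules over the same file-activity event stream, so this added Python example, which is not the article's or any product's code, covers both passages at once. It learns which shares each user normally touches from a constructed quiet period, then runs a day of constructed events through four checks: a hit on a honeypot share, access to a share outside the user's baseline, activity outside working hours, and a burst of deletions. The users, paths, the working-hours range (07:00 to 19:59) and the burst threshold (50 deletions in five minutes) are assumptions.

```python
"""Baseline-and-deviation detection over file-activity events, plus honeypot hits (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

HONEYPOTS = (r"X:\Share\Salary", r"X:\Share\CEO")   # decoy shares named in the article
WORKING_HOURS = range(7, 20)        # assumption: 07:00-19:59 counts as normal
DELETE_BURST = 50                   # assumption: 50 deletions within WINDOW is abnormal for anyone
WINDOW = timedelta(minutes=5)

# Constructed "quiet period" history: (user, ISO timestamp, action, path). Not from a real file server.
HISTORY = [
    ("hart",    "2017-06-07T09:10:00", "read",  r"X:\Share\Legal\contracts\c1.pdf"),
    ("hart",    "2017-06-08T11:30:00", "write", r"X:\Share\Legal\templates\nda.docx"),
    ("novak",   "2017-06-07T08:45:00", "read",  r"X:\Share\Finance\q1\budget.xlsx"),
    ("schmidt", "2017-06-07T07:30:00", "write", r"X:\Share\Canteen\menu\week23.docx"),
]


def share_of(path):
    """X:\\Share\\Legal\\contracts\\c1.pdf -> X:\\Share\\Legal (drive, share root, top folder)."""
    parts = path.split("\\")
    return "\\".join(parts[:3]) if len(parts) >= 3 else path


def build_profiles(history):
    """Normal behaviour per user: the set of shares they touched during the quiet period."""
    profiles = defaultdict(set)
    for user, _ts, _action, path in history:
        profiles[user].add(share_of(path))
    return profiles


def dedupe(items):
    seen, out = set(), []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def detect(events, profiles):
    """Return (rule, user, detail) alerts in time order, one per distinct finding."""
    alerts, deletes = [], defaultdict(list)
    for user, ts, action, path in sorted(events, key=lambda e: e[1]):
        when, share = datetime.fromisoformat(ts), share_of(path)
        if share in HONEYPOTS:
            alerts.append(("honeypot", user, path))          # nobody has business here
        elif share not in profiles.get(user, set()):
            alerts.append(("new-share", user, share))        # outside this user's normal area
        if when.hour not in WORKING_HOURS:
            alerts.append(("off-hours", user, when.date().isoformat()))
        if action == "delete":
            recent = deletes[user]                           # sliding window of this user's deletions
            recent.append(when)
            while when - recent[0] > WINDOW:
                recent.pop(0)
            if len(recent) == DELETE_BURST:
                alerts.append(("delete-burst", user, f"{DELETE_BURST} deletes within {WINDOW}"))
    return dedupe(alerts)


def constructed_events():
    """One day of constructed activity, including the canteen employee deleting 250 contracts."""
    events = [
        ("novak", "2017-06-14T09:15:00", "read", r"X:\Share\Finance\q2\budget.xlsx"),
        ("hart",  "2017-06-14T10:02:00", "read", r"X:\Share\Legal\contracts\c1.pdf"),
        ("hart",  "2017-06-14T14:05:00", "read", r"X:\Share\Salary\payroll.xlsx"),
        ("novak", "2017-06-14T22:40:00", "read", r"X:\Share\Legal\contracts\c7.pdf"),
    ]
    start = datetime(2017, 6, 14, 12, 0, 0)
    events += [("schmidt", (start + timedelta(seconds=i)).isoformat(), "delete",
                rf"X:\Share\Legal\contracts\c{i}.pdf") for i in range(250)]
    return events


if __name__ == "__main__":
    for rule, user, detail in detect(constructed_events(), build_profiles(HISTORY)):
        print(f"{rule:13} {user:8} {detail}")
```

Two design points carry over to real deployments: the honeypot check fires on the first touch regardless of baseline, because the decoy has no legitimate users, and the deletion burst fires once when the window fills rather than on every further deletion, so the 250-file incident produces one alert instead of two hundred.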
5. Monitor users and high-risk data
It is very important to know where the "crown jewels" of a company are located. This usually requires technology that classifies the data. But detecting sensitive data alone does not finish the job. The fact that there are 700,000 unencrypted credit card numbers in an environment is good to know (even if it may trigger a panic attack), but this information alone is not enough. Software of this kind also answers questions such as: Who owns the files (not the "author" or "owner" attribute, but who really owns them)? Who has access to them? What are these data used for? Were these files opened? Copied? By whom? When?
As soon as metadata provides the respective context, the classification results become far more actionable. It is then possible to find and prioritize the data with the greatest potential risk, to monitor the authorization structure, to review access rights more frequently, and to set alerts that detect data breaches or leaks early.
In addition to this kind of data, you should also monitor users who pose a potentially high risk (such as IT administrators). Monitoring administrators is not entirely trivial, since broad access is inherent in the nature of their rights. But what if a domain administrator reads e-mails in other users' inboxes and then marks them as unread again?
Conclusion
Whether companies like it or not, some of the biggest and most common threats come from within, and they are usually anything but spectacular. Companies invest enormous amounts of time and money in emergency plans for the next major disaster, or in the installation of the latest security technology that promises to prevent a second Heartbleed. But many overlook or underestimate the simple but no less important threats of human error and abuse of access rights.
With the above security recommendations, it is already possible to significantly reduce the number of security incidents. The focus is on the data, rather than on trying to get users to change their habits.