Insider Access and Unintended Consequences
Businesses need employees, and employees need computer access. What those employees can access and how they use that access give IT security staff constant headaches. From user names and passwords posted on sticky notes to employees copying sensitive data to USB sticks, security breaches involving insiders grow every year.
Other threats from trusted insiders have a significant impact on the number and types of security breaches. Contractors, vendors and even the system administrators themselves have high-privilege access not only to the applications a business runs, but to the hardware itself.
The Insider Threat
According to the Trustwave Global Security Report, 88 percent of investigations involved issues or problems with insecure remote access applications or default passwords used in third-party applications and devices. A Google search for default passwords returns thousands of websites listing the passwords of many applications, network devices and other pieces of IT infrastructure.
Social engineering provides another insider threat. Phishing attacks, e-mail Trojans and malware on social networking sites present a constant threat to the security of an organization. The Verizon Breach Report found that 48 percent of the breaches they investigated stemmed from what they term “Internal Agents.” Of that number, 4 percent was the result of unintentional mistakes, 6 percent the result of inappropriate behavior, and 90 percent of the breaches were the result of deliberate activity.
Dealing with Data Security Breaches that Involve Insiders
Security needs to be a constant part of an employee’s training, as much as cultural sensitivity training or other human resources mandates, to minimize accidental employee involvement in data loss.
Segregation of duties policies must also be established to limit users’ roles and responsibilities to the activities they are permitted to perform.
User activity must be logged and audited on a regular basis to ensure that potentially malicious activity is detected and acted upon in a timely manner. Centralized logging and security event management applications allow security staff to collect data from a large number of sources, correlate the information, and detect events of interest related to insider activity. File integrity monitoring detects changes to permissions, the addition of new files or the removal of existing ones, permitting security personnel to track potentially malicious system-level activity.
Data leak protection software is designed to monitor network activity for the transit of data through media forbidden by company policy. When it detects sensitive data being e-mailed to an external account or copied to a USB stick, it alerts the security administrators.
Many security frameworks, such as those from the Center for Internet Security or ISO 27001, are designed not only to deal with external threats from hackers but also to take internal user activity into account.
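The file integrity monitoring described above, as an added example that is not part of the original article or any product: a baseline of permission bits and SHA-256 hashes is taken once, and a later snapshot is compared against it to raise alerts for added, removed, re-permissioned and modified files. The directory contents, file names and simulated changes in `demo()` are constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def snapshot(root):
    """Record permission bits and SHA-256 hash for every regular file under root."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        baseline[path.relative_to(root).as_posix()] = {"mode": mode, "sha256": digest}
    return baseline


def compare(baseline, current):
    """Return (kind, path, before, after) alerts for the differences between two snapshots."""
    alerts = []
    for rel in sorted(set(baseline) | set(current)):
        before, after = baseline.get(rel), current.get(rel)
        if before is None:
            alerts.append(("added", rel, None, None))
        elif after is None:
            alerts.append(("removed", rel, None, None))
        else:
            if before["mode"] != after["mode"]:
                alerts.append(("mode_changed", rel, oct(before["mode"]), oct(after["mode"])))
            if before["sha256"] != after["sha256"]:
                alerts.append(("content_changed", rel, before["sha256"][:12], after["sha256"][:12]))
    return alerts


def demo():
    """Constructed scenario: baseline a small tree, then simulate changes an auditor would want flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "payroll.cfg").write_text("db=payroll\n")
        (root / "etc" / "old.cfg").write_text("unused\n")
        os.chmod(root / "etc" / "payroll.cfg", 0o640)
        baseline = snapshot(root)
        # Simulated activity: config edited, permissions loosened, new script dropped, file deleted
        (root / "etc" / "payroll.cfg").write_text("db=payroll\nexport=all\n")
        os.chmod(root / "etc" / "payroll.cfg", 0o666)
        (root / "etc" / "new_tool.sh").write_text("#!/bin/sh\n")
        (root / "etc" / "old.cfg").unlink()
        return compare(baseline, snapshot(root))
```

In practice the baseline would be stored off-host and the comparison scheduled, with alerts forwarded to the centralized logging system so they can be correlated with user activity.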
Trustwave.com, 2011 Global Security Report, https://www.trustwave.com/GSR
Verizonbusiness.com, Verizon Breach Report 2010, https://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf