Attack from Within

So much is written about the events outside your perimeter; those nefarious and shadowy individuals and offshore syndicates who are looking to steal technology or personal data, or to piggyback on your servers to peddle everything from pirated products to pornography, implant botnets or viruses, or simply create corporate chaos. With all that weighing on our collective IT asset protection strategies, it is easy to miss what a new Carnegie Mellon report points to as one of the fastest growing threats…insider breaches. Even KPMG says this threat has tripled since 2007.

They come in all shapes and sizes: former employees who have an axe to grind, careless users, or outside partners/vendors/suppliers with access to your proprietary information. The key point is that enterprises spend so much time building a wall of protection around their networks that many fail to adequately address internal threats. Whether the attack is malicious or unintentional, the threat is real enough to keep any IT security professional up at night.

Even the FBI got defrauded by an insider. In January they finally arrested a man for stealing code he was using for his own side projects. It’s these kinds of breaches that too often go unnoticed. Think about the largest violation in modern times…WikiLeaks. That couldn’t have been done without the complicity of an insider. However, it’s not too late to close the barn door…or at least make sure it is locked.

From the cloud perspective, you can better manage internal user activity if you employ a strong access management program combined with SIEM and log management initiatives. For many this is an expensive proposition and one that requires a considerable investment in personnel resources. But when these types of functions are migrated to the cloud, they quickly become not only cost-effective, but much of the time-draining administration is monitored, reported and audited on your behalf based on your unique specifications.

So where do you start with that disgruntled employee or that clueless vendor? With an automated SSO program, you can quickly and decisively deprovision and bar access to any employee the moment they leave your service. For the vendor, you can tighten authentication to limit access to only the specific information they need. You can create restricted roles for anyone who touches your network. You can correlate your log management process to capture and alert if anyone tries to access closed emails, updates their own applications, attempts to delete certain data, uses retired passwords or plugs in a USB device. The benefit of the cloud is that all this can be automated while providing you with the relevant highlights of what you need to take action upon…otherwise you’d spend your entire day chasing after false positives, monitoring innocuous activity and corralling the cows from the proverbial open barn door.

I guess the moral of the story is to audit your internal security as vigorously as you do everything else. Just consider my golden rule: people can’t misuse data to which they don’t have access. It’s natural to want to trust your employees and partners…but create their access based on their responsibilities…and that’s it! There’s no reason for a manager of production to have direct access to AP information. Just because they are a manager doesn’t mean they need or should have that access.
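To make the two preceding points concrete (the log correlation rules listed above, and the "access based on responsibilities" golden rule), here is an added example that is not from the original post or from any product the author describes. It is a small Python correlator that reads constructed audit-log lines in an assumed `timestamp key=value ...` format, checks them against an assumed deprovisioned-account list, a role-to-resource map and a protected-path list, and emits only the events worth a reviewer's attention: activity by offboarded accounts, retired-password use, closed-mailbox access, self-service application changes, deletion of protected data, USB insertion, and access to a resource outside the user's assigned role. All user names, resources and log lines are constructed for the example.

```python
"""Correlate constructed audit-log lines against insider-threat rules.

Assumed log format: '<timestamp> key=value key=value ...' (one event per line).
Reference data below stands in for what an SSO/HR feed and an access model would
supply; every value is constructed for this example."""
import re
from dataclasses import dataclass
from typing import List

# Constructed reference data (assumptions, not real systems or people).
DEPROVISIONED = {"jsmith"}  # left the company; SSO should already block them
ROLES = {"jdoe": "production_manager", "acme_vendor": "vendor", "mlee": "finance"}
# Least privilege: each resource lists the roles whose responsibilities need it.
RESOURCE_ROLES = {
    "ap_ledger": {"finance"},
    "vendor_portal": {"vendor", "finance"},
    "prod_schedule": {"production_manager"},
}
PROTECTED_PATHS = {"/finance/ap_ledger.db"}

LINE_RE = re.compile(r"(?P<ts>\S+)\s+(?P<kv>.*)")


@dataclass
class Alert:
    ts: str
    user: str
    rule: str
    detail: str


def parse_line(line: str) -> dict:
    """Turn '<ts> key=value ...' into a dict; lines that do not fit yield {}."""
    m = LINE_RE.match(line.strip())
    if not m:
        return {}
    fields = {"ts": m.group("ts")}
    for kv in m.group("kv").split():
        if "=" in kv:
            k, v = kv.split("=", 1)
            fields[k] = v
    return fields


def evaluate(ev: dict) -> List[Alert]:
    """Apply every rule to one parsed event and return the alerts it raises."""
    alerts: List[Alert] = []
    user, evt, ts = ev.get("user", "?"), ev.get("event", ""), ev.get("ts", "?")

    def hit(rule: str, detail: str) -> None:
        alerts.append(Alert(ts, user, rule, detail))

    if user in DEPROVISIONED:  # any activity at all after offboarding is a finding
        hit("deprovisioned_account_activity", f"{evt} after offboarding")
    if evt == "auth_failed" and ev.get("reason") == "retired_password":
        hit("retired_password_use", "login attempt with a retired credential")
    if evt == "mail_access" and ev.get("mailbox_state") == "closed":
        hit("closed_mailbox_access", ev.get("mailbox", "?"))
    if evt == "app_update" and ev.get("target") == user:  # user changed their own app
        hit("self_service_app_change", ev.get("app", "?"))
    if evt == "delete" and ev.get("path") in PROTECTED_PATHS:
        hit("protected_data_deletion", ev["path"])
    if evt == "usb_insert":
        hit("removable_media", ev.get("device", "?"))
    if evt == "resource_access":  # golden rule: responsibilities only
        res = ev.get("resource", "?")
        if ROLES.get(user) not in RESOURCE_ROLES.get(res, set()):
            hit("access_outside_role", f"{res} (role={ROLES.get(user)})")
    return alerts


def correlate(lines) -> List[Alert]:
    """Run all lines through the rules; innocuous events produce nothing."""
    out: List[Alert] = []
    for line in lines:
        ev = parse_line(line)
        if ev:
            out.extend(evaluate(ev))
    return out


# Constructed sample log (not captured from any real environment).
SAMPLE_LOG = """\
2011-03-01T08:00:12Z user=jdoe event=login result=success src=10.0.0.5
2011-03-01T08:03:40Z user=jdoe event=resource_access resource=prod_schedule
2011-03-01T08:05:09Z user=jdoe event=resource_access resource=ap_ledger
2011-03-01T09:15:00Z user=jsmith event=login result=success src=203.0.113.9
2011-03-01T09:16:22Z user=jsmith event=auth_failed reason=retired_password
2011-03-01T10:02:51Z user=mlee event=delete path=/finance/ap_ledger.db
2011-03-01T10:30:00Z user=acme_vendor event=resource_access resource=vendor_portal
2011-03-01T11:45:13Z user=jdoe event=usb_insert device=constructed_thumbdrive
2011-03-01T12:00:00Z user=mlee event=app_update app=payroll target=mlee
2011-03-01T12:10:44Z user=acme_vendor event=mail_access mailbox=cfo mailbox_state=closed
"""

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG.splitlines()):
        print(f"{a.ts} {a.user:12} {a.rule:30} {a.detail}")
```

Run as-is, the ten sample lines produce eight alerts; the two ordinary logins and resource accesses that match the user's role stay silent, which is the point: the correlator surfaces the production manager reading the AP ledger and the offboarded account still logging in, not the routine traffic. In a real deployment the reference sets would be fed from the SSO directory and the access model rather than hard-coded, and the rules would be tuned against your own false-positive rate.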

I invite you to share your best practices!

By Kevin Nikkhoo