Protect Your Data From Internal Attacks

Uploaded on 2016-02-17 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW

While Hollywood may love the image of the hacker lurking in the shadows, stealthily pillaging from across cyberspace, the reality is that threats from inside your network, whether intentionally malicious or unintentionally hazardous, are by far the greater problem in online security.

An inside threat can be as innocuous as an employee unknowingly clicking on a seemingly secure link in an email, opening up an opportunity for a malicious and soon-to-be-ex contractor to scorch your servers and sell secrets to your competitors.

A Vormetric study reports that 44% of US companies experienced a data breach or failed compliance audit in the last year. In fact, many of the most newsworthy breaches (like Target, Home Depot, and the Office of Personnel Management) came from internal weaknesses.

Anger meets misconfiguration

Innocuous or intentionally malicious, internal threats appear in the form of disgruntled employees, or those who merely seek to bypass security procedures they perceive as onerous. The misconfiguration of web-based applications and cloud-based infrastructure, are all too common. The added insecurity of un-vetted, often un-savvy contractors and consultants and the plethora of mobile devices in the workplace make company data ripe for even unsophisticated hackers.

Using these inside weaknesses in your perimeter security, hackers gain access to your networks and exfiltrate sensitive and valuable data. In the case of the infamous Target breach (which resulted in both the CEO and CIO losing their positions), thieves used credentials from one of the corporation’s refrigeration vendors to steal payment information and data from more than 70 million customers. Who would've thought that the company providing refrigeration would be the way into your entire internal network?

An ongoing battle

Protection from internal threats requires multi-pronged, ever-evolving approaches. Management and IT security professionals need to start by examining and securing internal weaknesses and recognize them as a major threat. This applies to people as well as computer systems.

1. Organisations need to understand the applications accessing their networks and move past the legacy ideology of “safe” and “unsafe” products

Operating systems have long been proven vehicles for attack. But even products built for safety can be vulnerable, like the recently uncovered flaw in Trend Micro’s antivirus software.

Two of the key elements in security are layering and segmenting. Layers of protection start with your firewall, move through your network and end on with individual users. Segmenting your network prevents intruders from getting everywhere once they break in somewhere. This was one of Target’s mistakes. Safety is not a place one reaches, but a state that requires vigilance. Seeing your network as one amorphous blob does nothing to help secure it.

2. Password protection efforts are only as strong as the passwords themselves, and then only if teams and workers don’t share them in an effort to simplify workflow

Ashley Madison reminded us that the most popular passwords are 123456, abc123 and Qwerty. Because passwords are keys to the kingdom in your business, they need complexity. Your systems must note length, content and repetition and should require new passwords at regular intervals.

More than that, companies need to take steps to prevent credential sharing. Single sign-on simplifies logins and cuts down on sharing. Allowing users to login from only one computer at a time also helps. Two-step authentication, especially for access from outside, can significantly reduce hackers’ chances of getting into your network. All this is slightly more inconvenient for employees, but holds exponential benefit for securing your network.

3. Trust contractors (with caveats)

Companies must vet anyone who has access, be it employees or contractors, to ensure that the people using those access points are both ethical and properly trained in how (and why) security protocols are mission-critical. A code of ethics, an acceptable use policy and getting an overview of their company’s IT security are a good place to start. From unidentified USB devices to unsecured WiFi Networks, employees must realize how they can unwittingly become the entry point for external malware. Teach them the ropes in plain English, and your human factor won’t be as vulnerable.

4. Have an eject button

When workers leave, be sure they’re really gone. Create off-boarding lists for what to do about closing accounts and turning in devices to ensure that they don’t take data access with them. When someone enters your network, make sure they’re found before damage is done, through active breach detection or otherwise. Regular security audits are an essential tool to know who is accessing your network. And be sure to keep up on current vulnerabilities so you can plug any new holes.

5. Educate, educate, educate

Rebooting and being on hold with tech support sums up most people’s experience with IT. The average person does not understand the intricacies and threats to network security. IT departments need to continually educate workers with short, 5- to 10-minute presentations on topics from passwords to email attachments to BYOD. Do remember that the Sony hack was only possible because a worker pulling an email out from their junk folder, and then opened the attachment. Securing the human factor is the hardest, but most rewarding part of IT security.

The good news

After years of chaos inside of the perimeter, teams can now access more mature network detection tools. The cloud and data analytics make it possible to identify breaches before any damage done, and remediate them without incident. As breaches continue to infiltrate every facet of business and life, accessing the most modern protections available will continue to be worth its weight in (data) gold.

Net-Security: http://bit.ly/1Q5ayL0

« US Agreement With The UK Allows Data Access To Private Companies
NSA Is Merging Hacker And Anti-Hacker Teams »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Kore Telematics

Kore Telematics

Kore is a leading managed service provider for IoT and M2M applications.

AirCUVE

AirCUVE

AirCUVE provide authentication and access control solutions for networks and mobile security.

Tubitak

Tubitak

Tubitak is the scientific and technological research council of Turkey. Areas of research include information technology and security.

Sintef Digital

Sintef Digital

Sintef Digital carries out research in Information and Communication Technology for industry and the public sector.

Celestya

Celestya

Celestya is dedicated to providing the most advanced and cost effective systems for human behavior education on cybersecurity awareness training.

SEC Consult

SEC Consult

SEC Consult is a leading European consultancy for application security services and information security.

NetSecurity

NetSecurity

NetSecurity is a Brazilian company specializing in Information Security. We provide Managed Security Services (MSS), network security solutions and other specialist services.

HackControl

HackControl

HackControl services include penetration tests, security audits, block chain audits and brand and anti-phishing protection.

Cybersecurity Maturity Model Certification Center of Excellence (CMMC COE)

Cybersecurity Maturity Model Certification Center of Excellence (CMMC COE)

CMMC COE is an IT-AAC sponsored public–private partnership that will be the focal point for entities seeking to achieve Cybersecurity Maturity Model Certification.

Auriga Consulting

Auriga Consulting

Auriga is a center of excellence in Cyber Security, Assurance and Monitoring Services, with a renowned track record of succeeding where others have failed.

SLVA Cybersecurity

SLVA Cybersecurity

SLVA Cybersecurity excel at delivering security-as-a-service, fit-for-purpose, within the constraints of realistic budgets and business expectations.

Nextgen Group

Nextgen Group

Nextgen Group is a pioneering technology services group with innovative and unique services across enterprise software, cloud, data management, and cybersecurity solutions.

KYND

KYND

KYND has created pioneering cyber risk technology that makes assessing, understanding, and managing business cyber risks easier and quicker than ever before.

Vancord

Vancord

Vancord is an information and security technology company that works in collaboration with clients to support their infrastructure and data security needs for today and tomorrow.

DeviQA

DeviQA

DeviQA provide best-in-class quality assurance services to companies of all sizes.

SecureKloud Technologies

SecureKloud Technologies

SecureKloud is a global leader in the Cloud services arena. Our experience in cloud consulting and servicing for highly regulated industries extends more than a decade.