Guarding against insider misuse
Track and audit changes on the network, especially by privileged users, and make it known that monitoring happens in order to reduce misuse says Michael Fimin.
Guarding against insider misuse
The idea of insider threats is not new and existed long before computers were around. The weakest link for any organisation is not its physical or electronic security systems; it's always the human factor. But while insider threats are often assumed to be from rogue employees or planted ‘moles', a greater risk can be posed by IT administrators and managers who already have privileged access to sensitive information, resources and controls. They have the ability to stop and start systems, make critical changes such as granting access rights and can even delete security logs without trace.
This threat is clearly illustrated in the latest 2014 Verizon Data Breach Investigations Report. One of its chapters, ‘Insider and Privilege Misuse', is devoted to describing the mechanisms used for compromising organisational intellectual property from within. It also revealed that 88 percent of security incidents reported were caused by insider misuse – either accidental or malicious. “We saw more insider espionage targeting internal organisational data and trade secrets than ever before,” says the Report. Moreover, it appears that that 71 percent of data breaches happened during business hours, with violators operating right in front of their colleagues while using corporate LANs.
The truth is that most insider misuse occurs within boundaries of trust necessary to perform normal duties. But preventing privilege misuse is difficult, and the only way to stay secure is to grant access rights only to those with a business need and to keep an eye on their activities.
The problem is that the majority of organisations have very limited capabilities to trace specific IT events to specific users, with any certainty. Very few IT teams really know what is happening in their infrastructures at any given time and even some of the largest organisations still have to trawl manually through files of native logs to get the answers. The Verizon report shows that only 9 percent of data leaks were discovered due to continuous auditing of IT systems and it can take days or even weeks to find out that sensitive information has been compromised.
There are three tips every company should be aware of that will help ensure the protection of sensitive data against insider threats:
Regularly monitor user accounts' activity – This is critical for companies where the number of user accounts is changing constantly or where, as a result of internal shifts, user permissions are frequently updated. The risks often hide in the active accounts of former employees and in accounts with redundant permissions. If you monitor changes across the entire IT infrastructure, you have complete visibility into who made a change, as well as when and where the changes were made; therefore, you can track any malicious activity.
Know your data and who has access to it – Many companies are unaware not only of who has access to its data, but also of places where this data is stored, uploaded, and shared. Monitoring your IT infrastructure and tracking changes made to sensitive data will help you to minimise security violations.
Your employees should be aware that their activity is being monitored - This practice should definitely become a part of any company's security policy. Publishing anonymous reports and sharing them among employees explains better than words that everybody is responsible for data security, and it forces employees to control their actions.
Even with the understanding of the necessity to protect sensitive data, few companies realise that IT infrastructures should be taken under control and far fewer of them track changes and monitor access rights. The Verizon report shows that change auditing should be taken seriously and not just to meet compliance requirements or to keep the auditors satisfied. By the time you have identified an abuse of privilege or insider error and got to the source by trawling through native logs – it is probably too late.
Contributed by Michael Fimin, CEO and co-founder of Netwrix www.netwrix.com