[BreachExchange] While hackers hit the headlines, insider threats should not be forgotten
Audrey McNeil
audrey at riskbasedsecurity.com
Wed Feb 24 19:02:48 EST 2016
http://www.scmagazineuk.com/while-hackers-hit-the-headlines-insider-threats-should-not-be-forgotten/article/472227/
Hardly a month passes without reports of hacker attacks on high profile
firms that destroy business reputations, share prices and executives'
careers. The ensuing "arms race" between businesses and hackers is
consuming valuable resources at Board level. However, greater damage can be
caused by insider threats, which operate in the shadows, bypassing security
and leaking sensitive data.
Businesses are increasingly dependent on data, which makes them more and
more vulnerable to the leakage of sensitive data. Success increasingly
depends on the need to collaborate, sharing sensitive data internally
between teams; and also externally with customers and business partners.
Working practices involved in collaborating at local, national and
international levels make it difficult to control access to and circulation
of data. Therefore, insiders with authorised access to sensitive
information represent credible and growing security threats, which
businesses should ignore at their peril.
What are the common insider threat types?
The insider threat has evolved in recent years. Historically, the insider
was seen as acting with malicious intent, either alone for personal gain or
retribution; or with the direction and support of third parties motivated
by commercial gain; criminal intent; or espionage. However there are also
two groups of insiders who don't have malicious intent: first, those who
accidentally release sensitive data by improper use of IT (eg sending
e-mails to the wrong person); and second, those users whose credentials are
unwittingly stolen and exploited by hackers to mine sensitive documents and
e-mails.
Looking at all these threats, it is possible to use a similar combination
of security controls and monitoring to both reduce the level of data
leakage risk and detect when breaches might have occurred.
Prioritise data leakage prevention activities
Effective data leakage prevention relies on businesses taking steps to
protect their information from creation to deletion, ensuring that it is
used, stored and shared with appropriate levels of security. However,
businesses must also achieve their strategic goals. Given that security is
often an overhead, any data leakage controls and breach detection must be
achieved with careful consideration of their impact on ways of working and
management overheads. Therefore, businesses should classify the sensitivity
of their data so that resources can be focused on where data leakage and
insider risks are the highest.
An integrated set of data leakage prevention tools
IT operating systems have routinely logged data to record changes to system
configurations; user permissions; or specific user activities. Such logs
are often dispersed across the IT landscape and even if combined, would not
present a complete picture for combatting insider threats. The marketplace
has been changing rapidly with a growing range of vendors developing
specialist applications to assist with: data classification; access
management; protection of data at rest and in transit; and data governance.
Whilst these tools are good at what they do, businesses are still left with
the need to integrate these systems to compile monitoring data and better
understand user behaviours.
Use IT to drive the changes needed to prevent data leakage
Whilst data leakage prevention tools can enable businesses to characterise
normal user behaviours, they can also be used to provide alerts based on
deviations from these assessed behaviour norms. However, such alerts are
not infallible as user roles may change over time or behaviour analyses
might not truly reflect the norm. Therefore, the security applications must
be integrated within business processes that enable the whole user context
to be understood. Only then can the reported alerts be dismissed or
confirmed as insider attacks. This approach would also underpin changes in
behaviours that could reduce the risks of data leakage in the first place.
Extend data leakage prevention to their business partners
Business operations are characterised by the growing need to work with
third parties, such as legal advisors or IT service providers. In addition,
more data is being stored in Cloud storage solutions and on mobile devices
that fall outside the direct control of business information owners or
security teams. IT can provide some solutions for information rights
management that can reach into third parties. However, it would be
dangerous for businesses to rely totally on such solutions to secure their
sensitive data. Therefore, businesses must work with their customers and
business partners to ensure appropriate measures are reciprocated to
mutually and appropriately protect each other's sensitive data.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160224/29419354/attachment-0001.html>
More information about the BreachExchange
mailing list