Endpoint
7/25/2013
02:49 PM
Doug Landoll
Doug Landoll
Commentary
Connect Directly
RSS
E-Mail
50%
50%

SMB Insider Threat: Setting Behavior Boundaries

Two major policies should be in place to guide and restrict user behavior

Small and midsized business (SMB) employees who have made it past any employment screening in place may still pose a threat to the SMB systems and assets. SMB insiders can reveal confidential information, subvert security controls, and introduce malicious code into the network, but these misbehaving employees are not always malicious, and their behavior is not always illegal. Therefore, it is important to implement appropriate security policies to guide the well-meaning employee away from dangerous behavior and to formally document unacceptable behaviors in which sanctions may be applied for those intentionally damaging the company.

This is the second part of a blog series on the SMB insider threat and what to do about it. The first part of the series covered employment screening issues for SMBs; this part covers policy controls.

Two major policies should be in place to guide and restrict user behavior: data classification and acceptable use. Data classification policies protect sensitive data. Acceptable use policies ensure proper use of company systems.

Data Classification Policies: The key to an effective data classification policy is to define confidential data and associate the controls required for its protection. The best approach is to list categories of sensitive data that require different levels of protection. Keep the number of categories low -- two or three. Examples of data classification categories include Public (i.e., releasable), Sensitive (e.g., proprietary), and Highly Sensitive (e.g., protected health information, cardholder data). Now associated required controls for each category of data. Data-handling controls should cover identification and labeling, handling, transmission, processing, and media protection.

Acceptable Use Policies: The key to an effective acceptable use policy is to ensure it is clear and accessible by employees. My test for clarity is to simply ask employees a question regarding the acceptable use of the network and premises, such as, "Are we allowed to bring camera phones into the sensitive areas (e.g., data center, patient room)?" If they are unable to use the acceptable use policy to find the answer, then the policy is unorganized and unclear. Organizing the contents of the acceptable use policy ensures the clarity of the policies to users. For example, all acceptable use policy statements should fall into one of the following four categories: Prohibited Items, Prohibited Behaviors, Expected Behaviors, and Notifications. Our question above can be answered in the "Prohibited Items" section.

General Security Policy Advice

It is tempting to search the Internet for policy examples and simply substitute the company name to make it your own. Please avoid this approach. Each SMB differs from others in its culture, sensitive data, existing controls, and security approach. By all means use found policies as templates or examples, but carefully consider each policy statement prior to adopting it as your standard.

Doug Landoll is the CEO of Assero Security, a firm specializing in SMB Security. You can follow him on Twitter as @douglandoll Doug Landoll is an expert in information security for the SMB market with over 20 years experience securing businesses and government agencies. He has written several information security books and dozens of articles for national publications. He has founded and ran four ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DilM269
50%
50%
DilM269,
User Rank: Apprentice
7/30/2013 | 5:52:49 AM
re: SMB Insider Threat: Setting Behavior Boundaries
i totally agree with you sir.

http://resultplanet.org
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7052
Published: 2014-10-19
The sahab-alkher.com (aka com.tapatalk.sahabalkhercomvb) application 2.4.9.7 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-7056
Published: 2014-10-19
The Yeast Infection (aka com.wyeastinfectionapp) application 0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-7070
Published: 2014-10-19
The Air War Hero (aka com.dev.airwar) application 3.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-7075
Published: 2014-10-19
The HAPPY (aka com.tw.knowhowdesign.sinfonghuei) application 2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-7079
Published: 2014-10-19
The Romeo and Juliet (aka jp.co.cybird.appli.android.rjs) application 1.0.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.