Vulnerabilities / Threats
9/27/2013
04:44 PM
Connect Directly
RSS
E-Mail
50%
50%

Tech Insight: Top 4 Problem Areas That Lead To Internal Data Breaches

Enterprise constantly fail in four areas, which, in turn, can easily cause intentional and unintentional data leaks

External data breaches (think: Anonymous) and internal data leaks (think: Edward Snowden) have enterprises questioning and rethinking their security programs. Are they doing enough to protect their data? Are their security controls effective? Would they be able to respond appropriately to a data breach and contain it quickly?

Many of the questions and much of the confusion has to do with executives not understanding where their critical assets are and how to protect them. Their sense of security is skewed because they passed their compliance requirements, causing them to think they are safe. Most companies, if they were truly targeted by a sophisticated and determined attacker, would fail miserably.

Why would they fail? Traditionally, security was focused on protecting the perimeter. Based on my experience with penetration-testing organizations from all different industries, companies are doing a great job of locking down their externally exposed assets, with the exception of Web servers. Fewer devices exposed and even fewer ports open could provide an avenue for attack.

That sounds great, right? So why would these companies fail at protecting their critically important data and business systems?

The first problem area is not knowing where all of the critical assets are located inside the network and protecting them appropriately. When I ask during a penetration test to point out the critical systems, all too often I get several different answers -- depending on the person answering the question. The CIO will have a different answer than the security team leader, and this will differ from the various business unit owners.

Then once the testing begins, we find little to no true network segmentation between various organizational units, the servers, and general network devices. Most logical network separation is done because of physical separation between holding floors and geographic locations. It is not done from a security standpoint, and there are usually very few, if any, firewall rules between those networks.

To combat the problem, your risk assessment and full inventory of all systems, including the types of data handled by each system, need to be completed. That information can then guide the proper network segmentation. Of course, that can be done completely without looking at the business processes and how users use and access the data. When the previous two processes are then combined, access control for users can be properly architected and implemented -- which leads us to the next problem area.

The second issue that plagues many enterprises is they lack a solid concept of what the "principle of least privilege" and "need to know" mean. Users regularly have a great deal more access and privilege than necessary to complete their jobs -- this goes for secretaries and systems administrators alike (i.e., Snowden, the snooping sysadmin). A company can take the proactive step of removing local administrator rights from its users on their desktops, but it doesn't bother with the level of access in various internal applications and network file shares.

Properly designing those access controls can be difficult without already having the inventory and understanding of the business, as mentioned above.

The third major area is security training and awareness for users. Having developed a security awareness program for a large university and worked with many different enterprise organizations, I've found the best way for traction is to make it personal: Teach users easy and practical concepts that relate between home and work. Many of the same protective behaviors they should do at home can also help protect their corporate desktops and laptops.

The fourth issue, and one that is compounded by several of the ones previously mentioned, is the presence of shared credentials and password reuse. Password reuse across local system accounts is one of the biggest problems we encounter during penetration tests. It allows us, and the bad guys, to easily move laterally within a company's network once we compromise one system.

Or, once we compromise a user's password, it is often the gateway to getting access to other systems and applications because users commonly reuse passwords across multiple company systems. You think single-sign-on sounds great? It's even more useful to an attacker with a valid username and password because he can now get into everything with that one set of credentials.

User education and technical controls are needed to address both of these problems. The education piece needs to explain the problem and impact to help instill a sense of responsibility and ownership. The ability to explain to users exactly what could happen if their usernames and passwords were compromised -- such as theft of corporate trade secrets that could result in their losing their jobs or their companies going out of business -- opens a few eyes.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
NickyHelmkamp
50%
50%
NickyHelmkamp,
User Rank: Apprentice
10/2/2013 | 5:49:14 PM
re: Tech Insight: Top 4 Problem Areas That Lead To Internal Data Breaches
Hey John! We loved your article and included it in our Monthly Round up- http://www.wiredtree.com/blog/... Cheers!
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2886
Published: 2014-09-18
GKSu 2.0.2, when sudo-mode is not enabled, uses " (double quote) characters in a gksu-run-helper argument, which allows attackers to execute arbitrary commands in certain situations involving an untrusted substring within this argument, as demonstrated by an untrusted filename encountered during ins...

CVE-2014-4352
Published: 2014-09-18
Address Book in Apple iOS before 8 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information by obtaining this UID.

CVE-2014-4353
Published: 2014-09-18
Race condition in iMessage in Apple iOS before 8 allows attackers to obtain sensitive information by leveraging the presence of an attachment after the deletion of its parent (1) iMessage or (2) MMS.

CVE-2014-4354
Published: 2014-09-18
Apple iOS before 8 enables Bluetooth during all upgrade actions, which makes it easier for remote attackers to bypass intended access restrictions via a Bluetooth session.

CVE-2014-4356
Published: 2014-09-18
Apple iOS before 8 does not follow the intended configuration setting for text-message preview on the lock screen, which allows physically proximate attackers to obtain sensitive information by reading this screen.

Best of the Web
Dark Reading Radio