9/27/2013
04:44 PM

Tech Insight: Top 4 Problem Areas That Lead To Internal Data Breaches

Enterprises constantly fail in four areas, which, in turn, can easily cause intentional and unintentional data leaks

External data breaches (think: Anonymous) and internal data leaks (think: Edward Snowden) have enterprises questioning and rethinking their security programs. Are they doing enough to protect their data? Are their security controls effective? Would they be able to respond appropriately to a data breach and contain it quickly?

Many of the questions and much of the confusion have to do with executives not understanding where their critical assets are and how to protect them. Their sense of security is skewed because they passed their compliance requirements, causing them to think they are safe. Most companies, if they were truly targeted by a sophisticated and determined attacker, would fail miserably.

Why would they fail? Traditionally, security was focused on protecting the perimeter. Based on my experience with penetration-testing organizations from all different industries, companies are doing a great job of locking down their externally exposed assets, with the exception of Web servers. Fewer devices are exposed, and even fewer open ports remain that could provide an avenue for attack.

That sounds great, right? So why would these companies fail at protecting their critically important data and business systems?

The first problem area is not knowing where all of the critical assets are located inside the network and protecting them appropriately. When I ask during a penetration test for someone to point out the critical systems, all too often I get several different answers -- depending on the person answering the question. The CIO will have a different answer than the security team leader, and this will differ from the various business unit owners.

Then once the testing begins, we find little to no true network segmentation between various organizational units, the servers, and general network devices. Most logical network separation is done because of physical separation between building floors and geographic locations. It is not done from a security standpoint, and there are usually very few, if any, firewall rules between those networks.

To combat the problem, your risk assessment and full inventory of all systems, including the types of data handled by each system, need to be completed. That information can then guide the proper network segmentation. Of course, that can't be done completely without looking at the business processes and how users use and access the data. When the previous two processes are then combined, access control for users can be properly architected and implemented -- which leads us to the next problem area.
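The inventory-driven segmentation review described above can be sketched as follows. This is an added example, not code from the article; the hosts, subnets, classifications, and firewall rules are constructed, and it assumes that a segment pair with no rule is routed unfiltered.

```python
import ipaddress
from collections import defaultdict
# Constructed sample data. Inventory rows: (host, ip, business unit, data classification)
INVENTORY = [
    ("hr-db01", "10.1.1.10", "HR", "restricted"),
    ("hr-ws17", "10.1.1.57", "HR", "internal"),
    ("fin-erp01", "10.1.2.10", "Finance", "restricted"),
    ("eng-ws03", "10.1.3.21", "Engineering", "internal"),
    ("lobby-kiosk", "10.1.3.99", "Facilities", "public"),
]
# Segments drawn by building floor rather than by data sensitivity.
SEGMENTS = {"floor1": "10.1.1.0/24", "floor2": "10.1.2.0/24", "floor3": "10.1.3.0/24"}
# Inter-segment rules (src, dst, action, port). Assumption: no rule means routed unfiltered.
RULES = [
    ("floor3", "floor2", "allow", "any"),
    ("floor1", "floor2", "allow", "1521"),
    ("floor3", "floor1", "deny", "any"),
]

def segment_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, cidr in SEGMENTS.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return "UNMAPPED"  # inventory and network map disagree

def classify_segments(inventory):
    """Map each segment to the set of data classifications hosted on it."""
    seen = defaultdict(set)
    for _host, ip, _unit, data_class in inventory:
        seen[segment_of(ip)].add(data_class)
    return seen

def mixed_segments(inventory):
    """Segments where restricted systems share a subnet with lower-classified ones."""
    return sorted(s for s, c in classify_segments(inventory).items()
                  if "restricted" in c and len(c) > 1)

def exposed_paths(inventory, rules):
    """(src, dst, reason) for each unfiltered path into a segment holding restricted data."""
    table = {(s, d): (a, p) for s, d, a, p in rules}
    classes = classify_segments(inventory)
    findings = []
    for dst in sorted(s for s, c in classes.items() if "restricted" in c):
        for src in sorted(set(SEGMENTS) - {dst}):
            rule = table.get((src, dst))
            if rule is None or rule == ("allow", "any"):
                findings.append((src, dst, "no rule" if rule is None else "allow any"))
    return findings
```

On the sample data, `mixed_segments` flags the floor where an HR database shares a subnet with a workstation, and `exposed_paths` lists the segment pairs that need a firewall rule before access control can be designed on top.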

The second issue that plagues many enterprises is they lack a solid concept of what the "principle of least privilege" and "need to know" mean. Users regularly have a great deal more access and privilege than necessary to complete their jobs -- this goes for secretaries and systems administrators alike (i.e., Snowden, the snooping sysadmin). A company can take the proactive step of removing local administrator rights from its users on their desktops, but it doesn't bother with the level of access in various internal applications and network file shares.

Properly designing those access controls can be difficult without already having the inventory and understanding of the business, as mentioned above.

The third major area is security training and awareness for users. Having developed a security awareness program for a large university and worked with many different enterprise organizations, I've found the best way to gain traction is to make it personal: Teach users easy and practical concepts that relate between home and work. Many of the same protective behaviors they should do at home can also help protect their corporate desktops and laptops.

The fourth issue, and one that is compounded by several of the ones previously mentioned, is the presence of shared credentials and password reuse. Password reuse across local system accounts is one of the biggest problems we encounter during penetration tests. It allows us, and the bad guys, to easily move laterally within a company's network once we compromise one system.

Or, once we compromise a user's password, it is often the gateway to getting access to other systems and applications because users commonly reuse passwords across multiple company systems. You think single-sign-on sounds great? It's even more useful to an attacker with a valid username and password because he can now get into everything with that one set of credentials.

User education and technical controls are needed to address both of these problems. The education piece needs to explain the problem and impact to help instill a sense of responsibility and ownership. The ability to explain to users exactly what could happen if their usernames and passwords were compromised -- such as theft of corporate trade secrets that could result in their losing their jobs or their companies going out of business -- opens a few eyes.
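One technical control for the shared-credential problem is detecting the same account holding sessions on two machines at once. The sketch below is an added example, not code from the article; the log format, account names, and hostnames are constructed.

```python
from datetime import datetime

# Constructed sample session events: timestamp, account, workstation, event type
EVENTS = """\
2013-09-27T08:01:00 jsmith WS-014 logon
2013-09-27T08:05:00 svc_backup SRV-02 logon
2013-09-27T09:30:00 jsmith WS-102 logon
2013-09-27T09:45:00 jsmith WS-102 logoff
2013-09-27T12:00:00 jsmith WS-014 logoff
2013-09-27T12:10:00 mlee WS-033 logon
2013-09-27T12:40:00 mlee WS-033 logoff
2013-09-27T13:00:00 mlee WS-040 logon
2013-09-27T13:15:00 svc_backup SRV-07 logon
"""

def parse(text):
    """Yield (timestamp, account, host, event) tuples from whitespace-separated lines."""
    for line in text.strip().splitlines():
        ts, account, host, kind = line.split()
        yield datetime.fromisoformat(ts), account, host, kind

def concurrent_sessions(text):
    """Return (account, first_host, second_host, time) for each overlapping logon."""
    open_sessions = {}  # account -> {host: logon time}
    findings = []
    for ts, account, host, kind in sorted(parse(text)):
        hosts = open_sessions.setdefault(account, {})
        if kind == "logon":
            # Any session still open on a different host overlaps this logon.
            for other in sorted(hosts):
                if other != host:
                    findings.append((account, other, host, ts.isoformat()))
            hosts.setdefault(host, ts)
        elif kind == "logoff":
            hosts.pop(host, None)  # tolerate a logoff with no recorded logon
    return findings
```

Sequential logons (mlee) are not flagged; overlapping ones (jsmith, svc_backup) are, and service accounts that legitimately run on several hosts need an allowlist before alerting on the output.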

Comments
chrisbunn,
User Rank: Apprentice
10/14/2013 | 2:33:31 PM
re: Tech Insight: Top 4 Problem Areas That Lead To Internal Data Breaches
Despite the increased education and security awareness, shared credentials continue to be a problem as there is no consequence on users' own access to the network. Native security controls in Windows Networks are not enough as they don't limit concurrent logins. One unique software, http://www.userlock.com does however prevent concurrent logins, limiting users to only one possible Windows connection at any one instant and stopping rogue users seamlessly using valid credentials at the same time as the legitimate owner.
It also allows the implementation and strict enforcement of a granular user access control policy based on user, groups & OU - across all types of sessions - and permits/denies access to workstation and usage/connection times. Real Time Monitoring and Auditing ensures organizations can get compliant as well as be alerted by any predetermined access event.
NickyHelmkamp,
User Rank: Apprentice
10/2/2013 | 5:49:14 PM
re: Tech Insight: Top 4 Problem Areas That Lead To Internal Data Breaches
Hey John! We loved your article and included it in our Monthly Round up- http://www.wiredtree.com/blog/... Cheers!