
Perimeter
11/12/2009 06:16 PM
Eric Cole
Commentary

Stopping Insider Attacks

There is no single thing you can do to prevent an attack from the inside. The concept of defense-in-depth applies here as it does to all areas of security. No single solution is going to make you secure. Only by putting many defense measures together will you be secure, and those measures must encompass both preventive and detective measures.

Some of the key things that can be done to prevent or minimize the damage of the insider threat are the following:

  • Security awareness. Employees, contractors, and any other insiders need to be educated on how to protect corporate assets. They need to understand the dangers and methods of social engineering and be careful what information they give out. They also have to be cognizant that insiders could exist at their companies and not only do their part to protect corporate assets (for example, locking their workstations), but they also have to look for indications of insider threats and report them to the correct parties.

  • Separation of duties. Any critical job function or access to critical information should involve two or more people, so that no single person can complete a critical action alone. An insider then needs an accomplice, which is much harder to arrange and much more likely to be noticed than acting alone.

  • Rotation of duties. All critical jobs should have multiple people who perform the roles, and those people should be rotated through periodically. If a person knows that someone else is going to be performing a given role in two months, then it will be much harder for them to commit fraud or other insider attacks because there is a good chance someone might catch it later.

  • Least privilege. Any additional access that someone has can be used against the company. Although access is needed for people to perform their jobs, this access should be carefully controlled. People should be given only the access they need to do their jobs -- and nothing else.

  • Controlled access. Access is what an insider will use to compromise an organization. The more completely a company knows who has access to what, the better it can control that access.

  • Logging and auditing. Organizations must know what is happening on their networks, and this information must be reviewed on a regular basis. If someone's actions are not logged, then a company will have no idea who did what and will not be able to detect the insider. Even if this information is logged, if it is not reviewed on a regular basis, then an organization will not be able to catch an attacker in a timely manner.

  • Policies. A policy states a company's stance on security and what is expected of anyone with inside access. It is a mandatory document, clear and concise, that everyone must follow. If a policy does not exist, then how do insiders know what is expected of them? I once knew an employee who bragged about making copies of software when he left a company. When I questioned him about the legality of this and whether it was theft, he replied simply, "I never signed anything." The policy must be presented to insiders in a way they understand, and it must be made clear that they have to follow it.

  • Defense-in-depth. When it comes to network security, there is no silver bullet. No single solution is going to make you secure. Organizations must deploy a layered security model, with checks and balances across each layer.

  • Look beyond technology. Many inside attacks are not technology-driven, so organizations must realize that nontechnical controls also need to be implemented across the company.

  • Archive critical data. Any critical information must be properly archived and protected, so that all of the company's intellectual property is not held in one place should a system get destroyed or compromised.

  • Complete solution. Any solution that is implemented must include all aspects of the company: people, data, technology, procedures, and policies.
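Several of the controls above (least privilege, controlled access, separation of duties, and regular log review) only pay off when someone actually checks the audit trail against them. The following Python script is an added example written for this page, not code from the column or its author: it reviews a constructed sample audit log against a hypothetical role matrix and user directory, flagging every action a user's role does not cover (least privilege and controlled access) and every critical transaction that the same person both submitted and approved (separation of duties). The log format, the role and user names, and the choice of "payments" submit/approve as the critical function are all assumptions made for the example.

```python
"""Added example: automated review of an audit log against least-privilege and
separation-of-duties rules. Not code from the original column; every name,
role and log line below is constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical role matrix: role -> set of (resource, action) pairs it may perform.
# This is the explicit allow list that "least privilege" asks for: anything not
# listed here is, by definition, access the person does not need.
ROLE_PERMISSIONS = {
    "ap_clerk":   {("payments", "submit"), ("vendors", "read")},
    "ap_manager": {("payments", "approve"), ("payments", "read"), ("vendors", "read")},
    "dba":        {("payments_db", "backup"), ("payments_db", "read")},
}

# Hypothetical user directory: user -> single assigned role.
USER_ROLES = {"alice": "ap_clerk", "bob": "ap_manager", "carol": "dba"}

# Constructed sample audit log. Assumed format (space separated):
#   timestamp user resource action object outcome
SAMPLE_LOG = """\
2009-11-12T09:01:00 alice payments submit PAY-1001 success
2009-11-12T09:05:00 bob payments approve PAY-1001 success
2009-11-12T09:30:00 alice payments submit PAY-1002 success
2009-11-12T09:31:00 alice payments approve PAY-1002 success
2009-11-12T10:00:00 carol payments_db backup nightly success
2009-11-12T10:15:00 carol payments read PAY-1002 success
2009-11-12T10:20:00 dave vendors read V-77 success
"""


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    resource: str
    action: str
    obj: str
    outcome: str


def parse_log(text):
    """Parse the assumed six-field format; refuse malformed lines rather than
    silently skipping them, since a gap in the log is itself a finding."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 6:
            raise ValueError(f"malformed audit line: {line!r}")
        events.append(Event(*parts))
    return events


def check_least_privilege(events):
    """Flag every action not covered by the user's assigned role, including
    actions by users who have no role at all (unknown or stale accounts)."""
    findings = []
    for ev in events:
        role = USER_ROLES.get(ev.user)
        if role is None:
            findings.append((ev.ts, ev.user, "user has no assigned role"))
            continue
        if (ev.resource, ev.action) not in ROLE_PERMISSIONS.get(role, set()):
            findings.append((ev.ts, ev.user,
                             f"{ev.action} on {ev.resource}/{ev.obj} not permitted for role {role!r}"))
    return findings


def check_separation_of_duties(events):
    """Flag payment objects where one user both submitted and approved."""
    actors = defaultdict(lambda: defaultdict(set))  # obj -> action -> {users}
    for ev in events:
        if ev.resource == "payments" and ev.action in ("submit", "approve"):
            actors[ev.obj][ev.action].add(ev.user)
    findings = []
    for obj, by_action in sorted(actors.items()):
        for user in sorted(by_action["submit"] & by_action["approve"]):
            findings.append((obj, user, "same user submitted and approved"))
    return findings


def review(text):
    """Run both checks over a log and return the findings keyed by control."""
    events = parse_log(text)
    return {
        "least_privilege": check_least_privilege(events),
        "separation_of_duties": check_separation_of_duties(events),
    }


if __name__ == "__main__":
    for control, findings in review(SAMPLE_LOG).items():
        print(f"{control}: {len(findings)} finding(s)")
        for finding in findings:
            print("   ", *finding)
```

On the sample log this reports three least-privilege findings (the clerk approving a payment, the DBA reading a payment record outside the database role, and an account with no role at all) and one separation-of-duties finding (PAY-1002, submitted and approved by the same person). The point is that none of these events are errors or failed logins; each one "succeeded", which is exactly why logs that are collected but never reviewed against the access model will not catch an insider.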

Dr. Eric Cole, Ph.D., is a security expert with more than 15 years of hands-on experience. Cole has experience in information technology with a focus on perimeter defense, secure network design, vulnerability discovery, penetration testing, and intrusion detection systems. He is the author of several books, including Hackers Beware, Hiding in Plain Sight, Network Security Bible, and Insider Threat. He is the inventor of more than 20 patents, and is a researcher, writer, and speaker. Cole is a member of the Commission on Cyber Security for the 44th President and several executive advisory boards, and is CTO of the Americas for McAfee. Cole is involved with the SANS Technology Institute (STI) and SANS working with students, teaching, and maintaining and developing courseware. He is a SANS fellow, instructor, and course author. Dr. Cole has 20 years of hands-on experience in information technology with a focus on building out dynamic defense solutions that protect organizations from advanced threats. He has a Master's degree in computer science from NYIT and a Doctorate from Pace University, with a ...
