
Tech Insight: Top 4 Problem Areas That Lead To Internal Data Breaches

Enterprises consistently fail in four areas, which in turn can easily lead to both intentional and unintentional data leaks

External data breaches (think: Anonymous) and internal data leaks (think: Edward Snowden) have enterprises questioning and rethinking their security programs. Are they doing enough to protect their data? Are their security controls effective? Would they be able to respond appropriately to a data breach and contain it quickly?

Many of the questions, and much of the confusion, stem from executives not understanding where their critical assets are and how to protect them. Their sense of security is skewed because they passed their compliance requirements, which leads them to believe they are safe. Most companies, if they were truly targeted by a sophisticated and determined attacker, would fail miserably.

Why would they fail? Traditionally, security has focused on protecting the perimeter, and based on my experience penetration-testing organizations across many industries, companies are doing a great job of locking down their externally exposed assets, with the exception of Web servers. Fewer devices are exposed, and fewer still have open ports that could provide an avenue for attack.

That sounds great, right? So why would these companies fail at protecting their critically important data and business systems?

The first problem area is not knowing where all of the critical assets are located inside the network, and therefore not protecting them appropriately. When I ask, during a penetration test, for someone to point out the critical systems, all too often I get several different answers, depending on who is answering. The CIO will give a different answer than the security team leader, and that will differ again from the answers of the various business unit owners.

Then, once testing begins, we find little to no true network segmentation between the various organizational units, the servers, and general network devices. Most logical network separation exists only because of physical separation between building floors and geographic locations; it is not done from a security standpoint, and there are usually very few, if any, firewall rules between those networks.

To combat the problem, complete a risk assessment and a full inventory of all systems, including the types of data each system handles. That information can then guide proper network segmentation. Of course, segmentation cannot be done properly without also looking at the business processes and at how users access and use the data. When those two pieces of work are combined, access control for users can be properly architected and implemented, which leads us to the next problem area.
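As an added example (not from the article), the following Python sketch shows how the inventory and the rule set feed a segmentation check: a constructed inventory records what data each system handles, and the check reports any critical system that hosts on the general user network can reach, first under a flat "same site, allow all" rule set and then under rules derived from the actual business flows. All host names, networks, classifications and rules are constructed assumptions, not taken from any real environment.

```python
"""Added example (not from the article): an inventory-driven segmentation check.

Given an asset inventory that records the data each system handles, and a
firewall rule set, report every critical asset that hosts on the general user
network can reach on a listening port. All hosts, networks and rules below
are constructed sample data for illustration, not taken from any real site.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

CRITICAL_DATA = {"pii", "trade-secret"}


@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    data: str                  # classification of the data the system handles
    ports: Tuple[int, ...]     # services it listens on


@dataclass(frozen=True)
class Rule:
    src: str                   # source CIDR
    dst: str                   # destination CIDR
    port: Optional[int]        # None means any port
    action: str                # "allow" or "deny"


# Constructed inventory: users, a file server and an HR database share one
# flat /16; only the payments database lives in its own firewalled segment.
INVENTORY = [
    Asset("wkstn-042", "10.0.1.42", "internal", (445,)),
    Asset("fileshare-01", "10.0.2.10", "internal", (445,)),
    Asset("hr-db-01", "10.0.2.20", "pii", (1433,)),
    Asset("pay-db-01", "10.9.0.5", "trade-secret", (5432,)),
]

# Constructed rule sets: first match wins, implicit deny if nothing matches.
FLAT_RULES = [
    Rule("10.0.0.0/16", "10.0.0.0/16", None, "allow"),   # "same site, allow all"
    Rule("10.0.3.0/24", "10.9.0.0/24", 5432, "allow"),   # app tier -> payments DB
    Rule("0.0.0.0/0", "10.9.0.0/24", None, "deny"),
]
SEGMENTED_RULES = [
    Rule("10.0.1.0/24", "10.0.2.10/32", 445, "allow"),   # users -> file share only
    Rule("10.0.3.0/24", "10.0.2.20/32", 1433, "allow"),  # app tier -> HR DB
    Rule("10.0.3.0/24", "10.9.0.0/24", 5432, "allow"),   # app tier -> payments DB
]


def is_allowed(src_ip: str, dst_ip: str, port: int, rules: List[Rule]) -> bool:
    """Evaluate first-match firewall semantics for one flow."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if (src in ipaddress.ip_network(rule.src)
                and dst in ipaddress.ip_network(rule.dst)
                and (rule.port is None or rule.port == port)):
            return rule.action == "allow"
    return False  # implicit deny


def exposed_critical_assets(user_net: str, inventory: List[Asset],
                            rules: List[Rule]) -> List[Tuple[int, int]]:
    """Critical assets reachable from any host in user_net, as (name, port).

    Every host in the user network is evaluated so that rules which split
    the network are handled exactly rather than by a single probe address."""
    findings = set()
    for host in ipaddress.ip_network(user_net).hosts():
        for asset in inventory:
            if asset.data not in CRITICAL_DATA:
                continue
            for port in asset.ports:
                if is_allowed(str(host), asset.ip, port, rules):
                    findings.add((asset.name, port))
    return sorted(findings)


if __name__ == "__main__":
    for label, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        print(label, exposed_critical_assets("10.0.1.0/24", INVENTORY, rules))
```

Under the flat rule set the HR database is reachable from every user workstation; under the segmented set, which only allows the flows the business actually needs, nothing critical is exposed to the user network. The same structure works against a real inventory export and a firewall rule dump once they are parsed into the two record types.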

The second issue that plagues many enterprises is that they lack a solid grasp of what the "principle of least privilege" and "need to know" mean. Users regularly have far more access and privilege than they need to do their jobs, and this goes for secretaries and systems administrators alike (think: Snowden, the snooping sysadmin). A company may take the proactive step of removing local administrator rights from users' desktops, yet never look at the level of access those same users have in internal applications and on network file shares.

Properly designing those access controls can be difficult without already having the inventory and understanding of the business, as mentioned above.

The third major area is security training and awareness for users. Having developed a security awareness program for a large university and worked with many different enterprises, I have found that the best way to get traction is to make it personal: teach users easy, practical concepts that carry over between home and work. Many of the protective behaviors they should practice at home also help protect their corporate desktops and laptops.

The fourth issue, and one that is compounded by several of those above, is shared credentials and password reuse. Password reuse across local system accounts (the same local administrator password on every workstation, for example) is one of the biggest problems we encounter during penetration tests. It allows us, and the bad guys, to move laterally through a company's network with ease once we have compromised a single system.

Or, once we compromise a user's password, it is often the gateway to other systems and applications, because users commonly reuse passwords across multiple company systems. You think single sign-on sounds great? It is even more useful to an attacker holding a valid username and password, because that one set of credentials now opens everything.

User education and technical controls are both needed to address these two problems. The education piece needs to explain the problem and its impact so that users feel responsibility and ownership. Explaining to users exactly what could happen if their usernames and passwords were compromised, such as theft of corporate trade secrets that could cost them their jobs or put the company out of business, opens a few eyes.

Comments
chrisbunn, User Rank: Apprentice, 10/14/2013 | 2:33:31 PM
re: Tech Insight: Top 4 Problem Areas That Lead To Internal Data Breaches
Despite the increased education and security awareness, shared credentials continue to be a problem as there is no consequence on users' own access to the network. Native security controls in Windows networks are not enough as they don't limit concurrent logins. One unique piece of software, http://www.userlock.com, does however prevent concurrent logins, limiting users to only one possible Windows connection at any one instant and stopping rogue users seamlessly using valid credentials at the same time as the legitimate owner.
It also allows the implementation and strict enforcement of a granular user access control policy based on user, groups & OU, across all types of sessions, and permits/denies access to workstations and usage/connection times. Real-time monitoring and auditing ensures organizations can get compliant as well as be alerted to any predetermined access event.
NickyHelmkamp, User Rank: Apprentice, 10/2/2013 | 5:49:14 PM
re: Tech Insight: Top 4 Problem Areas That Lead To Internal Data Breaches
Hey John! We loved your article and included it in our Monthly Round-up: http://www.wiredtree.com/blog/... Cheers!