After the recent breach at Sage, I was asked to write a piece about insider threat for Professional Security Magazine Online: http://www.professionalsecurity.co.uk/products/cyber/managing-the-keys-to-the-kingdom/
The recent data breach at Sage, in which sensitive customer data was accessed internally, raises a wider question of whether UK companies are doing enough to defend against hacks, writes Andrew Tang, Service Security Director, MTI Technology.
After all, data breaches have become so commonplace that the widely accepted maxim of ‘Not if, but when’ stands true for most companies. The implication is that every major company is going to be hacked at some point. Of course, some keep it quiet and do their best to roll down the blinds so it stays in-house, while others have no choice but to come clean, usually when the breach is made public. The irony is that it doesn’t have to be like this. Attacks can be defended against. Internal breaches can be stopped. Data can be protected. It’s just a question of refocusing and committing to security as a business priority, rather than an IT need. The problem with internal attacks is that they undermine trust; a finger of doubt is pointed at all employees. People who were once held in high regard are now viewed with narrow-eyed suspicion. Paranoia rules.
In with the new
Traditional security has focused on building the castle, digging a moat and raising a drawbridge. Or in other words, putting in place rigorous and robust network defences that keep hackers out. But today we need a zero-trust model, one in which the enterprise is viewed as a hotel. Access to rooms, for example, is restricted to certain people. You can’t just walk through the front door and roam around unchallenged. You can only gain access to certain rooms according to the authorisations you have been given.
At the technology level it’s about introducing internal controls such as micro-segmentation of the network, access controls and reducing administrators’ rights. Admin rights are often available to a large number of people in any given organisation, but it’s a fact that between 80 and 100 per cent of system compromises have been carried out using admin credentials. For someone who knows what they are doing, and it doesn’t require a lot of technical knowledge, admin rights can be used to erase firewall logs, scrub back-ups, disable antivirus software and even erase CCTV footage if cameras are digitally connected to the network.
Only the few
Securing an organisation internally is about introducing privileged access controls, so only the small number of people who have the need can move through a company’s systems. It’s about recording these sessions so there is an audit trail and it’s easy to see who has gone where and when. It’s about introducing two-factor authentication for internal access so people can’t just roam through the network at will.
In small organisations it’s relatively easy to introduce these controls precisely because the operations are small. As you step up in size, however, analytics engines need to be introduced so you can see what is going on internally and also set rules. Is someone, for example, trying to access Dropbox and have they just visited a corporate database that holds customer payment details? Of course, if this is the case the klaxons should be blaring loudly. While this is an obvious example, it illustrates how with the right technology you can see and stop potentially deviant behaviour and in fact can block it before it happens. For instance, you might want to stop all access to cloud-based storage for some employees while allowing it for others, depending on role-based needs. Data loss prevention (DLP) technologies have been around a while and are a powerful tool for identifying sensitive data and raising alerts if sensitive data suddenly starts moving across the network when it shouldn’t.
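The Dropbox-after-the-payments-database rule described above, as an added illustration that is not part of the original article: a small correlation check run over constructed sample access events. Hostnames, event format and the 30-minute window are all assumptions for the example, not anything MTI or Sage use.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs): alice reads the payments
# database and reaches cloud storage minutes later; carol does the same
# hours apart; bob never touches the database.
SAMPLE_LOG = """\
2016-08-15T09:01:10 alice db_access host=payments-db table=card_details
2016-08-15T09:04:32 alice web_access host=www.dropbox.com
2016-08-15T09:10:00 bob   web_access host=www.dropbox.com
2016-08-15T11:30:00 carol db_access host=payments-db table=card_details
2016-08-15T16:45:00 carol web_access host=www.dropbox.com
"""

SENSITIVE_HOSTS = {"payments-db"}          # assumed name of the customer-payments database
CLOUD_STORAGE_HOSTS = {"www.dropbox.com"}  # assumed cloud-storage destinations
WINDOW = timedelta(minutes=30)             # assumed correlation window

def parse_log(text):
    """Parse 'timestamp user action key=value ...' lines into tuples."""
    events = []
    for line in text.splitlines():
        ts, user, action, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append((datetime.fromisoformat(ts), user, action, kv))
    return events

def find_exfil_candidates(events, window=WINDOW):
    """Return (user, db_time, cloud_time) for each cloud-storage access that
    follows a sensitive-database access by the same user within `window`."""
    last_sensitive = {}   # user -> time of most recent sensitive DB access
    hits = []
    for ts, user, action, kv in sorted(events, key=lambda e: e[0]):
        host = kv.get("host", "")
        if action == "db_access" and host in SENSITIVE_HOSTS:
            last_sensitive[user] = ts
        elif action == "web_access" and host in CLOUD_STORAGE_HOSTS:
            seen = last_sensitive.get(user)
            if seen is not None and ts - seen <= window:
                hits.append((user, seen, ts))
    return hits

if __name__ == "__main__":
    for user, db_ts, cloud_ts in find_exfil_candidates(parse_log(SAMPLE_LOG)):
        print(f"ALERT {user}: payments DB at {db_ts:%H:%M}, cloud storage at {cloud_ts:%H:%M}")
```

With the default window only alice is flagged; widening the window also catches carol, which is the tuning trade-off between missed events and false alarms that an analytics engine has to expose to the team.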
This approach to security is transformative for the business because it introduces fundamental changes to the way people work, limiting their ability to roam around networks at will, pick up information from databases, or probe internal servers. But internal security is not just about getting the right technologies in place; it’s about a different mindset. It’s about looking at IT spend through the eyes of a realised IT soul. Do you really need an all-singing, all-dancing firewall or would a next-generation firewall suit you better? Do you want to keep spending on the same technology or should you be looking at two-factor authentication? Do you want to put 80 per cent of your budget into traditional security or would an investment in proactive analytics and DLP serve you better?
Ironically, this zero-trust approach engenders greater trust. You know who is doing what, and if someone does try to walk off with a rake of customer credit card numbers, they will be stopped in their tracks.