BreachExchange mailing list archives

Addressing the weakest link in network security


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 30 Dec 2014 19:24:19 -0700

http://www.securityinfowatch.com/article/12030795/monitoring-the-activity-of-all-authorized-network-users-can-help-organizations-bolster-their-it-security-programs

You’ve done everything in your power to build strong walls around your
company’s critical information but there are still hundreds—if not
thousands—of threats lurking behind your perimeter at any given moment.

Yes, it's the malicious hackers, whistleblowers and privileged Unix users
that have caused some of the most high-profile security breaches to date.
But the inconvenient truth is that all users—from the general business user
to the third-party contractor—represent the single largest security risk to
your organization.

Unfortunately, companies simply don’t have the visibility and control
necessary to identify and manage these new types of threats. What you need
to do is go past access control and provide IT security teams with the
ability to see what your users are doing and how they are behaving once
they have access. Before we look at exactly how you can protect your
organization, let’s first understand this new user-based threat.

Advanced Hacking Techniques

The threat landscape is constantly changing and it’s not about to stop
anytime soon.

Hackers are becoming more sophisticated in their methods of attack, using
spear phishing to lure unsuspecting insiders into clicking infected links or
visiting malware-ridden websites, which grants the attackers access to a
wealth of information. All of this, coupled with the unpredictable nature of
users, only increases the likelihood of a breach.

Therefore, enterprises must be highly strategic when it comes to protecting
against both internal and external threats. There is no singular security
appliance or software that exists to mitigate them all. But there is one
common denominator when it comes to these incidents—it’s users and their
legitimate access that represent the single largest risk to organizations
today.

How Hackers Target Users

Users are the weakest link in the security chain because they have the
potential to turn malicious, be careless or make mistakes. Hackers also
know that the user is the easiest gateway into an organization’s data.

Even if you have strong firewalls, malware protection, and are taking all
the traditional infrastructure measures to secure your organization’s
sensitive information, a critical component is still missing from your
security architecture.

Historically, organizations primarily focused on threats stemming from
administrative and other IT users—and rightfully so. Given the amount of
proprietary knowledge they need to do their jobs, they can leverage a broad
range of IT assets and cause a significant amount of damage from a single
event. These users are also especially high-risk given the generic, shared
admin account log-ins they use. Because their credentials aren’t indicative
of a specific user, a hacker can gain access to these administrative
accounts and leverage them to compromise data without leaving a trace as to
who did it.

So you may be shocked to find out that these accounts are in fact not the
most compromised in an organization. Tight access control and monitoring are
usually placed on these accounts, and hackers like to use the principle of
least privilege to compromise accounts with less monitoring. Companies can
no longer afford to monitor only administrator accounts. By adopting user
activity monitoring software, companies can monitor every user across all
systems.

A recent study found that 76 percent of security incidents involve accounts
with legitimate access, and 69 percent of reported security incidents
involved an insider. In this case, an insider is anyone or anything that
operates within the organization using an authorized identity. Therefore,
anyone under a general user classification, which includes people, systems,
and applications, poses a high risk too.

Unlike administrator-level accounts, where changes to the accounts and their
activities raise alarms, business users and third-party vendors represent a
greater cumulative risk.

If an attacker can compromise or create an account that has access to the
targeted resource but does not have administrator level access, the odds of
long-term success and residence in the target environment increase
significantly. In fact, when evaluating the percentage of data breaches
that resulted from an insider, 84 percent involved some trusted insider
that did not have an administrative-level identity.

Unwitting User Risk

Aside from the generic business users being used as bait for malicious
outsiders, security mishaps can stem from mistakes and bad policies
revolving around data management within a company.

Accidental data sharing produces a greater amount of lost data than
software vulnerabilities. The simple act of clicking a bad link or
misplacing a smartphone can put you and your company’s sensitive
information at serious risk. Misconceptions about appropriate ways to
handle data within the office and with employees who are quitting add to
that risk. Many employees transfer data to their personal devices while
others may use it to exploit information to gain a competitive advantage in
a future job, for example.

When all is said and done—when your firewalls are properly configured,
antivirus is up to date, data is encrypted, and access controls are
assigned appropriately—your users remain a significant source of risk. The
ability to analyze, detect and respond is just as important as being able
to prevent.

How to Handle User-Based Risk

Until recently, having a good security architecture meant installing the
latest security software, updating your firewalls, performing security
audits and remaining compliant to keep outside threats from getting inside.
While preventing outside attacks is still a critical part of a
comprehensive security strategy, organizations are now looking for ways to
increase visibility into user-based attacks. A recent study by the Ponemon
Institute reported that 56 percent of security executives are looking for
solutions to provide increased visibility into user-based risks.

Security executives can no longer think in terms of only preventing
attacks. With these new user-based threats, organizations must also focus
on investigating and responding to potential and eventual breaches.

It may seem more important to focus on prevention, but the fact is 66
percent of breaches go undiscovered for over six months. Companies don’t
have the visibility and control necessary to recognize breaches, and a
major missing component is understanding what users are doing with their
access.

The first step to identifying and controlling user-based risk is to ensure
that you add user activity monitoring to your security strategy. Look for
a solution that provides coverage for all users and access methods,
complete session monitoring, visual forensics of user actions, and
analytics and alerting to provide proactive notification of incidents
stemming from user-based threats.
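As an added illustration of the "analytics and alerting" requirement above (this is not code from the article or from any vendor product), the Python below builds a per-account baseline from constructed session records and flags later sessions that deviate from it, scoring business and contractor accounts exactly like admin accounts. All user names, hosts, volumes and the tenfold volume threshold are made up for the example.

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample sessions (not real logs): "timestamp key=value ...".
BASELINE_LOG = """\
2014-12-01T09:12:00Z user=jsmith role=business host=crm-01 bytes=12000
2014-12-02T10:05:00Z user=jsmith role=business host=crm-01 bytes=15000
2014-12-03T14:40:00Z user=jsmith role=business host=mail-02 bytes=9000
2014-12-01T08:30:00Z user=vendor7 role=contractor host=build-03 bytes=40000
"""
NEW_LOG = """\
2014-12-30T09:30:00Z user=jsmith role=business host=crm-01 bytes=14000
2014-12-30T02:14:00Z user=jsmith role=business host=fileserver-07 bytes=520000000
2014-12-30T08:45:00Z user=vendor7 role=contractor host=hr-db-01 bytes=30000
"""

def parse(log):
    """Turn each line into a dict with int 'bytes' and the session's 'hour'."""
    events = []
    for line in log.splitlines():
        ts, *kv = line.split()
        ev = dict(p.split("=", 1) for p in kv)
        ev["hour"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").hour
        ev["bytes"] = int(ev["bytes"])
        events.append(ev)
    return events

def build_baseline(events):
    """Per account: hosts used, hours of day seen, largest session volume."""
    base = defaultdict(lambda: {"hosts": set(), "hours": set(), "max_bytes": 0})
    for ev in events:
        b = base[ev["user"]]
        b["hosts"].add(ev["host"]); b["hours"].add(ev["hour"])
        b["max_bytes"] = max(b["max_bytes"], ev["bytes"])
    return base

def detect(baseline, events, volume_factor=10):
    """(user, role, host, reasons) for each session that deviates from its own baseline."""
    alerts = []
    for ev in events:
        b, reasons = baseline.get(ev["user"]), []
        if b is None:                       # no history at all for this identity
            reasons.append("unknown account")
        else:
            if ev["host"] not in b["hosts"]: reasons.append("new host")
            if ev["hour"] not in b["hours"]: reasons.append("unusual hour")
            if ev["bytes"] > volume_factor * b["max_bytes"]: reasons.append("volume spike")
        if reasons:   # business and contractor roles are scored exactly like admins
            alerts.append((ev["user"], ev["role"], ev["host"], reasons))
    return alerts

def run():
    return detect(build_baseline(parse(BASELINE_LOG)), parse(NEW_LOG))
```

`run()` returns two alerts: the off-hours, high-volume session by the business user against a host she never used, and the contractor's first-ever session against an HR database; the routine morning CRM session raises nothing.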

Adding comprehensive user activity monitoring will help organizations
overcome many of the security challenges they face today. By understanding
how users act and behave inside your organization and arming security teams
with tools to identify potential threats, you can spot the early signs of an
incident and respond rapidly before it becomes a data breach.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 