BreachExchange mailing list archives

Tech Insight: Top 4 Problem Areas that Lead to Internal Data Breaches


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 30 Sep 2013 22:37:06 -0600

http://www.darkreading.com/insider-threat/tech-insight-top-4-problem-areas-that-le/240161952

External data breaches from groups like Anonymous and internal data leaks
from insiders such as Edward Snowden have enterprises questioning and
rethinking their security programs. Are they doing enough to protect their
data? Are their security controls effective? Would they be able to respond
appropriately to a data breach and contain it quickly?

Much of the questioning and confusion has to do with executives not
understanding where their critical assets are and how they need to be
protected. Their sense of security is skewed by the fact that they've
passed their compliance requirements, causing them to think they are safe.
For most companies, if they were truly targeted by a sophisticated and
determined attacker, they would fail miserably.

Why would they fail? Traditionally, security was focused on protecting the
perimeter. Based on my experience with penetration testing organizations
from all different industries, companies are doing a great job of locking
down their externally exposed assets, with the exception of Web servers.
There are fewer devices exposed and even fewer ports open that could provide
an avenue for attack.

That sounds great, right? So, why would these companies fail at protecting
their critically important data and business systems?

The first problem area is not knowing where all the critical assets are
located inside the network and protecting them appropriately. All too often,
when I ask during a penetration test what are the critical systems, I get
several different answers depending on the person answering the question.
The CIO will have a different answer than the security team leader and this
will differ from the various business unit owners.

Then once the testing begins, we find that there is little to no true
network segmentation between various organizational units, the servers, and
general network devices. Most logical network separation is done because of
physical separation between holding floors and geographic locations. It is
not done from a security standpoint and there are usually very few, if any,
firewall rules between those networks.

In order to combat the problem, a risk assessment and a full inventory of
all systems, including the types of data handled by each system, need to be
completed. That information can then guide the proper network segmentation.
Of course, it cannot be done completely without looking at the business
processes and how users use and access the data. When the previous two
processes are combined, access control for users can then be properly
architected and implemented, which leads us to the next problem area.

The second issue that plagues many enterprises is that they don't have a
solid concept of what the "principle of least privilege" and "need to know"
mean. Users regularly have a great deal more access and privilege than
necessary to complete their job -- this goes for secretaries and systems
administrators alike (e.g., Snowden, the snooping sysadmin). A company
may take the proactive step of removing local administrator rights from
their users on their desktops, but they don't bother with the level of
access in various internal applications and network file shares.

Properly designing those access controls can be difficult without already
having the inventory and understanding of the business as mentioned above.

The third major area is security training and awareness for users. Having
developed a security awareness program for a large university and working
with many different enterprise organizations, I've found the best way for
traction is to make it personal. Teach users easy and practical concepts
that relate between home and work. Many of the same protective behaviors
they should be doing at home can also help protect their corporate desktops
and laptops.

The fourth issue, and one that is compounded by several of the others, is
the presence of shared credentials and password reuse. Password reuse
across local system accounts is one of the biggest problems we encounter
during penetration tests. It allows us, and the bad guys, to easily move
laterally within a company's network once we compromise one system.

Or, once we compromise a user's password, it is often the gateway to
getting access to other systems and applications because users commonly
reuse passwords across multiple company systems. You think single sign-on
sounds great? It's even more useful to an attacker with a valid username
and password because they can now get into everything with that one set of
credentials.
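As an added illustration of the fourth problem area (this is example code, not from the original article): an audit that groups local-account credential digests by value across hosts and reports every password shared by more than one host or account, plus the set of hosts reachable from one compromised machine through shared credentials. The article names no tool, so the `host,account,digest` export format and the digest values are assumptions constructed for this example.

```python
from collections import defaultdict
import csv
import io

# Constructed sample export of local accounts: host, account, credential digest.
# Digest values are placeholders for an unsalted hash, not real hashes.
SAMPLE_EXPORT = """host,account,digest
fs01,Administrator,d1
fs02,Administrator,d1
ws-017,Administrator,d1
ws-018,Administrator,d2
fs01,backup,d1
db01,Administrator,d3
"""


def parse_export(text):
    """Return (host, account, digest) tuples from a CSV export."""
    return [(r["host"], r["account"], r["digest"])
            for r in csv.DictReader(io.StringIO(text))]


def find_reuse(rows):
    """Map each digest that appears on more than one host/account to the
    list of (host, account) pairs sharing it; unique passwords are dropped."""
    by_digest = defaultdict(list)
    for host, account, digest in rows:
        by_digest[digest].append((host, account))
    return {d: pairs for d, pairs in by_digest.items() if len(pairs) > 1}


def blast_radius(rows, compromised_host):
    """Hosts whose local accounts share a password with any local account on
    compromised_host: the lateral-movement exposure of that one machine."""
    exposed = {d for h, _, d in rows if h == compromised_host}
    return {h for h, _, d in rows if d in exposed and h != compromised_host}


def report(text):
    """Human-readable audit lines: one per reused password, then the worst host."""
    rows = parse_export(text)
    lines = []
    for digest, pairs in find_reuse(rows).items():
        where = ", ".join(f"{h}\\{a}" for h, a in pairs)
        lines.append(f"password shared by {len(pairs)} accounts: {where}")
    worst = max({h for h, _, _ in rows}, key=lambda h: len(blast_radius(rows, h)))
    lines.append(f"widest blast radius: {worst} reaches {sorted(blast_radius(rows, worst))}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EXPORT)))
```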

User education and technical controls are needed to address both of these
problems. The education piece needs to explain the problem and the impact
to help instill a sense of responsibility and ownership. Being able to
explain to a user exactly what could happen if their username and password
were compromised, such as theft of corporate trade secrets that could
result in their losing their job or the company going out of business,
opens a few eyes.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/