After reading Monday's The Washington Post, I see yet again (sigh) that a former NSA contractor may have stolen sensitive information. However, this time it’s 75% of their elite hacking tools that Snowden previously highlighted. Harold T. Martin is accused of carrying out the biggest theft of classified information in the history of the U.S. and will be charged with violating the Espionage Act. Painted as a patriot by his defense team, Martin claimed to be simply ‘taking work home to improve at his job’, and this is something that a lot of employees do in most companies. However, several pieces of this information have shown up on the dark web after recent investigations. While this may remind some of Snowden or Chelsea Manning, what this says to us as security professionals is do we really question or have a handle on “What is going off???”
With the above-mentioned incidents, we have to question what else is going off that we don’t get to know about. Is this the ‘tip of the iceberg’, and are the measures that are in place to protect us good enough? While all of the incidents at the NSA are not as costly or as consequential, we have to remember that reputation is valuable in the security arena and incidents like these will destroy the confidence of our customers.
We have to ask ourselves how to protect our intellectual property, customer and financial data when our trusted employees have access to this valuable data but they aren't thinking about or aware of the consequences of their actions and are sometimes, as mentioned above, just trying to ‘help out’ in their own time.
I can see four ways that we can defend against this insider threat and I would like to share them with you.
1. Role-Based Access
With hundreds and thousands of users on your network, it can be overwhelming to try and provision everyone with the correct access in a timely fashion. With people moving into your system every day, it quickly becomes a game of numbers and/or unique identifiers all sending in requests for access they think they need resulting in a backlog of requests, a long wait for access, and too often unnecessary access rights being granted leaving you vulnerable to a breach.
Rather than dealing with these headaches, you could handle provisioning by role-based access. This way, if you are a member of the development team, once you go online to request access to network systems, you are led to the development applications rather than having to pick and choose from each and every application in the company. If you apply for an application that is within your role then you would be instantly granted access rather than waiting on approval for something as simple as email. Not only does this save time for the user by helping them choose what to ask for but it helps to eliminate the number of excessive access requests giving only the right people access to your critical applications.
2. Access Management
Every organization, no matter how big or small or what industry you are in, has the same three types of users: Joiners, Movers and Leavers. What do each of these have in common?
They need to have their access immediately changed along with their status. Joiners need access to systems such as email, time cards, and internal network files on the day they start. Movers need to have access rights changed as soon as their role changes. While these two users are important to your organization the most important to your security are the Leavers.
In a study by scmagazine.com, 1 in 5 employees still have access to the internal systems of their previous jobs. 1 in 5! When an employee is terminated, regardless of the reason, they need to have their access immediately terminated. Is your system set up to handle this?
3. Segregation of Duties
Wouldn’t it be great to be able to set and approve your own budget? What about requesting and approving a purchase order? While this does sound dreamy, it also sounds like a nightmare for your finance department. In order for your organization to uphold the checks and balances of their systems, from budgeting to systems access, there needs to be segregation between requestors and approvers.
When you assign Segregation of Duties at the beginning of your project you are essentially saying what each user is allowed to do and not do and put in place barriers to keep these issues from happening.
4. Real-Time Monitoring
Auditing is most likely your least favorite time of the year. However, the fact that you only audit once or twice a year means that you are only giving yourself one or two chances to find errors in your system. With real-time monitoring, like the monitoring with an intelligent IAM system, you can see into your system at any time as well as be alerted when things look wrong. If four new users are granted access to a critical application in one week, would you notice? With real-time monitoring, you would be alerted to this event so that you can investigate and mitigate the risk of a breach.
5. Build a Security-Aware Culture
This tip is a freebie. One of the best ways you can protect against a breach in your system is by building a security-aware culture. In Global Accountant’s article, they mentioned that 42% of the accountants knew the IT policy. That means 58% of them didn’t know the policy. Educated users make better decisions. By building a culture that is aware of the risks to themselves and the company, you expand your security team exponentially. When your organization buys into your security strategy they become more aware of risks, take more precautions against them and become a new line of defense against attacks.
Are you currently monitoring these four internal risk factors? Have you experienced a breach by not following one of these? Do you even know what risks are currently in your system?
With an Identity and Access Management solution, you can keep up with all of these risks and more at the same time. Using our solutions, we can perform a quick scan of your system and tell you where your risks lie and how you can protect against cyber-attacks.
Looking for other ways to defend your organization? It starts with culture! For more information on how you can defend your organization from insider threats, download our eBook "How to Build a Culture of Security".