360 Advanced Warns About Insider Threats: Is Your Data Already Out There And You Don’t Know It?
TAMPA, Fla., June 10, 2014 /PRNewswire/ -- Chief information officers must not underestimate the creativity of online organized criminals in quietly penetrating their IT systems through a growing area of vulnerability: employees and vendors. That's the conclusion of information security compliance specialists at 360 Advanced, Inc. (www.360advanced.com).
"The media normally paints insider threats as one of your employees going rogue," said David James Smith, an information technology security consultant and Certified Ethical Hacker at 360 Advanced. "It has been my experience that a lot more is happening inside a company and inside a network that is just as dangerous. Your information, your data, may already be out there and you don't even know it."
With the growth of APTs (advanced persistent threats), Smith explains, there is an expanding community of highly skilled hackers who deliberately go through small numbers of trusted but lax employees and vendors to get into information systems, and who manage to stay there because they leave such a small footprint. They work inside, often undetected for months, because they entered through so-called trusted routes.
Smith, a CompTIA Certified Advanced Security Practitioner who worked for the U.S. Department of Defense, offers the following advice:
- Be careful about BYOD. As more and more companies follow the popular trend toward permitting employees to "bring your own device," or BYOD, Smith says allowing company information to be shared over numerous employees' personal devices puts all data at risk because you cannot be sure the machines are safe. "If you don't have the ability to see into them to make sure they are running controls and have the latest virus definitions, all of your corporate secrets could be going out the window," Smith said. Smartphone infections are common and becoming more so. You should have a written corporate policy limiting access to financial information, client contracts and other sensitive (and valuable) data on personal devices.
- Don't think you are too small to be hacked. In fact, a clear trend now is for smaller companies with lax IT security standards and numerous unmanaged permissions to become easy platforms from which hackers hide and wait to enter the larger firms with which the small ones do business. Smith, who conducts penetration tests for 360 Advanced clients, calls small firms today the "low hanging fruit" that cyber thieves are stalking as larger firms become more vigilant and harder to penetrate.
- Renew your dedication to the principle of least privilege. Immediately conduct an audit of access permissions, and cut back. Over time, through the phenomenon of permission creep, too many people who should not have access to information do. "The big problem is awareness. My rule is know thy network, and people don't," said Smith. "On several projects, when we point out the dangers of too many permissions, we're told, 'well, nobody could do anything with that data,' and then we'll show them what could be done with that data using the privileges that they thought were safe."
- Beware vendor access. Smith warns that a vital component of the rule of least privilege is to thoroughly and regularly analyze what access you have allowed your vendors. As the use of extranets grows, know your vulnerability, and avoid opening the door to a vendor's access to vital company information without a thorough compliance audit. Obviously, your HVAC vendor should not have direct access to the same set of computers where you store your payroll data. Such routes through vendor SharePoint sites and extranets are favored by hackers, and Smith says he sees that frequently.
- Consider your liability. If you are a third-party vendor managing information for one or more – or dozens – of clients, be aware of the civil liability of not having the proper controls and allowing unauthorized criminal access to your client's proprietary data. While carelessness in this area has not reached the level of criminal negligence at this point, there are indications that governments are moving in that direction. If you unknowingly allow one of your machines to essentially become a bot working for a paid hacker, you can be held liable for real and actual civil damages. At the least, you will lose perhaps hundreds or thousands of man-hours participating in and supporting the criminal investigation into how it happened.
- Don't just check the boxes. If you manage data for a client, invest the time and money to achieve compliance in one or more of the nine most important information security levels you may need, depending on the type of client information housed. Those levels are compliance with the Health Information Portability and Accountability Act (HIPAA); SOC 1 and SOC 2, which are the AICPA Service Organization Control Reports; Penetration Tested Service Organization (PEN); Payment Card Industry Data Security Standard (PCI); ISO 27001; Standard Information Gathering (SIG); Federal Information Security Management Act (FISMA) and the Experian Independent Third Party Assessment (EI3PA). However, after you earn compliance, the real work begins. You can't just check the boxes and relax. Develop a culture dedicated to information security. Self-testing is continual. "Any time there is any structural change to the network, a new server, a new gateway, a new firewall, especially if you bring in a new vendor, or host a new client server, consider how these changes can impact overall security," Smith advises. "Avoid complacency at every level."
- Ask for credentials from security assurance contractors. Information security is big business and getting bigger every day. More and more so-called experts are entering the field, and many are providing inadequate examinations/audits that only superficially analyze your vulnerabilities and then certify compliance. Make sure your compliance contractor is a multi-service, licensed Certified Public Accountant (CPA) and Qualified Security Assessor (QSA) firm that specializes in integrated compliance solutions for service providers related to internal controls, security, confidentiality, privacy, processing integrity, availability and other elements critical to information surety.
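The permissions audit and vendor-access review above (least privilege and "beware vendor access") can be turned into a repeatable check. The following is an added example, not 360 Advanced's code or tooling: it compares a constructed access inventory against a per-role least-privilege baseline, flags permission creep, and separately flags any vendor account that can reach a sensitive system such as a payroll database. The account, role, resource and baseline names are hypothetical.

```python
from collections import defaultdict

# Constructed inventory of (account, role, resource): hypothetical data, not from the release.
ACCESS_GRANTS = [
    ("alice", "payroll", "payroll-db"),
    ("alice", "payroll", "file-share"),
    ("bob", "engineering", "build-server"),
    ("bob", "engineering", "payroll-db"),      # stale grant from an old project: permission creep
    ("carol", "finance", "file-share"),
    ("hvac-vendor", "vendor", "bms-controller"),
    ("hvac-vendor", "vendor", "extranet"),
    ("hvac-vendor", "vendor", "payroll-db"),   # vendor route into a sensitive system
]

# Least-privilege baseline: the resources each role actually needs (assumed values).
ROLE_BASELINE = {
    "payroll": {"payroll-db", "file-share"},
    "finance": {"payroll-db", "file-share"},
    "engineering": {"build-server", "file-share"},
    "vendor": {"extranet", "bms-controller"},
}

SENSITIVE_SYSTEMS = {"payroll-db"}


def find_permission_creep(grants, baseline):
    """Grants the account's role does not justify; accounts with an unknown role are flagged whole."""
    return sorted(
        (acct, res) for acct, role, res in grants
        if res not in baseline.get(role, set())
    )


def find_vendor_exposure(grants, sensitive):
    """Vendor accounts that can reach a sensitive system, mapped to those systems."""
    exposure = defaultdict(set)
    for acct, role, res in grants:
        if role == "vendor" and res in sensitive:
            exposure[acct].add(res)
    return {acct: sorted(systems) for acct, systems in exposure.items()}


def revocation_plan(grants, baseline, sensitive):
    """Per-account grants to cut back: permission creep plus vendor reach into sensitive systems."""
    plan = defaultdict(set)
    for acct, res in find_permission_creep(grants, baseline):
        plan[acct].add(res)
    for acct, systems in find_vendor_exposure(grants, sensitive).items():
        plan[acct].update(systems)
    return {acct: sorted(res) for acct, res in sorted(plan.items())}
```

Run the plan after every structural change (new server, new vendor, new extranet) and diff it against the previous run; a grant that reappears after revocation is exactly the creep the audit is meant to catch.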