“95% of cybersecurity breaches are caused by human error.” – Cybint
Rapid technology innovations on multiple fronts pose a complex challenge for those tasked with the security and availability of the IT infrastructure. On one hand, new devices such as mobile phones, smart screens, and IoT-enabled devices are deployed alongside computers. At the same time, IT policies allowing BYOD (Bring Your Own Device) and WFH (Work From Home) have now become the norm, which has compounded the security problem.
The result is a significant increase in the threat surface along with the number of points from where the IT infrastructure can be compromised. Of all recent developments, the now accepted shift to WFH and the use of personal devices pose the biggest challenge. IT Managers now need to take measures to secure both the device and the access point from where employees connect to the Corporate network. But how can they ensure the identity of the user accessing the system and adherence to security norms while employees work from the comfort of their homes?
Many Enterprises have become soft, yet lucrative targets for hackers as a result of the increased threat surface that is as yet unsecured. Trends indicate:
- Remote workers will be soft targets for cybercriminals
- As a side effect of remote workforces, cloud breaches will increase
- The cybersecurity skills gap, especially in Enterprises, will remain an issue
- Growth of always-on, connected devices will increase network vulnerability
The invisible threat to your IT infrastructure
When employees worked in offices, businesses were able to ensure that only authorized staff accessed critical infrastructure, in part through physical security measures. It was easier to ensure that staff complied with the established security norms. But with employees now working from home, businesses have to rely purely on the users’ virtual identity and trust that users comply with security processes.
The probability that malicious users can compromise the system, either from within the organization or by taking advantage of unsuspecting employees, is very real. CIOs need to place equal emphasis on securing the IT infrastructure from external threats and from internal vulnerabilities.
Indicators of Internal Sabotage
Internal sabotage is when employees with access to the company’s sensitive systems and information use that access for malicious purposes. Most internal saboteurs come in two flavors – Players and Pawns.
Players – Are aware of the crime and have malicious intent. They are typically disgruntled employees or people who have joined the organization with a specific motive. Research has shown that most of them have some kind of personal predisposition that leads them into it.
Pawns – Are typically employees who do not have a motive but unknowingly participate in the act. They are typically people who are helpful and enthusiastic. Their willingness to help, or their ignorance, gets exploited.
It is important to understand the persona and motivation of the “Players”:
- Most internal attacks are triggered by an unfavourable event or condition at the workplace. The motive generally is revenge.
- Largely the attacks happen after office hours and outside the office premises via remote access. Perpetrators find comfort in not being surrounded by people or physically being present in the workplace.
- Generally, it’s likely that peers are aware of the sabotage, or at least observed a change in behaviour even if they are not aware of the concrete plan.
- Most attacks are carried out through compromised or shared computer accounts.
- In several cases these indicators are observed but ignored by organizations due to workload or an unwillingness to change the age-old way of doing things.
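Two of the indicators above (attacks after office hours via remote access, and the use of compromised or shared accounts) can be turned into simple detection logic. The following is an added example written for this article, not code from the original page or from any product it names; it runs over a handful of constructed VPN login records, and the business-hours window and the "more than two source addresses" threshold are assumptions chosen for the demonstration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample remote-access log (not from any real system).
# Each line: ISO timestamp, username, source IP, event
SAMPLE_LOG = """\
2024-03-04T09:12:05 alice 203.0.113.10 LOGIN_OK
2024-03-04T09:15:44 bob 198.51.100.7 LOGIN_OK
2024-03-04T22:47:10 svc-backup 203.0.113.10 LOGIN_OK
2024-03-04T22:49:31 svc-backup 198.51.100.22 LOGIN_OK
2024-03-04T23:05:02 svc-backup 192.0.2.77 LOGIN_OK
2024-03-05T02:30:12 carol 192.0.2.15 LOGIN_OK
"""

BUSINESS_HOURS = range(8, 19)          # 08:00-18:59 local time; assumed for the demo
SHARED_ACCOUNT_SOURCE_THRESHOLD = 2    # more distinct source IPs than this is suspicious


def parse_log(text):
    """Parse the whitespace-separated records into dicts with a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, event = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "event": event})
    return events


def after_hours_logins(events):
    """Successful logins outside the business-hours window (indicator: after office hours)."""
    return [e for e in events
            if e["event"] == "LOGIN_OK" and e["ts"].hour not in BUSINESS_HOURS]


def shared_account_candidates(events, threshold=SHARED_ACCOUNT_SOURCE_THRESHOLD):
    """Accounts seen logging in from many distinct sources (indicator: shared/compromised account)."""
    sources = defaultdict(set)
    for e in events:
        if e["event"] == "LOGIN_OK":
            sources[e["user"]].add(e["ip"])
    return {user: sorted(ips) for user, ips in sources.items() if len(ips) > threshold}


def report(text):
    """Combine both checks into one review-ready summary."""
    events = parse_log(text)
    return {
        "after_hours": [(e["user"], e["ts"].isoformat()) for e in after_hours_logins(events)],
        "shared_accounts": shared_account_candidates(events),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(key, value)
```

Neither check proves sabotage on its own; a backup service legitimately runs at night. The value is in surfacing the combination (an account active after hours from several addresses) for a human to review, which is exactly the kind of indicator the article says organizations observe and then ignore.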
Preventive steps / actions
Combating internal vulnerabilities and securing the IT infrastructure requires a coordinated approach on two fronts. Organizations need to take advantage of the latest technologies to monitor, analyze and identify threats in advance. Simultaneously, people processes also need to be updated to address security topics for remote working scenarios.
Align all teams who are responsible for data security. This includes HR, IT, Maintenance, and Security. Make them aware and educate them on the increased threats and the latest trends in cyber attacks. Educate employees about internal attacks and encourage them to come up with a collaborative plan.
Clearly document and consistently enforce policies and controls. Ensure all the employees who have access to data are also educated about the new threats and vulnerabilities.
Encourage employees to provide insights on the new policies and take inputs for threats that could potentially come from within.
Incorporate malicious and unintentional insider threat awareness into periodic security training for all employees.
Disgruntled employees are a major source of internal threat. Create an HR plan to identify and track potentially disgruntled employees.
One of the best ways to track personal-level issues and problems is to use peers themselves. Create strong and well-crafted whistleblower policies where the employees feel empowered and responsible for the well-being of the company.
Technology-led Initiatives, Systems, and Approach
The Zero Trust model
Created by John Kindervag back in 2010, it is based on “never trust, always verify”. It is a concept where organizations should not automatically trust any resource or individual, inside or outside the network. It suggests a fresh start by revoking all access and providing access on a case-by-case basis with a clear understanding of the need. Technologies such as Identity and Access Management (IAM) and multi-factor authentication (MFA) are complementary to this approach.
It is not enough just to implement these technologies. There should also be a strategy and a clear SOP in place to manage the operations of the organization. However, this strategy is a little aggressive and requires a complete overhaul of the security policies and ongoing work, which is not always practical and, more often than not, could potentially break the system or make it brittle by holding it together with bandages.
Most traditional security systems are designed and inspired by the castle-and-moat layout where all systems inside the moat are secured. This was an effective strategy in the traditional ecosystem. Over the years though, certain adaptations such as cloud and distributed workforce have created new challenges. Security mesh is one such approach where the focus is on securing every node of the network and not the traditional approach of building a boundary around the entire network.
Identity-first security and Identity Management
Identity management (IdM), also known as identity and access management (IAM) is the security practice that enables the right individuals or machines to access the right resources at the right times and for the right reasons.
Identities are the most vulnerable threat surface of every organization. Identity includes people, machines, IoT devices, and an active device or a group of devices on the network that needs to access a resource or service. Identity Security is one of the primary implementations of the Zero Trust model where all identities used in the organization are secured and managed using technology.
This enables providing fine-grained access to resources and data at an almost individual identity level and prevents Privileged Account Compromise. One example of this is the IAM security provided by AWS. Most solutions in this space span multiple technologies and platforms.
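The Zero Trust section above (deny by default, verify every request, MFA) and this section (fine-grained, identity-level access, as in AWS IAM) describe the same mechanism from two angles. The following added example, written for this article and not taken from the page, from AWS, or from any product listed below, shows a deny-by-default authorizer that checks MFA and device posture on every request and then consults an explicit allow table; it also renders one role's rules as an AWS IAM policy document. The role names, resource prefixes and the action-to-IAM mapping are constructed for the demonstration.

```python
from dataclasses import dataclass, field


@dataclass
class Identity:
    name: str                    # human or machine identity
    mfa_verified: bool           # MFA completed for this session
    device_compliant: bool       # endpoint passed its posture check
    roles: frozenset = field(default_factory=frozenset)


# Constructed allow table: (role, action, resource prefix).
# Zero Trust stance: anything not listed here is denied, regardless of
# where the request comes from.
ALLOW_RULES = [
    ("payroll-analyst", "read", "s3://finance/payroll/"),
    ("payroll-admin", "read", "s3://finance/"),
    ("payroll-admin", "write", "s3://finance/payroll/"),
    ("backup-service", "read", "s3://"),
]

# Assumed mapping from the demo's coarse actions to IAM actions.
IAM_ACTION = {"read": "s3:GetObject", "write": "s3:PutObject"}


def authorize(identity, action, resource):
    """Evaluate one request. Returns (allowed, reason)."""
    # 1. Session-level checks are re-applied on every request ("always verify").
    if not identity.mfa_verified:
        return (False, "mfa-required")
    if not identity.device_compliant:
        return (False, "device-noncompliant")
    # 2. Explicit, fine-grained allow. No matching rule means denial.
    for role, allowed_action, prefix in ALLOW_RULES:
        if role in identity.roles and action == allowed_action and resource.startswith(prefix):
            return (True, f"allowed-by:{role}")
    return (False, "no-matching-rule")


def to_iam_policy(role):
    """Render one role's allow rules as a least-privilege AWS IAM policy document."""
    statements = []
    for r, action, prefix in ALLOW_RULES:
        if r != role:
            continue
        key = prefix[len("s3://"):]          # "finance/payroll/" or "" for all buckets
        statements.append({
            "Effect": "Allow",
            "Action": IAM_ACTION[action],
            "Resource": f"arn:aws:s3:::{key}*",
        })
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    analyst = Identity("alice", True, True, frozenset({"payroll-analyst"}))
    print(authorize(analyst, "read", "s3://finance/payroll/2024.csv"))
    print(authorize(analyst, "write", "s3://finance/payroll/2024.csv"))
    print(to_iam_policy("payroll-analyst"))
```

The important property is the last line of `authorize`: the absence of a rule is a denial. Adding a role grants exactly the listed actions on the listed prefixes, which is the "case-by-case" access the Zero Trust model calls for and the fine-grained control IAM products implement.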
There are several products in the market that cater to this need:
- IBM Security Verify Access
- Cisco Identity Services Engine
- CyberArk – Idaptive
- OneLogin – Access
Remote worker Endpoint Security
With remote work becoming the new normal, securing remote access nodes poses new challenges especially with them being present outside the firewall. This problem is further compounded with infrastructure moving to the Cloud.
Breach and attack simulation
Is a continuous fire drill performed typically by independent vendors where they simulate sophisticated attacks similar to techniques used by cybercriminals to find vulnerabilities and report the same.
Cloud security breaches
Refers to the compromising of data or nodes on cloud infrastructure. With more companies moving to the cloud, this has only snowballed in the past few years. Most of these data breaches can be attributed to configuration errors, IAM permission errors, and the re-use of identities.
Best practices to reduce these vulnerabilities are:
- Encrypt all data that is persistent (databases, logs, backup systems). Build this process into the QA checklist for all releases. Classify systems and data into sensitive and others. Ensure that sensitive data is secured and encrypted.
- Prevent re-use of resource identities in the infrastructure and ensure each identity’s permissions are allotted on a need basis. Use tools like Centrify, Okta and CyberArk to manage these permissions.
- Routine audits on identity permissions, firewalls and cloud resources can help prevent these breaches.
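The three practices above (encrypt persistent data, one identity per workload with need-based permissions, routine audits of permissions and firewalls) can be checked mechanically against an inventory export. The following added example is written for this article and is not code from the page or from Centrify, Okta or CyberArk; it audits a constructed inventory snapshot whose JSON shape is an assumption made for the demonstration rather than any provider's real export format.

```python
import json

# Constructed inventory snapshot (not real infrastructure). The shape is assumed
# for this example; a real audit would read it from the provider's API.
INVENTORY = json.loads("""
{
  "storage": [
    {"name": "customer-db", "classification": "sensitive", "encrypted": true},
    {"name": "app-logs",    "classification": "internal",  "encrypted": false},
    {"name": "backups",     "classification": "sensitive", "encrypted": false}
  ],
  "identities": [
    {"name": "svc-web",    "used_by": ["web-tier"],
     "permissions": ["storage:read:app-logs"]},
    {"name": "svc-shared", "used_by": ["web-tier", "batch-jobs", "ci-runner"],
     "permissions": ["storage:*"]},
    {"name": "svc-backup", "used_by": ["backup-agent"],
     "permissions": ["storage:read:customer-db", "storage:write:backups"]}
  ],
  "firewall_rules": [
    {"name": "allow-https",   "source": "0.0.0.0/0", "port": 443},
    {"name": "allow-ssh-any", "source": "0.0.0.0/0", "port": 22}
  ]
}
""")


def find_unencrypted_persistent(inv):
    """Practice 1: every persistent store (db, logs, backups) must be encrypted."""
    return [s["name"] for s in inv["storage"] if not s["encrypted"]]


def find_reused_identities(inv):
    """Practice 2: an identity shared by several workloads cannot be scoped to one need."""
    return [i["name"] for i in inv["identities"] if len(i["used_by"]) > 1]


def find_wildcard_permissions(inv):
    """Practice 2: wildcard grants are the opposite of need-based permissions."""
    return [i["name"] for i in inv["identities"]
            if any("*" in p for p in i["permissions"])]


def find_admin_ports_open_to_world(inv, admin_ports=(22, 3389)):
    """Practice 3: firewall audit; admin ports reachable from anywhere."""
    return [r["name"] for r in inv["firewall_rules"]
            if r["source"] == "0.0.0.0/0" and r["port"] in admin_ports]


def audit(inv):
    """Run all checks and return (severity, finding, resource) tuples."""
    findings = []
    classification = {s["name"]: s["classification"] for s in inv["storage"]}
    for name in find_unencrypted_persistent(inv):
        severity = "high" if classification[name] == "sensitive" else "medium"
        findings.append((severity, "unencrypted-storage", name))
    for name in find_reused_identities(inv):
        findings.append(("medium", "identity-reused", name))
    for name in find_wildcard_permissions(inv):
        findings.append(("high", "wildcard-permission", name))
    for name in find_admin_ports_open_to_world(inv):
        findings.append(("high", "admin-port-exposed", name))
    return findings


if __name__ == "__main__":
    for severity, finding, resource in audit(INVENTORY):
        print(f"[{severity}] {finding}: {resource}")
```

Running this on a schedule, and treating any new finding as a blocking item in the release checklist the article mentions, turns the "routine audit" practice into something that happens without relying on someone remembering to do it.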
Securing your infrastructure
Over the years, as companies have moved to the cloud, we have seen only an increase in cyber attacks. With remote working becoming commonplace, the line between internal and external attacks has blurred. It is better to strengthen the company’s defenses pre-emptively than to become a victim. Get in touch with us for insight into how you could secure your company’s business and infrastructure.