All Threats Are Internal

January 28, 2015

Every day there is another story in the news about a data breach. It’s not really news anymore – what is newsworthy is the aftermath of the breach. Everyone in security knows that intrusions are inevitable. You’ve been breached or you will be breached in some form or another – it’s not a matter of if, but when. Once you accept this you realize that it doesn’t matter what your external facing defenses are – what is more important is what you’ve done to protect your infrastructure from the inside.

Most companies have numerous defenses with the idea that the threat is external, but their internal defenses are practically non-existent. The view of the evil hacker in his mom’s basement attacking you for the LOLs is not as large a threat these days as the system administrator who hates his boss or the clever employee that searches and finds your salaries.xls file. (You really shouldn’t have a salaries.xls file).

Almost every company we talk to has no idea exactly what they have: where it is located, who has access, who should have access, what applications they run, what licenses they own, what servers are in use, who has inappropriate access, and what the risk rating is for all privileged and non-privileged access. Nor do they understand what baseline “business as usual” levels of usage look like for their employees, or have any way to track what is being done within their environment.

Knowing all of these things will limit the effect of a security breach. By having a full understanding and comprehensive view of your environment – you can identify anomalous behavior; track the activity; audit performance and then resolve any issues.

Insiders are the biggest threat – whether malicious or not, your employees probably have more access to information than they need. And whether they know it or not, if someone has access, they are a risk. This report from PWC goes into detail about lack of access controls. (PWC Report)

Not to pick on Sony (they did so many things wrong), but they should have known that their intellectual property was walking out the door. How is it possible that so much data could be removed without anyone noticing? The size of a single movie, let alone the several that leaked, should have raised concerns. If that much information were being accessed, moved, or downloaded within your environment, would you know? Maybe you don’t have files as large as a typical movie, but if a large amount of your intellectual property were being accessed and moved by someone who is authorized to access it, would you know? In this scenario you need to track the unusual behavior, not whether or not the individual is authorized.
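The point above (and the earlier one about knowing your baseline) can be turned into a concrete check: compare each user’s data movement against their own “business as usual” history and flag the departures, regardless of whether the user is authorized. This is an added illustration, not code from the original post; the log format, the user names and the volumes are all constructed for the demo.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: "<day> <user> <bytes copied off the file share>".
# Both users are authorized to read the share; only the volume is unusual.
SAMPLE_LOG = """\
2015-01-05 alice 120000000
2015-01-06 alice 95000000
2015-01-07 alice 110000000
2015-01-08 alice 130000000
2015-01-09 alice 4800000000
2015-01-05 bob 40000000
2015-01-06 bob 42000000
2015-01-07 bob 38000000
2015-01-08 bob 41000000
2015-01-09 bob 39000000
"""

def parse_log(text):
    """Group log lines into {user: [(day, bytes), ...]} in file order."""
    per_user = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines rather than crash
        day, user, nbytes = parts
        per_user[user].append((day, int(nbytes)))
    return dict(per_user)

def baseline_outliers(per_user, window=4, factor=3.0):
    """Build each user's baseline from their first `window` days, then flag
    later days whose volume exceeds mean + factor * std-dev of that baseline.
    Authorization is deliberately not consulted: behaviour is what matters."""
    findings = []
    for user, records in per_user.items():
        if len(records) <= window:
            continue  # not enough history to call anything unusual
        base = [n for _, n in records[:window]]
        threshold = mean(base) + factor * pstdev(base)
        for day, nbytes in records[window:]:
            if nbytes > threshold:
                findings.append({"user": user, "day": day, "bytes": nbytes,
                                 "ratio": round(nbytes / mean(base), 1)})
    return findings

if __name__ == "__main__":
    for f in baseline_outliers(parse_log(SAMPLE_LOG)):
        print(f"{f['day']} {f['user']} moved {f['bytes']} bytes, "
              f"{f['ratio']}x their baseline")
```

On the sample, alice’s fifth day (roughly 42 times her baseline) is reported while bob, whose usage stays flat, is not; in practice the baseline window would be days or weeks of real access logs.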

Most companies see investment in infrastructure and security as a cost, but weigh that against the cost of a breach, the loss of IP, and the reputational damage, and the investment is really a savings. You are going to be hacked; the question is how you limit the cost. That takes investment in time, resources, and training, and creating an environment where your employees are as concerned about security as the CISO.

It’s not just the data that should concern you; the resources employees use to interact with that data matter as well. The Ponemon Institute has released its findings about endpoints, and it is the users, more than the devices, that create the risk. (Ponemon Study)

So while you may have the best security money can buy and do everything you can to ensure there is no way for anyone to get in, the threat from one of your own employees can create just as much risk, if not more.

So if you know:

  • what you have
  • who has access
  • who is utilizing that access
  • what are baseline business as usual parameters
  • what endpoints you have
  • what applications are in use

…and the answers to many more questions…you may be able to limit your organization’s exposure.

How many can you answer?
