Tech Insight: Top 4 Problem Areas that Lead to Internal Data Breaches
External data breaches from groups like Anonymous and internal data leaks from insiders such as Edward Snowden have enterprises questioning and rethinking their security programs. Are they doing enough to protect their data? Are their security controls effective? Would they be able to respond appropriately to a data breach and contain it quickly?
Much of the questioning and confusion has to do with executives not understanding where their critical assets are and how they need to be protected. Their sense of security is skewed by the fact that they’ve passed their compliance requirements, causing them to think they are safe. For most companies, if they were truly targeted by a sophisticated and determined attacker, they would fail miserably.
Why would they fail? Traditionally, security was focused on protecting the perimeter. Based on my experience with penetration testing organizations from all different industries, companies are doing a great job of locking down their externally exposed assets, with the exception of Web servers. There are fewer devices exposed and even fewer ports open that could provide an avenue for attack.
That sounds great, right? So, why would these companies fail at protecting their critically important data and business systems?
The first problem area is not knowing where all the critical assets are located inside the network and protecting them appropriately. All too often, when I ask during a penetration test what the critical systems are, I get several different answers depending on the person answering the question. The CIO will have a different answer than the security team leader, and this will differ from the various business unit owners.
Then, once the testing begins, we find that there is little to no true network segmentation between the various organizational units, the servers, and general network devices. Most logical network separation exists because of physical separation between building floors and geographic locations. It is not done from a security standpoint, and there are usually very few, if any, firewall rules between those networks.
In order to combat the problem, a risk assessment and a full inventory of all systems, including the types of data handled by each system, need to be completed. That information can then guide proper network segmentation. Of course, it cannot be done completely without looking at the business processes and how users use and access the data. When the previous two processes are combined, access control for users can then be properly architected and implemented, which leads us to the next problem area.
The second issue that plagues many enterprises is that they don’t have a solid concept of what the “principle of least privilege” and “need to know” mean. Users regularly have a great deal more access and privilege than necessary to complete their job — this goes for secretaries and systems administrators alike (i.e., like Snowden the snooping sysadmin). A company may take the proactive step of removing local administrator rights from users on their desktops, but it doesn’t bother with the level of access granted in various internal applications and network file shares.
Properly designing those access controls can be difficult without already having the inventory and understanding of the business as mentioned above.
The third major area is security training and awareness for users. Having developed a security awareness program for a large university and worked with many different enterprise organizations, I’ve found the best way to gain traction is to make it personal. Teach users easy and practical concepts that carry over between home and work. Many of the same protective behaviors they should be practicing at home can also help protect their corporate desktops and laptops.
The fourth issue, and one that is compounded by several of the others, is the presence of shared credentials and password reuse. Password reuse across local system accounts is one of the biggest problems we encounter during penetration tests. It allows us, and the bad guys, to easily move laterally within a company’s network once we compromise one system.
Or, once we compromise a user’s password, it is often the gateway to access to other systems and applications, because users commonly reuse passwords across multiple company systems. You think single sign-on sounds great? It’s even more useful to an attacker with a valid username and password, because they can now get into everything with that one set of credentials.
User education and technical controls are needed to address both of these problems. The education piece needs to explain the problem and its impact to help instill a sense of responsibility and ownership. Being able to explain to a user exactly what could happen if their username and password were compromised, such as theft of corporate trade secrets that could result in their losing their job or the company going out of business, opens a few eyes.
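One technical control for the local-account password reuse described above is a periodic audit of exported local-account password hashes for values that recur across hosts. The following is an added example, not from the article: it takes a constructed audit export of (host, account, hash) records, with placeholder hash strings, and reports every hash that grants access to more than one host or account.

```python
"""Flag local-account password hashes shared across hosts.

Assumes the audit source exports a stable, unsalted (or identically salted)
digest per account, so that equal digests imply equal passwords. For salted
stores the comparison below cannot detect reuse and a different check is needed.
"""
from collections import defaultdict

# Constructed sample audit export: (hostname, local account, hash digest).
# The HASH_* values are placeholders, not real digests.
SAMPLE_AUDIT = [
    ("ws-01", "Administrator", "HASH_A"),
    ("ws-02", "Administrator", "HASH_A"),
    ("ws-03", "Administrator", "HASH_A"),
    ("srv-db-01", "Administrator", "HASH_B"),
    ("srv-db-01", "svc_backup", "HASH_A"),   # service account sharing the workstation admin password
    ("srv-web-01", "Administrator", "HASH_C"),
    ("srv-web-01", "deploy", "HASH_C"),      # two accounts on one host with the same password
]


def find_shared_hashes(records):
    """Return {digest: sorted [(host, account), ...]} for every digest used by
    more than one (host, account) pair. Digests seen only once are dropped."""
    by_hash = defaultdict(set)
    for host, account, digest in records:
        by_hash[digest].add((host, account))
    return {d: sorted(users) for d, users in by_hash.items() if len(users) > 1}


def reuse_report(records):
    """Summarize each reused digest as the set of hosts it unlocks and the
    accounts it is used by, worst offender (most host/account pairs) first."""
    report = []
    for digest, users in sorted(find_shared_hashes(records).items(),
                                key=lambda kv: -len(kv[1])):
        report.append({
            "hash": digest,
            "hosts": sorted({h for h, _ in users}),
            "accounts": sorted({a for _, a in users}),
        })
    return report


if __name__ == "__main__":
    for entry in reuse_report(SAMPLE_AUDIT):
        print(f"{entry['hash']}: {len(entry['hosts'])} host(s) {entry['hosts']}, "
              f"accounts {entry['accounts']}")
```

A hash that appears on many hosts is the lateral-movement path the article describes; the remediation is a unique password per host and per account, which makes this report come back empty.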