While the hacking of Sony Pictures made headlines all over the world, the reality is many of the biggest security risks don’t come from unfriendly countries. They come from inside your own organization.
The most obvious is disgruntled employees. An employee who has been terminated, for example, may steal financial data, delete files or purposely introduce a virus or worm into the system to seek revenge.
Then there are those who inadvertently allow others access to information. Former “black hat” hackers generally agree that getting a user to provide network access through social engineering is far faster and easier than hacking the network from the outside.
A favorite technique is to send an email that appears to be from a friend of the user saying to click on a link to see a funny video or some other innocuous request. They may also send an email that appears to be from a package delivery service, a bank, the IRS or some other legitimate organization. In these cases the email will describe a problem that will cause the user to worry, urging them to follow a link to resolve the problem.
When the user clicks on the link software is downloaded onto that computer, opening a window into the network. Sometimes the software is designed to act immediately. Other times, such as with advanced persistent threats (APTs), it sneaks onto the network and sits quietly, learning all it can about the security protocols. When it finally “phones home” it details opportunities for access that will be difficult to detect because they appear to be normal activity.
Another means of gaining access is through public Wi-Fi connections in a coffee house or other location frequented by employees of the targeted organization. When an employee uses the free Wi-Fi to check their email or perform some other action, the cybercriminal can not only steal unencrypted data as it crosses the network, he or she can piggyback on that connection and gain access in a way that looks like normal traffic to network security.
Finally, there is the lost or stolen device — especially if it is set up to connect automatically. That is like walking through the front door and being handed the keys to the data center.
Filling the User-sized Security Holes
Changing human behavior is not easy, nor is it quick. There are no “patches” or downloads that can be implemented into the brains of users to upgrade protection. Instead, it requires a continuous effort and constant vigilance around:
Policies and procedures should be in place for:
- Identifying the security executive responsible for developing, implementing, monitoring and communicating security
- Authorization of who is allowed to access protected information
- Permissions for their level of access
- Where access to protected information is allowed
- Devices on which access to different types of data is allowed
- Detection of security incidents
- Sanctions for employees who do not follow policies
- Constant re-education on policies and procedures with refresher courses on user security
IT must also work with other departments, especially Human Resources, so the people responsible for security are aware of changes (such as terminations) that could constitute threats and get ahead of them.
Passwords/user authentication – The use of “strong” passwords is much-debated. While a random series of characters is more difficult to guess, it is also more difficult for users to remember – which leads to them writing the password and leaving it in a location where it can be easily stolen.
Two-factor authentication provides greater protection of data. This method involves not only something the user knows (password), but also something the user has (such as a proximity badge) and something inherent to the user (fingerprint, voice print). Today, almost every two-factor authentication technology vendor has mobile and soft token capability, eliminating the need for physical key fobs.
BYOD policies – In today’s world, users want to use their own devices (smartphones, tablets) to access their applications and data. While BYOD offers many benefits, it also creates great risk to the organization. With technologies such as VNA viewers users no longer need to download information onto a mobile device, removing this common security risk.
User training – Once policies and procedures are established, users must be regularly trained on them. The organization should also periodically test user knowledge and adherence to security protocols to close gaps in performance and educate users on the importance of following corporate mandates — especially users who take their devices outside the protected environment of the organization. Devices should be inspected and tested as well to ensure they are in compliance with the organization’s policies.
Vulnerability testing – Security policies and procedures should be tested through periodic ethical (white hat) hacking to determine if users are following them. For example, testers can send social engineering-type emails. Any holes should be addressed immediately and included as part of the user education.
Using the Cloud to Strengthen User Security
One of the most significant contributions a cloud provider can make is virtualizing applications and data. Rather than downloading data to a device, the applications and data remain on the cloud provider’s servers and are merely “viewed” with the device. In that way, if a device is lost or stolen no data remains on it.
A cloud provider will also have security protocols in place to look for unusual activities, such as multiple incorrect attempts to enter a password, and monitor them 24/7. The provider will determine the nature of the problem before alerting the client’s internal security team, helping eliminate false positives and alarm fatigue. They will also take on the responsibility of vulnerability testing, normally as part of the overall contract.
Whether the cause is intentional or inadvertent, there is little question among security experts that users pose the greatest risk to data. They are the weakest link because they provide multiple points of entry, and are the most difficult to control. In this situation, the security solution might literally be found “in the cloud.”
Matt Ferrari is CTO of ClearDATA.
Originally posted 12/23/2014
Read more: http://insights.wired.com/profiles/blogs/users-the-weakest-link-in-data-security#ixzz3Mkrde3dU