360 Advanced Warns About Insider Threats: Is Your Data Already Out There And You Don’t Know It?

June 10, 2014

TAMPA, Fla., June 10, 2014 /PRNewswire/ — Chief information officers must not underestimate the creativity of online organized criminals in quietly penetrating IT systems through a growing area of vulnerability: employees and vendors. That’s the conclusion of information security compliance specialists at 360 Advanced P.A. (www.360advanced.com).

“The media normally paints insider threats as one of your employees going rogue,” said David James Smith, an information technology security consultant and Certified Ethical Hacker at 360 Advanced. “It has been my experience that a lot more is happening inside a company and inside a network that is just as dangerous. Your information, your data, may already be out there and you don’t even know it.”

With the growth of APTs (advanced persistent threats), Smith explains, there is an expanding community of highly skilled hackers who deliberately go through small numbers of trusted but lax employees and vendors to get into information systems, and who manage to stay there because they have such a small footprint. They work inside, often undetected for months, because they entered through so-called trusted routes.

Smith, a CompTIA Certified Advanced Security Practitioner who worked for the U.S. Department of Defense, offers the following advice:

    --  Be careful about BYOD. As more and more companies follow the popular
        trend toward permitting employees to "bring your own device," or BYOD,
        Smith says allowing company information to be shared over numerous
        employees' personal devices puts all data at risk because you cannot be
        sure the machines are safe. "If you don't have the ability to see into
        them to make sure they are running controls and have the latest virus
        definitions, all of your corporate secrets could be going out the
        window," Smith said. Smart phone infections are common and becoming
        more so. You should have a corporate policy in writing limiting access to
        financial information, client contracts and other sensitive (and
        valuable) data on personal devices.
    --  Don't think you are too small to be hacked. In fact, a clear trend now
        is for smaller companies with lax IT security standards and numerous
        unmanaged permissions to become easy platforms for hackers to hide and
        wait to enter larger firms with whom the small ones do business. Smith,
        who conducts penetration tests for 360 Advanced clients, calls small
        firms today the "low hanging fruit" that cyber thieves are stalking as
        larger firms become more vigilant and harder to penetrate.
    --  Renew your dedication to the principle of least privilege. Immediately
        conduct an audit of permissions of access, and cut back. Over time,
        through the phenomenon of permission creep, too many people have access
        to information who should not. "The big problem is awareness. My rule is
        know thy network, and people don't," said Smith. "On several projects,
        when we point out the dangers of too many permissions, we're told,
        'well, nobody could do anything with that data,' and then we'll show
        them what could be done with that data using the privileges that they
        thought were safe."
    --  Beware vendor access. Smith warns that a vital component of the rule of
        least privilege is to thoroughly and regularly analyze what access you
        have allowed for your vendors. As the use of extranets grows, know
        your vulnerability, and avoid opening the door to a vendor's access to
        vital company information without a thorough compliance audit.
        Obviously, your HVAC vendor should not have direct access to the same
        set of computers where you store your payroll data. Such routes through
        vendor sharepoints and extranets are favored by hackers, and Smith says
        he sees that frequently.
    --  Consider your liability. If you are a third-party vendor managing
        information for one or more - or dozens - of clients, be aware of the
        civil liability of not having the proper controls and allowing
        unauthorized criminal access to your clients' proprietary data. While
        carelessness in this area has not reached the level of criminal
        negligence at this point, there are indications that governments are
        moving in that direction. If you unknowingly allow one of your machines
        to essentially become a bot working for a paid hacker, you can be held
        liable for real and actual civil damages. At the least, you will lose
        perhaps hundreds or thousands of man hours participating in and
        supporting the criminal investigation into how it happened.
    --  Don't just check the boxes. If you manage data for a client, invest the
        time and money to achieve compliance in one or more of the nine most
        important information security levels you may need, depending on the
        type of client information housed. Those levels are compliance with the
        Health Information Portability and Accountability Act (HIPAA); SOC 1 and
        SOC 2, which are the AICPA Service Organization Control Reports;
        Penetration Tested Service Organization (PEN); Payment Card Industry
        Data Security Standard (PCI); ISO 27001; Standard Information Gathering
        (SIG); Federal Information Security Management Act (FISMA) and the
        Experian Independent Third Party Assessment (EI3PA). However, after you
        earn compliance, the real work begins. You can't just check the boxes
        and relax. Develop a culture dedicated to information security.
        Self-testing is a continual process. "Any time there is any structural
        change to the network, a new server, a new gateway, a new firewall,
        especially if you bring in a new vendor, or host a new client server,
        consider how these changes can impact overall security," Smith advises.
        "Avoid complacency at every level."
    --  Ask for credentials from security assurance contractors. Information
        security is big business and getting bigger every day. More and more
        so-called experts are entering the field, and many are providing
        inadequate examinations/audits that only superficially analyze your
        vulnerabilities and then certify compliance. Make sure your compliance
        contractor is a multi-service, licensed Certified Public Accountant
        (CPA) and Qualified Security Assessor (QSA) firm that specializes in
        integrated compliance solutions for service providers related to
        internal controls, security, confidentiality, privacy, processing
        integrity, availability and other elements critical to information

Andy Bowen

SOURCE 360 Advanced P.A.

Source: PR Newswire