Treat Your Internal Environment as Hostile Territory

APAC Voices4 minutes readJul 5th, 2012

In October 2011, Unisys polled the public in 12 countries as part of the Unisys Security IndexTM and asked “What action you would take if you found out your personal information being held by an organisation had been accessed by an unauthorised person?”

In every country, the survey found that individuals were prepared to take strong action against the organisation responsible for the data breach.  For example, in Australia 85% said that they would stop dealing with an organisation if their data was breached, 64% said they would publicly expose the issue and 47% said they would take legal action.  These are all actions that can harm a business’ bottom line, reputation or both.  Clearly this shows that securing against data breaches is in fact a business issue, not just an IT issue.

Whether it is personal client data, valuable intellectual property, or sensitive corporate documents – preventing a data breach is a key concern for most corporates and IT managers.  And WikiLeaks serves as a stark reminder that in some cases the enemy is actually inside the enterprise – trusted (or formerly trusted) employees and contractors with authorized access to sensitive corporate data.

The extent of “insider attacks” ranges from 4% (2012 Verizon Data Breach Report) to over 20% (2011 CyberSecurity Watch Survey conducted by CSO magazine).  But what everyone does agree is that the damage incurred by insider security breach can be far more severe than that caused by external threats.

The insider threat can be unintentional (such as a lost USB drive with corporate financial data, a lost or stolen mobile device with access to corporate systems or emails, or an employee fooled into disclosing data in response to the increasingly sophisticated socially engineered spear-phishing scams) or malicious (such as a disgruntled or compromised employee).  Regardless, the consequences for the organisation can be devastating.  But how can an organisation protect against insider threats?

While there is no single solution, the basic advice Unisys offers organisations is to take the appropriate steps to secure their perimeter, but also treat the internal environment as hostile territory.  In other words, take the insider threat seriously and don’t pretend it doesn’t exist.

There are a plethora of tools that can be employed to detect potential security breaches by monitoring data access/usage by insiders.  For example, Cyber Security Operation Centres (CSOC) employ Security Information and Event Management (SIEM) analytics to capture and analyse data from various event logs and to automatically alert IT security staff of potential security breaches.   The downside of this approach is that detection occurs after the fact.  Also, the additional monitoring and processing required to close the gap between occurrence, detection and response may result in significant performance degradation in the very systems being protected.

Some of the newer end-point protection technologies avoid this problem by focusing on the prevention of data breaches.  For example, data encryption can be used to enforce “need-to-know” access control.  However traditional “need-to-know” security solutions often incur significant administrative overhead as changes are required to multiple system components (e.g., routers) whenever there is a need to add/delete personnel or create/change roles.

Enter Unisys StealthTM!  Unisys Stealth overcomes the administration challenge with a new breed of encryption technology that supports highly secure “Communities of Interest” that can be administered easily and efficiently via Microsoft Active Directory or similar tools.

And for organisations providing employees with access to sensitive data from mobile devices, “need-to-know” access control may need to be further augmented by attribute-base access control:

  • Need-to-know-WHO: If the data is particularly sensitive, verify the identity of the requestor through a second/stronger form of authentication such as a voice or face biometric.  Mobile devices with integral microphones and cameras are ideal for this.
  • Need-to-know-WHERE: If an employee has the requisite need-to-know right to access a particular data resource, but the request comes from a laptop or mobile device in a café or other public area, it may present an unacceptable risk.  Mobile devices with built-in location services are able to support this type of capability.
  • Need-to-know-WHEN: If an employee is requesting access to data resources outside normal hours, there may be cause to question the request or enforce additional authentication.

While no technical solution can protect against all forms of insider threats, organisations can significantly reduce their insider threat risk profile by moving beyond perimeter defence and treating their internal environment as hostile territory.  This means employing advanced breach detection/response capabilities like CSOC and breach prevention technologies like Stealth and attribute-based access control.