Close Look into Insider and External Threats
One challenge we face many times is the confusion between the threats our Data Loss Prevention and Mobile Device Management solutions address. Even though DLP has become very popular and, while it has not yet reached maturity, pretty much any IT Manager or CSO knows what DLP is, there is still some confusion regarding the risks it minimizes or what user behavior it controls. In fact, data security is so complex that the confusion about how threats act and how software responds extends to other solutions as well, not only DLP.
To bring some clarity into what DLP covers, we need to make a distinction between external and internal threat vectors:
For complete protection, organizations must also address the biggest threat of the 21st century – insider threats. While IT Administrators are busy securing the network and setting up the firewall to make sure attackers do not get to the company’s data, insiders are freely copying sensitive data to portable storage devices and uploading files to the cloud. Don’t get me wrong. Firewall protection is a must have, but do not underestimate the power of human error or lost devices when it comes to the amplitude of the damage they can cause. Research we performed showed that lost or stolen unencrypted USB devices are among the top 3 causes of worldwide data breaches. It also revealed that 7 out of 10 employees have access to confidential files and use them in their daily work. Thus, the chances of employees taking out confidential information, by mistake or intentionally, through cloud apps, e-mail or instant messengers are pretty high.
We have written about insider threats on several occasions, so instead of repeating ourselves, here are the top threats that originate from inside the organization and the links to more information and resources.
1. Human error
3. Shadow IT
“Shadow IT divides companies into IT department and the rest of the people, getting businesses off to a bad start,” says Roman Foeckl, our CEO in an article published in Computing Security Magazine.
He also states in an article on HelpNet Security that “most of the cloud storage apps represent what’s called shadow IT and this is part of the problem. Employees use a significant amount of apps that are not officially supported by IT and have no sort of rules. It is also something that should be addressed by cloud storage apps providers, which could support more enterprise features, like Dropbox for Business is providing an API for third-party security vendors”.
4. Vindictive employees
CSO Online wrote an interesting piece regarding 9 employee insiders who breached security and represent perfect examples of what disgruntled employees can achieve if they set their minds to it.
Insiders, especially malicious ones, can resort to different tactics to leak sensitive data, but regardless of the method, Data Loss Prevention solutions provide visibility into users’ data transfers and alert IT Administrators about DLP violations, giving them the basis for setting up stricter policies, reporting to management or taking other necessary actions. One of the most recent data breaches at SWIFT was the result of collaboration between an insider and an external attacker, a nasty combo. So, that is also a possibility that has to be considered when implementing information security solutions – making sure insiders are not able to leak data that can then be used by attackers to gain access to more company records.
Attacks have become targeted, with malicious individuals or groups being more persistent than ever and using inventive techniques. They are now collecting data from one organization just to use it to extract more data from other organizations. Usually, they penetrate networks with some sort of malware to gather information about how those systems work and then they use other techniques to collect sensitive data.
One of the most common threats and perhaps the most versatile, malware is a general category that includes viruses, Trojans, ransomware, spyware, adware, scareware and others. They penetrate networks through different loopholes, like software security flaws, infected portable storage devices, outdated systems, unprotected operating systems, etc. Organizations have to make sure they have strong anti-malware in place, or they can opt for both anti-malware and antivirus solutions.
Bots or chatbots are software programs used to automate tasks that are too time-consuming to do by hand, like conversation simulations inside messaging apps. Slack is one of the many apps that use bots and have made bots more interesting for bot developers. While they are mostly used for good purposes, cyber criminals can take advantage of them for spamming, phishing, DDoS attacks, etc. While it is really difficult to differentiate between good bots and bad bots, a basic measure against unwanted bots is to set up the robots.txt file to allow the bots you know to be good. Firewalls and intrusion prevention systems can help detect suspicious traffic and alert system administrators to take further action. We also discussed bots, botnets and how DLP can help mitigate these threats in a previous article. Let’s say that a bad bot manages to convince a user to send sensitive data like credit card numbers through an app. DLP will not detect the malicious bot, but it can alert users that they are copying or transferring sensitive data and can block them if they are not authorized to send out that information. Administrators will also be aware of the action, since they receive detailed reports about the attempt.
3. DDoS attacks
Since we’re talking about DDoS attacks, these flood the target from multiple sources with illegitimate data packets over the Internet, overwhelming servers, routers, firewalls, etc., and causing a denial of service for users of the targeted systems. The owners of the machines used to send the traffic are usually not aware that their computers have been compromised and are being controlled, although they do experience symptoms like slow network performance, denied access to certain websites, an increased amount of spam, and others. DDoS attacks may lead to extortion, loss of customers through very slow websites and data theft, besides affecting productivity and business operations. There are several solutions to defend against DDoS attacks, like dedicated DDoS mitigation appliances, intrusion detection systems, firewalls and others, but each solution has its pros and cons, so they have to be thoroughly evaluated.
One of the most recent attacks targeted Snapchat. The attacker impersonated the company CEO and asked for payroll information by e-mail. The scammer managed to convince the employee that the e-mail address was legitimate, and so was the request. The company apologized for the compromised identities and promised to double its training programs. Phishing attacks are some of the most common social engineering techniques. Scammers use not only e-mail, but also phone calls, social media and other communication tools. Without some basic data security knowledge, anyone can fall into these traps. Besides training, organizations should also make sure their systems are up to date with the latest security patches, use a spam filter that can block senders, implement web filtering to ban access to malicious websites, and use DLP solutions to alert and block users when they upload or copy and paste sensitive data.
5. DNS attacks
As the name suggests, the target is the Domain Name System (DNS), which can be exploited if it has vulnerabilities. There are different types of DNS attacks: DDoS, DNS amplification, cache poisoning, fast-flux DNS and zero-day attacks. The most common DNS attack redirects traffic to a different server, allowing the scammer to launch more attacks or to collect sensitive information. Additionally, if a DNS service goes down, all devices and applications that depend on that DNS stop working. Business is interrupted because the Internet connection can also be cut off, the organization’s image is damaged and customer confidence is shaken.
To prevent DNS attacks, a handy solution is using HTTPS instead of HTTP. With HTTPS, the browser validates the certificate presented by the server against the real website owner’s certificate, so a user who has been redirected to an attacker’s server is warned that they are not interacting with the genuine website. There are also dedicated appliances, as in the DDoS case, and other mitigation tools and techniques, but again the best solution depends on each organization’s network and DNS infrastructure.
6. SQL Injections
This type of threat mostly affects websites and SQL databases. Data that should not normally be accessible to unauthorized parties becomes available when an attacker is able to inject commands into a database query and retrieve information like user names and passwords, or even the entire database, which can then be used to perform further attacks. Sanitizing input data is the first best practice for preventing SQL injections. Another solution is database security tools, which secure the database as a whole, not just against attackers injecting commands to retrieve data.
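As an added illustration of the input-handling point above (example code, not from the original article or the vendor’s product), the same login lookup is written once by pasting user input into the SQL text and once with a parameterized query, run against a constructed in-memory SQLite table so the difference in behaviour is visible. The table contents and the `login_*` function names are assumptions made for the example.

```python
"""Added example: string-built SQL beside its parameterized replacement."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data; users and passwords are fictional.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct-horse"), ("bob", "battery-staple")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> list:
    # Untrusted input becomes part of the statement text, so the caller
    # controls the structure of the query, not just the values it compares.
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> list:
    # Placeholders send the input as data; the SQL parser never sees
    # user-supplied bytes as part of the statement.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


def demo() -> dict:
    conn = make_db()
    # A textbook tautology: closes the string literal and makes the WHERE
    # clause true for every row, so no valid password is needed.
    payload = "' OR '1'='1"
    return {
        "vulnerable": login_vulnerable(conn, "alice", payload),  # every user
        "safe": login_safe(conn, "alice", payload),              # no match
        "legit": login_safe(conn, "alice", "correct-horse"),     # ['alice']
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:10s} -> {rows}")
```

The vulnerable variant returns both users for the tautology input while the parameterized one returns nothing, which is the concrete difference a database security tool or code review would be looking for.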
These are the most common threats, and organizations should treat both types, external and internal, with the same caution and implement the proper solutions that, in the end, have the same purpose – to keep data safe. Also, before you say you are sure you do everything to secure your organization’s sensitive data, look carefully into what your colleagues do or can do with it.