Leaks, After Leaks, After Leaks
Recently there has been a rash of leaks from inside the two major U.S. intelligence agencies, the CIA and the NSA. In the case of the CIA, WikiLeaks, via Vault7, released a slew of hacking tools that the CIA “lost control” of. Similarly, the group Shadowbrokers came into the possession of malware from the NSA and have also begun releasing it to the world. While how this data came into the possession of WikiLeaks and Shadowbrokers is largely unknown, whether it occurred due to a network breach or an insider is irrelevant. The fact is that two of the seemingly most secure organizations in the world suffered a major loss of proprietary data. As an information security professionals and leaders, we inevitably ask, if the CIA and NSA cannot be fully secured, can anything?
Sadly, in reality, the answer is no: Not so long as whatever is being protected is networked, remotely accessible, or handled by humans. No matter how well an organization secures its enterprise and locks down its crown jewels, there will always be a risk of data loss. The least common denominator: People.
Who Should You Be Most Concerned About?
The single biggest threats are your insiders: Both your everyday employee and your disgruntled insider with malicious intent.
Most frequently, data loss occurs because employees simply make mistakes or fall victim to social engineering. While their mistakes may result in data loss or an occasional system failure, rarely do they have large negative consequences, such as a widespread hack, or extensive data loss. On the other hand, falling victim to social engineering on the part of hackers often does result in data loss and remote access to sensitive systems.
Employees with an Agenda
Malicious insiders can do the most damage to any organization: More damage than your regular employees, more damage than the cyber-criminal stealing credit card information, and more damage than poorly written code that fails and causes systems to crash. Why? You trust insiders/employees. They usually have broad access to data and systems and can often access your “crown jewels” without raising a security eyebrow. Malicious insiders take complete advantage of their trusted status and will quietly lay the groundwork for doing damage to the enterprise or stealing the data they want.
Control What You Can. But Know It’s Not Everything. Ever.
While no one will ever be able to protect their data completely, here are three simple recommendations that help make it harder for both hackers and malicious company insiders to be successful:
- Implement layered defense. Segment your network and deploy effective identity and access controls, utilize internal firewalls, and employ and secure a DMZ for public facing systems.
- Monitor East-West traffic. It is a best practice to employ security monitoring and detection. Most organizations monitor traffic entering and leaving the network (i.e. North-South). However, most do not monitor internal-to-internal (i.e. East-West). Your security operations are most prepared to protect your enterprise via monitoring your entire network and not just your perimeter defenses.
- Training and Awareness. While an insider with malicious intent will pursue their objectives regardless of the amount of training they receive, training can have a major impact on lessening the frequency of events caused by innocent employees. Training and awareness need to be a constant priority, and there should be regular monthly communication whether it be a newsletter, formal training, webinar, or lunch and learn. Training your staff to recognize phishing emails, how to browse and use the internet safely, and to properly do their job can and will go a long way to lessening the chance that data loss will occur at their hands. Informing employees that noticing and reporting abnormal and dangerous behaviors keeps the company and their jobs protected. The perception of whistleblowing in the cybersecurity threat context needs to be lifted and rewarded.
So while the alarmists are right in that no one is completely secure, when you employ cybersecurity best practices and have processes in place to address all possible scenarios, the threat avoidance odds can be in your favor.