People often say that 80% of attacks on a network come from the inside, and recent studies confirm that management considers internal threats a business problem. According to
But how likely is an attack from the inside?
While there are several common ways that Windows servers get hacked, there is really no adequate way to measure the percentage that comes from the inside.
This is because many – if not most – internal breaches go undetected since the controls necessary to mitigate the risks are typically not in place or are not properly managed. The Privacy Rights Clearinghouse Chronology of Data Breaches lists a variety of internal security breaches dating back more than five years -- but this only scratches the surface. In addition, anyone with a computer on the network can carry out an attack, regardless of their technical abilities. If someone with malicious intent wants to get in, they will. Everything's there for the taking.
Marcos Christodonte's new book Cyber Within depicts a situation of an insider gone bad -- and all the things that can happen along the way. However, the insider threat isn't just fiction: If your business hasn't been affected by insider abuse, you can bet a few of your friends have experienced it in their workplace. If not now, then it's only a matter of when.
Harsh economic times lead to employee theft and other exploitations, and what better way to abuse the system for ill-gotten gains than with a computer? It's convenient, there's no physical risk and tech-savvy employees know that the odds are they'll never get caught. Furthermore, there are often many entry points into the network – typically using the same user/password combination – that management overlooks, especially after employees are laid off or fired.
So, how high is the risk of an attack from the inside?
There's really no way to know unless -- and until -- you have reasonable controls that are several layers deep into your network. For the most part, the focus has been on keeping the bad guys out of the network perimeter -- all the while, Windows-based systems on the inside were wide open for abuse.
Therefore, to protect yourself from internal threats, you not only need the typical external firewall and IPS configuration, but you also need to consider the following for your Windows servers:
- Share and file permissions that keep the people out of information they don't need to access
- Consistent patch management across all servers, including SQL Server and third-party applications
- Audit logging that tracks successes and failures of login events and related system access
- Endpoint controls on servers including personal firewall (such as Windows Firewall) and malware protection
If you have the budget – and are up to the challenge -- you should also consider a third-party data leakage prevention appliance to monitor and protect the comings and goings of classified server information.
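The four server-side controls listed above can be checked in a few minutes from PowerShell. The read-only baseline script below is an added example, not part of the original article; it assumes Windows Server 2012 R2 or later with the SmbShare, NetSecurity and Defender modules available, and the 30-day and 7-day thresholds are illustrative choices, not values from the article.

```powershell
# Added example (not from the article): read-only check of the four controls above.
# Assumes Windows Server 2012 R2+; run from an elevated PowerShell prompt.
$findings = @()

# 1. Share permissions: flag non-administrative shares that grant access to broad
#    groups, the usual sign that people can reach information they don't need.
$broadGroups = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        if ($ace.AccessControlType -eq 'Allow' -and $broadGroups -contains $ace.AccountName) {
            $findings += "Share '$($share.Name)' grants $($ace.AccessRight) to $($ace.AccountName)"
        }
    }
}

# 2. Patch management: how long since the last hotfix landed? (30 days is an assumed threshold.)
$lastPatch = Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $lastPatch -or $lastPatch.InstalledOn -lt (Get-Date).AddDays(-30)) {
    $findings += "No hotfix installed in the last 30 days (last: $($lastPatch.InstalledOn))"
}

# 3. Audit logging: the Logon subcategory must record both successes and failures.
#    auditpol /r emits CSV; blank lines are dropped before parsing.
$logonPolicy = auditpol /get /subcategory:"Logon" /r | Where-Object { $_ } | ConvertFrom-Csv
if ($logonPolicy.'Inclusion Setting' -ne 'Success and Failure') {
    $findings += "Logon auditing is '$($logonPolicy.'Inclusion Setting')', not 'Success and Failure'"
}

# 4. Endpoint controls: every Windows Firewall profile enabled, malware protection active.
foreach ($fwProfile in Get-NetFirewallProfile) {
    if (-not $fwProfile.Enabled) { $findings += "Windows Firewall profile '$($fwProfile.Name)' is disabled" }
}
try {
    $av = Get-MpComputerStatus -ErrorAction Stop
    if (-not $av.RealTimeProtectionEnabled) { $findings += 'Defender real-time protection is off' }
    if ($av.AntivirusSignatureLastUpdated -lt (Get-Date).AddDays(-7)) {   # 7 days: assumed threshold
        $findings += "Defender signatures older than 7 days ($($av.AntivirusSignatureLastUpdated))"
    }
} catch {
    $findings += 'Windows Defender status unavailable; verify the malware protection in use'
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'All four controls look in place on this server.' }
```

Run it on each server and treat every warning as a gap to close, since a single open share or a server with failure-only logon auditing is exactly the condition the article says lets internal breaches go undetected.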
While dealing with internal vulnerabilities is complex overall, it can be distilled into some basic elements.
In a nutshell, here's how to combat the insider threat:
While this is a simplified view of things, most organizations can improve in all of these areas. And you've got to start somewhere -- be it with something as focused as Windows servers or broader, like your entire information systems infrastructure.
Remember, with the emerging tech-savvy Generation Y workforce, insider threats are only going to become a bigger issue down the road.
ABOUT THE AUTHOR:
Kevin Beaver is an independent information security consultant, author, and speaker with Atlanta-based Principle Logic, LLC. He has more than 18 years of experience in IT and specializes in performing information security assessments. Kevin has written five books including Hacking For Dummies (Wiley), Hacking Wireless Networks For Dummies, and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at kbeaver @ principlelogic.com.
This was first published in January 2010