Addressing the weakest link in network security

Dec. 29, 2014
Authorized users represent the single largest security risk to organizations

You’ve done everything in your power to build strong walls around your company’s critical information but there are still hundreds—if not thousands—of threats lurking behind your perimeter at any given moment.

Yes, malicious hackers, whistleblowers and privileged Unix users have caused some of the most high-profile security breaches to date. But the inconvenient truth is that all users, from the general business user to the third-party contractor, represent the single largest security risk to your organization.

Unfortunately, companies simply don’t have the visibility and control necessary to identify and manage these new types of threats. You need to go beyond access control and give IT security teams the ability to see what your users are doing and how they behave once they have access. Before we look at exactly how you can protect your organization, let’s first understand this new user-based threat.

Advanced Hacking Techniques

The threat landscape is constantly changing and it’s not about to stop anytime soon.

Hackers are becoming more sophisticated in their methods of attack, using spear-phishing attacks to lure unwary insiders into clicking infected links or visiting malware-ridden websites, which grants the attacker access to a wealth of information. All of this, coupled with the unpredictable nature of users, only increases the likelihood of a breach.

Therefore, enterprises must be highly strategic when it comes to protecting against both internal and external threats. No single security appliance or software product exists to mitigate them all. But there is one common denominator in these incidents: users and their legitimate access represent the single largest risk to organizations today.

How Hackers Target Users

Users are the weakest link in the security chain because they have the potential to turn malicious, be careless or make mistakes. Hackers also know that the user is the easiest gateway into an organization’s data.

Even if you have strong firewalls, malware protection, and are taking all the traditional infrastructure measures to secure your organization’s sensitive information, a critical component is still missing from your security architecture.

Historically, organizations primarily focused on threats stemming from administrative and other IT users, and rightfully so. Given the amount of proprietary knowledge they need to do their jobs, they can reach a broad range of IT assets and cause a significant amount of damage in a single event. These users are also especially high-risk because of the generic, shared admin account logins they use. Because those credentials don’t identify a specific person, a hacker who gains access to an administrative account can use it to compromise data without leaving a trace of who did it.

So you may be shocked to find out that these accounts are in fact not the most compromised in an organization. Tight access control and monitoring are usually placed on admin accounts, so hackers prefer to compromise lower-privilege accounts that receive less monitoring. Companies can no longer afford to monitor only administrator accounts. By adopting user activity monitoring software, companies can monitor every user across all systems.

A recent study found that 76 percent of security incidents involve accounts with legitimate access, and 69 percent of reported security incidents involved an insider. In this context, an insider is anyone or anything that operates within the organization using an authorized identity. Therefore, anyone under a general user classification, which includes people, systems, and applications, poses a high risk too.

Unlike administrator accounts, where changes to privileges and activity raise alarms, business users and third-party vendors are a greater cumulative risk.

If an attacker can compromise or create an account that has access to the targeted resource but does not have administrator-level access, the odds of long-term success and persistence in the target environment increase significantly. In fact, when evaluating the percentage of data breaches that resulted from an insider, 84 percent involved a trusted insider that did not have an administrative-level identity.

Unwitting User Risk

Aside from the generic business users being used as bait for malicious outsiders, security mishaps can stem from mistakes and bad policies revolving around data management within a company.

Accidental data sharing produces a greater amount of lost data than software vulnerabilities. The simple act of clicking a bad link or misplacing a smartphone can put you and your company’s sensitive information at serious risk. Misconceptions about appropriate ways to handle data within the office, and with employees who are quitting, add to that risk. Many employees transfer data to their personal devices, for example, and some exploit that information to gain a competitive advantage in a future job.

When all is said and done, when your firewalls are properly configured, antivirus is up to date, data is encrypted, and access controls are assigned appropriately, your users remain a significant source of risk. The ability to analyze, detect and respond is just as important as being able to prevent.

How to Handle User-Based Risk

Until recently, having a good security architecture meant installing the latest security software, updating your firewalls, performing security audits and remaining compliant to keep outside threats from getting inside. While preventing outside attacks is still a critical part of a comprehensive security strategy, organizations are now looking for ways to increase visibility into user-based attacks. A recent study by the Ponemon Institute reported that 56 percent of security executives are looking for solutions that provide increased visibility into user-based risks.

Security executives can no longer think only in terms of preventing attacks. With these new user-based threats, organizations must also focus on investigating and responding to potential and eventual breaches.

It may seem more important to focus on prevention, but the fact is 66 percent of breaches go undiscovered for over six months. Companies don’t have the visibility and control necessary to recognize breaches, and a major missing component is understanding what users are doing with their access.

The first step to identifying and controlling user-based risk is to add user activity monitoring to your security strategy. Look for a solution that provides coverage for all users and access methods, complete session monitoring, visual forensics of user actions, and analytics and alerting that give proactive notification of incidents stemming from user-based threats.
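To make the "analytics and alerting" requirement concrete, here is an added example (written for this page, not ObserveIT's software) that builds a per-account baseline from past session records and flags the kinds of deviations the article warns about: a non-admin or contractor account reaching a sensitive resource it never touched before, activity far outside an account's usual hours, a copy of sensitive data, and a shared admin account used from a host it has never been seen on. All records, hostnames and resource names are constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed session records: (timestamp, account, source host, resource, action)
HISTORY = [
    ("2014-12-01T09:10", "jsmith", "ws-041", "finance-share", "read"),
    ("2014-12-02T10:22", "jsmith", "ws-041", "finance-share", "read"),
    ("2014-12-03T14:05", "jsmith", "ws-041", "crm-app", "read"),
    ("2014-12-01T11:40", "contractor7", "vpn-gw", "ticketing", "read"),
    ("2014-12-02T08:15", "root", "jump-01", "db-prod", "read"),  # shared admin login
]
NEW_EVENTS = [
    ("2014-12-29T10:15", "jsmith", "ws-041", "finance-share", "read"),  # routine
    ("2014-12-29T23:48", "jsmith", "ws-041", "hr-share", "copy"),       # late, new, bulk copy
    ("2014-12-29T13:02", "contractor7", "vpn-gw", "db-prod", "read"),   # contractor reaches prod DB
    ("2014-12-29T09:30", "root", "ws-099", "db-prod", "read"),          # shared admin, unseen host
]
SHARED_ADMIN = {"root"}                                  # generic accounts with no per-person identity
SENSITIVE = {"db-prod", "hr-share", "finance-share"}      # assumed classification, not from the article

def build_baseline(history):
    """Per account: resources and source hosts seen so far, plus the hours it was active."""
    base = defaultdict(lambda: {"resources": set(), "hosts": set(), "hours": set()})
    for ts, acct, host, res, _ in history:
        b = base[acct]
        b["resources"].add(res)
        b["hosts"].add(host)
        b["hours"].add(datetime.fromisoformat(ts).hour)
    return base

def evaluate(event, baseline):
    """Return the list of alert reasons for one new session event (empty list = normal)."""
    ts, acct, host, res, action = event
    b = baseline[acct]                                   # unknown account -> empty baseline
    hour = datetime.fromisoformat(ts).hour
    alerts = []
    if res in SENSITIVE and res not in b["resources"]:
        alerts.append("new sensitive resource")
    if b["hours"] and all(abs(hour - h) > 2 for h in b["hours"]):
        alerts.append("off-hours")                       # more than 2h from any usual hour
    if acct in SHARED_ADMIN and host not in b["hosts"]:
        alerts.append("shared admin account from unseen host")
    if action == "copy" and res in SENSITIVE:
        alerts.append("copy of sensitive data")
    return alerts

def run(history, events):
    """Map (timestamp, account) -> alert reasons for every new event."""
    baseline = build_baseline(history)
    return {(e[0], e[1]): evaluate(e, baseline) for e in events}

if __name__ == "__main__":
    for key, reasons in run(HISTORY, NEW_EVENTS).items():
        print(key, reasons or "ok")
```

The baseline window and the two-hour tolerance are deliberately simple; a production tool would learn them per account over a longer period and weight resources by sensitivity.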

Adding comprehensive user activity monitoring will help organizations overcome many of the security challenges they face today. By understanding how users act and behave inside your organization, and by arming your security teams with tools to identify potential threats, you can spot the early signs of an incident and respond rapidly before it becomes a data breach.

About the Author

Dimitri Vlachos | Vice President of Marketing, ObserveIT

Dimitri Vlachos is vice president of marketing for ObserveIT, a provider of user activity monitoring software.