
The Who, What, Where, When & Why of Information Security

by ATSG


For many of us, the end of August and beginning of September serves as the “unofficial” end of summer.  I was reminded of this, not because of some arbitrary date on the calendar, but rather, restarting the normal cadence of daily life – school for my daughter and the morning commute changes for me.   

Driving into the office this morning, I was thinking about a conversation about favorite school subjects my daughter and I had on a drive back from our last beach trip. For some reason, one of her lessons from school jumped to the top of my head – the Who, What, Where, When and Why of Reading Comprehension. I could not shake that lesson from my head, and after my second cup of coffee, I was ready to tackle the world of information security. Sitting down at my desk, I started to parse through my email, and a phrase from a teammate’s message jumped out at me: “the hygiene of information security.”

Reading through Verizon’s DBIR and Cisco’s Mid Year Cyber Security Report, we get a clearer picture of the current threats to the intellectual property created and consumed by enterprises. These reports provide revealing insights as to where many enterprises may have fallen short or even potentially fallen victim to untrustworthy insiders, nefarious actors or other misuse or misappropriation of data.  

By failing to exercise good security hygiene, enterprises have unwittingly increased their vulnerability to cyber attacks.  Furthermore, by continually failing to address past and current infrastructure vulnerabilities, while allowing unfettered access to proprietary, restricted and sensitive company data, they have invited unpatched and unsecured devices to gain entry into their data centers.

So can we apply the 5Ws to information security? Let’s give it a shot.

Who?


Everyone in an enterprise needs some level of physical and/or system access to perform their job and the given tasks it entails. But are we doing a good enough job of identifying WHO is requesting access and then authenticating that user?

One unfortunate byproduct of using directory services to authenticate users is the typical sprawl of access control it results in. This can lead to a number of vulnerabilities that can be leveraged by nefarious actors. Auditing, performing frequent assessments, and optimizing your directory services platform are among the key measures that can ensure the right people have the right access in accordance with their tenure and duties, while adhering to the principle of least privilege.

What? #1


Once a user is authenticated, have we identified WHAT device is requesting system access? Have we done any type of posture assessment on that device to ensure that it complies with a policy for local or foreign devices? Can that computing device be trusted to access data, store it locally or touch sensitive infrastructure?

Whether it’s MPack, Blackhole, Angler or Neutrino, these exploit kits all have a few things in common. Most notably, they take advantage of systems and software that are left unpatched. Sadly, many of these systems remain unpatched not for days, weeks or even months, but years.

One of the best hygiene practices an enterprise can adopt to reduce the attack surface available to hackers is to frequently scan endpoints, systems and infrastructure devices for vulnerabilities, and then apply the proper updates, patches or compensating controls to those vulnerabilities to minimize business risk.

What? #2


Furthermore, as we create and consume data, have we identified WHAT data is to be considered proprietary, restricted and sensitive, and would require a higher level of control than the weekly cafeteria menu? Can we then apply controls based on the WHO and WHAT above to ensure that only authenticated users and devices are granted access to the most sensitive of content?

To make the most of any administrative or technical control, an enterprise needs to assign value to the data it creates and consumes by incorporating a basic Data Classification Program.  Whether it’s knowing the width and depth of a Cardholder Data Environment (CDE) to assist with PCI Compliance, or the business risk of having proprietary design documents on unsecured shares or endpoints, being able to classify data for its entire lifecycle (from inception or receipt to expiration or destruction) helps ensure the investment in current or future administrative and technical controls will be maximized.

Where? #1


When a user and device are requesting system access, do we know WHERE that user session originated? Are there more restrictive privacy laws in the country of origin? Or is the place of origin one of increased risk based on factors such as a user’s home network, a VPN connection, unsecured hotel wireless, or a country from which it would be physically impossible to initiate the communication given the travel time since the user’s last session? Do we have visibility into WHERE our outbound connections are going? Is a user attempting to upload a sensitive document to an unsanctioned cloud storage service, or browsing a domain that’s known for distributing malware?

Having visibility into the source and destination of networked communication, combined with real-time intelligence on any potentially risky or statistically impossible behaviors, can go a long way toward preventing data leakage, destruction of sensitive data, or the distribution of malicious applications and software.

Where? #2


After applying the most basic of Data Classification rules, are we ensuring that proprietary, restricted and sensitive data is created, consumed and stored on devices and systems with tighter administrative and technical controls? Are we auditing user and account access on these systems to further enforce the principle of least privilege?

In accordance with the WHO and WHATs from above, enterprises should follow their Data Classification program with a certification process to identify the systems, shares and endpoints that are authorized to create and consume sensitive data. Furthermore, by maintaining tight control of WHERE sensitive data resides, we can fine-tune the fidelity of the technical controls’ event reporting (e.g., the clipping level) to reduce false negatives and shorten the dwell time to incident recognition.

When?


Much like the end of summer and our personal lives, there is a natural cadence to user behaviors. Have we trended user account access behavior to identify and isolate anomalous access requests?

Like the behavior trending that credit card companies have been engaging in for decades, trending user behavior over time can provide significant visibility into potential threats from hijacked user credentials, either by trusted insiders or imposters.  It is likely not normal behavior for user account rjohansen, for instance, to attempt access to the R&D share at 3am, but it may be normal on the other hand, for rjohansen to access spreadsheets with customer data at the end of each fiscal quarter.   
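The two detections described above, the “statistically impossible” origin from the Where? #1 section and the off-hours access in this When? section, can be implemented in a few dozen lines once login events carry a user, a timestamp, a source location and a resource. The following is an added example, not code from the ATSG post: the log format, the city coordinates, the user names (including rjohansen), the 900 km/h threshold and the events themselves are constructed for illustration. The baseline is simply the set of hours at which each user has previously touched each resource; a resource the user has never touched is treated as anomalous too.

```python
# Added example (not from the ATSG post): impossible-travel and off-hours checks
# over constructed login events. City coordinates, log format, user names and the
# speed threshold are assumptions for illustration.
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Set, Tuple

# Constructed (lat, lon) for the three source locations used in the sample events.
CITY_COORDS = {"NYC": (40.71, -74.01), "CHI": (41.88, -87.63), "KYV": (50.45, 30.52)}

# Assumed policy threshold: faster than an airliner counts as impossible travel.
MAX_PLAUSIBLE_SPEED_KMH = 900.0

# Constructed history from which the per-user, per-resource baseline is learned.
HISTORY_LOG = """\
2019-06-03T09:12:00 user=rjohansen src=NYC res=rnd-share
2019-06-03T14:40:00 user=rjohansen src=NYC res=rnd-share
2019-06-04T10:05:00 user=rjohansen src=NYC res=rnd-share
2019-03-29T17:15:00 user=rjohansen src=NYC res=finance-spreadsheets
2019-06-28T17:30:00 user=rjohansen src=NYC res=finance-spreadsheets
"""

# Constructed new events to evaluate against the baseline and the travel check.
NEW_LOG = """\
2019-09-03T09:02:00 user=rjohansen src=NYC res=rnd-share
2019-09-03T10:01:00 user=rjohansen src=KYV res=rnd-share
2019-09-04T03:00:00 user=rjohansen src=NYC res=rnd-share
2019-09-30T17:20:00 user=rjohansen src=NYC res=finance-spreadsheets
2019-09-03T08:00:00 user=mlee src=CHI res=rnd-share
2019-09-03T11:30:00 user=mlee src=NYC res=rnd-share
"""


@dataclass(frozen=True)
class Event:
    user: str
    ts: datetime
    city: str
    resource: str


def parse_log(text: str) -> List[Event]:
    """Parse the constructed '<ISO time> user=.. src=.. res=..' line format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, rest = line.split(" ", 1)
        fields = dict(part.split("=", 1) for part in rest.split())
        events.append(Event(fields["user"], datetime.fromisoformat(ts_str),
                            fields["src"], fields["res"]))
    return events


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance between two (lat, lon) points, in kilometres."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def find_impossible_travel(events: List[Event]) -> List[Tuple[Event, Event, float]]:
    """Flag consecutive sessions of one user that imply an implausible travel speed."""
    findings: List[Tuple[Event, Event, float]] = []
    last: Dict[str, Event] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        prev = last.get(ev.user)
        if prev is not None and prev.city != ev.city:
            km = haversine_km(CITY_COORDS[prev.city], CITY_COORDS[ev.city])
            hours = (ev.ts - prev.ts).total_seconds() / 3600.0
            speed = float("inf") if hours == 0 else km / hours
            if speed > MAX_PLAUSIBLE_SPEED_KMH:
                findings.append((prev, ev, speed))
        last[ev.user] = ev
    return findings


def build_hour_baseline(history: List[Event]) -> Dict[Tuple[str, str], Set[int]]:
    """Hours of day at which each (user, resource) pair has been seen before."""
    baseline: Dict[Tuple[str, str], Set[int]] = {}
    for ev in history:
        baseline.setdefault((ev.user, ev.resource), set()).add(ev.ts.hour)
    return baseline


def find_off_hours(events: List[Event],
                   baseline: Dict[Tuple[str, str], Set[int]]) -> List[Event]:
    """Flag access outside the learned hours, or to a resource the user never touched."""
    return [ev for ev in events
            if ev.ts.hour not in baseline.get((ev.user, ev.resource), set())]


if __name__ == "__main__":
    for prev, cur, speed in find_impossible_travel(parse_log(NEW_LOG)):
        print(f"impossible travel: {cur.user} {prev.city}->{cur.city} at {speed:.0f} km/h")
    for ev in find_off_hours(parse_log(NEW_LOG), build_hour_baseline(parse_log(HISTORY_LOG))):
        print(f"off-hours/unseen access: {ev.user} -> {ev.resource} at {ev.ts:%H:%M}")
```

With the constructed data, rjohansen’s sessions from NYC and KYV an hour apart are the one impossible-travel finding, the 3 a.m. R&D share access is flagged against a baseline of daytime hours, the quarter-end finance spreadsheet access is not, and mlee’s first-ever touches of the R&D share are flagged because no baseline exists for that pair. In production the learned hours would come from weeks of history and the threshold would allow for GeoIP inaccuracy and VPN egress points.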

Why?


Have we instituted and enforced the principle of least privilege? Have we asked WHY a user or system account has requested access to a share, installed software or made changes to data?

While technical controls can assist in protecting data, the administrative control of identifying sensitive data must stay in the hands of the business function’s leadership, the Data Owner.  The Data Owner institutes the workflow and influences the technical controls that can support proper user access control. The Data Owner is responsible for granting user access to the data individuals need to perform their job functions.  If there is a deviation, which there inevitably will be, the proper business justification to allow rjohansen access to the R&D share at 3 a.m. for 90 days will be documented so it can be audited.
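The access decision this paragraph describes, entitlement by group within expected hours, with a Data Owner-approved, time-limited exception for the deviations and a record of every decision for audit, is shown in the following added example. It is not code from the ATSG post; the share classifications, group memberships, the “rnd-data-owner” approver and the 90-day exception for rjohansen are all constructed to mirror the scenario in the text.

```python
# Added example (not from the ATSG post): a least-privilege access decision that honours
# Data Owner-approved, time-bound exceptions and records every decision for audit.
# The share policy, group memberships and the 90-day exception are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set


@dataclass(frozen=True)
class SharePolicy:
    classification: str   # e.g. "public" or "restricted"
    groups: Set[str]      # groups the Data Owner has entitled to the share
    hours: range          # hours of day in which routine access is expected


@dataclass(frozen=True)
class AccessException:
    """A documented deviation granted by the Data Owner for a fixed period."""
    user: str
    share: str
    justification: str
    approved_by: str
    granted: datetime
    duration_days: int

    def expires(self) -> datetime:
        return self.granted + timedelta(days=self.duration_days)

    def covers(self, at: datetime) -> bool:
        return self.granted <= at < self.expires()


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class AccessControl:
    def __init__(self, shares: Dict[str, SharePolicy], memberships: Dict[str, Set[str]],
                 exceptions: List[AccessException]) -> None:
        self.shares, self.memberships, self.exceptions = shares, memberships, exceptions
        self.audit_log: List[str] = []   # every decision, allow or deny, is recorded

    def decide(self, user: str, share: str, at: datetime) -> Decision:
        policy = self.shares.get(share)
        if policy is None:
            d = Decision(False, "unknown share: no classification on record")
        elif policy.classification == "public":
            d = Decision(True, "public data")
        elif (self.memberships.get(user, set()) & policy.groups) and at.hour in policy.hours:
            d = Decision(True, "entitled group, within expected hours")
        else:
            exc = next((e for e in self.exceptions
                        if e.user == user and e.share == share and e.covers(at)), None)
            if exc is not None:
                d = Decision(True, f"exception approved by {exc.approved_by} "
                                   f"({exc.justification}), expires {exc.expires():%Y-%m-%d}")
            else:
                d = Decision(False, "not entitled or outside expected hours, no active exception")
        self.audit_log.append(f"{at:%Y-%m-%dT%H:%M} user={user} share={share} "
                              f"allowed={d.allowed} reason={d.reason}")
        return d


# Constructed policy: the R&D share is restricted, the cafeteria menu is public.
SHARES = {
    "rnd-share": SharePolicy("restricted", {"rnd-engineers"}, range(7, 20)),
    "cafeteria-menu": SharePolicy("public", set(), range(0, 24)),
}
MEMBERSHIPS = {"rjohansen": {"rnd-engineers"}, "mlee": {"finance"}}
EXCEPTIONS = [AccessException(
    user="rjohansen", share="rnd-share",
    justification="overnight build verification with an overseas team",
    approved_by="rnd-data-owner", granted=datetime(2019, 9, 1), duration_days=90)]


def build_control() -> AccessControl:
    return AccessControl(SHARES, MEMBERSHIPS, EXCEPTIONS)


if __name__ == "__main__":
    ac = build_control()
    for user, share, at in [("rjohansen", "rnd-share", datetime(2019, 9, 3, 10)),
                            ("rjohansen", "rnd-share", datetime(2019, 9, 4, 3)),
                            ("rjohansen", "rnd-share", datetime(2019, 12, 15, 3)),
                            ("mlee", "rnd-share", datetime(2019, 9, 3, 10)),
                            ("mlee", "cafeteria-menu", datetime(2019, 9, 3, 3))]:
        ac.decide(user, share, at)
    print("\n".join(ac.audit_log))
```

The point of the structure is that the technical control never decides on its own what is sensitive: the classification, the entitled groups and the exception all come from the Data Owner’s policy data, and the 3 a.m. access is allowed only while the documented exception is in force, then denied again once the 90 days have elapsed. Because every decision lands in the audit log with its reason, an auditor can later see not just that rjohansen reached the share, but under which justification and approval.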

Conclusion


While it is back to school time and our routines are returning to something like a “normal” state, it’s also a good time to establish a similar normal for good information security hygiene, consisting of maintaining a regular cadence of assessing, auditing and optimizing administrative and technical controls. While we all may have enjoyed a break over the summer, the bad actors, nefarious insiders and other threats to our data are working year-round.

Learn more about the information security services ATSG has to offer by contacting one of our experts today.
