Making a distinction between external and internal threats is becoming increasingly difficult and less and less relevant. The issue of internal security threats was highlighted by Geoff Webb's article this week (linked below). As he rightly states, the insider threat may easily outstrip Internet-based cyber attacks in terms of information asset loss or damage, and yet still be the less feared and therefore, less well-defended against, threat.
Whether due to complacency or naivety, the vast majority of organizations have failed to adapt security processes and procedures to reflect the changing threat landscape. As Webb highlights, growing numbers of data theft are inside jobs where users are ‘over-privileged’ in terms of rights and permissions to roam the network and steal data. However, the other significant knock-on effect from these over-privileged users is that they will also be empowered to do far more damage to the organization if they fall victim to a phishing attack or other malware infection.
It is therefore critical that organizations start embracing a higher level of best practice and governance in security processes and procedures and, in particular, extensive internal defenses.
Organizations need a completely infallible way of detecting the presence of malware and to also ensure hardening measures and user access controls are being enforced. Any configuration drift or other breach activity needs to be alerted in real-time to stave off threats and potential damage. Whilst all compliance, governance and regulatory standards require security controls such as a hardened build standard, control of user rights and tight change control, this is too often focused heavily on protecting from external threats with a lack of understanding that the internal threat is potentially of more significance.
File Integrity Monitoring (FIM) is proven to radically reduce the risk of security breaches; it raises an alert related to any change in core file systems or configuration settings. The potential breach is detected regardless of whether this has been instigated by an inside man or an unwittingly phished employee introducing malware or other zero-day threat, blasting unrecognized past the AV defenses. Flagging up changes in this way ensures there is no chance of an APT gaining hold; no risk of the stealth attack that gets in and out leaving no trace – there is a trace and the business is immediately notified.
The fact is that every business is at risk at all times and defenses and detection mechanisms must be implemented on the assumption that traditional firewall and AV measures are fallible – and that the lines between the external and internal threat are now intrinsically blurred.