Attack from the Inside or Out: Small Security Steps can Stop Big Breaches
Today's news is again rife with data breaches; namely at UPS (possibly linked to the Backoff malware, which my colleague blogged about here), and Community Health Systems (which may be linked to the Heartbleed flaw). A continuing theme across these breaches is that a relatively small, seemingly mundane action such as requiring two-factor authentication for remote access or applying a security update could have stopped attackers.
According to GovInfoSecurity in an article about the UPS breach:
Chris Hague, a managing consultant at Trustwave who's investigated Backoff intrusions, says businesses that use remote-access tools must secure them using two-factor authentication. "In the cases we've reviewed, poor passwords with remote access were to blame," Hague says. "Many companies use remote access, and if you're not using two-factor authentication, it makes it easier for hackers to brute-force those passwords."
And regarding Community Health Systems, SC Magazine quoted David Kennedy, the principal security consultant and CEO at Ohio-based TrustedSec, as saying that the immediate implementation of a Heartbleed fix could have possibly thwarted the breach.
Not surprisingly, this theme is continued in another article regarding a different, but real and present threat: your own employees. In “Insider Risks: What Have We Learned?”, Data Breach Today’s Jeffrey Roman writes:
When it comes to mitigating the insider threat, the obvious measures can help in preventing data loss and are often the most over-looked. Measures that can stop the little losses from occurring would have stopped Snowden, [Ira] Winkler, [information security expert and former intelligence and computer systems analyst at the National Security Agency] says, including access controls and audits.
This is a discussion I’ve been having with prospects and customers for years. Allowing system admins unfettered and unmonitored access to systems is setting yourself up for trouble. Many times these admins are using remote access tools to manage and work on systems. By simply requiring admins to use a centralized remote access tool that limits what systems they can access and captures an audit trail of their activity, you can reduce the threat of someone doing something shady. Even better, require two-factor authentication to your remote access tool so employees can’t easily use someone else’s credentials to gain access to different systems.
This of course doesn’t stop an admin from using a rogue remote access tool to get to your network, or from physically walking up to and logging into a system. But if you take the steps to block unauthorized remote access tools from your entire network, and put the right physical security practices in place, you can also mitigate these risks.
As always, security is a many-layered thing. But these layers are usually made up of a bunch of small steps that are often seen as insignificant. It’s time to start sweating the small stuff.