Saturday, 17 January 2015

Infosec: Insiders Job

Your security systems assume programmed logic and programmed decisions unlike humans. How good may be your security infrastructure, you don't meet the ends of security unless you educate your employees about your security policy. Whenever, news breaks open that reputed company systems are hacked, you would wonder how attackers did that?! There exists a high probable chance of insider job behind these attacks. "The attackers gained access to database server!" Now the question is how did they get the password? How did they get to know about the security systems in place inside the company?  How good are the small & medium companies when securing information?

Now, think who gave those passwords. It would be none other than who knows it, your employee. Not every employee would ends up providing passwords to the attackers. A disgruntled employee who started envying his boss will provide passwords for 95% of chances. Not only passwords but also the how good the physical security elements are in place! So how do far could you trust your employees when it comes to information security? Almost all employees will be discontent at some point. So it's up to your Information Technology team to decide how to handle critical business information.

Classified Assets:

A common phenomenon would be is to classify employees based on the importance of the work. Example, we can classify then as critical and non-critical assets. Critical assets are employees who work on classified information. A unique security guideline including social interactions when it comes to business must be placed. And liability for non-compliance of guidelines. A Unique password for each critical asset to interact with critical information. Avoid common security credentials for all employees. Providing unique security credentials will help in identifying the mole in the organization.

Firewall, Filters:

Also it is well advised to place good firewall, email filters policies to avoid data being sniffed out of your company. It may sound like old-school methods of securing information. But it is wise to invest on firewall to know the type of traffic and request which were turned down by your servers. They help in identifying the possible methods and protocols attackers trying to explore with your information infrastructure. 

When it comes to email filters, huge cry would be infringement on privacy of your employees. Most of them envy email filters as it will not spare even personal emails. But you will not regret placing such filters to identify what kinds of information are sent to outsiders from employee desk. Consider, an employee emails a spreadsheet which has crucial information about the business target of present fiscal year. If no filters were in place, respecting the privacy of the workers, then you will face a huge public embarrassment. Email filters will block such emails which are crucial to your business. Even the person states that he will work on the data from home. The company must take serious decision especially on "weather the person need that data? And what he is trying to do with that? Do he really have any useful business with the data?" A rational decision would save the day for your company future. For information security is all about being proactive. Once, the information goes out of company LAN then in no way you would be able to recover it.

Actually placing a working email filter is not spying technically. Educate your employees about the email filters and discourage them to use personal emails during work hours. This would be commendable as those using personal emails have high potential to infect the company networks with malwares and spywares.

Storage Policies:
Now, the way through email was blocked. Next best method for grabbing crucial information is through portable storage devices. Most common is Pen drive and USB sticks. First, question yourself, who need access to the USB and why do they need them? Not all employees need access to store information to a USB sticks. So create a storage policy that prohibits usage of external storage devices. But a general ban on USB external storage will hurt some business very bad.

So those systems through which external storage devices could be accessed must have record of people who use them. The activity log must be collected to analysis for any activity against the company policies. 

Assessments:

Last but not the least, test the integrity. You must conduct periodic test against your information infrastructure, especially, on the social interaction front of critical assets. Hire security experts and create a plan for the attack emulation. Work with experts and test against your assets and infrastructure. Find the vulnerabilities before the attackers get head-start. Find out how easy for outsiders to get information about your company.
Analyze your vulnerabilities and educate your employees about the importance of the role they play. Assess them periodically and under pressure. One who keeps up with the change will win the race. Don't relent and be complacent with information security. Being in the information era, investing in information security infrastructure worth every penny.


No comments:

Post a Comment