Saturday, May 28, 2016



Week 11
CERT - Common Sense Guide to Prevention and Detection of Insider Threats, 3rd Edition, Version 3.1
This CERT document outlines several insider-threat issues, illustrated with real cases and situations encountered in business practice. In this blog post I would like to discuss using layered defense against remote attacks, one of the insider-threat practices outlined in the CERT document.
Although the main purpose of remote access is to enhance employee productivity, providing remote access to employees creates the possibility of an attack carried out remotely using the legitimate access granted by the organization. Organizations therefore need to be cautious when granting such access to critical data, processes, or information systems. In most cases remote access makes it easy for an employee to reach the organization's assets and use them for other purposes, such as personal gain or the advantage of another business, because it removes the concern that someone could be physically observing the malicious acts. This vulnerability emphasizes the need to build multiple layers of defense against such attacks: remote access to the most critical data and functions should be provided only from machines that are administered by the organization, and access to these assets should be limited to the smallest practicable group of users and system administrators.
Therefore, when providing remote access to critical data, processes, and information systems, an organization should offset the added risk with closer logging and frequent auditing of remote transactions: the login account, the date and time connected and disconnected, and the user's IP address should be logged for every remote login. Beyond successful remote access, the organization also needs to monitor failed remote logins, including the reason each login failed. Organizations often overlook disabling remote access for terminated employees or others no longer working with the organization, so it is critical to retrieve all company-owned equipment, disable the remote access account, disable firewall access, change the passwords of all shared accounts, and close all open connections belonging to the terminated employee, in order to avoid the risk and control their access to the system.
User information such as remote access logs, source IP addresses, and phone records usually helps to identify insiders who intended to attack. It can point to the intruder directly, but the organization has to be cautious when the intruder tries to frame other users, diverting attention away from his or her misdeeds by using another user's account or manipulating the monitoring process.
According to the CERT study, some of these insider attacks came from the user's home machine, and most were launched from other remote machines not under the administrative control of the organization, using applications like PC Anywhere. Although the intention may be personal benefit, the advantage of another business, or some other opportunity, such an attack ultimately costs the organization a large loss and could possibly drive it out of business. So it is very important to consider providing the extra layer of security, to document all incidents, and to revise the documentation according to the lessons learned from past incidents.
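The controls discussed above (logging each remote login with account, connect and disconnect times, and source IP; monitoring failed logins with the reason; disabling access for terminated employees; allowing remote access only from organization-administered machines) can be audited with a short script. The following is an added example written for this post; it is not code from the CERT guide or from any product. It assumes a hypothetical log format of the form `<timestamp> <event> user=<account> src=<ip> [reason=<text>]`, and the log lines, the terminated-account list, and the managed-network ranges are all constructed for the example.

```python
"""Audit constructed remote-access log lines against the post's controls.

Added example: hypothetical log format, constructed data, not a real product's log.
"""
import ipaddress
import re
from datetime import datetime
from typing import Dict, List

# Constructed sample log lines in the hypothetical format described in the lead-in.
SAMPLE_LOG = """\
2016-05-27T08:02:11 LOGIN user=alice src=10.20.1.15
2016-05-27T08:45:02 LOGOUT user=alice src=10.20.1.15
2016-05-27T22:13:40 FAIL user=bob src=203.0.113.77 reason=bad_password
2016-05-27T22:14:05 FAIL user=bob src=203.0.113.77 reason=bad_password
2016-05-27T22:14:31 LOGIN user=bob src=203.0.113.77
2016-05-27T23:02:00 LOGOUT user=bob src=203.0.113.77
2016-05-28T01:30:12 LOGIN user=carol src=10.20.1.40
"""

# Constructed policy data: accounts that should already be disabled (offboarding),
# and the address ranges of machines the organization administers.
TERMINATED_ACCOUNTS = {"bob"}
MANAGED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN|LOGOUT|FAIL) user=(?P<user>\S+) "
    r"src=(?P<src>\S+)(?: reason=(?P<reason>\S+))?$"
)


def parse_log(text: str) -> List[dict]:
    """Parse each line into a record; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def is_managed_source(ip: str) -> bool:
    """True when the source address falls inside an organization-administered range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MANAGED_NETWORKS)


def audit(records: List[dict]) -> Dict[str, list]:
    """Return findings grouped by the control each one belongs to."""
    findings = {
        "failed_logins": [],              # (user, src, reason)
        "terminated_account_access": [],  # (user, src) logins by disabled accounts
        "unmanaged_source": [],           # (user, src) logins from unmanaged machines
        "sessions": [],                   # (user, src, start, end, minutes)
    }
    open_sessions = {}  # (user, src) -> login timestamp
    for rec in records:
        key = (rec["user"], rec["src"])
        if rec["event"] == "FAIL":
            # Failed remote logins are recorded together with the reason.
            findings["failed_logins"].append((rec["user"], rec["src"], rec["reason"]))
        elif rec["event"] == "LOGIN":
            open_sessions[key] = rec["ts"]
            if rec["user"] in TERMINATED_ACCOUNTS:
                findings["terminated_account_access"].append(key)
            if not is_managed_source(rec["src"]):
                findings["unmanaged_source"].append(key)
        elif rec["event"] == "LOGOUT":
            start = open_sessions.pop(key, None)
            if start is not None:
                minutes = (rec["ts"] - start).total_seconds() / 60
                findings["sessions"].append((rec["user"], rec["src"], start, rec["ts"], minutes))
    # Sessions still open at the end of the log: connected but never disconnected.
    for (user, src), start in open_sessions.items():
        findings["sessions"].append((user, src, start, None, None))
    return findings


def run(text: str = SAMPLE_LOG) -> Dict[str, list]:
    """Parse and audit a log text; returns the findings dictionary."""
    return audit(parse_log(text))


if __name__ == "__main__":
    for control, items in run().items():
        print(control)
        for item in items:
            print("   ", item)
```

Sessions are keyed on the account and source address pair rather than the account alone, so a login by the same account from a second machine shows up as a separate session; that is the kind of detail the post warns about when an intruder uses another user's account to divert attention.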

References:
CERT (2009). Common Sense Guide to Prevention and Detection of Insider Threats, 3rd Edition, Version 3.1. CERT, Carnegie Mellon University. Retrieved from: https://cyberactive.bellevue.edu/bbcswebdav/pid-7538856-dt-content-rid-10132342_2/courses/CIS608-T303_2161_1/cert_common_sense_guide_to_prevention_and_detection_of_insider_threats.pdf


