Endpoints operated by your end users present a tremendous risk to your organization. From being the entry point for infectious malware, to leaking sensitive corporate information, trusted insiders play a critical role in your organization’s overall security posture. During this presentation, we’ll discuss the four blind spots that you need to consider in 2014 and how you can take proactive measures to prevent them.
• Personal Clouds
• Email
• Mobile Devices
• Removable Devices / Media
4 Insider Risk Blindsports: What You Need to Know and How to Prevent Them
1. 4 Insider Access
Blind Spots
What You Need to Know and
How to Prevent Them
Chris Merritt
Director of Solution Marketing
source: http://www.livearts-fringe.org/blog/images//blindspot1.jpg
2. Introduction
• Traditional Focus on Perimeter
• Evolving Towards Endpoint
Protection
• Four “Blindspots” to Consider
»
»
»
»
2
Cloud-based Personal Storage
Email Attachments / Links
Mobile Device Storage
Removable Devices / Media Storage
12. More Information
Free Security Scanner Tools
» Application Scanner – discover all the apps
being used in your network
» Device Scanner – discover all the devices
being used in your network
https://www.lumension.com/resources/
premium-security-tools.aspx
Whitepapers
» SC Magazine Security Brief - Under the Radar
https://www.lumension.com/resources/
free-content/SC-Magazine-Security-Brief-Under-the-Radar.aspx
» Data Privacy Day 2014 Resource Center
https://www.lumension.com/
2014-Data-Privacy-Day.aspx
» 2014 Data Protection Maturity Trends webcast
https://www.lumension.com/resources/
webinars/2014-Data-Protection-MaturityTrends.aspx
12
Get a Free Trial of
Lumension Application Control
https://www.lumension.com/
application-control-software/free-trial.aspx
Data Exfiltration …Data uploaded to Dropbox, iCloud, Google Drive, Box, etc.Everyone knows about these … If someone uses an iPhone or Android-based phone, they almost assuredly have access to one or more.But these are not limited to mobiles … easy peasy use on workstations (desktops / laptops) too.Some of these put a client on the endpoint … others do not.So there’s a problem of visibility … we recently did a survey which shows that this is an emerging security nightmare, with 30% having no idea about usage, 40% knowing but having no control, and the remainder claiming to have some level of control [Data Protection Maturity survey webcast next week on 01/28.]
Malware Intrusion …The other issue is downloading malware …Your network may protect, but does your user’s home network provide same level of protection?Documents may be poisoned in such a way as to only work in the organizational networkApps which are considered impermissible might be downloaded via this end-run routeAlso used in facilitating comms (proxy for receiving instructions from the real C&C server)Cloud services also being used to maintain / spread malware or used to sync malware to get around firewallsMore generally it’s the web, not just personal storage … Watering Hole attacks, Drive-by attacks, IM attacks, etc. … we’ll talk more about these in a minute.Solution = Triad of People, Policy and Technology …People … ongoing education, alerts, etc. … in our Data Protection Maturity survey results, we’re seeing continued increase in “formal / ongoing” training, which is a good thingPolicy … is this an acceptable risk for the organization? It might be, in order to facilitate productivity … or you might have a preferred online storage vendorTechnology … Defense-in-Depth … slow down attacks (trade space for time), enhance probability of detection, get more time to reactURL filtering / NG firewalls / gateway inspection … all good stuff, altho I don’t know as much as perhaps I shouldAV obviously has a role, but perhaps the better endpoint focus should be on application whitelistingAlso, enforce encryption requirements … see People and Policy too
Data Exfiltration …This is perhaps an obvious issue … users sending data out via emailData leakage can be unintentional (sent to wrong person) or intentionalMight be well understood, but how is it being managed?
Malware Intrusion …And this is the flip side to the “obvious” issue of email … it’s being used as an attack vectorWe all know about phishing attacks and their highly targeted analog, the spear phishing attackLinks that go to watering holes, drive-bys or other poisoned content … or attachments that are booby trappedSolution …Very definitely a training angle here … keep folks aware, and on the ball … and “crowdsourcing” this might be an effective tacticAlso, a policy / process angle … how do your folks report this? are they chastised or belittled for reporting? is there a connection between their efforts and organization-wide outcomes?Of course, there are also technical tools which can be brought to bear … not really my bailiwick, but things like DLP, gateway filtering and so forth. Another obvious tool is AV … but we all know it’s not working as well as a few years ago, so this is another instance where application control will work well: if the user accidently clicks on something that tries to download malware the evades other defenses, it will prevent it from running.
Data Exfiltration …An emerging area of concern are smartphones with substantial storage capacities, which can be connected to endpoints in your networkIn addition, when connected, they may lead to add’l apps being installed, either manually or automatically … for instance, plugging an iPhone into an endpoint will lead to iTunes being installed.Depending on your security posture / risk tolerance, you might want to manage this ... we‘ll get into some of the means in a second.But, before I leave the “data exfiltration” aspect of mobile devices, I should also point out that most data privacy / breach laws / regs will cover data lost on a phone, just like if it were on a laptop or on the network.
Malware Intrusion …Not a day goes by now without hearing about some sort of mobile malware storyMost of it seems aimed at Android OSes, but iOS certainly not immuneSeeing continued growth in quantity (26% increase in Q3-2013 according to one survey I saw) and more sophisticated (so-called “Jekyll Apps”)Less obvious is how some of these are propagated to the networkSolution …App store notionAC / AVEncryptionDC … limit data off / executables onMDM … lock / encrypt … can get fancy, but our DPMM survey shows these basic “blocking & tackling” steps are not being used, so this might be a good first step
Data Exfiltration …Think Wikileaks / Manning … data taken on USB sticks or CDsThis problem has been around for a long time, but it remains a blindspot … physical vector is still not considered as strongly as the network vector, but should beStill seeing reports of data breaches via USB sticks … in the US, we see a lot in the HC and Public sectorsSubject to all data breach / privacy laws / regs
Malware Intrusion…Malware propagation via USB is commonFamous examples …Stuxnet / Flame Cryptolocker has recently been updated to include a “sneaker net” component via USBsIn fact, there was a report a couple years back that ~70% of USB keys found in AU rail stations contained malwareAnd, in case you think space is the ultimate air gap solution … back in Nov-2013, the ISS was infected by a USB stick brought onboard by a Russian cosmonaut!So, as you can tell, this is a very well worn path / attack vectorSolution …DC / Encryption … better than gluing ports shutAC / AV … prevent infection even if it gets thruPolicy / People … don’t pick up sticks (“red team” exercises)
So, we’ve covered four (4) ways your insiders can cause issues … Unintentional … use training and technology to mitigateIntentional … use technology and vigilance to mitigateBTW, we didn’t really talk about Business Associates (BAs) … supply chain security is a burgeoning issue for many sectors, and is beginning to get the attention of regulators too … of course, in the HC sector, this is already a fact of life b/c of HIPAA / HITECH.
Focus on …App / Device scanners … what do you really have on (or attaching to) your servers?SC Magazine Security Brief - Under the Radar … Most computer users think nothing of transferring files on to tiny memory devices. Security pros warn about the risks. Read this edition in our serious of reader surveys on various aspects of Advanced Persistent Threats focuses on removable media. Find out how respondents perceive the risks associated with removable media and how they are prioritizing these concerns.Data Privacy Day 2014 … Data Privacy Day is Tuesday, January 28, 2014. It's a great reason to educate the employees at your organization and bolster your security posture. You can find a few resources on the site.2014 Data Protection Maturity Trends webcast … Finally, I’d like to encourage everyone to attend our webcast next week on the 3rd annual Data Protection Maturity Model survey results … you’ll find the reg. page on the Data Privacy BTW, we have a lot of other technical whitepapers available, including several on by Tolly on how you can improve server / endpoint performance while also increasing security, and several on best practices for deploying AC / DC.