Adding Tools to Tools

The information security sector has grown rapidly over the last two decades, and is now rising three times faster than overall worldwide IT spending, with analyst firm Gartner predicting that information security products and services will exceed $114bn in 2018, up 12.4% from last year.

Much of the money is spent on protecting against external threats, and the highly regarded Verizon Data Breach Investigations Report (DBIR) found that 78% of incidents are committed by external hackers. However, the report, which looked at 53,000 real incidents, also found that 30% involved internal actors or partners. This portion of attacks is perhaps the most worrying, as it is an often-overlooked area of IT security and the most difficult to prevent.

Internal threats can come from a myriad of different sources ranging from gullible users becoming victims of phishing attacks, to disgruntled or criminal-minded employees readily unlocking the doors for the cyber-criminals waiting just beyond the perimeter. 

Often the most dangerous insider threat comes from individuals within the IT department. In some cases, the insider threat is not down to maliciousness but simply to device misconfiguration or unapplied patches on critical systems that expose an easily fixed vulnerability, as in the 2017 breach at Equifax in which the details of 146 million customers were stolen.

In the worst-case scenario, a rogue admin has not only an understanding of where critical data resides but also the technical knowledge to disable defenses in a way that may well go undetected for a significant period of time ahead of an attack.

Almost a third of breaches have an insider element, and that statistic has remained constant across several years’ worth of DBIR surveys. This is in part due to the design of many security systems, along with the lax processes used to secure access to elements such as the firewall, IPS, IDS, NAC and VPN platforms.

For example, gaining access to many of these systems requires only an administrator name and password, and few vendors offer change control, audit tracking or multi-factor authentication (MFA) as a built-in capability. Even though most security appliances and software tools support integration with privileged access management and MFA solutions, it is unclear how many organizations enable these features for access to their security infrastructure. A 2016 survey of IT administrators by Thycotic suggested that 20% of organizations have never changed the default passwords on their privileged accounts and that 30% of organizations allow accounts and passwords to be shared.

Many large organizations we have spoken with over the last decade have a cultural assumption that infosec administrators are trusted individuals and can therefore be left with the keys to the kingdom with minimal oversight. This is a dangerous supposition when cases such as that of Terry Childs come to light: in 2010, the rogue IT admin locked the city of San Francisco out of its municipal network by refusing to hand over the passwords for all of its Cisco routers and switches.

In other cases, a failure to patch a vulnerability, or even a misconfiguration in the security device itself, weakens the overall effectiveness of the security infrastructure. Without the ability to record whether patches and configuration changes have been made, when, and by whom, a security weakness can arise without any accountability or any understanding of whether the error was intentional.

However, this situation is starting to change as CISOs recognize that both the security infrastructure and the people who manage these critical elements need better processes and tools to protect against both negligence and insider threats.

On the process side, some common IT practices that simplify management need to cease, such as the use of static, single-factor credentials for logging into the management interfaces of critical security appliances. The shared username/password paradigm is rapidly disappearing from every other aspect of system administration and that change needs to extend to the infosec team.

To address many of these issues, organizations could use smarter out-of-band (OOB) console technology as a centralized conduit that manages secure access to every security appliance in the environment. This has several major advantages. The first is a simpler way to deploy MFA: it only needs to be integrated into the console server to be enforceable across the entire security appliance layer.

Secondly, smarter console technology can act as a system of record for all configuration changes and patches, with the change records sent over an alternative path such as a 4G network and retained at a centralized SOC or SIEM solution. An update failure that leaves a device unreachable via the production IP network can often be rectified over this same out-of-band connectivity, which reaches the underlying console through the service ports found on most network devices.

This approach not only helps managers quickly determine if critical infrastructure has been patched but also allows forensic investigators to find out if a breach was aided and abetted by the actions of an insider or was just an oversight.
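The two questions the article raises for this system of record, "has this device actually been patched?" and "did an insider change or disable a defense before the breach?", are straightforward to answer once every console session is logged with a timestamp, device, account, authentication method and action. The script below is an added example, not code from the article or from any console-server vendor; the log format, the field names, the account names and the list of defense-weakening keywords are all assumptions constructed for the illustration. It parses a handful of constructed console-server records, reports devices with no patch inside a review window, and flags sessions that used a shared account, skipped MFA, or altered a defensive control.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample records, one per console-server session event.
# The field layout is an assumption for this example, not any vendor's format.
SAMPLE_LOG = """\
2018-06-01T01:10:00Z device=fw-edge-01 user=jsmith mfa=yes action=patch detail="firmware 9.1.4"
2018-06-01T01:12:30Z device=fw-edge-01 user=jsmith mfa=yes action=config detail="set policy allow-vpn"
2018-06-20T23:45:10Z device=ips-core-02 user=admin mfa=no action=config detail="ips signature-set disable"
2018-06-21T00:02:00Z device=ips-core-02 user=admin mfa=no action=config detail="logging host remove 10.0.0.5"
2018-03-02T09:00:00Z device=nac-01 user=mlee mfa=yes action=patch detail="agent 4.2.0"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) device=(?P<device>\S+) user=(?P<user>\S+) '
    r'mfa=(?P<mfa>yes|no) action=(?P<action>\w+) detail="(?P<detail>[^"]*)"$'
)

# Generic or shared logins that defeat accountability (assumed list).
SHARED_ACCOUNTS = {"admin", "root", "administrator"}
# Substrings that indicate a defensive control was weakened (assumed list).
DEFENSE_WEAKENING = ("disable", "no logging", "logging host remove", "shutdown")


def parse_log(text):
    """Turn raw log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ev["mfa"] = ev["mfa"] == "yes"
        events.append(ev)
    return events


def unpatched_devices(events, now, max_age_days=30):
    """Devices with no recorded patch event inside the last max_age_days."""
    last_patch = {}
    for ev in events:
        if ev["action"] == "patch":
            last_patch[ev["device"]] = max(last_patch.get(ev["device"], ev["ts"]), ev["ts"])
    cutoff = now - timedelta(days=max_age_days)
    devices = {ev["device"] for ev in events}
    return sorted(d for d in devices if d not in last_patch or last_patch[d] < cutoff)


def flag_sessions(events):
    """Sessions a forensic reviewer should look at first, with the reasons."""
    findings = []
    for ev in events:
        reasons = []
        if not ev["mfa"]:
            reasons.append("no-mfa")
        if ev["user"] in SHARED_ACCOUNTS:
            reasons.append("shared-account")
        if ev["action"] == "config" and any(k in ev["detail"] for k in DEFENSE_WEAKENING):
            reasons.append("defense-change")
        if reasons:
            findings.append((ev["ts"].isoformat(), ev["device"], ev["user"], reasons))
    return findings


def device_timeline(events, device):
    """Chronological who/what/when history for one device."""
    return sorted((ev["ts"], ev["user"], ev["action"], ev["detail"])
                  for ev in events if ev["device"] == device)


def review(log_text, now_iso, max_age_days=30):
    """Run both checks over a log and return the results in one dict."""
    events = parse_log(log_text)
    now = datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {
        "unpatched": unpatched_devices(events, now, max_age_days),
        "flagged": flag_sessions(events),
    }


if __name__ == "__main__":
    result = review(SAMPLE_LOG, "2018-06-22T00:00:00Z")
    print("Devices without a patch in the last 30 days:", result["unpatched"])
    for ts, device, user, reasons in result["flagged"]:
        print(f"{ts} {device} {user}: {', '.join(reasons)}")
    for row in device_timeline(parse_log(SAMPLE_LOG), "ips-core-02"):
        print(row)
```

On the constructed sample the review reports ips-core-02 and nac-01 as unpatched and flags both ips-core-02 sessions, because a shared account without MFA turned off an IPS signature set and removed a logging destination. Those are exactly the records that let an investigator separate an oversight from an insider's hand, and they only exist if the console path, not the device itself, is what keeps the log.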

This OOB connectivity is also useful during a cyber-attack that disrupts the production IP network, such as a DDoS, a targeted switch attack or a rogue admin “lock out” attempt, with the OOB console server providing a direct connection over 3G/4G cellular modems to critical devices such as routers, switches and firewalls.

For organizations to combat the issue of insider threats, more of them need to recognize that the systems they use to stop cyber-attacks must follow the same security best practice as the critical corporate assets they endeavor to protect.