Top 10 Steps Towards Eliminating Inside Threats by Paresh Thakkar

Compiled by Paresh Thakkar CISM, MBA. Based on an original article in CSO FORUM by Paul Kenyon.

Upload: paresh-thakkar

Post on 15-Dec-2014


DESCRIPTION

Information security, Insider threats, IT infrastructure management, CIO, CTO

TRANSCRIPT


Background

• Computer networks are complicated, and keeping them secure depends on a multitude of factors. However, at the core of these activities are administrative rights, which make it possible to fundamentally alter the configuration of the desktop PC, its applications and network linkages.

• A slight error by an admin can result in malicious code getting installed and running on the company server, potentially compromising the company network.

• Once a problem occurs, it often unravels into a downward spiral, taking your business and reputation down with it.

Insider Threat Compromise

© Paresh Thakkar CISM, CEH, ECSA, MBA email: [email protected]


Why this presentation?

• These 10 steps help mitigate your organisation’s risk. They mostly revolve around taking a “Least Privilege” approach, meaning end-users can perform their jobs with ease, but without threatening the organisation’s security.

• Here are 10 steps that you can take towards making “Least Privilege” a reality.


STEP 01 REGULARLY EVALUATE RISK

• Operating systems depend on certain files and folders within the Windows folder, and on the registry. If these are modified without the IT department’s knowledge, the system can become unstable, and the chances of data leakage increase. IT should be made accountable and responsible for controlling what applications a user can install or change.

• Regular evaluation of security risks, combined with application whitelisting, is essential in providing an extra layer of defence.


STEP 02 ENCOURAGE USERS TO HAVE FEWER DEVICES

• The proliferation of personal devices in the workplace has increased the complexity and cost of defence for an organisation. Create a balance of personal and corporate devices, and even have a role-based eligibility model.

• If an employee justifies the use of a device, the onus is on the organisation to establish its compliance with company policy, with a clear matrix of support responsibility, and business continuity in the event of loss of the device.


STEP 03 MOVE TO A MANAGED ENVIRONMENT

• Lock down machines so users can only change their desktop configuration, NOT THE CORE system. This also reduces support calls and costs.

• Move to managed services, e.g. use Microsoft Group Policy and Microsoft System Center.

• These enable effective deployment of services such as automated patch management and software distribution/updates.


STEP 04 IMPROVE END-USER EXPERIENCE

• Security is often seen as too limiting for users if it is not well planned and implemented.

• You can actually improve the user experience and give privilege back to users who were previously excessively limited.

• Give users feedback on activities, rather than completely blocking them from resources. This would lower calls to the helpdesk, thereby lowering support costs.


STEP 05 USE ACTIVE DIRECTORY

• Ask yourself: have I maximised the use of Active Directory in my organisation? It can be used very effectively to derive higher efficiencies and productivity of employee time.

• More granular control of user activities is possible without adversely impacting them, thereby boosting productivity.

• Mobile Device Management solutions help comply with company policies even with personal devices. Use them to ensure personal devices do not leak corporate data. Have a standard minimum device configuration published.


STEP 06 IMPROVE NETWORK UPTIME

• Excess admin privilege == Lost Productivity

• A user who does not understand how much power his computer plus admin rights have can be a severe threat to your network: think denial of service, floods of traffic, spambots and what not.

• A least privilege environment increases the stability of the network as well as the quality of traffic on the network.


STEP 07 REGULATORY COMPLIANCE

• Research all the compliance requirements that your organisation needs to comply with. This will reduce regulatory penalties. All compliance requirements directly or indirectly impose the minimum privilege needed to complete everyday tasks.

• E.g. PCI DSS [Payment Card Industry Data Security Standard] states that the organisation must ensure that privileged user IDs are restricted to the least amount of privilege needed to perform their jobs.


STEP 08 DEMONSTRATE DUE DILIGENCE

• Help educate employees about safe computing and the acceptable use policy.

• Make posters about the possible threats around them, and display them in public areas such as the utilities, pantry, canteen etc.

• This also helps build customer confidence, and increases the reputation of the organisation and goodwill.


STEP 09 ANALYSE SUPPORT COSTS

• Simply put, secure and managed systems are cheaper to support, thus making security a business enabler rather than a cost/expense.

• Publish the knowledge base, processes and workflows on a need-to-know basis, so panic calls to the help desk are avoided. Self-help systems definitely reduce support costs.

• A continuous, incremental approach to security would see a continuous reduction in support costs.


STEP 10 REDUCE COMPLEXITY

• As discussed in Step 1, unauthorised and uncatalogued configuration changes can be disastrous. Systems are complex as it is. Simplify by removing any local administrative rights, integrating systems into a central Active Directory, and enforcing group policy centrally, without which network access is disallowed.

• Give flexibility to line-of-business applications, NOT the core operating system.

• Build a centrally available store of approved applications that can be installed. These can be for all the types of devices in your organisation: BlackBerry, Android, iPhone, Windows, Java etc.


SO, WE REDUCE INSIDER THREAT BY:

1 • REGULARLY EVALUATE RISKS

2 • MINIMISE DEVICES

3 • MOVE TO MANAGED ENVIRONMENT

4 • IMPROVE END-USER EXPERIENCE

5 • MAXIMISE THE ACTIVE DIRECTORY

6 • IMPROVE NETWORK UPTIME

7 • REGULATORY COMPLIANCE

8 • DEMONSTRATE DUE DILIGENCE

9 • ANALYSE SUPPORT COST

10 • REDUCE COMPLEXITY


ENDNOTE

Organisations need to leverage least privilege management to achieve a smart balance for an IT environment where everyone can be productive while remaining secure.

It all boils down to a logical decision: do you want the best of both worlds, productivity and security?


I AM REACHABLE ON PCTHAKKAR @ GMAIL . COM

@pcthakkar/pcthakkar
