US Cyberwarfare Policy Should Make Enterprises Sweat the Insider Threat
Jul 27, 2011 5:00 AM PT
Christopher Zannetos
The recent spearphishing attacks on security firm RSA (through the compromise of its SecurID tokens) and on the International Monetary Fund are both suspected of being attacks by foreign powers to steal data that could be used in a cyberoffensive against the United States.
Cyberattacks on U.S. assets aren't necessarily anything new, but the rash of recent high-profile break-ins has led the current administration to take a hard stance and draw a line in the sand. Although none of these attacks have been publicly linked to foreign nations, the Pentagon recently declared that any cyberattack by a foreign power against a U.S. asset could be interpreted as an act of war and would be answered with measured military force. Such a proclamation has been expected for some time -- but until now, the international cyberwaters have been murky, to say the least.
Why is this new world order significant? As enterprises and government organizations harden their exterior network security to guard against APTs (advanced persistent threats), they should also be mindful that foreign nations will likely try harder than ever to mask their true identity, given the high stakes that now exist.
The U.S. may currently be preoccupied with two wars, but the threat of a military response to foreign powers caught with their hand in the cyber-cookie jar has to give them pause. There is a strong chance that foreign nations will continue to engage in cyberespionage, but that they will be much more careful about covering their tracks when doing so.
Getting at sensitive data through someone inside an organization -- who has all the access rights they need -- is not only the most effective way to breach a hardened perimeter defense, but also a great way to obfuscate the attack. Organizations will need to be on the lookout for "middle man" hackers who may serve as mercenary forces for veiled attacks by other countries.
Whether compromised unknowingly (through a highly targeted spearphishing attack) or manipulated into accessing data for a seemingly harmless middle man, private sector and federal agency insiders will become one of the biggest risks to the security of critical data. The more vital the information, the more sophisticated, targeted and frequent the attacks are likely to be.
All of this makes managing access to corporate or government resources more important than ever before. It is no longer enough to know who is accessing the network and to verify that the user is approved to do so. Greater granularity is required: access management must be combined with user activity monitoring to make sure that each data access is both appropriate and necessary.
By combining identity and access management (IAM) systems with security information and event management (SIEM) solutions, IT administrators can get a better picture of how data is being accessed and determine if anything out of the ordinary is occurring. Melding data loss prevention (DLP) solutions with these two will also add an extra layer of protection. Together, they add up to access intelligence.
So the stakes have been raised, and targeting insiders' access credentials, as we have already seen, will likely be a favorite attack vector going forward. It helps hackers cover their tracks and gets them past the outer defenses of a company and into the soft underbelly where key data resides.
Organizations need to be more vigilant than ever to make sure that along with protecting the perimeter, they are continually monitoring access rights -- as well as how access is being used -- in order to quickly identify any anomalies and flag inappropriate access.
Your trusted users may not even realize that their access has been hijacked, so it's important to routinely check key applications to make sure that nothing out of the ordinary is occurring.
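The "access intelligence" the column describes (IAM entitlements joined with SIEM activity events and DLP classifications, then checked continually for access that is entitled but not appropriate or necessary) can be sketched as a small correlation routine. The following is an added illustration written for this page, not tooling from the author or from any IAM, SIEM or DLP vendor; the role tables, the DLP labels, the per-user baselines, the 10.0.0.0/8 corporate address range, the 10x volume threshold and every log line are constructed for the example.

```python
"""Toy access-intelligence correlation (added example, constructed data).

Joins three feeds the column names:
  IAM   - which roles a user holds and which resources each role may read
  SIEM  - access events as key=value log lines
  DLP   - sensitivity classification of each resource
and flags events that are not entitled, come from off the corporate
network, pull far more records than the user's baseline, or are a user's
first touch of sensitive data.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# --- Constructed inputs (all hypothetical) ------------------------------
IAM_ROLES = {                      # IAM export: user -> roles
    "alice": {"finance-analyst"},
    "bob": {"hr-generalist"},
    "carol": {"finance-analyst", "finance-admin"},
}
ROLE_ENTITLEMENTS = {              # IAM export: role -> readable resources
    "finance-analyst": {"quarterly-forecast", "gl-ledger"},
    "finance-admin": {"quarterly-forecast", "gl-ledger", "payroll-master"},
    "hr-generalist": {"payroll-master"},
}
DLP_CLASS = {                      # DLP classification per resource
    "quarterly-forecast": "confidential",
    "gl-ledger": "internal",
    "payroll-master": "restricted",
}
# Typical records pulled per read, learned from history (user, resource)
BASELINE_RECORDS = {("alice", "quarterly-forecast"): 40,
                    ("carol", "payroll-master"): 60}
CORP_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate range
VOLUME_FACTOR = 10                             # assumed anomaly threshold

SIEM_LOG = """\
2011-07-25T09:02:11Z user=alice src=10.1.4.22 action=read resource=quarterly-forecast records=40
2011-07-25T09:40:05Z user=alice src=10.1.4.22 action=read resource=gl-ledger records=12
2011-07-25T22:13:44Z user=alice src=203.0.113.9 action=read resource=quarterly-forecast records=900
2011-07-25T10:15:00Z user=bob src=10.1.7.8 action=read resource=quarterly-forecast records=30
2011-07-25T10:20:00Z user=bob src=10.1.7.8 action=read resource=payroll-master records=5
2011-07-25T11:00:00Z user=carol src=10.1.4.30 action=read resource=payroll-master records=50
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) action=(?P<action>\S+) "
    r"resource=(?P<resource>\S+) records=(?P<records>\d+)$"
)


@dataclass
class Alert:
    ts: str
    user: str
    resource: str
    classification: str
    reasons: list = field(default_factory=list)


def entitled_resources(user):
    """Expand a user's IAM roles into the set of resources they may read."""
    allowed = set()
    for role in IAM_ROLES.get(user, ()):
        allowed |= ROLE_ENTITLEMENTS.get(role, set())
    return allowed


def parse_events(log_text):
    """Parse key=value SIEM lines; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["records"] = int(rec["records"])
            events.append(rec)
    return events


def assess(events):
    """Correlate each event with IAM, DLP and baseline data; return alerts."""
    alerts = []
    for ev in events:
        user, res = ev["user"], ev["resource"]
        cls = DLP_CLASS.get(res, "unclassified")
        reasons = []
        if res not in entitled_resources(user):
            reasons.append("no_entitlement")          # IAM says: not allowed
        if ipaddress.ip_address(ev["src"]) not in CORP_NET:
            reasons.append("off_network")             # source outside corp range
        typical = BASELINE_RECORDS.get((user, res))
        if typical is None:
            # Entitled, but never seen touching this sensitive resource before
            if cls in ("confidential", "restricted") and "no_entitlement" not in reasons:
                reasons.append("first_sensitive_access")
        elif ev["records"] > VOLUME_FACTOR * typical:
            reasons.append("volume_anomaly")          # entitled but far above norm
        if reasons:
            alerts.append(Alert(ev["ts"], user, res, cls, reasons))
    return alerts


if __name__ == "__main__":
    for a in assess(parse_events(SIEM_LOG)):
        print(f"{a.ts} {a.user} {a.resource} [{a.classification}] {', '.join(a.reasons)}")
```

Run stand-alone, the script flags three of the six constructed events: alice's late-night 900-record pull from an outside address (entitled, but off-network and far above her baseline), bob's read of a forecast his roles do not grant, and bob's first touch of restricted payroll data. The point of the join is the first case: an entitlement check alone passes it, and only the SIEM context and the DLP label make it stand out, which is the "appropriate and necessary" test the column asks for.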