Recently, the Security Team here at SolarWinds conducted a survey to gather information about the security risks you felt would be the most detrimental to your network. While it was clear that the external threat will always be a risk, you expressed a lot more confidence in your perimeter defense systems, policies, and procedures. On the flip side, there was also a significant increase in the belief that the INTERNAL threat is a much higher risk.
The following infographic provides several simple tips that can help reduce the risk of insider abuse. Below you will also find some additional best practices that you can use to create a more secure user environment.
1. CREATE STRONG PASSWORDS/PRACTICE PASSWORD HYGIENE
- Configure and enforce the use of strong passwords. While your users and customers may grumble, your leadership and compliance auditors will breathe a sigh of relief.
- Educate your users on the importance of passwords to create buy-in. One of the most effective ways to drive a point home is to show them how easy it is to crack simple passwords: get permission from management and run a live attack on sample passwords. The “shock and awe” factor can be a pretty effective method.
- Use SIEM or Log Management tools to monitor and alert on odd password sets/resets, such as strange times of day or too many accounts being changed at once. This can be an early indicator of both brute force and low and slow attacks.
2. KEEP YOUR INBOX SAFE
- User education is also extremely important when it comes to email. Providing real-life examples of phishing emails would be a good way to help your user base gain a simple understanding of how emails can be used to gather information. Most importantly, encourage them to ask questions! The old adage “If it’s too good to be true...it probably is” is a good mantra to remember when preaching email security.
- Email content scanners are essential for scanning attachments and emails for embedded code, while SIEM and Log Management tools can also be used to monitor logs for suspicious authentication events. Look for someone logging on to another user’s inbox, “send as” events against critical inboxes, port 25 traffic that does NOT originate from your email server(s), or an abnormal amount of traffic that is in fact coming from your internal email server(s).
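To make the monitoring in tips 1 and 2 concrete, here is an added example (not from the original post and not SolarWinds product code) that runs two simple checks over constructed log events: password-reset bursts or off-hours resets by a single actor, and port 25 connections from hosts that are not a known mail server. The event format, thresholds, and addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (timestamp, event type, fields).
EVENTS = [
    ("2024-03-04 02:10:00", "password_reset", {"actor": "helpdesk1", "target": "alice"}),
    ("2024-03-04 02:11:30", "password_reset", {"actor": "helpdesk1", "target": "bob"}),
    ("2024-03-04 02:12:05", "password_reset", {"actor": "helpdesk1", "target": "carol"}),
    ("2024-03-04 02:13:40", "password_reset", {"actor": "helpdesk1", "target": "dave"}),
    ("2024-03-04 10:30:00", "password_reset", {"actor": "helpdesk2", "target": "erin"}),
    ("2024-03-04 10:31:00", "smtp_connect", {"src": "10.0.0.25"}),  # assumed mail server
    ("2024-03-04 10:32:00", "smtp_connect", {"src": "10.0.5.77"}),  # assumed workstation
]
MAIL_SERVERS = {"10.0.0.25"}        # hosts allowed to originate port 25 traffic (assumed)
BUSINESS_HOURS = range(7, 19)       # 07:00-18:59 counts as a normal time of day
RESET_THRESHOLD = 3                 # resets by one actor within RESET_WINDOW -> alert
RESET_WINDOW = timedelta(minutes=10)

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def reset_alerts(events):
    """Flag off-hours resets and bursts of resets performed by a single actor."""
    alerts = []
    per_actor = defaultdict(list)
    for ts, kind, f in events:
        if kind != "password_reset":
            continue
        t = parse_ts(ts)
        if t.hour not in BUSINESS_HOURS:
            alerts.append(("off_hours_reset", f["actor"], f["target"]))
        per_actor[f["actor"]].append(t)
    for actor, times in per_actor.items():
        times.sort()
        # Sliding window: count resets that fall within RESET_WINDOW of each reset.
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= RESET_WINDOW)
            if n >= RESET_THRESHOLD:
                alerts.append(("reset_burst", actor, n))
                break
    return alerts

def smtp_alerts(events):
    """Flag port 25 connections that do not originate from a known mail server."""
    return [("smtp_from_non_mail_host", f["src"])
            for _, kind, f in events
            if kind == "smtp_connect" and f["src"] not in MAIL_SERVERS]
```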
3. KEEP SECURITY TOP OF MIND
- The Department of Defense provides a decent model for creating a security culture with education tools like emailed “Security Tips”, required online or classroom-based self-paced security courses, and enforcement of a “clean desk” policy. This kind of consistent education keeps users aware even if they only pay attention to half of the material, and it builds accountability: to borrow an old military phrase, users will begin to “police their own” and hold their peers responsible for a secure environment.
4. KEEP YOUR DEVICES SECURE
- It’s absolutely imperative that systems and applications are kept up to date with updates and patches. Take it a bit further and use operating system or domain policies to limit a remote user’s capabilities within a system. This is not popular and can be difficult to manage, but the alternative is much more frightening: once a system leaves the mother ship, the security risk grows exponentially. Once again I will mention user education (notice a theme here?). Hammering home the fact that this shiny new, expertly provisioned laptop is not a “personal device” is key to reducing the security risk.
5. AUDIT WHO HAS ACCESS
- Auditing is one of the most crucial features, if not the most crucial, that should be enabled in every environment. Some of the key logs that should be audited are:
- Access logs – Monitoring successful and failed logons at both the domain AND local level can alert you to authentication-based attacks (look for the use of privileged accounts at odd hours or large numbers of failed logon attempts from the same account), and it also provides critical information for root cause analysis and forensics.
- File Activity – Native operating system audit policies, File Integrity Monitoring applications and content scanners all create audit trails on file servers and endpoints that can be used to detect data theft and suspicious file changes. In many cases these tools may also alert you to zero-day viruses and other malware.
- Network, System and Application logs – These logs can not only identify perimeter attacks, but also identify outbound FTP traffic (which can indicate data theft or malware) and critical error and change information that may alert you to site hacking, malware and denial of service attacks sourcing from INSIDE the network.
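An added example, not from the original post, of the access-log checks described above, run over constructed domain and local logon records: it merges the two sources per account, then flags a burst of failed logons within a short window, a success that follows such a burst, and privileged-account logons outside business hours. The record format, account names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed logon records (not real logs): (timestamp, source, account, outcome).
# "source" is where the record was collected: the domain controller or a local host.
LOGONS = [
    ("2024-03-04 23:01:00", "DC01",  "svc_backup",   "failure"),
    ("2024-03-04 23:01:05", "DC01",  "svc_backup",   "failure"),
    ("2024-03-04 23:01:09", "WS-17", "svc_backup",   "failure"),
    ("2024-03-04 23:01:14", "WS-17", "svc_backup",   "failure"),
    ("2024-03-04 23:01:20", "DC01",  "svc_backup",   "failure"),
    ("2024-03-04 23:01:31", "DC01",  "svc_backup",   "success"),
    ("2024-03-04 09:15:00", "DC01",  "jsmith",       "failure"),
    ("2024-03-04 09:15:30", "DC01",  "jsmith",       "success"),
    ("2024-03-04 03:20:00", "DC01",  "domain_admin", "success"),
]
PRIVILEGED = {"domain_admin", "svc_backup"}   # assumed privileged accounts
FAIL_THRESHOLD = 5                            # failures within WINDOW -> alert
WINDOW = timedelta(minutes=5)
BUSINESS_HOURS = range(7, 19)                 # 07:00-18:59 is a normal time of day

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def logon_alerts(records):
    """Merge domain and local records per account; flag failure bursts,
    a success right after a burst, and privileged logons at odd hours."""
    alerts = []
    by_account = defaultdict(list)
    for ts, src, acct, outcome in records:
        by_account[acct].append((parse_ts(ts), src, outcome))
    for acct, recs in by_account.items():
        recs.sort()
        failures = []      # failure timestamps still inside the sliding window
        burst = False
        for t, src, outcome in recs:
            if outcome == "success" and acct in PRIVILEGED and t.hour not in BUSINESS_HOURS:
                alerts.append(("privileged_off_hours", acct, src))
            if outcome == "failure":
                failures.append(t)
                failures = [f for f in failures if t - f <= WINDOW]
                if len(failures) >= FAIL_THRESHOLD and not burst:
                    burst = True
                    alerts.append(("failed_logon_burst", acct, len(failures)))
            elif burst:
                alerts.append(("success_after_burst", acct, src))
                burst = False
    return alerts
```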
The risk of attacks and breaches only grows with the introduction of Bring Your Own Device (BYOD) mobile devices, so implementing the right tools, policies and procedures now just might create the proper security culture within your business.
Avoid some of the cybersecurity pitfalls. Secure your environment with Log & Event Manager. Get started for free.