Verizon does IT buyers and the security industry a great service with their annual Data Breach Investigation Report. Those of us that are interested in IT security topics eagerly await this report, which is a valuable reference for staying informed on the latest trends in cybersecurity. They usually release this around the time of the RSA Conference, which happened recently in San Francisco.
While they have not released the classic version of the report yet this year, they did release a separate, related report during the conference. It’s called the Verizon Insider Threat Report, and it’s well worth a look for anyone concerned about network and data security.
Usually when we see a data breach in the news, we think of malicious parties external to the organization. The external party may be part of a criminal enterprise, or they may be acting on behalf of a nation state. They could also just be an individual hacker (hoody optional). The attackers may use malware, spam emails or network access security hacks to gain access to sensitive data. Sometimes, despite the best forensics, the root causes of data compromise remain unknown.
Verizon’s take on insider threats to data security
As the title of the new Verizon report states, it focuses on an underappreciated threat vector within the cybersecurity landscape: data breaches that result from the intentional or inadvertent actions of stakeholders within, or closely affiliated with, an organization. The report outlines several personas of individuals that can cause a breach, including the “careless worker,” defined as “employees or partners who misappropriate resources, break acceptable use policies” and so on. This category represents mainly individuals who inadvertently compromise an organization’s data. Other personas, such as the “disgruntled employee,” act intentionally.
The report also outlines a variety of security measures to combat insider threats. We don’t want to give away too much, so we’ll just focus on a couple of key recommendations in the executive summary of the report. Verizon recommends that organizations “control and restrict access to trade secrets, customer data and other proprietary information on a need to know basis.” They also say to “disable access for activities deemed inappropriate, malicious or otherwise posing organizational risk.” Although the report does not call out network access control as a product category that organizations should consider, many of the protections they recommend are embodied in that product category.
Network access security helps to combat insider threats
As we have said before on the Ruckus blog discussing the Eastern Europe bank hack, a layered defense is the cornerstone of a sound IT security strategy. There’s not much controversy about that—it’s a truism in security circles. In the same way that insider threats are an underestimated cause of data compromise, network access security is an underestimated layer of defense.
Everyone knows they need a firewall, anti-malware protection, a spam filter and various other elements of the security taxonomy. Too many organizations leave the security holes inherent to the default methods for network onboarding and authentication (pre-shared keys, MAC authentication) unplugged.
To understand how secure access maps back to defending against insider threats, consider the high-level Verizon recommendations mentioned above. Network access policies are a great way to “control and restrict access … on a need to know basis.” Users should only get the level of access to network resources appropriate for their relationship to the organization. These could be internal users on an IT-owned laptop or a personal tablet or smartphone. Or they could be guest users with a temporary need to connect their devices.
The size of the attack surface when it comes to insider threats varies directly with the number of people who have access to the data you are trying to protect. With policy-based network access, you can make sure the people that have access to sensitive data on your network are those with a need to know. The default mechanisms for network onboarding and authentication don’t let you provide this differentiated level of network access.
As Verizon indicates, you should also be able to cut off access when you become aware of inappropriate activity. We would add that doing that requires being able to associate a user with a device and having a mechanism to revoke access. Here too, default mechanisms for granting network access fall short. For example, with conventional pre-shared keys, users share a common Wi-Fi password. You can’t revoke access for one with revoking access for all.
Ruckus gives you an “easy” button for policy-based network access
You may be wondering where we are going with this. A system for secure onboarding and authentication like our own Cloudpath Enrollment System makes it easy to define and manage role-based policies for network access. It’s your “easy” button for implementing granular network access policies. It’s SaaS/software that also lets you associate every user with a device and gives you the power to cut off network access if you become aware of inappropriate activity. Cloudpath software also gives you access to a variety of other measures that increase security for users, devices, data and the network. It’s an important piece of the IT security puzzle as you define a strategy to address insider and other threats.
If you have read this far, chances are that you are a security-aware IT professional, but you may not be a specialist in IT security. The Verizon Insider Threat Report is a great resource to keep you up to speed about insider threats to data security and we encourage you to access either the executive summary or the long version of the report. This can also be a great resource for educating others in your organization who may influence your organization’s IT security strategy. We don’t want to steal the thunder of the Verizon team, so we won’t reveal other recommendations in the report—some of which map to other Cloudpath capabilities. Another great resource is our recent e-book: Seven Network Access Security Risks—and How They Can Lead to a Data Breach. The subject matter extends beyond the above-mentioned insider threats, and it’s also well worth a read.