Internal threats have long been widespread and resonate with many security managers. Many major data security incidents are triggered by internal factors. However, despite this, enterprises still do not pay enough attention to the issue of internal threats. Most security teams only respond to internal threats after the fact, lacking forward-looking awareness.
According to the Ponemon Institute's 'Global Cost of Insider Threats Report', the total number of internal threat incidents increased by 44% over the past two years. The data shows that 56% of incidents are caused by negligence of internal personnel, at an average cost of 484,931 US dollars (about 3.1 million RMB) per incident; malicious or criminal acts by internal personnel cost more, averaging 648,062 US dollars (about 4.1 million RMB), and they are the hidden hand behind 26% of security incidents. At the same time, theft of privileged-account credentials accounts for nearly 18% of security incidents in the past two years, up from 14% in 2020.
There are many types of internal threats, ranging from employees with weak security awareness, employees with grievances, former employees, and third parties, to users who have advanced access privileges to sensitive data and systems, including system administrators, network engineers, even CISOs, who may pose threats and damage to enterprise data.
Specific manifestations of internal threats
We not only need to know what it is, but also why it is so. What are the specific manifestations of internal threats?
1. Privileged accounts / invisible privileged accounts
People who hold privileged accounts have a say in the life and death of the enterprise information system, and the mission of these accounts is to ensure the normal operation of all business activities of the company. However, if there is an 'accidental click' or a sudden evil thought, these uncontrolled privileged accounts may bring a catastrophic disaster to the company's business. In addition to the privileged accounts specified by the company, there are also invisible privileged accounts. For example, an account with permission to allocate rights can be used to open a privileged sub-account and delete that sub-account after completing the risky operation, leaving no trace and making the activity difficult to detect. In addition, some projects involve a large number of employees or job rotation, and the more permissions they are granted, the closer their accounts come to being privileged accounts. Invisible privileged accounts face the same security threats as declared ones: malicious destruction by the holder, embezzlement, and operation errors.
2. Excessive authorization / abuse of authority
Currently, there are many industries with high personnel turnover, with frequent employee entry and exit and job transfers; in some enterprises, third parties (such as contractors, part-time employees, suppliers, service providers, and customers) also have access privileges to the enterprise system. With the rapid growth and expansion of the number of third parties, the exposure surface of data is getting larger and larger, and the risk is also increasing. Sometimes in order to simplify the user management process and ensure that users can complete their work without triggering security alarms or being prohibited from using necessary assets, it is often the case that unrestricted or excessive user permissions are widely distributed to groups, roles, and individuals. As a result, users have too many permissions, and the security of data may be endangered, and unauthorized changes to data may occur, including adding, modifying, or deleting data; confidential or sensitive data may be viewed, including intellectual property, code, legal data, as well as personal information of employees and customers, even if these data are not necessary for their work; and even sell data for profit.
3. Unauthorized actions
Employees' unauthorized actions refer to the actions taken by employees that exceed the powers and limits of their positions and perform work that does not belong to their authority. Unauthorized actions contain two important characteristics: exceeding the scope of authority and making decisions arbitrarily. In the era of big data, the behavior of employees accessing sensitive data and profiting from it in enterprises often occurs. In 2022, a news about a Huawei employee being sentenced for unauthorized access to confidential data went viral. The employee was accused of accessing confidential data and profiting from it between 2016 and 2018. As a well-known enterprise, Huawei has always attached great importance to the security of data information, but illegal and irregular acts by employees still occur from time to time, involving data leakage, patent infringement, and so on. Clearly, unauthorized actions are one of the important factors of internal threats in enterprises.
4. "Zombie" accounts
With the passage of time, a large number of invalid accounts and authorizations are generated during the operation of business systems, such as test accounts or accounts for temporary project personnel. If these 'zombie accounts' are not cleaned up in time, they may be taken over by hackers or malware, or give people with evil intentions a way to cause damage: deliberately destroying or deleting key materials and important files, tampering with backend passwords, leaking data, and so on.
5. Shared accounts / illegal operations
Typical illegal operations include: lending one's own account to other colleagues for the convenience of work; discussing technical issues on forums or other media and copying or uploading work content for discussion and learning; privately printing and keeping sensitive company documents and taking them out of the company for the convenience of remote work; maliciously exporting data and selling information for profit; and, after an information security incident, not reporting it on the grounds that timely handling prevented significant losses and the impact has been eliminated.
6. API security vulnerabilities
An application programming interface (API) is a set of rules and specifications that governs how two applications interact, usually over the internet. APIs are also known as the "front door" of an application. They enhance the development ecosystem, making it easier to build on existing platforms rather than starting from scratch.
API security is crucial for enterprises because APIs are often used to expose internal systems and data to external developers. There are many reasons for this, such as integrating partners or providing a way for third-party developers to build new functions on existing platforms. However, exposing internal systems and data to external developers also involves risks. For example, if an API is not properly protected, it may allow unauthorized access to sensitive data.
7. Resignation leaks
Employees who intend to resign repeatedly download or export important data, take important company secrets after resignation, may claim the achievements of the projects they are engaged in as their own, and may leak important company information to competitors; or, employees who have resigned but still have access rights log in to the system again, maliciously destroy data or leak data, etc.
How can enterprises prevent internal threats?
The absence of data security incidents does not mean that there are no internal threats. Even if no action is taken yet, at least keep an eye on the problem and prevent it before it happens. How can enterprises prevent internal threats?
No.1 Data management
Step 1. Identify sensitive data: For an enterprise, how much data is there, what kinds of data does it include, how much of it is sensitive, and where is it distributed? By understanding its high-risk sensitive data, the enterprise can establish more effective, targeted defense mechanisms. Therefore, the first step is to identify the sensitive data the enterprise holds and how it is distributed.
Step 2. Data classification and grading: Data at different sensitivity levels has different protection strategies when used internally, and different degrees of sharing and openness to the outside. High-value data requires more stringent protection mechanisms; since the value of data is time-sensitive, the classification and grading list also needs to change constantly. Enterprises need professional data classification and grading products or services to effectively protect their important data assets.
Step 3. Sensitive data exposure surface analysis: How many business systems expose this sensitive data, and to how many departments and how many people is it exposed through those systems? What types of exposure are there? How large is the scale of exposure? Analysis of the data exposure surface shows the level of security risk of the sensitive data.
Step 4. Data security technology management: Sorting out the data in advance gives an understanding of its distribution, sensitivity, and risk level. Different strategies need to be adopted for data at different risk levels, such as monitoring, blocking, alerting, desensitization, and encryption. The data security technology to adopt can be decided according to the classification and grading of the data, combined with the business. Usually, technologies such as encryption and decryption, data desensitization, DCAP, DLP, CASB, IAM, and UEBA are adopted.
No.2 Account management
Temporary accounts:
Establish temporary accounts for third-party personnel such as contractors or interns, which expire on a specific date at the end of the contract or project. This measure ensures that individuals cannot access these accounts after leaving. The validity period of an account can be extended as needed.
"Zombie accounts":
Conduct audits regularly, retrieve inactive accounts and accounts that have already expired, and handle them in a timely manner. Enterprises should ensure that departing employees know that they cannot take the company's property, closely monitor employees who download excessive data, and implement the departure process so that account access is terminated after the employee leaves.
Privileged accounts:
Establish a list of privileged accounts (including hidden privileged accounts) and impose specific restrictions on them, such as limiting the IP addresses and devices from which they can be used, so that the locations and scenarios in which privileged accounts may be used are strictly defined. The fewer privileged employees there are, the easier it is to protect enterprise data. This not only means fewer employees with the opportunity to perform malicious operations, but also fewer accounts that hackers or insiders can compromise or misuse.
Least privilege:
Not only privileged accounts but all accounts in the enterprise should comply with the principle of least privilege from network security standards: each account should have the fewest privileges possible, with privileges elevated only when necessary. The principle of least privilege controls which resources (assets, applications, data, devices, files, networks, systems, and so on) an account can access, and what operations the account can perform on those resources. This also applies to third-party access to data: third parties should have the least privileges needed, and their credentials should be deleted once their work is completed.
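As an added example (not from the original article), the two account checks described above, run over a constructed account inventory and constructed login log lines; the field names, the 90-day inactivity threshold and the log format are assumptions:

```python
import ipaddress
from datetime import date

# Constructed sample account inventory (assumed field names, not from the article).
ACCOUNTS = [
    {"user": "alice", "privileged": True, "last_login": "2024-05-20",
     "expires": None, "allowed_ips": ["10.0.1.0/24"]},
    # Contractor whose temporary account expired at project end but was still used.
    {"user": "contractor1", "privileged": False, "last_login": "2024-05-10",
     "expires": "2024-04-30", "allowed_ips": []},
    # Test account nobody has touched for months: a "zombie" account.
    {"user": "test_svc", "privileged": False, "last_login": "2023-11-01",
     "expires": None, "allowed_ips": []},
]

# Constructed login log lines: "<timestamp> <user> <source ip> <outcome>".
LOG_LINES = [
    "2024-05-20T09:12:00 alice 10.0.1.15 LOGIN_OK",
    "2024-05-20T23:40:00 alice 203.0.113.7 LOGIN_OK",
    "2024-05-10T08:00:00 contractor1 10.0.2.9 LOGIN_OK",
]


def audit_stale_accounts(accounts, today_iso, inactive_days=90):
    """Return {user: reason} for accounts past their expiry date or inactive
    for more than inactive_days (the threshold is an assumption)."""
    today = date.fromisoformat(today_iso)
    findings = {}
    for acct in accounts:
        if acct["expires"] and date.fromisoformat(acct["expires"]) < today:
            findings[acct["user"]] = "expired"
            continue
        idle = (today - date.fromisoformat(acct["last_login"])).days
        if idle > inactive_days:
            findings[acct["user"]] = "inactive"
    return findings


def privileged_logins_outside_allowed_ips(accounts, log_lines):
    """Return (user, ip) for every successful privileged login whose source
    address is outside the account's allow-list. An empty allow-list on a
    privileged account is treated fail-closed: every login is flagged."""
    allowed = {a["user"]: [ipaddress.ip_network(n) for n in a["allowed_ips"]]
               for a in accounts if a["privileged"]}
    hits = []
    for line in log_lines:
        _ts, user, ip, outcome = line.split()
        if user not in allowed or outcome != "LOGIN_OK":
            continue
        if not any(ipaddress.ip_address(ip) in net for net in allowed[user]):
            hits.append((user, ip))
    return hits
```

In the sample data the contractor account is flagged as expired even though it was still logging in after the project end date, which is exactly the case the expiry rule is meant to catch.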
No.3 Behavior control
1. Improve employees' data security awareness: Regularly carry out data security awareness campaigns and training activities, carefully build a corporate security culture, and make employees aware of the importance of data security and the seriousness of violations.
2. Access behavior control: Prohibit employees from sharing accounts or, as far as possible, limit the use of shared accounts; adopt technologies such as zero-trust network access and behavior analysis to detect abnormal activity, monitoring and alerting in real time on abnormal behavior during account login, data access, data download, data export, and screen capture or copying. Anomaly detection is the only way to identify users' abnormal activities; pair it with real-time monitoring and alert response, and prioritize the most critical threats.
3. Security auditing: Recording, analyzing, and reporting on user access behavior helps enterprises generate compliance reports and trace the root cause of incidents after the fact. At the same time, big data search technology provides efficient querying of audit reports, locates the cause of events, and makes future querying, analysis, and filtering easier, strengthening internal network behavior monitoring and auditing and improving data asset security.