Commit this fact to memory: People are your weakest link
Pistanthrophobia: the fear of trusting people due to past experiences.
Please stop for a moment and make a list of all the people you work with that you do not like or do not trust to do their jobs. That list typically has just a few – if any – names on it. Most people will move on from a job where you do not trust the people you work with.
Most of us like the people we work with, which is a major reason why it is so hard to accept that you cannot trust anyone in your organization when it comes to security, whether physical, logical or technical. An employee may be the absolute best at their respective job, but can easily fall prey to phishing e-mails or malware attacks. People are good at their jobs, not at information security.
If you assume an outside threat has obtained a valid set of credentials allowing access to your system(s), how many layers in your ‘defense in layers’ approach have been bypassed? I’ll bet the answer shocks you. We build ‘defense in layers’ protection to keep out threats coming from the outside, not to stop a threat that already holds a valid set of credentials to your system(s).
A few pitfalls when an outside threat holds a valid set of credentials to your network
- Direct access to the local machine. Most phishing attacks operate by gathering credentials and attempting to install malware on the local machine a user is logged on to.
- Remote access. An outside threat will be able to find your remote access system. With a valid set of credentials they can make several attempts to log in to that system remotely and, if successful, attack your internal systems to gather information and plan further attacks on your system(s).
- Mapping your entire network. The outside threat will use those credentials to try to map your network, to see where they can install malware and then mount data gathering programs and/or launch attacks.
Layers to add in a ‘defense in layers’ approach to mitigate risks from compromised credentials
Please note that the following list is not comprehensive and may not be relevant to every network. It is important to remember that your network security requirements will determine what layers are right for your needs.
- Multi-factor authentication. This requires a user to present a second type of authentication, not just a password, to access your system(s).
- No administration rights on end user systems. This is a big obstacle that helps prevent malware from being installed, and installed malware is the outside threat’s biggest tool.
- Highest protection levels on anti-virus/malware protection. Run the tools at their highest ‘threat level’ awareness setting to help find any malware that makes its way into the network.
- External remote access multi-factor authentication. Some remote access systems use two separate authentication systems for internal and remote access. Multi-factor authentication should be included in all of them.
- Password change policies. Over time, forcing consistent password changes will render a set of compromised credentials useless.
- Separation of duties. Having key, sensitive duties split between two or more employees will ensure that compromised credentials do not contain a single ‘key’ to everything.
- Awareness training. The best defense is to train, train and train again! This helps employees understand and become more aware of phishing and other threat attacks.
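The layers above reduce the odds that a stolen credential works, but a compromised credential that does work looks, by definition, like a valid login. Catching it therefore comes down to watching how the credential is used. The script below is an added example, not code from the original post: it runs two simple detections over constructed remote-access authentication log lines (the log format, the account names, the addresses and the baseline of known source addresses are all assumptions made here). It flags a successful login that follows a burst of failures for the same account within a short window (a password-guessing attempt that worked), and a successful login from a source address that account has never used before (a valid password from an unfamiliar origin).

```python
"""Flag remote-access logins that look like use of a compromised credential.

Two detections run over authentication log lines:
  1. success_after_failures: a SUCCESS for a user within WINDOW of at least
     FAIL_THRESHOLD FAILs for the same user.
  2. new_source: a SUCCESS from a source address not in that user's baseline.
The log format, thresholds and baseline are assumptions of this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Hypothetical log line layout: "<ISO time>Z remote-access user=<u> src=<ip> result=<SUCCESS|FAIL>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) remote-access user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>SUCCESS|FAIL)$"
)

FAIL_THRESHOLD = 3              # failures before a following success is suspicious
WINDOW = timedelta(minutes=10)  # how long a failure stays "recent"

# Constructed baseline: the source addresses each account normally logs in from.
KNOWN_SOURCES = {
    "rlee": {"192.0.2.55"},
    "jsmith": {"192.0.2.10"},
    "ahuang": {"198.51.100.22"},
}

# Constructed sample log (not captured from any real system).
SAMPLE_LOG = """\
2024-03-04T07:00:01Z remote-access user=rlee src=192.0.2.55 result=FAIL
2024-03-04T07:00:09Z remote-access user=rlee src=192.0.2.55 result=FAIL
2024-03-04T07:00:15Z remote-access user=rlee src=192.0.2.55 result=FAIL
2024-03-04T07:30:00Z remote-access user=rlee src=192.0.2.55 result=SUCCESS
2024-03-04T08:02:11Z remote-access user=jsmith src=203.0.113.7 result=FAIL
2024-03-04T08:02:19Z remote-access user=jsmith src=203.0.113.7 result=FAIL
2024-03-04T08:02:27Z remote-access user=jsmith src=203.0.113.7 result=FAIL
2024-03-04T08:02:40Z remote-access user=jsmith src=203.0.113.7 result=SUCCESS
2024-03-04T09:15:02Z remote-access user=ahuang src=198.51.100.22 result=SUCCESS
this line is malformed and must be skipped
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "src": m["src"], "result": m["result"]}


def analyze(log_text, known_sources=KNOWN_SOURCES,
            fail_threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return a list of (rule, user, src, iso_timestamp) alerts."""
    recent_fails = defaultdict(deque)  # user -> timestamps of failures inside the window
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue  # unparseable line: skip rather than crash the whole run
        user, ts, src = ev["user"], ev["ts"], ev["src"]
        q = recent_fails[user]
        while q and ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ts)
            continue
        # From here on the event is a SUCCESS.
        if len(q) >= fail_threshold:
            alerts.append(("success_after_failures", user, src, ts.isoformat()))
            q.clear()  # one alert per burst
        if src not in known_sources.get(user, set()):
            alerts.append(("new_source", user, src, ts.isoformat()))
    return alerts


def alerted_rules(log_text, user):
    """Sorted list of distinct rule names that fired for one user."""
    return sorted({a[0] for a in analyze(log_text) if a[1] == user})


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert)
```

In the sample, jsmith trips both rules, rlee trips neither because the three failures are half an hour older than the success and fall outside the window, and ahuang logs in from a known address. The baseline of known sources is the part that needs real data in practice; building it from a few weeks of successful logins per account is a reasonable starting point, and any alert here is a trigger for the risk-assessment mitigation steps, not proof of compromise on its own.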
Being able to separate out “trust” for co-workers to do their jobs, and “trusting no one” in security planning, engineering and operations is one of the hardest things to do. How can you like someone personally and not trust them in security matters?
If a security team is comfortable, they can even create their own phishing attack and look at the results (https://insight.duo.com/ is a free tool). Apply the lessons learned to your organization. Your risk assessment process should identify all compromised-user scenarios and the mitigation steps for each.