Preventing insider activity

The following practical recommendations offer companies insight into different methods used to prevent data theft and mitigate data leakage risks:

1. Conduct regular audits of IT security risks

It is very difficult for companies to find the right balance between trusting employees and safeguarding against them. A company must secure itself against internal attacks just as effectively as it does against external intrusions by following the principles of data risk management:

  • conduct an assessment of the overall infrastructure and identify all critical data assets;
  • identify potential threats and vulnerabilities, i.e., create a threat model for the company;
  • calculate the potential financial losses that could be caused by a data leak;
  • formulate a management strategy and rapid response plan.

It’s impossible to avoid risks completely, but risks can be minimized by finding a happy medium between secure company operations and business efficiency.

2. Teach your employees data security basics

Companies should foster a culture of teaching employees the basics of data security. Employees need to understand what the security policies and procedures are, why they exist, and what security measures are used on the network. Informed employees are the first line of defense against insider threats, because they recognize and report unusual requests for data instead of quietly complying with them.

3. Delegate job responsibilities and data access rights

Split responsibility for vital functions among several employees (separation of duties): no single person should be able to extract valuable information and cover up the theft alone, so an attack requires collusion, which is harder to arrange and easier to detect. Grant privileges on company information according to the principle of least privilege, so that employees work only with the documents they need to perform their duties, and review those rights regularly, since access tends to accumulate as people change roles. As many procedures as possible should be automated.
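As an added example (not code from the original article), the check below expresses the two ideas in this recommendation over a role assignment: a separation-of-duties rule that forbids one person from holding both halves of a sensitive transaction, a count of how many employees would have to collude to assemble a given set of permissions, and a least-privilege review that lists rights a user holds but never used. The roles, permissions, users and access log are hypothetical and constructed for the demonstration.

```python
"""Separation-of-duties and least-privilege review over a role assignment.
Added example, not from the original article; all roles, permissions, users
and conflict rules below are hypothetical."""
from itertools import combinations

# Hypothetical role -> permission mapping (constructed).
ROLE_PERMISSIONS = {
    "accountant": {"invoice.create", "ledger.read"},
    "approver":   {"invoice.approve", "ledger.read"},
    "db_admin":   {"db.schema.alter", "db.backup"},
    "db_auditor": {"db.auditlog.read"},
    "hr_clerk":   {"employee.read"},
}

# Pairs of permissions that must never sit with one person: holding both lets a
# single employee complete a sensitive action and hide it without any collusion.
SOD_CONFLICTS = [
    ("invoice.create", "invoice.approve"),    # create and approve one's own invoices
    ("db.schema.alter", "db.auditlog.read"),  # tamper with data and read/cover the trail
]

# Constructed sample roster and a constructed access log of exercised permissions.
SAMPLE_USER_ROLES = {
    "alice": ["accountant"],
    "bob":   ["approver"],
    "carol": ["accountant", "approver"],   # violates the first SoD rule
    "dave":  ["db_admin", "db_auditor"],   # violates the second SoD rule
}
SAMPLE_ACCESS_LOG = [
    ("alice", "invoice.create"), ("alice", "ledger.read"),
    ("bob", "invoice.approve"), ("carol", "invoice.create"),
    ("dave", "db.backup"),
]


def effective_permissions(roles, role_perms=ROLE_PERMISSIONS):
    """Union of the permissions granted by a user's roles."""
    perms = set()
    for role in roles:
        perms |= role_perms.get(role, set())
    return perms


def sod_violations(user_roles, role_perms=ROLE_PERMISSIONS, conflicts=SOD_CONFLICTS):
    """Return {user: [(perm_a, perm_b), ...]} for users holding a conflicting pair."""
    out = {}
    for user, roles in user_roles.items():
        perms = effective_permissions(roles, role_perms)
        hits = [(a, b) for a, b in conflicts if a in perms and b in perms]
        if hits:
            out[user] = hits
    return out


def min_colluders(target, user_roles, role_perms=ROLE_PERMISSIONS):
    """Smallest number of users whose combined permissions cover `target`, or
    None if no group can. Brute force, which is fine for a review-sized roster."""
    users = list(user_roles)
    for k in range(1, len(users) + 1):
        for group in combinations(users, k):
            covered = set().union(*(effective_permissions(user_roles[u], role_perms) for u in group))
            if target <= covered:
                return k
    return None


def unused_permissions(user_roles, access_log, role_perms=ROLE_PERMISSIONS):
    """Least-privilege review: permissions each user holds but never exercised."""
    used = {}
    for user, perm in access_log:
        used.setdefault(user, set()).add(perm)
    return {u: sorted(effective_permissions(r, role_perms) - used.get(u, set()))
            for u, r in user_roles.items()}


if __name__ == "__main__":
    print("SoD violations:", sod_violations(SAMPLE_USER_ROLES))
    print("colluders needed to create+approve an invoice:",
          min_colluders({"invoice.create", "invoice.approve"}, SAMPLE_USER_ROLES))
    print("unused rights:", unused_permissions(SAMPLE_USER_ROLES, SAMPLE_ACCESS_LOG))
```

Removing the two offending assignments raises the number of people needed to create and approve an invoice from one to two, which is the point of distributing responsibilities: the theft now needs an accomplice.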

4. Introduce strict policies to manage accounts and passwords

It won’t matter that company employees are loyal and conscientious if account credentials on the network are compromised: a malicious insider who obtains a colleague’s password can steal data under that colleague’s identity, leaving a trail that points to the wrong person. Enforce unique accounts (no shared logins), strong passwords, and prompt rotation of any credential suspected of exposure.

5. Tighten security for network authentication and authorization

Users who work with important data should be authenticated and authorized each time they access a data asset, not only at the network perimeter. This can combine simple, long-established methods (passwords, access control lists) with stronger ones such as multi-factor authentication and authorization checks applied at the data store itself, which also produce the per-user audit trail needed to spot insider activity.

6. Promptly deactivate the accounts of departed users

Established departure procedures (blocking access to information resources, revoking credentials and tokens, collecting company devices) should be followed carefully and without delay when an employee leaves the company. This prevents former employees from copying data from a hard drive, copying documents, or obtaining remote access to the company’s mail server. The procedure should also be verified afterwards, for example by reconciling the HR list of leavers against the accounts that are still enabled.
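The verification step can be automated. The following is an added example (not the article’s own tooling) that reconciles a constructed HR roster against a constructed export of directory accounts and reports three failure modes a practitioner cares about: accounts still enabled after the leave date, accounts that were logged into after the leave date (even if they were disabled later), and accounts with no HR record at all. The roster, account list, service-account allowlist and dates are all hypothetical.

```python
"""Offboarding reconciliation: HR leavers vs. directory accounts.
Added example, not from the original article; all data below is constructed."""
from datetime import date, timedelta

# Constructed HR roster: username -> leave date, or None if still employed.
SAMPLE_HR_ROSTER = {
    "alice": None,
    "bob":   date(2024, 1, 31),
    "carol": date(2024, 2, 15),
    "dave":  date(2023, 12, 1),
}

# Constructed directory export (e.g. from LDAP/AD): enabled flag and last login.
SAMPLE_ACCOUNTS = [
    {"username": "alice",      "enabled": True,  "last_login": date(2024, 2, 20)},
    {"username": "bob",        "enabled": True,  "last_login": date(2024, 1, 30)},  # never disabled
    {"username": "carol",      "enabled": False, "last_login": date(2024, 2, 18)},  # disabled too late
    {"username": "dave",       "enabled": False, "last_login": date(2023, 11, 28)}, # clean
    {"username": "svc-backup", "enabled": True,  "last_login": date(2024, 2, 21)},  # service account
    {"username": "ghost",      "enabled": True,  "last_login": None},               # nobody owns it
]

# Non-human accounts that legitimately have no HR record (hypothetical allowlist).
SAMPLE_SERVICE_ACCOUNTS = {"svc-backup"}


def offboarding_findings(accounts, hr_roster, service_accounts, today, grace_days=0):
    """Return a list of (username, finding) pairs for accounts that contradict
    the HR roster. `grace_days` allows a short window for the deactivation to
    be processed before an enabled account is reported."""
    findings = []
    for acct in accounts:
        name = acct["username"]
        if name in service_accounts:
            continue
        if name not in hr_roster:
            # Orphan: no owner in HR, so nobody will ever trigger its deactivation.
            findings.append((name, "no HR record"))
            continue
        left = hr_roster[name]
        if left is None:
            continue  # current employee
        if acct["enabled"] and today > left + timedelta(days=grace_days):
            findings.append((name, "still enabled after leave date"))
        last = acct["last_login"]
        if last is not None and last > left:
            # Even if the account is disabled now, someone used it after departure.
            findings.append((name, "login after leave date"))
    return findings


if __name__ == "__main__":
    for name, finding in offboarding_findings(
            SAMPLE_ACCOUNTS, SAMPLE_HR_ROSTER, SAMPLE_SERVICE_ACCOUNTS, date(2024, 2, 21)):
        print(f"{name}: {finding}")
```

Run it daily against a fresh directory export; the "login after leave date" finding is the one that turns a process failure into an incident to investigate.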

7. Monitor and collect employee activity logs in real time

Trusting your employees doesn’t mean that you shouldn’t monitor suspicious or dangerous activity at user workstations. For example, if network traffic or the number of requests to the corporate database has increased considerably, or even if the consumption of toner and paper has risen, these are signs that ought to be acknowledged and analyzed: they may indicate an attack, or preparations for one, involving confidential data. Collect the logs centrally as they are produced, so that a baseline of normal behaviour exists to compare against.

8. Carefully monitor sys-admins and privileged users

Companies typically monitor employees using tools such as remote workstation monitoring, URL filtering and traffic counters. However, even someone in a position of authority could be working with outside criminals and steal confidential data at their request. Effective protection against malicious insiders should therefore be managed at a level above that of system administrators and other privileged users: their actions should be logged to a store they cannot alter, sensitive operations should require a second person’s approval, and the people who review the logs should not be the people being monitored.

Consider the following recommendations in addition to the simple and practical advice offered above:

  1. Actively protect your data assets against malicious code with good antivirus products that use both reactive (signature-based) methods and proactive technologies.
  2. Protect yourself against remote attacks and hacking, preferably with a multilayer solution that covers user applications and network packets at the very least.
  3. Get into the habit of making backup copies and practising data restoration procedures, so that if your data is ever compromised or destroyed you can restore the original. A backup that has never been restored is untested.

It’s especially important to use the latest in data protection technologies:

  1. Use content filtration for all outgoing network traffic: email, instant messages, browser-based email, forum postings, blogs, and other Internet activity should be checked for data leaks.
  2. Set up policies that regulate actions with external, removable, and mobile devices that can be used to copy and carry confidential documents (FDD, CD/DVD RW, card readers and USB flash drives), whichever bus they connect through (USB ports or PCMCIA slots). Policies should also cover wireless interfaces (IrDA, Bluetooth and WiFi).
  3. Check the documents being sent to the printer to prevent the theft of hard copies.
  4. Scan database requests in order to pinpoint dangerous requests aimed at retrieving confidential data.
  5. Encrypt critical information on block devices and laptops.
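The two monitoring recommendations above, watching for a surge in database requests (item 7 of the practical advice) and scanning database requests for dangerous ones (item 4 of this list), can share one piece of detection logic. The block below is an added example, not code from the original article: it parses a constructed audit-log format, flags individual queries that read or export a sensitive table in bulk, and compares each user’s hourly query count against a per-user baseline. The log format, table names, thresholds and baseline figures are all hypothetical; the sample log is constructed so that one user dumps two sensitive tables late in the evening while also exceeding his normal query rate.

```python
"""Database audit-log detection: per-query risk flags and per-user volume spikes.
Added example, not from the original article; the log format, table names,
thresholds, baseline and sample log are all constructed."""
import re
from collections import Counter
from datetime import datetime

# Constructed audit-log format: one query per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) db=(?P<db>\S+) rows=(?P<rows>\d+) sql=(?P<sql>.*)$")
SENSITIVE_TABLES = {"customers", "salaries", "credit_cards"}   # hypothetical
BULK_ROW_THRESHOLD = 1000                                       # hypothetical

# Constructed sample: alice does normal lookups; bob dumps two sensitive tables
# late in the evening and fires many more queries than his usual hourly rate.
SAMPLE_LOG = """\
2024-02-21T09:15:02Z user=alice db=crm rows=1 sql=SELECT name FROM customers WHERE id=42
2024-02-21T09:16:10Z user=alice db=crm rows=1 sql=SELECT name FROM customers WHERE id=43
2024-02-21T09:20:44Z user=bob db=hr rows=1 sql=SELECT dept FROM employees WHERE id=7
2024-02-21T22:03:09Z user=bob db=hr rows=4812 sql=SELECT * FROM salaries
2024-02-21T22:04:30Z user=bob db=crm rows=25000 sql=SELECT * FROM customers INTO OUTFILE '/tmp/c.csv'
""" + "".join(
    f"2024-02-21T22:{5 + i:02d}:00Z user=bob db=hr rows=1 sql=SELECT name FROM employees WHERE id={i}\n"
    for i in range(5))

# Typical queries per hour per user, e.g. the median over the last 30 days (constructed).
SAMPLE_BASELINE = {"alice": 3, "bob": 2}


def parse_line(line):
    """Parse one audit line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["rows"] = int(rec["rows"])
    return rec


def tables_in(sql):
    """Crude table extraction: identifiers following FROM/JOIN/INTO/UPDATE."""
    return {t.lower() for t in
            re.findall(r"\b(?:from|join|into|update)\s+`?([A-Za-z_][A-Za-z0-9_]*)", sql, re.I)}


def query_flags(rec):
    """Risk flags for a single query record (empty list means nothing notable)."""
    flags = []
    sql = rec["sql"]
    if tables_in(sql) & SENSITIVE_TABLES:
        if re.match(r"\s*select\b", sql, re.I) and not re.search(r"\bwhere\b", sql, re.I):
            flags.append("full-table read of sensitive table")
        if re.search(r"\binto\s+(outfile|dumpfile)\b", sql, re.I):
            flags.append("export of sensitive table to file")
    if rec["rows"] >= BULK_ROW_THRESHOLD:
        flags.append(f"bulk result ({rec['rows']} rows)")
    return flags


def volume_spikes(records, baseline_per_hour, factor=3):
    """(user, hour, observed, baseline) for every hour a user exceeded factor x baseline."""
    counts = Counter((r["user"], r["ts"].replace(minute=0, second=0)) for r in records)
    spikes = []
    for (user, hour), n in sorted(counts.items()):
        base = baseline_per_hour.get(user, 1)   # unknown users get a conservative baseline
        if n > factor * base:
            spikes.append((user, hour.isoformat(), n, base))
    return spikes


def analyze(log_text, baseline_per_hour, factor=3):
    """Run both detections over a log text; the same functions work on a live stream."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    alerts = [{"ts": r["ts"].isoformat(), "user": r["user"], "sql": r["sql"], "flags": f}
              for r in records for f in [query_flags(r)] if f]
    return {"query_alerts": alerts,
            "volume_spikes": volume_spikes(records, baseline_per_hour, factor)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG, SAMPLE_BASELINE)
    for a in result["query_alerts"]:
        print(a["ts"], a["user"], a["flags"], a["sql"])
    for user, hour, n, base in result["volume_spikes"]:
        print(f"spike: {user} ran {n} queries in hour {hour} (baseline {base})")
```

The per-query flags catch a single damaging statement; the volume comparison catches the slower pattern of someone reading a sensitive dataset one row at a time. Both need the audit log to carry the real user identity, which is why the authentication and authorization recommendation above matters for monitoring as well.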
