A lot depends on whether or not you've been compromised. And therein lies the problem. Cyber threats are often ignored until they cause some damage, at which point management looks for people to blame and gives all kinds of attention to fixing the problem – until the next crisis in accounting or warehousing or staffing comes along. This after-the-fact strategy is not a strategy at all – it points to a lack of one, and what's lacking is the ability to articulate to decision-makers the implications of insider threats. It only takes one employee clicking on dancing bears to transform an outside threat into an inside threat. It's not a matter of if, but when.
Compliance isn't the answer – fully compliant systems are hacked regularly. The solution isn't in doubling your security staff – chances are you don't have that kind of money. The answer is to develop resilience to threats – what we used to call "defense in depth."
Instead of putting random controls in place and hoping that they cover the weaknesses, a much more effective approach is to use a security framework. The framework that has gained the most traction recently is the Critical Security Controls (CSC). Twenty tested and proven control sets that represent the consolidated wisdom of over 100 contributors, the CSC address all phases of an adversary's actions to attack a network. For example, reducing the number of users with administrative privileges directly reflects requirements in CSC 3 (Secure Configuration), CSC 12 (Controlled Privileges), and CSC 15 (Controlled Access).
It's just bad business practice to give end users all kinds of privileges all the time just so that they can install a program once in a while. A key attacker strategy is to compromise a privileged account. Reduce your attack surface by limiting privileges associated with end users. Yes, you will have some administrative overhead in responding to a user request to install or upgrade an app, but you must understand that overhead is WORTH every penny.
Got kids? How about let them ride without seatbelts except just before you know you're going to be in an accident. Sounds pretty stupid, right? Well, if you let your users operate with privileges, you're doing the same thing. Buckle up, be safe, and implement least privilege. You'll do better, you'll sleep better, and you'll stay out of the newspapers.
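One way to put a number on "how many users hold administrative privileges" (the CSC 12 question above) is to audit local Administrators group membership across workstations against an approved list. This is an added example, not code from the webinar or from National Security Corporation; it assumes a constructed "host,member" export and a constructed allowlist, so substitute your own inventory export and approved accounts.

```python
"""Audit local Administrators group membership against an approved list.

Constructed example: the input mimics a per-host export of the local
Administrators group, one "host,member" line per row. The allowlist of
accounts that are supposed to hold admin rights is also constructed.
"""
from collections import defaultdict

# Constructed sample export (hypothetical hosts and accounts).
SAMPLE_EXPORT = """\
WS-101,CORP\\Domain Admins
WS-101,CORP\\jsmith
WS-102,CORP\\Domain Admins
WS-102,WS-102\\Administrator
WS-102,CORP\\mgarcia
WS-103,CORP\\Domain Admins
WS-103,CORP\\jsmith
WS-103,CORP\\helpdesk-ops
"""

# Accounts allowed to hold local admin rights on every host (constructed).
APPROVED_ADMINS = {"CORP\\Domain Admins", "CORP\\helpdesk-ops"}


def parse_export(text):
    """Return {host: set(members)} from 'host,member' lines; skip blank/bad rows."""
    members = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or "," not in line:
            continue
        host, member = line.split(",", 1)
        members[host.strip()].add(member.strip())
    return dict(members)


def find_excess_admins(members, approved):
    """Return {host: sorted admin members not approved}.

    The host's own built-in Administrator account is expected and ignored;
    anything else not on the allowlist is an end user with excess privilege.
    """
    excess = {}
    for host, accounts in members.items():
        builtin = host + "\\Administrator"
        unexpected = {a for a in accounts if a not in approved and a != builtin}
        if unexpected:
            excess[host] = sorted(unexpected)
    return excess


def admin_count_per_host(members):
    """Raw size of each host's Administrators group: the metric to drive down."""
    return {host: len(accts) for host, accts in members.items()}


if __name__ == "__main__":
    parsed = parse_export(SAMPLE_EXPORT)
    for host, extra in find_excess_admins(parsed, APPROVED_ADMINS).items():
        print(f"{host}: unapproved local admins {extra}")
```

Run it periodically and track the count per host over time; a flat or rising number means the least-privilege policy is not actually being enforced.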
Spend an hour with one of America's top security experts, G. Mark Hardy, who will give you the insight you need to understand and communicate the insider threat to management. G. Mark is known for his entertaining and informative style, and has been presenting at security events and conferences since (He probably knows a thing or two by now.) And, if you hold a security certification like CISSP, you will receive one continuing professional education (CPE) credit for listening in.
Watch On-Demand Don't wait. Your enemies aren't.
G. Mark Hardy, CISSP, CISA President, National Security Corporation
G. Mark Hardy has been providing information security expertise to government, military, and commercial clients for over 25 years. A long-standing industry veteran, he is a perennial speaker at major industry trade shows. As president of National Security Corporation, he directs the efforts of the information security consulting firm he founded in 1988.