Who do you trust most on your network, corporate or home? Where is the biggest threat to your network: outside or inside? Are the people you are ignoring really safe to ignore? These are simple questions with obvious answers, right? External threats from the Internet are the biggest and most dangerous threats to my network. From a network point of view you are probably right about attacks, but what about the people already on the network?
If you ask those same questions but focus them on your data, will you answer the same way? When it comes to your data, which is what intruders are actually after, is activity from external users on the Internet really the biggest threat? You might still say yes. Most companies spend millions of dollars on perimeter network devices, threat detection and fraud analysis of user activity, and most of them ignore the biggest, most damaging threat to the company: their employees and anyone else holding internal access.
Look through the news about security breaches and see how many you can find where a company was compromised by a random external source and its data stolen. Then search for breaches where an employee left a laptop full of SSNs in a car and it was stolen, or left it on a bus, or a former employee walked out with the entire database on a USB drive. I guarantee you will have to hunt for the external breaches, while every day you will find an endless list of employee carelessness and negligence exposing critical data.
In your company, is there a running joke that no one cares about employee convenience, and do you have more than 10 separate user IDs and passwords? How many of those are written down? To me the joke is not that the employees are ignored; it is that the company doesn't really care about true security, or else it really does trust everyone it hires. Why spend millions on the area where your risk is much lower than it is from the people entrusted with all your data?
I have a task for you. Go, right now, across all the systems one employee has access to and get a report on what they did and where they went today. You have 15 minutes.
I don't know your environment, but I bet you can't do it. If you can, bravo. For your application users and customers you probably could, but you can't tell in a timely manner who internally accessed the database where all your customer data sits, whether it was one individual or a shared account, or what they did while they were in there. Internal focus is so neglected today that most companies are exposed at levels they can't imagine, or choose to ignore. The catch is that it doesn't take a public failure. A disgruntled employee, or worse a consultant, with the right unregulated access takes a full dump before leaving and covers their tracks. You may never know about it, because they sold that database full of identifying information. No one is the wiser, and your customers are dealing with identity theft.
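As an added example (not part of the original post), here is a small Python script that does the 15-minute exercise over a constructed set of audit events that have already been centralized from three systems (VPN, database audit log, file share), and then runs the two checks the paragraph asks for: was an account used by more than one person, and did someone take a full dump. The event schema, system names, accounts, IP addresses and thresholds are all assumptions made up for illustration; real events would come from your SIEM or log store in whatever shape it uses, and the checks would need to be mapped onto its field names.

```python
"""Per-identity activity report across systems, plus two insider-risk checks.

The events below are constructed sample data, not real logs. The field
names (time, system, account, src, action, rows) are an assumption chosen
for this example; a real log store will have its own schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EVENTS = [
    {"time": "2024-03-10T08:02:11", "system": "vpn", "account": "jdoe",
     "src": "10.8.0.14", "action": "login"},
    {"time": "2024-03-10T08:05:40", "system": "db", "account": "jdoe",
     "src": "10.8.0.14", "action": "SELECT customers", "rows": 42},
    {"time": "2024-03-10T08:30:02", "system": "files", "account": "jdoe",
     "src": "10.8.0.14", "action": "read //fs1/finance/q1.xlsx"},
    # A shared reporting credential used from two hosts a minute apart,
    # one of them pulling the whole customers table.
    {"time": "2024-03-10T09:12:55", "system": "db", "account": "svc_report",
     "src": "10.20.1.5", "action": "SELECT customers", "rows": 1250000},
    {"time": "2024-03-10T09:14:03", "system": "db", "account": "svc_report",
     "src": "10.8.0.77", "action": "SELECT customers", "rows": 300},
    {"time": "2024-03-10T17:45:00", "system": "vpn", "account": "jdoe",
     "src": "10.8.0.14", "action": "logout"},
]


def parse_time(stamp):
    """Timestamps are ISO-8601 without zone in this constructed data."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")


def activity_report(events, account):
    """The 15-minute task: everything one account did, across every
    system, in time order. Returns (time, system, source host, action)."""
    mine = [e for e in events if e["account"] == account]
    mine.sort(key=lambda e: parse_time(e["time"]))
    return [(e["time"], e["system"], e["src"], e["action"]) for e in mine]


def shared_account_use(events, window=timedelta(minutes=10)):
    """Flag accounts seen from two different source hosts within `window`.

    One person rarely switches machines inside ten minutes; a credential
    that several people (or a script and a person) share does. Returns a
    mapping of account -> sorted list of source hosts involved."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)
    flagged = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: parse_time(e["time"]))
        for a, b in zip(evs, evs[1:]):          # consecutive events only
            close = parse_time(b["time"]) - parse_time(a["time"]) <= window
            if a["src"] != b["src"] and close:
                flagged.setdefault(account, set()).update({a["src"], b["src"]})
    return {acct: sorted(hosts) for acct, hosts in flagged.items()}


def bulk_reads(events, threshold=100_000):
    """Database reads that returned more rows than any routine query should.
    `threshold` is an assumed cut-off; tune it to the table in question.
    Returns (account, source host, rows) for each offending read."""
    return [(e["account"], e["src"], e["rows"])
            for e in events
            if e["system"] == "db" and e.get("rows", 0) > threshold]


if __name__ == "__main__":
    print("Activity for jdoe today:")
    for row in activity_report(EVENTS, "jdoe"):
        print("  ", *row)
    print("Accounts used from multiple hosts:", shared_account_use(EVENTS))
    print("Bulk reads:", bulk_reads(EVENTS))
```

The two detections are deliberately simple; the point is that neither is possible unless every system's audit trail lands in one place, keyed by the same identity, within the day. That is the groundwork the rest of this post is arguing for, and it is what turns "a consultant dumped the customer table before leaving" from something you discover months later into something that shows up in the morning report.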
Identity and Access Management for internal employees really needs to be adopted much faster than it is. Especially in IT, employee tenure at a company averages 2 to 5 years. People are moving around all the time, which means knowledge of your company's processes and flaws is moving around all the time. Don't think your cozy firewalls will protect your customers' data; from the outside world, probably, but you are naive to trust everyone in charge of keeping the lights on. Some offices can't keep power supplies, projectors and monitors on their desks, yet the data that earns the company its profit is just as easy to lift. Except that digital data can be lifted over and over again.
The more you distrust those around you, the sooner you start to build proper processes and governance around your internal identities. Not everyone gets a skeleton key to every office in the building, yet digitally those same people have access to far more critical areas.
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming, system administration and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.