Pratum Blog

The age-old battle of insider threat vs. external threat rages on among information security professionals. The ongoing musings about information security in the Wikileaks and Richard Snowden cases continue to be debated in various forums. Where do you stand? Are you more worried about information security threats from internal or external sources?

There are arguments for each side

First, look at the facts. The Verizon Data Breach Investigation Report indicates that organizations are much more likely to experience a breach from an external source. Target, for example, wrote off $148 million related to its breach. Some of you will say, "Hah... case closed, told you so." You may not be wrong in saying that. But the same report also shows that the cost of an internal breach is higher than that of the average external breach. This is where the other side says, "Take that... I knew we were right." So who is really correct? I say both and neither. The 2015 DBIR shows a single correlation for information security breach costs: the total number of records lost is the key driver of your costs, and therefore a large part of your risk equation. Your organization must determine whether there is a greater risk of record loss from internal or external sources. There is no right or wrong answer.

Approaching risk from different perspectives

I say it really depends on perspective. You could simply look at the situation from the narrow threat perspective. If you are a small family-run company, external information security threats are probably a bigger concern than they would be for a mid-sized company that treats its employees like garbage and has a very disgruntled workforce. Which of the two is more likely to face an internal attack, and which an external one?

If, however, you take a broader approach and think of risk in terms of threats that act on vulnerabilities against an asset, you may look at things differently. What vulnerabilities exist? What administrative, physical or technical controls have you put in place to defend against threats? As you work through your risk management, you should realize that information security is about balance and compromise.

A balanced approach to addressing threats

If we place too much emphasis on one threat or vulnerability we risk exposing our organizations in other areas. We must take a balanced approach to addressing threats whether they are internal or external. To some degree, we also need to ignore what others may see as a threat to their organization's information security. In the real world, no two situations are alike. No two companies are alike. No two threats are alike. The best thing you can do is to understand the full picture of the overall risks your company faces and deal with them in a way that works for you.

Information Security

Today I’m going to give you 5 simple steps to implement information security. For anyone who played sports in high school or college, you remember the first week of practice each season, right? Basic drills. Your coach harped and harped about how the basics were important. We could learn tricky offensive or defensive plays but if we didn’t have the basics down, we were going to lose. The same is true for information security so I’m going to remind you of a few basics.

  1. Train Your Employees – No employee wants to be the source of a security breach. If you spend just 1 hour per year on security awareness for your employees you will begin to see improvement year over year. Annually, that’s just .0005% of their time. That’s $22.50 for each employee that makes $45,000 per year. Where else can you get a better return on your investment?

  2. Actively Manage Anti-Malware – Most anti-malware systems are on autopilot. Unless an alert pops up that malware was detected, it’s ignored. This is a huge mistake. Someone should review this system daily and make sure all systems are reporting in, that their definitions have updated and that scans were successful. Every single breach we’ve ever investigated had an anti-malware system that wasn’t being managed appropriately.

  3. Revoke Unnecessary Access – Staff often have far too much access to computer systems. It’s not about trust. It’s about what happens when that account is hacked. If the accounts are fairly restricted, hackers need to compromise several accounts to meet their objectives. This goes for system administrators too. They should have one account they use for internet surfing, email and daily work and another account used to administer systems. This makes it more difficult for cybercriminals to compromise systems.

  4. Secure Your Wireless – Wireless networks offer convenience and mobility, but they are inherently less secure than a physical connection. Securing a wireless network against today’s sophisticated attacks just takes a little planning. Splitting guests off onto their own network and rotating pre-shared keys are critical to wireless security.

  5. Monitor Security Event Logs – While this is simple, it’s not necessarily easy. It will take some tools and some time to review these logs looking for security incidents. Sticking your head in the sand and ignoring the fact that you’re under constant attack won’t make it stop. It only makes it worse.
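
The daily anti-malware review from step 2 (every host reporting in, definitions current, last scan successful) is easy to automate. The script below is an added example, not Pratum's code or any vendor's tooling; the CSV export format, the hypothetical host names and the threshold values are constructed for the illustration.

```python
from datetime import datetime, timedelta
# Review thresholds (assumed values, not from the post)
MAX_CHECKIN_AGE = timedelta(hours=24)
MAX_DEFINITION_AGE = timedelta(days=3)

# Constructed sample export from a hypothetical anti-malware console:
# host, last check-in, definition timestamp, last scan result.
SAMPLE_REPORT = """\
host,last_checkin,definitions_updated,last_scan
fileserver01,2015-06-10T07:55:00,2015-06-10T03:00:00,success
laptop-jsmith,2015-06-07T18:20:00,2015-06-07T03:00:00,success
hr-desktop03,2015-06-10T08:10:00,2015-06-01T03:00:00,success
db02,2015-06-10T07:40:00,2015-06-10T03:00:00,failed
"""

# Constructed time of today's review
REVIEW_TIME = datetime(2015, 6, 10, 9, 0, 0)

def parse_report(text):
    """Parse the CSV export into a list of dicts with datetime fields."""
    rows = []
    for line in text.strip().splitlines()[1:]:
        host, checkin, defs, scan = line.split(",")
        rows.append({
            "host": host,
            "last_checkin": datetime.fromisoformat(checkin),
            "definitions_updated": datetime.fromisoformat(defs),
            "last_scan": scan,
        })
    return rows

def review(rows, now):
    """Return {host: [problems]} for hosts needing attention; empty means healthy."""
    findings = {}
    for r in rows:
        problems = []
        if now - r["last_checkin"] > MAX_CHECKIN_AGE:
            problems.append("not reporting in")
        if now - r["definitions_updated"] > MAX_DEFINITION_AGE:
            problems.append("definitions stale")
        if r["last_scan"] != "success":
            problems.append("last scan " + r["last_scan"])
        if problems:
            findings[r["host"]] = problems
    return findings

if __name__ == "__main__":
    for host, problems in review(parse_report(SAMPLE_REPORT), REVIEW_TIME).items():
        print(f"{host}: {', '.join(problems)}")
```

A host that has not checked in will also show stale definitions, which is expected; the point of the daily review is that an empty result is the only acceptable one.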

There you have it. Information Security Made Easy. With these 5 simple steps, your organization can see significant improvement in its information security posture. Taking the first step is always the hardest. Pick one and give it a try.

Two Factor Authentication

Two-factor authentication (2FA) is often a hotly debated security control. The argument for two-factor authentication from an information security perspective is that it helps ensure that only the actual user who is authorized to use the account is logging in. By using something you know like a password, with something you have like a one-time token or something you are like a fingerprint, you can add to the assurance that the person using the account is actually the authorized individual. On the negative side, many would say the cumbersome initial enrollment and subsequent login process has too much of an impact on usability.

Asking the Right Questions

Many organizations battle these questions when considering the need for 2FA. We always guide our clients in making risk-based decisions. Which systems or applications are at the highest risk for unauthorized access attempts? What is the impact of an unauthorized user getting access to the system? Starting from this perspective helps guide the cost and implementation discussions.

What options are available for implementing 2FA? A common method is to use SMS, or text messages, to send a unique code to a user’s phone. This eliminates the old “key fob” or “PIN cards” from decades past. This adds assurance that the person logging in is the authorized user.
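
The server side of the SMS code scheme just described has three properties that make it worth something as a second factor: the code is short-lived, it works exactly once, and a handful of wrong guesses voids it. The class below is an added example (not Pratum's or any 2FA product's code); the lifetime, digit count and attempt limit are assumed policy values, and sending the SMS itself is left to the caller.

```python
import hmac
import secrets
import time

# Policy values for the example (assumed, not from the post)
CODE_DIGITS = 6
CODE_LIFETIME_SECONDS = 300   # code expires five minutes after issue
MAX_ATTEMPTS = 3              # wrong guesses allowed before the code is void

class OneTimeCodeStore:
    """Server-side bookkeeping for codes sent out of band (e.g. by SMS).

    The code is the 'something you have' factor; this class only enforces
    that it is fresh, used once, and not guessable by repeated attempts."""

    def __init__(self, clock=time.time):
        self._clock = clock                 # injectable for testing
        self._pending = {}                  # username -> [code, issued_at, attempts_left]

    def issue(self, username):
        """Generate a new code for the user; the caller sends it by SMS."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._pending[username] = [code, self._clock(), MAX_ATTEMPTS]
        return code

    def verify(self, username, submitted):
        """Return True once for the correct, unexpired code; False otherwise."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        code, issued_at, _ = entry
        if self._clock() - issued_at > CODE_LIFETIME_SECONDS:
            del self._pending[username]     # expired: user must request a new code
            return False
        # Constant-time comparison so timing does not reveal matching digits
        if hmac.compare_digest(code.encode(), str(submitted).encode()):
            del self._pending[username]     # single use
            return True
        entry[2] -= 1
        if entry[2] <= 0:
            del self._pending[username]     # too many wrong guesses: void the code
        return False
```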

What about when you want to make sure only authorized computers are used to gain remote access? You can use a digital certificate or 802.1X to quarantine the system until it has been checked and approved.

Making Your Decision

The reality is that remote access systems, including web-based systems, are under unprecedented attack. The attacks are getting more persistent and more complicated. To keep up, the status quo has to change. Two-factor authentication for remote system administration by IT staff or vendors must be used in today’s world; the risk is just too great. After that, it’s really a business decision, one that requires more than just the IT team’s input. Have the discussion with your business unit, risk management, IT and customer service teams to determine if two-factor authentication is the right approach. And remember, there are multiple approaches to 2FA; make sure you’re using the right one to get the outcomes you desire.
