The hotshot developer your company just lost to a competitor could also be your biggest security risk, in the form of employee data theft. You shouldn’t wait until he’s left carrying a 1TB flash drive full of trade secrets to worry about what else may have just walked out the door.

But suppose you need to clean up a mess, or prevent one from occurring after somebody moves on. What steps can you take?

From Irate to Exfiltrate

First, understand what you’re stepping into. Employee data exfiltration is an underreported problem in network defense. Whether a former staffer has become disaffected, angry or has simply accepted a better offer elsewhere, a motivated knowledge worker has many ways to remove important data. And IT pros are a special category of knowledge worker, the one for which the exfiltration risk is greatest, because their access is the broadest.

Back in 2010, as reported by Network World, DARPA asked researchers to study ways to improve detection of, and defense against, malicious insiders on its networks. That program, Cyber Insider Threat (CINDER), aimed to address insider data theft within military and government facilities. Those DARPA contracts were awarded because insider threats had generally been neglected, due in part to a dominant perimeter-threat mentality.

Research was well underway when, in 2013, Edward Snowden demonstrated the full potential of data exfiltration to any remaining disbelievers.

The takeaway for every system administrator and CSO: If you’re focused only on tweaking firewall settings, you may be at risk. Your company’s lost data probably won’t be published in The Guardian or The New York Times, and you won’t be grilled on “60 Minutes.” But you’d be right to sweat it.

Post-Termination Steps

After a termination, there are many steps you could take. The proper course of action will depend upon the employee’s access to data, organizational role and, generally, a mature risk assessment framework. Here are a few to point you in the right direction:

  1. Today, many employees have company data on their mobile devices. Company-owned or company-managed phones may support remote wipe, for example through Google Apps device management. Use it to purge sensitive data, and do it promptly: a device that is powered off or kept offline never receives the wipe command.
  2. If datasets are encrypted to per-user certificates, revoke the ex-employee’s certificate so the data can no longer be decrypted with it, an approach TechTarget describes as revocation of encrypted datasets. Revocation does nothing about copies that were decrypted before the person left.
  3. Study logs. Tools such as the Ipswitch Log Management Suite let you identify potentially anomalous activity over an extended period. The theft may not be recent.
  4. Examine Windows event logs (and the USBSTOR keys in the registry, which outlive the logs) to determine whether the ex-employee attached USB storage to a company workstation.
  5. Catalog all applications the employee accessed, both on-premises and in the cloud, so that every account can be disabled or re-credentialed.
  6. Working with affected line-of-business managers, identify any sensitive datasets the employee could reach.
  7. If the ex-employee had root or sysadmin privileges, permission schemes and shared passwords may need wholesale updating, especially for off-premises resources, along with any SSH keys, API tokens and service-account credentials the person knew.
  8. Workstations (and possibly server instances) the ex-employee managed should be quarantined for a period before they are returned to the asset pool.
  9. For especially sensitive settings, heightened audit and log monitoring of coworkers for a limited period may be warranted.
  10. For ex-employees who enjoyed privileged access to IT resources, configuration-monitoring tools such as Ipswitch WhatsConfigured can reveal configuration changes that relay data to offsite servers or sabotage applications.
  11. Know your application risks. Web conferencing tools like WebEx and GoToMeeting, for example, can share files and screens outside the corporate sandbox.
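Here is what step 4 looks like in practice. This is an added example, not part of the original post and not an Ipswitch tool: a PowerShell script that pulls USB-storage evidence from three places on a workstation, the USBSTOR registry keys, the user-mode driver framework log and the Security log. The $Since/$Until parameters and the 90-day default are assumptions for the example; the registry path, log names and event IDs are standard Windows.

```powershell
# Added example, not from the original post or from an Ipswitch product: gather
# USB-storage evidence from a Windows workstation after a departure. Save as a .ps1
# and run it elevated. $Since/$Until and the 90-day default are assumptions; set
# them to the window around the termination. For a formal investigation, image the
# machine first and work on the copy rather than the live system.
param(
    [datetime]$Since = (Get-Date).AddDays(-90),
    [datetime]$Until = (Get-Date)
)

function Get-MessageField([string]$Message, [string]$Label) {
    # Pull "Label:  value" out of a multi-line event message.
    $line = ($Message -split '\r?\n') | Where-Object { $_ -match "^\s*$Label\s*:" } | Select-Object -First 1
    if ($line) { ($line -split ':', 2)[1].Trim() }
}

# 1. Registry: every USB mass-storage device ever enumerated leaves an instance key
#    under USBSTOR, and it survives long after the event logs have rolled over.
$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
$registryDevices = foreach ($model in Get-ChildItem $usbstor -ErrorAction SilentlyContinue) {
    foreach ($instance in Get-ChildItem $model.PSPath) {
        $props = Get-ItemProperty $instance.PSPath
        [pscustomobject]@{
            Model        = $model.PSChildName       # e.g. Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26
            Serial       = $instance.PSChildName    # device serial, or a generated ID if it has none
            FriendlyName = $props.FriendlyName
        }
    }
}

# 2. DriverFrameworks-UserMode/Operational: event 2003 is written when the UMDF host
#    is asked to load drivers for a device, 2100-2102 on subsequent power requests;
#    together they time-stamp each insertion. This log is disabled by default on
#    Windows 10, so an empty result can mean "not enabled", not "no devices".
$driverEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
    Id        = 2003, 2100, 2101, 2102
    StartTime = $Since
    EndTime   = $Until
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'USBSTOR' } |
    Select-Object TimeCreated, Id,
        @{ n = 'Device'; e = { [regex]::Match($_.Message, 'USBSTOR\S+', 'IgnoreCase').Value } }

# 3. Security log: with "Audit PnP Activity" enabled (Windows 10 / Server 2016 and later),
#    event 6416 records each newly recognised external device together with the logged-on
#    account, which is the attribution the two sources above lack.
$pnpEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 6416
    StartTime = $Since
    EndTime   = $Until
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ n = 'Account'; e = { Get-MessageField $_.Message 'Account Name' } },
        @{ n = 'Device';  e = { Get-MessageField $_.Message 'Device Name' } }

'== USBSTOR registry (all time) =='
$registryDevices | Format-Table -AutoSize
"== Driver-framework events, $Since to $Until =="
$driverEvents | Format-Table -AutoSize
'== PnP audit events (Security 6416) =='
$pnpEvents | Format-Table -AutoSize
```

The three sources answer different questions: the registry tells you which devices were ever plugged in, the driver-framework log tells you when, and 6416 tells you who was logged on at the time. If the second and third come back empty, check whether the log and the audit policy were enabled before the departure; if they were not, the registry is all you have, and that is an argument for enabling them now, ahead of the next departure.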

Match Points

As with other sysadmin duties, you’ll have to decide how much effort to put into mitigating a potential data loss. Knowing which data has been lost and the potential business impact may be just as important as knowing which logs to examine. In the meantime, don’t overwhelm yourself with false alarms, and don’t underestimate your opponent. These steps can help you even after the employee has left, but best practice is to have done much more before the termination event.

You’ve probably ceded the first few moves to your opponent. A determined adversary’s next moves might well include tripwires, sniffers and other mischief — at which point you’re going to need even more tools to get things back to normal.

Ask 10 network professionals about infrastructure security and you’ll get almost as many opinions ranging from “you don’t need more than a firewall and a good set of access rules” to “invest in a variety of included and separate network security tools” and everything in between. However, the truth usually lies in the middle.

Admittedly, you don’t always need to buy a shelf full of software to realize good infrastructure security on a budget. “All you really want is a good firewall and good security permission within the network,” says Ryan Jones, an independent network security consultant. “Use a limited-access principle and give everyone the minimum required access and escalate the permission upward only when required.”

This approach will work for some, but others — especially those involved in banking or e-commerce — will need at least another layer. “Using metrics management and monitoring [for] the network and data is complex, but basically, apply some methodologies and use the software of your choice to manage security,” recommends Rodrigo Arruda, an IT specialist for Itaú, an international financial institution headquartered in Sao Paulo, Brazil. “It does often involve some cost, though.”

Stay Up to Date

You don’t have to spend your department’s whole budget on just a few things. In fact, Peoria Magazines says much of what you can do to secure your network without breaking the bank is free or close to it. Keeping your software up to date between major revisions is usually free and plugs holes you would otherwise discover at an inconvenient time.

Stay Fired Up

You should also be using a sturdy firewall product and configuring it according to the nature and sensitivity of your data. Don’t set it to auto-learn, which can be just as bad as auto-correct on a smartphone. Manage the rules yourself so the firewall knows which programs have what level of access, and be sure to specify the ports that will be used. Keep in mind that a firewall should supplement, not replace, authentication and threat-detection controls.
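What “manage the rules yourself” looks like on Windows Defender Firewall, as an added example that is not from the original article. The program paths, proxy and resolver addresses, subnet and rule-group name are assumptions for illustration; the cmdlets are the standard NetSecurity module.

```powershell
# Added example, not from the original article. Explicit outbound rules on Windows
# Defender Firewall instead of an auto-learn mode. Program paths, addresses and the
# rule-group name are assumptions for illustration. Run elevated; prove the rule set
# on one machine before pushing it out through Group Policy.
$ruleGroup = 'Corp Outbound Policy'

# Each rule names the program, the protocol, the ports and, where known, the peers.
# Anything not matched by an Allow rule is dropped once the default flips below.
New-NetFirewallRule -DisplayName 'Corp - Outlook to mail servers' -Group $ruleGroup `
    -Direction Outbound -Action Allow -Profile Domain `
    -Program 'C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE' `
    -Protocol TCP -RemotePort 443, 587 -RemoteAddress 10.10.5.0/24

# The browser may talk to the web proxy only, never to the internet directly.
New-NetFirewallRule -DisplayName 'Corp - Browser via proxy only' -Group $ruleGroup `
    -Direction Outbound -Action Allow -Profile Domain `
    -Program 'C:\Program Files\Mozilla Firefox\firefox.exe' `
    -Protocol TCP -RemotePort 3128 -RemoteAddress 10.10.1.20

# Windows itself still needs the internal resolvers (and Kerberos, LDAP and SMB to the
# domain controllers; those rules are omitted here, and the block log below will show
# you exactly which ones you forgot).
New-NetFirewallRule -DisplayName 'Corp - DNS to internal resolvers' -Group $ruleGroup `
    -Direction Outbound -Action Allow -Profile Domain `
    -Protocol UDP -RemotePort 53 -RemoteAddress 10.10.1.10, 10.10.1.11

# Log dropped packets first and run that way for a while; tune from evidence, not guesswork.
Set-NetFirewallProfile -Profile Domain -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# Only after the allow rules cover every known-good program, change the default.
Set-NetFirewallProfile -Profile Domain -DefaultOutboundAction Block

# Verify what is actually in place.
Get-NetFirewallRule -Group $ruleGroup | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule       = $_.DisplayName
        Protocol   = $port.Protocol
        RemotePort = ($port.RemotePort -join ',')
        Action     = $_.Action
        Enabled    = $_.Enabled
    }
} | Format-Table -AutoSize
```

The order matters: allow rules, then logging, then the default-deny. Flipping DefaultOutboundAction first on a machine with no allow rules is the firewall equivalent of auto-correct, except that it corrects everything to “no”.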

Deny the SPAM

Although Kaspersky and similar cloud-based security services integrate pretty well with professional email platforms, your team should be willing to invest about $1,500 in a decent spam-filtering appliance, because phishing against unsuspecting staff is often how network intrusions begin (you’ve trained them to recognize phishing, right?).

Lock It Up Properly

Another way to ensure infrastructure security on a budget is to limit user access. This means John in Accounting and Mary in Sales shouldn’t be installing new software on a regular basis. In fact, these users should need to install new software only once or maybe twice a year. Only administrators, and select department heads, should be given administrative access to the network, and even then through separate admin accounts rather than their everyday logins. Everyone else should be given the most basic rights they need to do their jobs efficiently and securely.
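Saying “everyone else gets basic rights” is easy; knowing whether it is still true six months later is the hard part. As an added example (not from the original article), the following PowerShell script lists who holds local Administrators membership on a set of workstations and flags anyone outside an allow-list. The computer names and the allow-list entries are hypothetical; the script needs PowerShell remoting to the targets and the LocalAccounts module that ships with Windows 10 and Server 2016 or later.

```powershell
# Added example, not from the original article: audit (and optionally clean up) local
# Administrators membership across workstations. Computer names and the allow-list are
# hypothetical. Requires PowerShell remoting and the Microsoft.PowerShell.LocalAccounts
# module on the targets (Windows 10 / Server 2016 and later). Save as a .ps1.
param(
    [string[]]$Workstations = @('WS-ACCT-01', 'WS-SALES-07', 'WS-DEV-12'),   # constructed sample
    [switch]$Remediate                                                         # off by default: report only
)

# Principals that may legitimately be local admins. Use one dedicated group for
# workstation administration; Domain Admins appears only because the domain join
# adds it by default. Everyone else, "John in Accounting" included, gets flagged.
$Allowed = @('CORP\Domain Admins', 'CORP\Workstation-Admins')

$members = Invoke-Command -ComputerName $Workstations -ErrorAction Continue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

$findings = $members | Where-Object {
    $_.Name -notin $Allowed -and
    $_.Name -notmatch '^[^\\]+\\Administrator$'   # the built-in local account, disabled by policy
} | Select-Object PSComputerName, Name, ObjectClass, PrincipalSource

if (-not $findings) {
    'No unexpected local administrators found.'
    return
}

$findings | Sort-Object PSComputerName, Name | Format-Table -AutoSize

# Remediation is a separate, explicit step so the report can be reviewed first.
if ($Remediate) {
    foreach ($f in $findings) {
        Invoke-Command -ComputerName $f.PSComputerName -ArgumentList $f.Name -ScriptBlock {
            param($Member)
            Remove-LocalGroupMember -Group 'Administrators' -Member $Member -Confirm:$false
        }
        "Removed $($f.Name) from Administrators on $($f.PSComputerName)"
    }
}
```

Run it on a schedule and diff the output: a new name in the report is a change somebody made, and on a least-privilege network every such change should have a ticket behind it.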

Use Deception to Foil Intruders

Sun Tzu, in his famous tome, said: “All warfare is based upon deception.” Change one letter and it resonates with IT personnel: “All ‘warefare’ is based upon deception.” In other words, use software to deceive intruders. The Active Defense Harbinger Distribution (ADHD), a Black Hills Information Security project distributed through SourceForge, bundles tools that do exactly this; its honeyport tooling, for instance, listens on ports nothing legitimate should touch and, on the first connection, drops all traffic to and from that IP. To the intruder, your network just went dark.

Use a VPN for Remote-Access Users

Once upon a time, you could give your remote users a phone number, have them dial into your network and authenticate them with something akin to a SecureNet Key token. Today the answer is a virtual private network (VPN). Properly configured, the encryption a VPN uses is not breakable in any practical time frame; where VPNs fail in practice is weak configuration (legacy ciphers, a single shared static key) and stolen credentials, so pair the tunnel with per-user certificates and strong authentication, and revoke both when someone leaves. OpenVPN is a solid open-source project and free through its community version.

Keeping your network secure with limited funds isn’t impossible, but it may seem like an insurmountable task at times. With proper planning, however, it doesn’t have to be. Apart from the spam-filtering appliance, which is the biggest line item, most of the suggestions above will cost you and your team nothing but the necessary time.

We are excited to be part of AFCEA’s TechNet Land Forces – Southwest, the first event in the TechNet Land Forces conference series.

TechNet Land Forces – Southwest is the premier conference for network security and operations with a focus on the ground component of the Army and Marine Corps, including elements of Homeland Security, industry, academia and border control. The conference also gathers leading government, industry and academic speakers who will address a range of topics, focusing on today’s network security challenges and on training the cyber warriors of tomorrow.

If you are at the show, make sure you stop by the WhatsUp Gold booth #124 – You can chat with the team about any questions you may have, watch a product demonstration, pick up some fun swag, or just say “hi”!


As technology evolves so does the ability for people to hack it.

Ipswitch WhatsUp Gold is staying ahead of the game with its versatile network traffic analyzer, Flow Monitor.

Did you know it’s rarely the apocalyptic hack, like the ones depicted in SyFy films, that businesses should be wary of? Instead, according to a recent report on the Black Hat Briefings by SearchSecurity.com, it’s the persistent, targeted attacks that weaken a company’s IT infrastructure and compromise its business.

SearchSecurity.com reported last week on two researchers who demonstrated examples of hacks at the Black Hat Briefings. The duo’s hacks ranged from zero-day PDF attacks to memory-based rootkits.

The presenters, Nick Percoco, senior VP at Trustwave’s SpiderLabs, and Jibran Ilyas, a Trustwave senior forensic investigator, pointed out what WhatsUp Gold Flow Monitor customers already know: attackers are hiding in plain sight, moving data out of organizations over tried-and-true channels such as FTP, HTTP and SMTP.

A firewall is of little use in these situations: outbound HTTP, FTP and SMTP are allowed by policy, so nothing about that traffic trips a rule.

What you need is visibility into who is sending how much, to where, over which ports, the everyday ones as well as oddities such as TCP port 31337. WhatsUp Gold Flow Monitor, in conjunction with Alert Center, provides that visibility and alerts users in real time when traffic crosses the thresholds they define.

In addition, the new release of WhatsUp Gold Flow Monitor allows users to set up monitors on multiple TCP ports (80, 8080, etc.), so by setting up an alarm specifically for port 31337 alongside your monitors on the everyday ports, you can watch in real time for the kinds of attacks Black Hat is reporting.
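What that hunt looks like on the data, as an added example that is not part of the original post and not a feature of WhatsUp Gold: a PowerShell function run over exported flow records. The flow records, the 10/8 internal range, the working hours and the byte thresholds are all constructed assumptions for the example. The volume rules are what catch the “plain sight” transfers over HTTP, FTP and SMTP; the port rule is the 31337 alarm, and it is the least interesting of the four.

```powershell
# Added example, not from the original post and not a product feature: a first-pass
# exfiltration hunt over exported flow records (NetFlow/sFlow as CSV). The sample
# records below are constructed; real input comes from your collector's export with
# at least these columns. Internal prefix, thresholds and hours are assumptions.
function Find-ExfilCandidates {
    param(
        [object[]]$Flows,                       # objects with start, src, dst, dport, bytes
        [string]$InternalPrefix = '10.',        # assumption: corporate space is 10/8
        [int[]]$ExpectedPorts   = @(21, 25, 80, 443, 587, 993),
        [long]$DailyBytes       = 100MB,        # per internal host per day
        [long]$PeerBytes        = 50MB,         # to one external peer on an expected port
        [long]$OffHoursBytes    = 10MB          # single flow outside 06:00-20:00
    )
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding($Rule, $Src, $Detail) {
        $findings.Add([pscustomobject]@{ Rule = $Rule; Host = $Src; Detail = $Detail })
    }

    # Only internal -> external traffic can be exfiltration; normalise the types first.
    $outbound = foreach ($f in $Flows) {
        if ($f.src.StartsWith($InternalPrefix) -and -not $f.dst.StartsWith($InternalPrefix)) {
            [pscustomobject]@{
                Start = [datetime]$f.start; Day = ([datetime]$f.start).Date
                Src = $f.src; Dst = $f.dst; Port = [int]$f.dport; Bytes = [long]$f.bytes
            }
        }
    }

    # 1. Volume per host per day: hiding on port 443 still requires the bytes to leave.
    foreach ($g in ($outbound | Group-Object Src, Day)) {
        $total = ($g.Group | Measure-Object Bytes -Sum).Sum
        if ($total -gt $DailyBytes) {
            Add-Finding 'DailyVolume' $g.Group[0].Src ("{0:N0} MB outbound on {1:yyyy-MM-dd}" -f ($total / 1MB), $g.Group[0].Day)
        }
    }
    # 2. A large transfer to one external peer over a port the firewall allows anyway.
    foreach ($g in ($outbound | Group-Object Src, Dst, Port)) {
        $first = $g.Group[0]
        $total = ($g.Group | Measure-Object Bytes -Sum).Sum
        if ($first.Port -in $ExpectedPorts -and $total -gt $PeerBytes) {
            Add-Finding 'PeerVolume' $first.Src ("{0:N0} MB to {1}:{2}" -f ($total / 1MB), $first.Dst, $first.Port)
        }
    }
    # 3. Sizeable transfers outside working hours (assumed 06:00-20:00).
    foreach ($f in $outbound | Where-Object { ($_.Start.Hour -lt 6 -or $_.Start.Hour -ge 20) -and $_.Bytes -gt $OffHoursBytes }) {
        Add-Finding 'OffHours' $f.Src ("{0:N0} MB to {1}:{2} at {3:HH:mm}" -f ($f.Bytes / 1MB), $f.Dst, $f.Port, $f.Start)
    }
    # 4. Anything on a port outside the baseline, such as the 31337 the post mentions.
    foreach ($f in $outbound | Where-Object { $_.Port -notin $ExpectedPorts }) {
        Add-Finding 'UnexpectedPort' $f.Src ("{0} bytes to {1}:{2}" -f $f.Bytes, $f.Dst, $f.Port)
    }
    return $findings
}

# Constructed sample export: timestamps, addresses (documentation ranges) and sizes are made up.
$sampleCsv = @'
start,src,dst,dport,proto,bytes
2013-08-01T02:14:00,10.1.4.22,203.0.113.9,443,TCP,812345678
2013-08-01T02:15:00,10.1.4.22,203.0.113.9,443,TCP,790112233
2013-08-01T09:02:00,10.1.4.22,198.51.100.30,80,TCP,5120
2013-08-01T09:05:00,10.1.7.8,198.51.100.30,80,TCP,4096
2013-08-01T10:40:00,10.1.7.8,203.0.113.77,21,TCP,402653184
2013-08-01T11:12:00,10.1.9.3,10.1.1.5,445,TCP,9437184
2013-08-01T12:00:00,10.1.9.3,198.51.100.30,31337,TCP,128
2013-08-01T12:30:00,10.1.4.22,198.51.100.30,25,TCP,24576
'@
$flows = $sampleCsv | ConvertFrom-Csv
Find-ExfilCandidates -Flows $flows | Sort-Object Host, Rule | Format-Table -AutoSize
```

On the sample data, 10.1.4.22 is flagged three ways (daily volume, peer volume to 203.0.113.9:443, and two off-hours transfers), 10.1.7.8 for a 384 MB FTP upload, and 10.1.9.3 only for touching port 31337. The internal 10.1.9.3 to 10.1.1.5 copy is ignored, which is the point: flow analysis is about the perimeter crossing, and the bytes, not the port number, are what give the exfiltration away.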

To download a free trial of Flow Monitor click here.