Protecting Against Remote Access Attacks With Strong Authentication
In most breach cases, a devious lone hacker or an army of state-sponsored foreign attackers is among the defendants named in the media. But former employees may also pose a serious risk, as an FBI press release about a security breach case involving a New York company and a former employee revealed a few weeks ago.
A software programmer launched a campaign of “digital retaliation” after resigning from his company when he was passed over for promotions. Working for a high-voltage power manufacturer, he had developed and customized the software used to run the company’s business operations (purchasing, inventory control, production planning, sales, etc.).
Before he resigned, he created a program (malware) that harvested usernames and passwords of his colleagues. After he resigned and his network access was terminated, he used the credentials to access the network remotely and wreak havoc on their systems.
He deleted a line of code, which led to incorrect work order cost calculations. He emailed a candidate who was being considered for his old position to warn the candidate about the company. He also modified the date on a database, stopping the company from processing transactions. And he manually purged a purchase order table, which prevented the company from converting purchase requisitions to purchase orders.
All made possible by using stolen credentials to remotely access the company’s network.
How can a company protect itself against the insider threat? With stronger access controls, like two-factor authentication that will alert a user via their smartphone if someone is trying to authenticate using their identity.
In an advisory, Combating the Insider Threat, the U.S. Computer Emergency Readiness Team (CERT) also recommends using two-factor authentication for access, among other security practices to help reduce the insider threat, including:
- Train employees to recognize phishing and other social engineering threats
- Improve the usability of security tools, including software to reduce the likelihood of system-induced human error
- Consider using detection and deterrence technology like data/file encryption, data access monitoring, data access control, SIEM or other log analysis, intrusion detection/prevention systems, data loss prevention, etc.
- Deploy data-centric, not system-centric security
- Use the principle of least access privilege for authorizing users, and conduct periodic audits to detect any unauthorized access from old employee accounts
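The periodic audit in the last recommendation, as an added example that is not from the post or from Duo’s products: it cross-checks constructed remote-access (VPN) log lines in a key=value format against a constructed HR roster with termination dates, flagging logins from terminated or unknown accounts, successful logins without a second factor, and MFA pushes that the user denied.

```python
from datetime import datetime

# Constructed sample data (not from the post): HR roster mapping each
# username to its termination date (None = still employed).
HR_ROSTER = {
    "jsmith": None,
    "dprogrammer": "2014-03-14",  # resigned; network access should be gone
    "mlee": "2014-02-01",
}

# Constructed VPN authentication log lines in a simple key=value format.
VPN_LOG = """\
2014-03-20T02:13:44Z vpn login user=dprogrammer src=203.0.113.7 mfa=none result=success
2014-03-20T09:05:10Z vpn login user=jsmith src=198.51.100.4 mfa=push_approved result=success
2014-03-21T23:47:02Z vpn login user=mlee src=203.0.113.9 mfa=none result=success
2014-03-22T08:00:00Z vpn login user=jsmith src=198.51.100.4 mfa=push_denied result=failure
2014-03-22T08:00:31Z vpn login user=ghost src=203.0.113.7 mfa=none result=success
"""


def parse_line(line):
    """Split one log line into a dict with a parsed timestamp."""
    ts, _, _, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def audit(log_text, roster):
    """Return (user, reason) findings for access that the audit should question."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        user = rec["user"]
        if user not in roster:
            findings.append((user, "login by account not in HR roster"))
        elif roster[user] and rec["ts"] >= datetime.strptime(roster[user], "%Y-%m-%d"):
            findings.append((user, "login after termination date"))
        if rec["result"] == "success" and rec["mfa"] == "none":
            findings.append((user, "successful login without second factor"))
        if rec["mfa"] == "push_denied":
            # The legitimate user rejected the push: someone else used their password.
            findings.append((user, "MFA push denied by user; possible credential misuse"))
    return findings


if __name__ == "__main__":
    for user, reason in audit(VPN_LOG, HR_ROSTER):
        print(f"{user}: {reason}")
```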
When you Google “insider threat” a bunch of government domains pop up. It seems like they’re especially suspicious of their own employees, and understandably so, with the type of classified information they handle on a daily basis - a breach of their type of data is also known as espionage (oh yeah, that whole Snowden thing). But a breach of any type of industry data can be potentially disastrous - consider the consequences of altered patient records and prescriptions, or companies that control our critical infrastructure, such as our power grids.
HealthCareInfoSecurity.com reported on the West Virginia United Health System and their new policies and technology implemented to deter the unauthorized access of patient records by employees.
The healthcare system uses logging and auditing technology to track multiple systems, including their electronic health record (EHR) systems, picture archiving and communication (PAC) system, and the pathology system. They audit millions of access records each year. Learn more about Duo Security’s security reporting, auditing and fraud alert features.
They also enable role-based access controls down to a very granular level in order to know exactly who has access to what, helping them identify any inappropriate access to patient data. Learn more about Duo Security’s role-based access controls for administrators, and our security controls for two-factor authentication to help deter the insider threat.