Well, most companies initially concentrate on making their systems highly available, with security left at stake. In fact, the only answer they have for security is "FIREWALL", on the assumption that a firewall will be the ultimate solution for securing their systems. To some extent they may be right, but it seems they never think of 'INSIDER ATTACKS'.
CERT (Computer Emergency and Response Team) and the USSS (US Secret Service) have conducted a variety of research projects on the insider threat. One of the conclusions reached is that insider attacks have occurred across all organizational sectors, often causing significant damage to the affected organizations. Insiders have a significant advantage over others who might want to harm an organization. Mechanisms such as firewalls, intrusion detection systems, and electronic building access systems are implemented primarily to defend against external cyber threats. Insiders, however, are not only aware of the policies, procedures, and technology used in their organizations; they are often also aware of its vulnerabilities, such as loosely enforced policies and procedures or exploitable technical flaws in networks or systems.
Basically, an organization's business is impacted negatively by insider attacks: inability to conduct business because a system or network is down, loss of customer records, or inability to produce products because software or systems were damaged or destroyed. Furthermore, most of the insiders took steps to conceal their actions, either by deleting their entries from the logs or by modifying the logs to implicate someone else for their actions. So it is better to 'prevent' these kinds of actions from happening than to go for a 'cure' after the attack.
Based on the research conducted by CERT and the USSS, they outlined the industry best practices that are most important for mitigating insider threats. These practices should be implemented throughout the organization to prevent insider threats.
Implementing the following practices in an organization will prevent, or facilitate early detection of, many insider attacks.
PRACTICE 1: Institute periodic enterprise-wide risk assessments.
PRACTICE 2: Institute periodic security awareness training for all employees.
PRACTICE 3: Enforce separation of duties and least privilege.
PRACTICE 4: Implement strict password and account management policies and practices.
PRACTICE 5: Log, monitor, and audit employee online actions.
PRACTICE 6: Use extra caution with system administrators and privileged users.
PRACTICE 7: Actively defend against malicious code.
PRACTICE 8: Use layered defense against remote attacks.
PRACTICE 9: Monitor and respond to suspicious or disruptive behavior.
PRACTICE 10: Deactivate computer access following termination.
PRACTICE 11: Collect and save data for use in investigations.
PRACTICE 12: Implement secure backup and recovery processes.
PRACTICE 13: Clearly document insider threat controls.
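Practices 5 and 11 only help if the logs themselves survive an insider who, as noted above, deletes or edits entries to cover their tracks. The following is an added example (not from the original post or from CERT/USSS) of one tamper-evident technique: hash-chaining audit records so that any edited or removed entry breaks every digest after it. The audit entries and user names are constructed sample data.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first record


def chain_entries(entries):
    """Build a hash chain over audit-log entries.

    Each record's digest covers the previous digest plus the entry itself,
    so deleting or editing any entry invalidates every digest that follows.
    """
    prev = GENESIS
    chained = []
    for entry in entries:
        payload = json.dumps(entry, sort_keys=True)  # canonical encoding
        digest = hashlib.sha256((prev + payload).encode()).hexdigest()
        chained.append({"entry": entry, "prev": prev, "hash": digest})
        prev = digest
    return chained


def verify_chain(chained):
    """Recompute every digest; return (ok, index_of_first_bad_record)."""
    prev = GENESIS
    for i, rec in enumerate(chained):
        payload = json.dumps(rec["entry"], sort_keys=True)
        expected = hashlib.sha256((prev + payload).encode()).hexdigest()
        if rec["prev"] != prev or rec["hash"] != expected:
            return False, i
        prev = rec["hash"]
    return True, None


# Constructed sample audit entries for a privileged database user (not real data)
SAMPLE = [
    {"ts": "2008-03-01T09:00:00Z", "user": "dba01", "action": "LOGIN"},
    {"ts": "2008-03-01T09:05:12Z", "user": "dba01", "action": "SELECT", "object": "HR.SALARIES"},
    {"ts": "2008-03-01T09:06:40Z", "user": "dba01", "action": "LOGOUT"},
]


def tamper_demo():
    """Show that both concealment tactics from the text are detected."""
    good = chain_entries(SAMPLE)
    edited = copy.deepcopy(good)
    edited[1]["entry"]["user"] = "analyst02"   # rewrite to implicate someone else
    deleted = [good[0], good[2]]               # delete the incriminating entry
    return verify_chain(good), verify_chain(edited), verify_chain(deleted)
```

The chain only proves something if the latest hash is stored where the privileged user cannot write (a remote log collector or write-once media); otherwise an insider can simply recompute the chain, and truncating records from the end would still verify.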
Now look at Practice 6, which is about privileged users. A privileged user such as a DBA can have access to the organization's sensitive information. Oracle has its own way of handling privileged users: it introduced tools such as Virtual Private Database (VPD), encryption, Oracle Label Security, Database Vault, Identity Management, etc., to maximize the security capabilities from the database point of view.
We will explore some of them in our later posts.