Ask an IT professional what strikes the greatest terror into their heart and they’ll almost certainly give you the same answer. It’s not ransomware, hackers, hardware failure, floods, fire or tornadoes—most professionals in the field will tell you that the thing that keeps them away at night is your garden variety user with administrator permissions.
Insiders pose one of the biggest threats to any business IT environment—they have access to the infrastructure, understand its layout, and might even be the most motivated to inflict damage. This probably seems counterintuitive. Depending upon your place of employment, you’ve probably heard about hardware or software firewalls, multi-factor authentication, and the need for ever more complex and difficult to remember passwords. These are all designed to keep people out right?
This then poses another question—what do you do about someone that is already “inside?” To use another analogy—would you be more concerned about someone forcing entry into your home, or someone that bears you ill will with a full set of keys? Firewalls, multi-factor authentication, and strong passwords are indeed all designed to prevent unauthorized access—the name of the game for internal access is a concept sometimes referred to as “least privilege.” You’ve probably gotten an error message to this effect: “You do not have permission to access this folder, contact your administrator.”
Sometimes this is in error, but in a well-managed corporate network, this is very much by design.
The concept of least privilege means that users only have access to the things that they absolutely need to do their job. This means restricting administrator access to infrastructure to IT professionals. It also means that users should only have access to network resources needed for their role. Accounting has access to accounting documents, and HR to HR documents. Unless those are the same team, they don’t have access to each other’s information. Users shouldn’t have permission to delete an entire shared directory, and if they do, they only have permission to a small portion of a larger share, etc. Least privilege is not a magic bullet however—it only serves to mitigate damage inflicted accidentally or maliciously by limiting its scope.
The next layer of security designed to prevent internal damage to infrastructure is a backup and disaster recovery solution. This is sometimes cloud hosted, and sometimes an appliance that lives onsite. Some of you reading this article may remember the days of tape backups—thankfully those days are (mostly) behind us.
A Backup and Disaster Recovery Solution or B/DR does nothing to prevent users from causing damage to files accidentally or intentionally, but it does make restoration of deleted or damaged files far less painful.
Any restore operation may carry with it some risk of down time and lost work however—depending upon a backup schedule a malicious user may be able to delete an entire days’ worth of work, or just several hours. Unlike the concept of least-privilege, B/DR solutions do nothing to prevent damage in the first place, they simply act as a safety net to be relied upon after the damage has already occurred.
The final piece of security is audit logging. Essentially, this means that IT is monitoring events taking place on network shares, workstations, and servers. While this does sound very “Big Brother” it is not as if someone is physically watching users interacting with their computers throughout the day. Rather, software is deployed in the environment that uses heuristic algorithms to alert IT based upon certain criteria. This could include something like a bulk change in permission to large numbers of files, a specific account consistently attempting to authenticate into an area it doesn’t have permission for, or a large number of folders suddenly being deleted from a network share.
Each of these events could very well be occurring for a legitimate purpose, but they could also be the harbinger of someone purging the work product of the entire staff on their last day, or indeed someone selecting control + a and then delete mistakenly.
Again, however, once alerting has fired off, some damage has already been done. Once an alert has been received, however, IT can take steps to limit the scope of the problem, such as locking out the user’s account until the event is investigated.
As with many IT security concerns, securing an environment from malicious internal actors is dependent on a multi-layered approach. Like an onion, peeling back a layer of security reveals another underneath; each works in concert to prevent damage to mission critical files and infrastructure and keep your place of business online. Hopefully this article hasn’t engendered any mistrust from management towards their employees, or employees towards their IT department. Safeguards like I outlined above are in place for everyone’s protection, not just the business.’ Like the Gipper was fond of saying: “Trust, but verify.”
Mythos Technology is an IT consulting and management firm that provides Managed Technology Services including hosted cloud solutions. For more information, please visit www.mythostech.com or call (951) 813-2672.