Celestial Defense of Atlanta Georgia has over 30 years experience helping contractors nationwide with computer forensic and data security issues.
To discuss a particular computer forensic or computer security matter, like the DFARS requirements for safeguarding CUI, contact us to speak with one of our experts or call 770-777-2090
10 Steps to Protect Your Network From
Employee Based Computer Compromise
(Last updated March 16, 2019)
When it comes to computer security and protecting the data contained on them, our attention is often focused on forces from outside the organization. Even the NIST 800-171 security controls imposed on contractors by the requirements in DFARS 4.7300 and the clause at DFARS 52.204-7012 invovling safeguarding Controlled Unclassified Information (CUI) are more outwardly focused than internally focused. There are several reasons for this. One is that many computer threat assessments quantify attacks from outside the organization as much more numerous than attacks from within. Another is that there have been many large data compromises from forces outside the organization.
Despite those numbers, there are mitigating factors that should also be considered. One is that many hackers just like the challenge. Consequently, while there are a lot of attacks, the damage is often minimal because the hacker lost interest or did not know what to do next once the penetration was perfected.
By contrast, the number of internal threats is usually a much smaller number. Nonetheless, forces within the organization are likely a bigger threat than forces from outside. One need look no further than the cases involving Bradley Manning and Edward Snowden to realize just how much more significant an internal compromise can be than an external one.
Not all internal based compromises are the result of malevalent insiders. Indeed, there are two other situations where insiders are cause for data compromise.
The first situation where insiders are a considerable risk, other than malevalent actors, is that even the large hacks that come from outside are often the result of an unwitting security compromise by an insider. In other words, an insiders is the unwitting victim of a physhing or social engineering exploit. Thus, the reason that there should be more concern about employee based compromise is not simply that one needs to protect themselves from the malevolent employee but that they must also protect themselves against the unwitting employee that falls prey to a malevolent outsider.
The second situation where insiders are considerable risk, other than malevalent actors, is that successful hacks also occur when human error has misconfigured some device on the network which leaves the network vulnerable to attack. In either of these latter two situations, the employee based computer compromise is equally problematic.
The following sections discuss the 10 steps to protect your network from employee based computer compromise.
The first step to solving any problem is defining it. While it is easy enough to articulate one’s objective as being data security, that goal is meaningless if one does not also know what data should be protected and from whom it should be protected. Furthermore the answer to what and whom is not a universal solution. Indeed, there are likely degrees of what and whom that need to be decided as well. In other words, there is likely a hierarchy of data sensitivity.
Answering the questions of what and whom is the pivotal first step to designing an effective security scheme because the solution will not be a simple, one dimension plan. Rather it will have many dimensions. The dimensions will be more like concentric circles where the greatest protection is offered to that data at the center of the rings.
In addition to the organization’s own data for which most sensitive sits in the middle there are several different kinds of data that come with statutory and regulatory requirements. Things like personal identifiable information (PII), payment card information (PCI), and health information (HIPAA) may have no real significance to the organization other than the statutory and regulatory requirements that surround them. By contrast company trade secrets or other company sensitive data, as well as, Controlled Unclassified Information (CUI) can have significant consequences to the organization if it is compromised.
The value of practicing good security fundamentals cannot be underestimated. This is true because good fundamentals are the old 80/20 rule of the computer security world. In other words, 20 percent of the effort can deliver 80 percent of the benefits. Thus the second step to protecting computer data is practicing good security fundamentals.
There are other reasons for practicing good security fundamentals other than the obvious. Perhaps the most significant is that should an organization’s sensitive data be compromised and the organization seeks damages or recourse against the offending party, one of the hurdles that must be cleared is that the organization will have to show that it made reasonable efforts to protect the data. If the organization does not have good fundamentals it will have a much harder time in making its case.
Security fundamentals are, essentially, of three types. They are physical access controls, authentication controls and authorization controls. These tend to be many of the security controls incorporated by NIST 800-171 and imposed by the DoD regulations involving safeguarding of CUI.
As the name implies, physical access controls involve physical access to the device where the data resides. Typically, if physical access of a device can be achieved then other types of security measures such as passwords can be easily defeated.
Physical access controls can involve locking the device in a secure environment such as within its own room, behind a locked door or restricted access door, within a secure building. For certain types of devices like servers an additional layer protection could also be useful in the form of a locked storage rack. After all, in many office buildings lessors, property managers, maintenance and janitorial staff have master keys to even the locked room within the locked office. So, the locked server rack provides the added protection that physical access to the server can be denied to even property owners, their management teams and other staffs.
When the devices are something more portable, such as a laptop computer, physical access can include encryption of the storage media. Encryption of the storage media denies access to the data even if someone were to get physical access to the device.
There is one drawback to encryption, however, When trying to analyze the effects of a data compromise that analysis can be impeded by encryption. It is not so much what encryption does to the active data that impedes the analysis. Rather, it is how encryption makes deleted data unrecoverable and during any kind of after the fact analysis there are all kinds of artifacts that would exist in deleted space if it could be recovered. Thus, security planners must consider the advantages of data protection that comes with encryption versus the diminished analysis capability that it also brings. Of course one way to offset the downside of encryption is to expand the data retention horizon, particularly by enabling volume shadow copy as is discussed in a later step.
The next type of access control is authentication controls. These are essentially userids and passwords.
If userids and passwords are compromised then anyone can access the system posing as an authorized user with whatever privileges that user may have. Thus, it is important that all employees have their own unique userid and password and that the security of those credentials is maintained.
To maintain the security of authentication credentials, they should be changed frequently. In addition, employees should be trained not to post them on the backs of keyboards and monitors, or kept in their desk drawers or any place else where they could be found by someone else.
Authentication integrity should also be protected by prohibiting employees from leaving computers without first logging off or at least having screen locks that prevent usage of that machine without proper authentication.
The last kind of access control is authorization control. Authorization control involves the privileges that a particular user may have. Privileges could involve system operation such as installation of software or the ability to access devices and all or part of their storage media.
Authorization control can be particularly problematic when users have been around for a long time and their job functions change. In those cases, it is common for users to accumulate authorization as they move from job to job. In order to avoid this kind of access creep, an user’s authorizations should be periodically reviewed, particularly when they change jobs within the organization.
The knowledge that good security practices have been followed will have big payoffs. Not only will it help to protect the data, it will facilitate the assessment and proper attribution of the original source after the fact.
Once data security targets have been properly identified and good fundamentals applied the next step is to enable auditing policies. Auditing policies allow for the collection of data into audit logs regarding the access and use of data and system resources. When auditing is enabled it should be full auditing and not just for success for failure.
Audit logs provide two types of benefits from a data security perspective. First, the periodic review of the audit logs can alert security personnel to a problem. For example, a brute force attack by someone or something to gain access to a particular resource would appear in these logs as an excessive number of authentication failures, which should alert security personnel that they are under attack or have already been compromised and further action is needed.
Second, the data captured in an audit log can help confirm the scope of what an unauthorized user has accomplished. If they have actually gained access to the system then following their activity through the system as shown in the audit logs will reveal the extent of what they were able to achieve.
The fourth step is to extend the data retention horizons. Regrettably, not all compromises are detected in real time. Rather, they are often detected after the fact and some kind of post mortem assessment is required. Thus the data retention horizon of audit log, activity logs and data backups need to be long enough to ensure such an analysis is possible.
In addition, when the actions of the unauthorized user was destructive, there could be a need to recover or restore data from a period prior to when the infection and/or destruction actually occurred. If the data retention period is not long enough all that will be restorable is the same old corrupted or infected data.
Whether conducting the post mortem or recovering data from a prior period, the data retention horizons must be long enough to enable those efforts. The look back on both a departed employee and a malware situation could extend back for several months.
Of course the data retention horizon is not just limited to the traditional data recovery and archival systems like server backups. It can extend to individual workstations and to a host of system functions like event and audit logs on both servers and personal computers.
Since the Windows Vista version of Microsoft's operating system there has been a feature known as Volume Shadow Copy (VSC) that can be used for retaining backups of system state information as well as all documents and data on a storage media. While that capability was enabled by default on Windows Vista it is disabled by default on Windows 7 and later. Organizations should enable these features on their workstations. They can be activated from the System Protection group in the Windows Control Panel (Control Panel | System | System Protection). Set the space reservation to between 10 and 15 percent of the storage media.
The other area where changes should be made involves event and audit logs. The default sizes of event and audit logs are frequently not large enough. Consequently, they should be doubled or tripled from their default data sizes.
On Microsoft Windows based systems the last accessed date is an available data element of system metadata. In XP systems, the last accessed date was very sensitive and could be updated when a user simply highlighted a file even without opening it and viewing its contents.
In Windows Vista and later versions the last accessed date was disabled by default, except for a very limited number operations where it could still be updated. It was thought that by disabling the update feature that system responsiveness could be improved.
The downside to this change was that the usefulness of the last access date during activity analysis was also disabled. When examining an intrusion the last accessed date stamp could help identify what has actually been happening if that date stamp was enabled. The last accessed date stamp could have similar usefulness when analyzing the activity of an internal user that is improperly accessing sensitive data.
Consequently, another step that organizations can take to help protect their computer data is to enable the last accessed date stamp. That can be accomplished by changing the value of the NtfsDisableLastAccessUpdate attribute to zero in the HKEY_LOCAL_MACHINE\SYSTEM\ CurrentControlSet\ Control\ FileSystem registry key.
When an employee is terminated or resigns, many employers delete their mailbox from the e-mail system and reassign their computer to someone else. Some organizations even reformat the employee’s hard drive or wipe the hard drive before reinstalling application software or restoring a standard image to the drive.
If it is later learned that the departed employee has done something that he should not have done and there is now a need to examine his e-mails and old computer, all of the normal processes mentioned previously complicate that process. Simple reassignment without any other changes is the least troublesome and wiping is the worst. Everything else is somewhere in the middle.
The best process for handling a departed employee’s computer data, particularly a significant or key employee, is to retain the hard drive for some period of time after departure like six to twelve months. The departed employee’s mailbox should be similarly preserved, although the preservation should go a step further and include recovery of any deleted e-mails that still reside in post office but not are accessible to the user in the mailbox itself.
Prior to just storing the data it is also good to give this data a quick peek to see if there is any unexpected activity like deletion activity, unexpected messaging, or potential taking of sensitive data. Naturally, there are a lot of different tests that could be done. It could be useful to develop a relationship with a vendor and let them perform a standard, but minimal, examination of the computer data of departing employees, particularly significant or key employees. A more comprehensive examination could be performed it something actually stimulates a deeper analysis in the future.
As with many things, the human element in the security scheme will likely be the weakest link. The technology alone is never enough. It still takes people to operate the technology, follow procedures and monitor the results. Furthermore, the procedures are not limited to just things like secrecy of a user’s logon credentials or not leaving a computer unattended with the user logged in. Indeed, there are a host of other things as well that could be as far removed from work as “friending” someone on Facebook.
Amazing as it seems, a person’s personal life and even social media activity is often an information resource that evil doers use to devise schemes to deliver malware to home and work computers of target organization employees. Since home computer are often less secure than work computers, they make great targets when employees work from home.
Thus, there is a lot about computer security that employees need to be taught and reminded. Furthermore, it is not just something that they can leave at work. The practices can follow them home as well. In fact, a successful organization should impress upon their employees that they (the employee) will be a target as a result of their employment. Consequently, they must always be on guard for evil doers and practice good computer security.
How the labor force is educated about an organization’s computer security is often a complex task. Maintaining a well trained workforce that follows the procedures is an important step toward computer security.
It is always a good idea to control how users can actually use their computing devices. The idea is to limit the path they can take to only an approved path that is consistent with the organization’s security plan.
Chances are that organizational users have everything they need to do their job with the computers that they have been issued. Consequently, there is really no need to attach other devices like their cell phone or even worse other storage devices like USB flash drives that could be used for all kinds of mischief.
Naturally, employees may need to examine data given to them by someone outside of the organization on an external storage device. It is easy enough to control an employee’s access to external storage devices. The ports used to attach them can be enabled or disabled through the Windows device manager, for example. Computer security managers can easily turn them on or off.
If an employee does need to view data on storage device, the data could just as easily be made available by having a computer security manager copy the data onto an approved network storage location that the employee could view. This would also provide an opportunity for the data to be examined for safety before it is ever exposed to the organization’s other resources.
There have been a lot of studies that have quantified the amount of lost workplace productivity when employees surf the net. In a lot of cases, there may not be any real need for internet access other than e-mail.
One aspect that needs to be considered is for what do employees really need the internet? If they don’t need it then it can be disabled on their workstations. It is easily accomplished by turning on or turning off Windows features in the programs group of their control panel. If they do need it, the chances are that it is quite limited and filters can be set that either prohibit access to many types of internet sites and data types or restrict their use to only certain internet resources.
Beside productivity issues, there are other reasons for controlling internet activity. Disabling or limiting internet access not only protects the organization from employees browsing infected sites that contain malware, it also limits an employee’s ability to use web based resources to improperly store or send sensitive data.
After extending data retention horizons and enabling all kinds of auditing on file and computer usage activity, there will be a lot of data that is being accumulated. In one respect it is being collected to support an after the fact analysis of a data compromise. This same data can be used to try and detect the compromise at a much earlier stage, however. Of course the limitation is that someone has to review it first.
The collected data is kind of like the gauges on your dashboard. They can tell you a lot and alert you to some impending danger but two things have to happen first. One, the data has to be reviewed. Two, the reviewer has to know how to interpret it.
In any event, the last step in protecting your company from employee based computer compromise is monitoring the data collected and related system activity.
In the early stages of medicine doctors learned that by simply washing their hands between patients that they could avoid transmitting infections from one patient to the next. Today that seems so simple and obvious. One could say that washing hands is the 80/20 rule of the medical profession.
There are a lot of parallels between the medical world and the computing world. In both cases, infections are easily transmitted. Following good computer security fundamentals is the 80/20 rule of computer security just as washing hands is the 80/20 rule of the medical profession.
There is more to consider than just good fundamentals of access control. Equally important are the other categories of data protection captured in the ten steps like identification of sensitive data, monitoring of system activity, and then effective communication to employees of procedures and expectations.
This article discusses the importance of 10 steps to good computer security and keeping an organization healthy from the infection of employee based computer compromise. The 10 steps previously discussed are also similar to the advice from doctors about maintaining good personal health like eat right, get plenty of rest, drink lots of water and exercise regularly. Thus, if you follow the ten steps above your organization will lead a longer and happier life just like you will live longer and happier if you follow your doctor’s advice.
There is still more reason to implement procedures similar to the above items. In the event of a malevolent employee compromise where trade secret data is taken, the success of any legal action could depend on whether reasonable steps had been taken to protect the data in the first place. Unfortunately, restrictive covenants and warnings against improper use may not be enough by themselves.