“For all practical purposes, we can never secure or trust the … endpoint participants in any computing environment.”
Amit Yoran, president of RSA, keynote speaker of RSA 2015 conference
The real message of the quote above is that minor and major security incidents are already part of an average day. Sony, Ashley Madison, Target, Uber and NSA are only a small snippet of those organizations that have suffered a very serious data breach recently. These stories also confirm the fact that attackers are, and will always be, ahead of us. It’s not a matter of if these attackers will infiltrate our network. If our data is valuable enough for them, they will keep on trying until they get in – or they are already inside.
One of the key points of the success of attackers is that corporations have several blind spots in their IT environment. There is a common theme in most of these so-called blind spots: the activities connected to them appear absolutely normal in 99.99% of the cases – but although sometimes it seems that monitoring these potential security holes is infeasible, the experience of the last years prove that the most serious data breaches and security incidents originate from these security holes.
Top 8 most dangerous blind spots of IT security
- 0-day & 0-hour threats
- Lateral movement inside the network
- Shadow IT
- Business applications
- Shared accounts
- Database manipulation
- Scripts running on personal accounts
- File servers & file transfers
0-day & 0-hour threats
According to Symantec’s annual Internet Threat Security Report, 24 new 0-day vulnerabilities emerged in 2014, and the top 5 of them were left unpatched for a total of 295 days, compared to a total vulnerability window of 19 days in 2013. 0-day threats could be public enemy nr. 1 of IT security – every CISO knows how dangerous they can be to his or her protected IT infrastructure. Since threat prevention is very difficult and challenging using the current 0-day protection solutions, it is highly recommended to apply alternative forms of defense in the network.
Lateral movement inside the network
Most monitoring solutions focus on authenticated logins to the company’s IT system, not considering when an attacker might have compromised an employee’s trusted credentials and infiltrated the network. In this case, the attacker can freely move in the system for months. According to research by Ponemon and IBM, 90% of recent data breaches went undetected for over 3 months, which means IT security solutions shouldn’t concentrate only on authentication.
IT departments are unable to keep pace with the continuous flow of newly launched cloud and mobile applications. According to a study by IBM Security, about 33 percent of Fortune 1000 employees regularly save and share company data to an external cloud-based platform that the company cannot track. These GTD, notetaking, instant messaging or other kind of apps have become extremely popular among users, but in most cases, these are not approved by IT – users still find ways to install and use them. As IT departments do not know about them, do not pay attention what happens in these applications and can’t prevent the leakage of valuable company data from there.
Business applications – such as SAP and others – play a crucial role in the everyday operation of almost every company. These contain a huge amount of valuable information ranging from the financial data to client lists – even traditional IT security defenses are unable to monitor what happens in these systems, e.g. which privileged user leaks out what kind of important information using these applications.
“Three can keep a secret, if two of them are dead“, as Benjamin Franklin famously said, and it’s true for shared accounts as well. The cornerstone of most security policies is to have personally identifiable accounts and only use shared accounts when it’s absolutely unavoidable and do it in a controlled way.
Databases contain a lot of valuable company information – they are home to almost all sensitive information from bank account numbers of employees to the detailed lists of invoices issued by the company. Unfortunately, most enterprises do not have reliable methods to detect when someone manipulates their databases.
Scripts running on personal accounts
When a sysadmin automates some tasks he has to perform regularly and allows a script to use his own credentials, he creates a huge security risk. If an attacker finds a way to hack the script (and such ad-hoc developments are often prone to trivial attacks like SQL or shell injections) or gains access to the stored credentials the script is using, he gains access to all the services the admin has access to.
File servers & file transfers
Besides databases, file servers are the second most important sources of critical data. And similar to databases, traditional IT security solutions do not defend these very well, do not pay extra attention, for example, to the transfer of sensitive files.
A defensive strategy that is based purely on access control, incident management and identity management is not sustainable. The complexity is overwhelming and the constraint on business is unacceptable. Besides, the greatest risk usually comes from someone who has gained access and is able to abuse privileges already granted.
Experts agree that the new perimeter, where we have to focus, is our users. They are the new focus of our security measures instead of the infrastructure. Users present too big a challenge for most of the current security solutions, as the required level of data, analytic capability or the contextual information to catch their potential malicious activities isn’t available.
Traditional IT security solutions are mostly target known threats – but these 8 blind spots prove that the most dangerous threats frequently arrive in unknown forms. User Behavior Analytics is the next generation of IT security solutions, which is able to identify unknown threats by monitoring users and gathering logs of system and application activity. The continuous and real-time analysis of these activities will minimize the time to detect, assess and prevent data breaches by thorough and rapid investigation.