The weakest part of any network isn’t some tool in the data center or some device on the wire. No, it’s the people who are logging in. We’ve said it repeatedly here, and as long as people keep providing us with examples to cite, we’ll keep saying it over and over. The latest example comes out of Britain and its Office of Communications, or, as they like to call it, Ofcom.
Turns out that a former employee downloaded up to six years’ worth of television broadcaster data before leaving the company. This employee then took that data to his new employer, another television broadcaster, and offered it as a competitive advantage. That broadcaster didn’t use the data but instead turned it over to Ofcom officials.
This post is the second in a series of four that we are calling our Network Security Spring Clean series. In the first post we looked at hardware. This week we will focus on your people, and over the course of the next few weeks we’ll cover your data and your network.
Whatever his motives, this former Ofcom employee proved the point. Either through intentional misdeeds or ignorant mistakes, your people are the biggest threat to your network. And while you can’t necessarily control what an angry ex-employee does, you can do your best to limit the damage any employee can do, malicious motives or not. That’s the first of four tips for spring cleaning when it comes to your users and their accounts.
Actively manage user accounts
The Ofcom breach proved why it’s critical for you to actively manage the user accounts on your network. If you’re using Active Directory, use the auditing feature to review user accounts and privileges, logon activity, and account policies. This is how you can make sure that employees aren’t nosing around areas of the network they shouldn’t be or downloading files that they shouldn’t have access to.
Also use the auditing feature to look for old or redundant accounts and remove them.
Audit all systems
This really does mean all. You want to look at your internal systems, everything from an intranet to custom applications. You also want to look at anything that’s external, like an Amazon Web Services (AWS) account or another managed service accessed through a browser. What are you looking for? Again, old or inactive accounts. Get rid of them. Also check to make sure that the people who have access to these systems are still supposed to have access. Someone may still be an employee but in a new role, and the old access may no longer be necessary.
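As an added example (not code from the original post), the Active Directory side of the review described under “Actively manage user accounts” and “Audit all systems” can be scripted with the RSAT ActiveDirectory module. The 90-day window, the report path and the decision to disable rather than delete are assumptions; the script only reports and dry-runs the disable step.

```powershell
# Added example, not part of the original post. Assumes the RSAT ActiveDirectory
# module and an account with rights to read user attributes. The 90-day window
# and the report path are assumptions; adjust to your own policy.
Import-Module ActiveDirectory

$InactiveDays = 90
$ReportPath   = "$env:USERPROFILE\Desktop\stale-accounts.csv"
$Cutoff       = (Get-Date).AddDays(-$InactiveDays)

# 1. Enabled accounts with no logon inside the window. Search-ADAccount reads the
#    replicated lastLogonTimestamp, which can lag the real last logon by up to
#    about 14 days, so treat this as a review list, not a kill list.
$inactive = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, LastLogonDate, @{n='Reason'; e={ 'No logon in {0} days' -f $InactiveDays }}

# 2. Enabled accounts older than the window that have never logged on at all
#    (typical of leftover onboarding or forgotten service accounts).
$neverUsed = Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, whenCreated |
    Where-Object { -not $_.LastLogonDate -and $_.whenCreated -lt $Cutoff } |
    Select-Object SamAccountName, LastLogonDate, @{n='Reason'; e={ 'Never logged on' }}

# 3. Enabled accounts whose password is older than the window or never expires:
#    the "ignorant mistakes" side of the problem, not just departed employees.
$stalePw = Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires |
    Where-Object { $_.PasswordNeverExpires -or ($_.PasswordLastSet -and $_.PasswordLastSet -lt $Cutoff) } |
    Select-Object SamAccountName, LastLogonDate, @{n='Reason'; e={ 'Password stale or never expires' }}

$report = @($inactive) + @($neverUsed) + @($stalePw) | Sort-Object SamAccountName, Reason
$report | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ("{0} findings written to {1}" -f $report.Count, $ReportPath)

# 4. Disable (don't delete) confirmed-inactive accounts: the action is reversible
#    and the group memberships survive for review. -WhatIf only prints what would
#    happen; remove it once the CSV has been checked against HR's leaver list.
foreach ($acct in $inactive) {
    Disable-ADAccount -Identity $acct.SamAccountName -WhatIf
}
```

Run it from a workstation with RSAT installed and compare the CSV with your HR records before removing `-WhatIf`; the never-logged-on and stale-password lists are there to prompt questions, not automatic action.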
Review authentication systems
Your people need secure passwords. That’s a given. But do your authentication systems allow them to make truly secure passwords? And do your people even know what that means? It’s not about cute combinations of letters, numbers and special characters like we’ve been teaching them for so long. Those passwords aren’t that strong when put up against rainbow tables and sophisticated brute force hacking techniques. We have another post that talks about what makes a strong password. It’s worth reviewing.
Consider user management software
This would be in addition to Active Directory. Software like Okta or Centrify can provide an extra layer of protection against stolen credentials or an identity-based data breach.
Train your people
You can put measures in place. You can keep directories and user lists updated. And you don’t really have a choice but to do all of that. Still, the best way to make sure your people aren’t a liability is to make sure they are well trained. Not just once either, but regularly. Hackers are always updating their methods. Your people need to be kept up to date on what social engineering techniques they might see.
There are some great third-party resources if this training isn’t something you have the capacity to handle in-house, or if it’s something you aren’t comfortable doing on your own. One to consider: Securing the Human by the SANS Institute. It’s thorough; it’s customizable; and it can all be done online.