Defend against attacks inside the network environment
In this article we will introduce some basic steps you can take to protect your network from attacks that come from within the network environment.
According to a recent MSNBC.com report on a survey conducted by CSO Magazine, more than 58% of attacks came from outside and 21% from inside; however, internal attacks caused more damage than in 2010 (33% compared to 25%). The most worrying finding is that internal attacks are becoming much more sophisticated: up to 22% of internal attacks used rootkits and hacker tools, compared to 9% the previous year, and the number of publicly available tools has also grown at an alarming rate. This article shows how to protect your network against these increasingly complex internal attacks.
Why are internal attacks becoming more and more dangerous?
An internal attack is one carried out by people who already have access to your network and systems but use it in an unauthorized way. They may be employees who, for whatever reason, hold a grudge against the company, or who want to make money illegally by using the system to steal company assets; in general, anyone who abuses the privileges they hold on the corporate network. Some insiders may also be intimidated or bribed by outsiders to steal company information, plant viruses or malware to bring down your network, and so on.
Some of these attacks are:
- Deliberately infecting computers and the corporate network with malware or viruses to interrupt work and cause productivity loss.
- Installing spyware, keyloggers or similar software to steal information about what colleagues or others are doing.
- Stealing passwords to log in to the corporate network while impersonating other users.
- Copying the company's confidential information and sending it outside without permission.
Why do most security strategies focus on outside attacks?
If internal attacks are more damaging to the company, why do most security policies and strategies focus on protecting the network from outside threats? There are several reasons. The foundation of network security is the firewall, a 'gatekeeper' placed between the computers (and users) on the internal network and potential attackers outside. The problem with this model is that it rests on a large and sometimes invalid assumption: that all internal users can be fully trusted. It is no surprise that many companies make this assumption; it is human nature not to expect your own people to betray you. Yet this can be a fatal error.
Perhaps the main reason is that countering attacks from within is not simple. Employees often need access to sensitive information to do their job. They have valid credentials to log on to the network, so it is easy for them to exploit any security vulnerability that could disrupt network services. Some people think these users cannot be controlled; as they put it, once you give someone the keys to the kingdom it is very hard to stop him from abusing them to do what he wants. However, there are still many steps you can take to limit the damage an insider can do.
Develop a security strategy to protect against internal attacks
Some retail organizations use anti-theft programs to stop their employees stealing goods and money; organizations that handle sensitive electronic data can likewise use a DLP (data loss prevention) program. Many vendors now offer DLP technology, but a comprehensive strategy is far better than simply buying a DLP device and switching it on.
We may never completely eliminate the risk of internal attacks, but here are some things you can do to reduce both the number of incidents and their effects:
- Use specialized DLP devices or software: DLP devices or software let you track company data traffic, either in real time or by collecting information and summarizing it in daily or weekly reports. Your DLP system should be able to intercept and read SSL or otherwise encrypted messages; otherwise users can trivially hide the data they send out of the network by encrypting it. Note that the disadvantage of DLP is that it can hurt network performance.
- Configure the firewall to control traffic in both directions: Most modern firewalls can filter both inbound and outbound traffic, but most are configured only to control incoming traffic. Outbound rules on your firewall block or allow network traffic according to the criteria you set. For example, you can block outbound traffic on a particular port.
- Use packet inspection inside the network: DLP devices and firewalls generally focus on traffic leaving the network. However, packet inspection tools such as Network Analysis and Visibility (NAV) products can check the contents of packets moving within the intranet, for example when a user downloads from a server a file they have no right to access or that is not needed for their work. NAV tools can examine content in depth and search for specific words or data types (such as social security numbers) within a document or file. Like DLP, NAV has the disadvantage of slowing down network performance.
- Use email security products with content filters: The content filtering feature of email security products can, for example, block outgoing messages that contain particular keywords, or block users from sending attachments, preventing insiders from emailing confidential information out of your network.
- Data encryption: Encrypting sensitive data makes it difficult for people inside the network (as well as outsiders) to access and read the information.
- Least privilege policy: For the best defense against internal threats, always apply a policy that gives users the most restrictive privileges that still let them do their job. Applying this policy when configuring your DLP product or your firewall's outbound rules means starting by blocking everything and then allowing only what is needed; this is the exact opposite of starting by allowing everything and then restricting what you later decide is necessary. Similarly, keys to encrypted data should be available only to those whose work requires access to that data, not to all employees.
- Audit file access: Enabling access auditing on file system objects helps you detect when internal users access information that is not related to their work.
- Separation of duties: This policy ensures that no individual can carry out an important operation (such as a currency transfer) alone. One person can initiate the process, but it cannot be completed without the approval of someone else. This provides checks and balances that protect against a single rogue insider or intruder.
- Control USB devices: DLP, firewalls and email content filtering help prevent insiders from sending sensitive corporate information out over the Internet. However, devices such as external USB drives are often used by insiders to copy sensitive information and carry it out of the company. To prevent this, you can disable the USB ports on the systems of those who do not need them. You can use Windows Group Policy or third-party software to restrict or block the installation of USB devices. Software such as GFI Endpoint Security can manage user access to, and log the actions of, USB devices, memory cards, CDs, floppy drives, iPods and MP3 players, mobile phones, PDAs and anything else that connects to a computer via USB.
- Rights management services: Rights management lets you give users access to data while preventing them from sharing it with unauthorized people. Windows Rights Management Services (RMS) can block copying or printing of documents, block forwarding or copying of email content, and so on. Windows can also block screen captures to protect your data and email. There are still ways for users in your company to get around this (for example, photographing the screen with a mobile phone camera), but it makes stealing confidential information considerably harder.
- Change management: Change and configuration management tools can help you identify when users within your organization change system configuration to gain access to information they do not need. There are many products on the market for detecting changes in the network.
- Identity management: Because access privileges are based on user identity, it is imperative to have a good identity management system. This becomes even more important in today's network environments, where businesses move some or all of their data into the cloud, which makes things more complex than ever.
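As an added example (not code from the original article), the content check that DLP systems, NAV tools and email content filters perform is sketched in Python below: it scans a message or file body for a list of confidential-marking keywords and for social security numbers, discards SSN-shaped strings that can never be issued to keep false positives down, masks what it reports so the alert itself leaks nothing, and applies a default-deny decision. The keyword list and the sample messages are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed keyword list; a real deployment uses its own classification markings.
CONFIDENTIAL_KEYWORDS = ("confidential", "internal only", "trade secret")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")  # AAA-GG-SSSS shape

def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped numbers that can never be issued (area 000, 666 or
    900-999; group 00; serial 0000), e.g. phone numbers or order references."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"

@dataclass
class Finding:
    kind: str    # "ssn" or "keyword"
    value: str   # SSN findings are masked so the report itself leaks nothing
    offset: int  # character position in the inspected text

def inspect_content(text: str) -> list[Finding]:
    """Scan one message or file body and return every sensitive item found."""
    findings = []
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(*m.groups()):
            findings.append(Finding("ssn", "***-**-" + m.group(3), m.start()))
    low = text.lower()
    for kw in CONFIDENTIAL_KEYWORDS:
        idx = low.find(kw)
        while idx != -1:
            findings.append(Finding("keyword", kw, idx))
            idx = low.find(kw, idx + 1)
    return findings

def decide(text: str, max_ssn: int = 0) -> str:
    """Default-deny policy: block on any keyword, or on more SSNs than allowed."""
    found = inspect_content(text)
    ssn_count = sum(1 for f in found if f.kind == "ssn")
    if any(f.kind == "keyword" for f in found) or ssn_count > max_ssn:
        return "block"
    return "allow"

# Constructed sample messages (not real data).
SAMPLES = {
    "payroll": "Payroll export attached: 123-45-6789 and 321-54-9876.",
    "spam": "Call 000-12-3456 today! Order ref 666-00-0000.",
    "memo": "INTERNAL ONLY: Q3 roadmap draft, do not forward.",
    "lunch": "Lunch at noon? Meeting room 2.",
}
```

Running `decide` over the samples blocks "payroll" and "memo" and allows "spam" and "lunch"; raising `max_ssn` for a payroll channel is how a least-privilege exception would be expressed rather than loosening the default.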