Preventing a minor, insider accident from becoming a security catastrophe

Accidental security incidents caused by well-meaning insiders can be among the most damaging, so agencies should not overlook these effective prevention steps, Chris LaPoint writes.

There are accidents – and then there are accidents.

A dog eating a kid’s homework is an accident. Knocking over a glass of water is an accident. A fender-bender at a stop sign is an accident.

A government employee misusing a personal device or inadvertently corrupting mission-critical data, however, can turn out to be more than a simple accident. Such mistakes can escalate into threats with national security consequences.

These types of accidents happen more frequently than one might expect, and they have DOD IT professionals worried. For all of the media's and the government's focus on external threats (hackers, terrorists, foreign governments and so on), the biggest concern continues to be threats from within.

This concern is not solely focused on intentional harm, as IT administrators are recognizing that many of the most potent threats arise from simple human error. As a recent survey by my company, SolarWinds, points out, administrators are especially cognizant of the potential for colleagues to make havoc-inducing mistakes. Yes, it's true: DOD technology professionals are just as concerned about the person next to them making a mistake as they are about an external Anonymous-style group or a rogue hacker.

Given this, it’s fair to ask whether or not federal agencies are focusing their security efforts appropriately. According to our survey, the answer is “maybe not,” as respondents feel that their agencies’ investments remain primarily centered on the external problem.

So, what are agencies doing to tackle internal mistakes? Primarily, they’re bolstering federal security policies with their own security policies for end users. This involves gathering intelligence and providing information and training to employees about possible entry points for attacks.

While this is a good initial approach, it’s not nearly enough.

Additional policies and training alone don't address the root of the problem: the sheer volume of devices and data through which mistakes happen in the first place. Every additional device and data store is another place where an accident can occur. Unauthorized and unsecured devices could be compromising the network at any given time without their users realizing it, and phishing, accidental deletion or modification of critical data, and similar incidents have all become much more likely.

IT professionals need more than intuition and intellect to address compromises that result from internal accidents. As I've written before, networks are simply too complex for that alone. Monitoring for potential security issues should include technology that lets IT administrators pinpoint threats as they arise, so they can be addressed immediately, before damage is done.

Thankfully, there are a variety of best practices and tools that address these concerns and nicely complement the policies and training already in place, including: 

  • Monitoring connections and devices on the network and maintaining logs of user activity that record where on the network activity took place, when it occurred, what assets were on the network, and who was logged into those assets.
  • Identifying what is or was on the network by monitoring network performance for anomalies, tracking devices, offering network configuration and change management, managing IT assets, and monitoring IP addresses.
  • Implementing tools identified as critical to preventing accidental insider threats, such as those for identity and access management, internal threat detection and intelligence, intrusion detection and prevention, SIEM or log management, and Network Admission Control.

Our survey respondents called out each of these tools as useful in preventing insider threats. Together and separately, they help isolate and target network anomalies. Log and event management tools, for example, can monitor the network, detect unauthorized (or, in this case, accidental) activity, and generate analyses and reports. They can help IT professionals correlate a problem, say, a network outage, with a particular user: the asset that went down, who was logged into it at the time, and what was changed on it just before the alert. That user may or may not have inadvertently created the issue, but the correlation tells administrators where to look first. The software, combined with the policies and training, can help administrators address a problem before it goes from simple mistake to "Houston, we have a problem."
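The correlation described above, reduced to its essentials, as an added example that is not part of the original column and not SolarWinds code. It joins three constructed record sets of the kind the tools in the list would collect (session logs of who was logged into which asset and when, a configuration change log, and outage alerts from the monitoring system) and, for each outage, reports the users who held a session on the affected asset at that moment and the most recent change made to it within a hypothetical ten-minute window. The log formats, asset names, user names and timestamps are all invented for illustration.

```python
"""Correlate an outage alert with who was logged in and what they changed.

Added example, not the column's or SolarWinds' own code. Record formats and
sample data below are constructed; the ten-minute window is an assumption.
"""
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample records (hypothetical formats, UTC ISO-8601 timestamps).
SESSION_LOG = [
    # (user, asset, login, logout): who was on which asset, and when
    ("asmith", "core-sw-01", "2024-03-04T08:10:00", "2024-03-04T08:55:00"),
    ("jdoe",   "core-sw-01", "2024-03-04T09:02:00", "2024-03-04T09:40:00"),
    ("jdoe",   "edge-fw-02", "2024-03-04T10:00:00", "2024-03-04T10:20:00"),
]
CHANGE_LOG = [
    # (asset, timestamp, user, description): configuration change records
    ("core-sw-01", "2024-03-04T08:30:00", "asmith", "vlan 40 description updated"),
    ("core-sw-01", "2024-03-04T09:31:10", "jdoe",   "interface Gi1/0/24 shutdown"),
    ("edge-fw-02", "2024-03-04T10:05:00", "jdoe",   "nat rule added"),
]
OUTAGE_ALERTS = [
    # (asset, timestamp, message): alerts raised by the monitoring system
    ("core-sw-01", "2024-03-04T09:32:05", "node down: no SNMP response"),
    ("dist-sw-03", "2024-03-04T11:15:00", "node down: no ICMP response"),
]


def ts(s: str) -> datetime:
    """Parse the constructed ISO-8601 timestamp format."""
    return datetime.fromisoformat(s)


def users_logged_in(asset: str, at: datetime, sessions=SESSION_LOG) -> list:
    """Users who held a session on `asset` at time `at` (the 'who' and 'where')."""
    return sorted(u for u, a, login, logout in sessions
                  if a == asset and ts(login) <= at <= ts(logout))


def last_change_before(asset: str, at: datetime, window: timedelta,
                       changes=CHANGE_LOG) -> Optional[dict]:
    """Most recent recorded change to `asset` within `window` before `at`, or None."""
    best = None
    for a, when, user, desc in changes:
        t = ts(when)
        if a == asset and at - window <= t <= at:
            if best is None or t > best["time"]:
                best = {"time": t, "user": user, "description": desc}
    return best


def correlate_outages(outages=OUTAGE_ALERTS, sessions=SESSION_LOG,
                      changes=CHANGE_LOG, window=timedelta(minutes=10)) -> list:
    """For each outage, attach the logged-in users and the nearest prior change.

    A hit is a lead, not a verdict: a user who was logged in and changed the
    asset shortly before the alert is the first person to ask. An outage with
    no session and no change in the window points away from an insider mistake.
    """
    findings = []
    for asset, when, message in outages:
        at = ts(when)
        present = users_logged_in(asset, at, sessions)
        change = last_change_before(asset, at, window, changes)
        findings.append({
            "asset": asset,
            "outage_time": at,
            "message": message,
            "users_logged_in": present,
            "change": change,
            # seconds between the change and the alert; None if no change found
            "lead_seconds": int((at - change["time"]).total_seconds()) if change else None,
            # True only when the change was made by someone with an open session
            "change_by_logged_in_user": bool(change) and change["user"] in present,
        })
    return findings


if __name__ == "__main__":
    for f in correlate_outages():
        print(f"{f['outage_time']:%H:%M:%S} {f['asset']}: {f['message']}")
        print(f"  logged in: {f['users_logged_in'] or 'nobody'}")
        if f["change"]:
            print(f"  last change {f['lead_seconds']}s earlier by "
                  f"{f['change']['user']}: {f['change']['description']}")
        else:
            print("  no change recorded in window; look for non-insider causes")
```

On the constructed data, the first alert lands 55 seconds after jdoe shut down an interface on the same switch while logged in, which is exactly the kind of lead an administrator wants handed to them rather than reconstructed by hand; the second alert has no session and no change in the window, so the same logic tells them not to go looking for a culprit there. The check that the change's author was actually logged in matters because a change record attributed to a user whose session had ended is itself worth investigating.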

The fact is, data that’s accidentally lost can easily become data that’s intentionally stolen. As such, you can’t afford to ignore accidental threats, because even the smallest error can turn into a very large problem.