What measures should be taken? Authorized attackers hiding in the internal network

Source: Internet

Author: Shen jianmiao

In today's Internet era, many companies and solution providers lag behind in their approach to data security. The firewall and VPN technologies we usually talk about cannot eliminate security risks completely. What measures should a company take, especially against authorized users who attack from inside the internal network?

The 80/20 dilemma

To ensure that only authorized users can access and exchange data, and that the data stays clean, many companies have deployed firewalls, intrusion detection solutions, and anti-virus software. However, surveys show that only 20% of data corruption is caused by people outside the company. This means that even making full use of existing technologies solves only one fifth of security problems; these solutions do not eliminate the risk posed by internal authorized users.

Intrusion detection packages cannot report internal intrusions to administrators, and, more worryingly, they cannot determine the extent of the damage caused by internal employees.

To overcome this challenge, many organizations use query-based internal analysis tools to strengthen internal security and discover unauthorized activity. Although query-based analysis is an effective way to detect security vulnerabilities or abuse of network permissions, it is only a passive remedy: even the most vigilant query-based analysis usually arrives an hour late.

Controlling the critical 80%

To control the critical 80% of security vulnerabilities, the key is to answer four fundamental questions: 1. What happened? 2. When exactly did it happen? 3. Who is doing the damage? 4. What measures should we take?

A query-based analysis tool can answer only the first question. By comparing its reports with earlier ones, it accurately records changes to important network parameters in its log. However, it can only inspect the current state of the network; it cannot identify who is destroying, damaging, or affecting it. Without this information and real-time tracking, internal security remains passive. Only proactive security policy management can effectively control the 80% of attacks that are hard to guard against.

Proactive security policy management raises the concept of intrusion detection to a more effective and reasonable level, one that covers internal intrusion as well. Internal security vulnerabilities lie in people rather than technology. Therefore, the focus should be on identifying problems and filling vulnerabilities, then quickly turning to identifying who is responsible, taking remedial measures, and eliminating the possibility of a recurrence. If you do not know who the perpetrator is, the problem cannot be solved.

Three types of internal security hazards

Internal security hazards fall into three categories: operational errors, deliberate damage, and user ignorance. Operational errors include users inadvertently obtaining permissions they should not have. Although they are not malicious, these newly authorized users can inadvertently cause serious damage to data and systems. The correct measure is to revoke the excess permissions. However, query-based analysis cannot show who holds the permission that caused the problem or who granted it.

Deliberate damage by valued and departing employees is the second category. Possible internal security vulnerabilities include an employee who resents leaving the company and plants a Trojan horse to keep access, or a serving employee who damages systems before being dismissed or transferred. Poor management of user and group permissions often leaves employees who left the company long ago still able to access critical systems. For such malicious events, the correct measures include revoking permissions, eliminating opportunities for mischief, and notifying administrators; if necessary, collect evidence that records the illegal activity. Traditional security measures such as intrusion detection and query-based analysis cannot show who is behind such activity.

For companies that place a high priority on storage space and work efficiency, security vulnerabilities caused by employee ignorance can be very costly. If an employee downloads large numbers of MP3 and image files and the server is overwhelmed, the overload will degrade the performance of the entire network. Reasonable policy responses include educating users, deleting files that violate policy, and notifying administrators and management. Query-based analysis cannot take these actions.

A company's proactive security policy management tools, including real-time event tracking and automatic policy enforcement, can catch every breach of internal security policy. Whether the breach is intentional or not, a sound policy tracked by real-time review tools with real-time enforcement can eliminate almost all major security vulnerabilities. Such a tool reveals who broke security, what was damaged, and when; but perhaps more importantly, it can take self-healing actions to return the system to its state before the attack.

Using security management tools

A true security policy management tool should include real-time review of directories and servers: continuous automatic monitoring of directories to detect changes to user permissions and group accounts, and vigilant monitoring of servers for suspicious file activity. Whether an unauthorized user tries to access personal files or a bored employee downloads MP3 files, the tool notifies the responsible administrator and automatically takes the pre-scheduled action.

With real-time tracking, notification, and repair, the danger of internal security damage can be controlled easily and with little management effort. If a departed employee begins accessing important data through a Trojan horse, the tool likewise notifies the administrator, who can review the tracked activity, eliminate the backdoor, and restore all affected data to its state before the damage.
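The monitoring loop described above, as an added example that is not part of the original article: two ACL snapshots are diffed to find newly granted rights, a directory audit record supplies who granted them and when, excess rights are marked for revocation, and server file events are checked against a banned-file policy. All share names, users, timestamps and paths are constructed sample data.

```python
"""Added example (not from the article): a minimal proactive policy monitor that
answers the four questions (what, when, who, action) for two insider hazards the
article names: excess permissions granted to a user, and policy-violating files
(e.g. MP3s) appearing on a server. All data below is constructed and hypothetical."""
from dataclasses import dataclass

# Constructed ACL snapshots of a file share: resource -> {user: set(rights)}
BEFORE = {"//fs01/finance": {"alice": {"read"}, "bob": {"read"}}}
AFTER = {"//fs01/finance": {"alice": {"read"}, "bob": {"read", "write", "full"}}}
# Constructed directory audit records: who changed which principal's rights, and when
AUDIT = [{"resource": "//fs01/finance", "principal": "bob", "by": "carol",
          "when": "2004-03-01T09:15:00Z"}]
# Policy: the rights each user may hold; anything beyond it is excess and is revoked
ALLOWED = {"alice": {"read"}, "bob": {"read"}}
BANNED_EXT = (".mp3", ".avi")   # file types the policy forbids on the server

@dataclass
class Event:
    what: str
    when: str
    who: str
    action: str

def permission_changes(before, after, audit):
    """Diff two ACL snapshots; report added rights with who granted them and when."""
    events = []
    for res, acl in after.items():
        for user, rights in acl.items():
            added = rights - before.get(res, {}).get(user, set())
            if not added:
                continue
            rec = next((a for a in audit
                        if a["resource"] == res and a["principal"] == user), None)
            who, when = (rec["by"], rec["when"]) if rec else ("unknown", "unknown")
            excess = added - ALLOWED.get(user, set())
            action = (f"revoke {sorted(excess)} from {user}; notify admin"
                      if excess else "log only")
            events.append(Event(f"{user} gained {sorted(added)} on {res}", when, who, action))
    return events

def file_activity_violations(file_events):
    """Flag server file activity that violates policy; events are (path, user, time)."""
    return [Event(f"forbidden file {path}", when, user,
                  f"delete {path}; educate {user}; notify admin")
            for path, user, when in file_events if path.lower().endswith(BANNED_EXT)]

FILE_EVENTS = [("/srv/share/song.mp3", "dave", "2004-03-01T10:02:00Z"),
               ("/srv/share/report.doc", "alice", "2004-03-01T10:05:00Z")]
```

Calling `permission_changes(BEFORE, AFTER, AUDIT)` and `file_activity_violations(FILE_EVENTS)` yields one event each, carrying the what, when, who and prescribed action that a query-based report alone would not provide.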

The only way to comply with regulations

Many countries have now enacted data security legislation. For example, the new security requirements of the US HIPAA law have a major effect on how companies treat data security. HIPAA includes a series of strict security measures; first among them, auditing and tracking are required. Of course, simply knowing that an incident occurred does not give an organization the security it needs: it must be able to determine who the perpetrator was, when the incident occurred, and what its impact was. Wise companies require a comprehensive and fast way to repair the damage. To obtain all these benefits, the only choice is to use security policy management tools.

--------------------------------------------------------------------------------

What does the 80/20 rule tell us?

In the network security industry an 80/20 rule is popular: 80% of security threats come from inside the network. That is to say, hackers are no longer the most alarming danger; the real "enemy" is hidden inside. Therefore, to ensure network security, we must manage the internal network as well as doing boundary protection well. Hence the current view of security: the highest level of security is not a product, nor a service, but management. Without sound management ideas, a strict management system, responsible management personnel, and management procedures in place, there is no real security.
