P. 22
Yes, hackers have gotten a lot of press coverage by carrying out insider-style attacks. They can steal credentials using phishing attacks or malware.

Once inside, they can expand their foothold, learn the enterprise's network, identify vulnerable assets and exfiltrate data.

By the time the breach is discovered, they're gone. As excruciating as the breach is for the enterprise, the damage is typically self-limited, since most attackers are not going to stick around.

But what about genuine insiders? Just sitting at their desks they already have the credentials to get into sensitive systems.

They already know the layout of the enterprise's network, and what's worth stealing.

Worse, that combination of credentials and knowledge also allows them to cover their crime.

Rather than grabbing what they can in one big raid, they will slowly bleed assets from the enterprise, creating the potential for open-ended damage that will continue until the crime's discovery—which may not come for a long time.

Organizations can blindly trust people to do what they are supposed to do — or implement a Threat Deterrence risk model. This approach integrates policies, procedures and technical controls.

Policies should include human resources and legal requirements. Procedures should include physical controls and data ownership. Technical controls should span IT security policies including Information Assurance and software engineering.

To avoid vulnerabilities in any of these three domains, controls should:
● Establish a threat model that defines expected attacks
● List assets that must be protected, classified as to their nature and the protections they require
● Assess controls currently in place to identify any gaps in coverage
● Identify the owners and custodians of the assets
● Create an acceptable risk baseline that can be tested, automated and made actionable

Most organizations already have various levels of such controls, albeit in various levels of maturity, usually built around frameworks from NIST, ISO, COBIT, or some combination of these.

“Insider threat detection platforms that can predict patterns”

Central to such precautions is diligent management of all insiders' (employee, contractor, partner, etc.) access privileges using a zero trust model, where verification is always required.
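As an added illustration (not from the article) of the last bullet above, a risk baseline that can be tested and automated: the script encodes the threat model's required protections per asset classification, checks a constructed asset inventory for missing controls and for assets with no owner or custodian, and reports the gaps. All classifications, control names and asset names are hypothetical.

```python
"""Automated check of an acceptable-risk baseline over an asset inventory."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Threat model output: protections each classification must have.
# Classification and control names are hypothetical, constructed here.
BASELINE: Dict[str, Set[str]] = {
    "public": set(),
    "internal": {"mfa", "access-logging"},
    "confidential": {"mfa", "access-logging", "encryption-at-rest",
                     "quarterly-access-review"},
}

@dataclass
class Asset:
    name: str
    classification: str
    owner: Optional[str]        # accountable owner
    custodian: Optional[str]    # team that operates the asset
    controls: Set[str] = field(default_factory=set)  # controls in place

def assess(assets: List[Asset]) -> Dict[str, List[str]]:
    """Return {asset name: [gap, ...]} for every asset failing the baseline."""
    gaps: Dict[str, List[str]] = {}
    for a in assets:
        found: List[str] = []
        if a.classification not in BASELINE:
            found.append(f"unknown classification {a.classification!r}")
        else:
            for ctl in sorted(BASELINE[a.classification] - a.controls):
                found.append(f"missing control {ctl}")
        if a.owner is None:
            found.append("no owner assigned")
        if a.custodian is None:
            found.append("no custodian assigned")
        if found:
            gaps[a.name] = found
    return gaps

def baseline_met(assets: List[Asset]) -> bool:
    """True only when no asset has a gap; suitable as a CI/compliance gate."""
    return not assess(assets)

# Constructed sample inventory for demonstration.
SAMPLE = [
    Asset("hr-payroll-db", "confidential", "hr-director", "dba-team",
          {"mfa", "access-logging", "encryption-at-rest"}),
    Asset("intranet-wiki", "internal", "it-ops", None, {"mfa", "access-logging"}),
    Asset("public-website", "public", "marketing", "web-team"),
]

if __name__ == "__main__":
    for name, issues in assess(SAMPLE).items():
        print(f"{name}: " + "; ".join(issues))
```

Run on the sample, it flags the payroll database for a missing quarterly access review and the wiki for having no custodian, while the public website passes.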
CYBER DEFENSE MAGAZINE - ANNUAL EDITION 3