This is the first in a two-part series looking at the various threat vectors. A threat vector is a way that a hacker can get to your computer and its data. This first part examines the INTERNAL ways a hacker can get in; the second part will examine the EXTERNAL ways they can get into your computer.
To begin, here is an outline of the internal threats. Each item is explained in detail below the outline:
- Malicious insider
- Sale of credentials
- Planted malware
- Theft of data, IP, etc.
- Scams
- Click on bad link
- Phishing
- Downloading infected apps
- Installing plug-ins/modules that have malware
- Accidental transmission of data/msg to the wrong target
- BYOD
- USB
- Stolen device
Malicious Insider – This is someone who works for you and has access to at least one computer and the company network. This is not accidental; it is deliberate and malicious.
Sale of Credentials – The going rate on the market for stolen credentials varies but is mostly less than $200. Since this comes from an insider you will need, at a minimum, two-factor authentication, but keep in mind that the insider could temporarily change the registered phone to that of the person they sell the credentials to. The insider may also choose to use their own login for their own gain.
This can be countered with a policy on the use of employee computers, with penalties for being found in areas of the network not directly related to their job. Two-factor authentication will help with stolen credentials, and access control will limit where in the network the insider or their credentials can take them.
Planted Malware – This is where the insider deliberately plants malware on their computer, which may then propagate throughout the company. Remember that this person can temporarily disable the virus protection on their computer while they plant the malware. This is difficult to defend against. The best defense is to put a camera (working or not) filming each computer, or software that snaps a copy of the screen at intervals. Both of these will help catch the perpetrator but will not prevent their actions.
Theft of Data, IP, Etc. – This is where the insider downloads copies of company information and exfiltrates (removes) it from the company via email, USB, or upload to a website. Software that monitors downloads and raises an alarm when a user goes over a daily limit will be helpful here.
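One way to implement the "alarm over a daily limit" monitor just described, as an added example that is not from the original post: it sums the bytes each user moves per day across the download, USB, email and upload channels and reports every user-day over the limit. The log format, the 500 MiB limit and the sample lines are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the post): "<ISO timestamp> <user> <channel> <bytes>"
SAMPLE_LOG = """\
2024-03-04T09:12:01 alice download 5242880
2024-03-04T09:40:33 alice usb 2097152
2024-03-04T10:05:10 bob download 1048576
2024-03-04T13:22:45 alice upload 734003200
2024-03-04T14:00:00 bob email 52428800
2024-03-05T08:30:00 alice download 1048576
this line is malformed and is skipped
"""

DAILY_LIMIT_BYTES = 500 * 1024 * 1024  # assumed policy: 500 MiB per user per day


def parse_log(text):
    """Yield (day, user, channel, bytes) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, channel, size = parts
        try:
            day = datetime.fromisoformat(ts).date().isoformat()
            yield day, user, channel, int(size)
        except ValueError:  # bad timestamp or non-numeric size
            continue


def daily_totals(text):
    """Sum bytes moved per (day, user), keeping a per-channel breakdown."""
    totals = defaultdict(lambda: {"total": 0, "by_channel": defaultdict(int)})
    for day, user, channel, size in parse_log(text):
        entry = totals[(day, user)]
        entry["total"] += size
        entry["by_channel"][channel] += size
    return totals


def alerts(text, limit=DAILY_LIMIT_BYTES):
    """Return (day, user, total_bytes, channels) for every user-day over the limit."""
    out = []
    for (day, user), entry in sorted(daily_totals(text).items()):
        if entry["total"] > limit:
            out.append((day, user, entry["total"], dict(entry["by_channel"])))
    return out


if __name__ == "__main__":
    for day, user, total, by_channel in alerts(SAMPLE_LOG):
        print(f"ALERT {day} {user}: {total / 2**20:.0f} MiB via {by_channel}")
```

The per-channel breakdown in each alert tells the responder whether the volume left by email, USB or a web upload, which is what the post lists as the exfiltration routes.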
Scams – This is where the insider uses their inside knowledge of the company to pull a scam on the company via computer, in person, or over the phone. Training is a good defense against scams.
Click on Bad Link – The user clicks on a website or a link in an email that downloads malware or attacks their computer through a web page. This can be prevented by employee training and by whitelisting the sites that are allowed.
Phishing – A compelling email is sent to the user to trick them into clicking a link, which often asks for their credentials under one guise or another. Again, user training will help here, as will whitelisting the sites that are allowed.
Downloading Infected Apps – The user downloads and installs an app on their computer which contains malware. The best prevention is a computer policy that prevents the user from installing software on their computer.
Installing Plug-ins/Modules that Have Malware – This is the case where the downloaded software is fine but a module downloaded to ‘enhance’ it is not. Again, the best prevention is a computer policy that prevents the user from downloading and installing anything on their computer.
Accidental Transmission of Data/Msg to the Wrong Target – Ever sent an email to the wrong person? What if it contains important company data which then gets into the wrong hands? The solution is to limit the amount of data available to a given employee and to grade information by security level. Don’t allow certain levels to be emailed at all, or to be emailed outside the company.
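An added example (not from the original post) of the grading rule above as an outbound-mail check: each message carries a classification label, some labels may not be emailed at all, some only to company addresses, and a mistyped recipient domain is refused rather than guessed. The three labels, the policy table and the company domain are assumptions.

```python
COMPANY_DOMAIN = "example.com"  # assumed placeholder for the organisation's own domain

# Assumed grading scheme; the post only says data should be graded by security level.
POLICY = {
    "public":     {"email": True,  "external": True},   # may leave the company
    "internal":   {"email": True,  "external": False},  # company addresses only
    "restricted": {"email": False, "external": False},  # never by email
}


def recipient_domain(address):
    """Return the lower-cased domain of an email address, or None if malformed."""
    if address.count("@") != 1:
        return None
    return address.rsplit("@", 1)[1].lower()


def check_outbound(label, recipients):
    """Decide whether a message labelled `label` may go to `recipients`.

    Returns (allowed, reasons). Every blocking reason is listed so the sender
    can see which recipient (e.g. a typo'd domain) tripped the rule.
    """
    rules = POLICY.get(label.lower())
    if rules is None:
        return False, [f"unknown classification '{label}'"]
    if not rules["email"]:
        return False, [f"'{label}' data may not be emailed at all"]
    reasons = []
    for addr in recipients:
        dom = recipient_domain(addr)
        if dom is None:
            reasons.append(f"malformed recipient '{addr}'")
        elif dom != COMPANY_DOMAIN and not rules["external"]:
            reasons.append(f"'{label}' data may not leave the company: {addr}")
    return not reasons, reasons


if __name__ == "__main__":
    # Constructed case: an internal report with one recipient's domain mistyped.
    ok, why = check_outbound("internal", ["a@example.com", "b@exmaple.com"])
    print("allowed" if ok else "blocked", why)
```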
BYOD – As a society we are addicted to our phones and tablets. We bring our device to work and connect it to the wireless network. The night before, we installed a new app which has malware, and when it sees a network it begins to infect the company. A variant of this can infect a computer that the device is plugged into just to recharge. The best defense against this is a policy of no BYOD, company phones on each desk, and a set of lockers outside the security entrance where an employee can lock away their device for the day. Expect resistance and withdrawal symptoms. Some will not want to work at your company if you do this, but you have to wonder how much of the day would have been lost to use of a personal device during the company workday.
USB – A computer consultant told me that before he met with the cyber security defending team he would scatter USB devices that looked high-tech in the parking lot. Each had malware that rang a bell on his website. He generally got a 20% response before he even got to his meeting with the security people in the company. The solution is to disable USB ports and to provide company training. A variation of this ploy is to scatter brightly colored USB devices at your children’s school, on the sidewalk, or even in front of your home.
Stolen Device – A device is taken off premises and gets stolen. The best prevention is to encrypt the hard drive so that the only loss is the device itself, not the data on it.
In part two, we will examine the various threat vectors from outside your computer.