According to the recent X-Force Threat Intelligence Index 2020, more than 8.5 billion records were exposed due to breaches in 2019, and 86 percent of those records were exposed because of misconfigured assets. By comparison, misconfigurations accounted for roughly half of the records breached in 2018, and the 2017 report stated that 70 percent of the 2.9 billion records lost that year were due to misconfigurations.
These statistics paint a picture of what inadvertent insider threats can look like. While we may imagine inadvertent insiders as careless people clicking on dodgy emails, this image needs to be updated to include a wider variety of poor security hygiene behaviors. Arguably, the greater source of security incidents in our environments is people creating cloud servers that are set with dangerously unrestricted permissions.
Unmonitored Additions Increase Inadvertent Insider Risk
How safe would you feel driving a well-engineered car full of innovative safety features that has been regularly tested to do well in crash scenarios? Would you feel differently if the car was engineered on the fly with no tests to verify whether legally mandated safety features are actually being used properly?
In the case of misconfigured servers and other digital assets, it’s as if everyone on the manufacturing floor were adding unexpected parts to the final automotive product and just hoping for the best. Since there is no monitoring of the process, there’s no telling what effect one part will have on the others or how the final product might endanger the life of the driver.
In an environment where people routinely implement shadow IT options, including entire databases full of sensitive customer information, there is no way to verify that our environments are truly secure. As more and more industries are made to comply with regulations that mandate the use of “reasonable” security practices, companies could accrue huge fines if they experience breaches due to misconfigured assets.
In a previous article, I argued that we needed more than security awareness to improve our security posture against the risk of insider threats. The increase in breaches due to misconfigured servers is further proof that security experts need to learn new ways to address inadvertent insider threats.
Expectations Versus Reality
According to last year’s “Cloud Adoption and Risk Report” from McAfee, most organizations surveyed believed that only 30 cloud services were in use in their environment. However, the report found that the average organization actually uses closer to 1,900 unique cloud services, and that 20 percent of all files stored in the cloud contain sensitive data — an amount that has increased by 53 percent year-over-year.
For a security practitioner, these statistics naturally bring up a few questions: What services are being used? Who is using them? Who creates or maintains these servers? What purpose do they serve, and could they be replicated in a safer environment? Presumably, these are not assets that are being created with the blessing and supervision of IT or security departments.
The best way for you to answer these questions within your environment is to have an ongoing dialogue with people in your organization. The people who use your network are its eyes and ears, and it’s critical that they feel comfortable telling you what products and services are being used, especially those which involve sensitive data.
However, communication is only the beginning. There are other steps you can and should take to identify and remediate insider threats.
Implement Traffic Monitoring and Blocking
While open lines of communication with your employees can bring a variety of important benefits, you should also be checking network traffic to determine which cloud services are being used within your organization, by whom, and how often. Getting a sense of what kinds of traffic are normal for your environment gives you a baseline, and a baseline is what lets you see when things have gone amiss, whether because people are creating unapproved cloud services or because a criminal is exfiltrating data from your network.
Plenty of businesses block staff from accessing popular cloud services at the gateway, but be wary that if you do this without discussing it with your employees first, you’re liable to drive shadow IT further underground rather than bring it to light.
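As an added illustration of the traffic check described above (this is example code, not code from the original article), the script below reads constructed outbound proxy log lines in a simplified timestamp / user / destination / bytes format that does not correspond to any real proxy's log, maps destinations to cloud services, lists the services that are not on a constructed approved list together with who is using them, and flags users whose upload volume jumps well above their own baseline. The domain-to-service mapping, the approved list, the log lines and the outlier threshold are all assumptions made for the example.

```python
"""Shadow-IT discovery from outbound proxy logs.

Added example, not code from the original article. Each log line uses a
constructed, simplified format (not any real proxy's):
    <timestamp> <user> <destination host> <bytes sent> <bytes received>
The service mapping, approved list and sample lines are all assumptions.
"""
import re
import statistics
from collections import defaultdict

# Constructed mapping of destination domains to cloud service names; any
# host not covered here is reported as an unknown service.
KNOWN_SERVICES = {
    "drive.google.com": "Google Drive",
    "dropbox.com": "Dropbox",
    "s3.amazonaws.com": "Amazon S3",
    "wetransfer.com": "WeTransfer",
}

# Constructed list of services the organization has sanctioned.
APPROVED = {"Google Drive", "Amazon S3"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)$")

# Constructed sample traffic: a quiet baseline week, then a day that
# contains a large upload to an unapproved file-transfer site and traffic
# to an unknown cloud database nobody told security about.
BASELINE_LINES = [
    "2020-03-02T09:01:10 alice drive.google.com 20480 4096",
    "2020-03-02T14:22:05 alice drive.google.com 30720 2048",
    "2020-03-03T10:15:31 bob s3.amazonaws.com 10240 512",
    "2020-03-04T11:40:12 bob s3.amazonaws.com 12288 512",
    "2020-03-05T16:03:58 carol drive.google.com 8192 1024",
]
RECENT_LINES = [
    "2020-03-09T08:12:44 bob wetransfer.com 52428800 1024",
    "2020-03-09T09:30:02 alice drive.google.com 25600 1024",
    "2020-03-09T10:05:19 carol customer-db.example-cloud.net 4096 65536",
    "this line is malformed and must be skipped",
    "2020-03-09T13:47:51 dave dropbox.com 40960 1024",
]


def parse_line(line):
    """Parse one log line into a dict; returns None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, host, sent, recv = m.groups()
    return {"ts": ts, "user": user, "host": host, "sent": int(sent), "recv": int(recv)}


def service_for(host):
    """Map a host (or any subdomain of a known domain) to a service name."""
    for domain, name in KNOWN_SERVICES.items():
        if host == domain or host.endswith("." + domain):
            return name
    return None


def inventory(lines):
    """Return {service: set(users)} for every service seen, unknown hosts included."""
    seen = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        seen[service_for(rec["host"]) or "unknown:" + rec["host"]].add(rec["user"])
    return dict(seen)


def unapproved(lines):
    """Services in use that are not on the approved list, with who uses them."""
    return {svc: users for svc, users in inventory(lines).items() if svc not in APPROVED}


def egress_outliers(baseline_lines, recent_lines, factor=5.0):
    """Flag recent records whose bytes sent exceed `factor` times the user's baseline median.

    The median (not the mean) is used so one large upload in the baseline
    cannot mask later exfiltration. Users with no baseline fall back to the
    median across all users.
    """
    per_user = defaultdict(list)
    for rec in filter(None, map(parse_line, baseline_lines)):
        per_user[rec["user"]].append(rec["sent"])
    all_sent = [s for sends in per_user.values() for s in sends]
    if not all_sent:
        raise ValueError("baseline contains no parsable lines")
    global_median = statistics.median(all_sent)
    flagged = []
    for rec in filter(None, map(parse_line, recent_lines)):
        history = per_user.get(rec["user"])
        median = statistics.median(history) if history else global_median
        if rec["sent"] > factor * median:
            flagged.append((rec["user"], rec["host"], rec["sent"]))
    return flagged


if __name__ == "__main__":
    for svc, users in sorted(unapproved(BASELINE_LINES + RECENT_LINES).items()):
        print("unapproved service %-40s users: %s" % (svc, ", ".join(sorted(users))))
    for user, host, sent in egress_outliers(BASELINE_LINES, RECENT_LINES):
        print("egress outlier: %s sent %d bytes to %s" % (user, sent, host))
```

Run against the constructed lines, the inventory surfaces three things an approved-services list alone would never show you: a sanctioned user on an unsanctioned file-transfer site, a host nobody has classified at all (the `unknown:` entry, which is exactly the shadow database the article warns about), and one user whose upload volume is far outside their own history. The unknown bucket is the one to chase first, because the conversation with its owner is what tells you whether sensitive data lives there.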
Create an Acceptable Use Policy for Cloud Services
If you already have a serious shadow IT problem, taking time to develop an acceptable use policy that covers cloud services might feel a bit like shoving toothpaste back into the tube. Still, it’s better to be late rolling out thorough policies than never to have them at all. You must have rules in place to clarify the steps that should be taken before a cloud-based asset can be added. This will help to ensure that such devices and services can be monitored and assessed in line with the appropriate predefined security settings.
Make sure these policies include a list of positive actions employees can take in addition to a list of prohibited actions. If you do establish disciplinary consequences for failing to adhere to policies, you must do so in a way that does not make people too afraid to report mistakes or accidents.
Include Cloud Services in Your Risk Assessments
As you identify cloud services in your environment, your next step should be to give them a thorough inspection. Whether you’re simply checking that the services are using the best available security settings or migrating them to an approved platform, you must implement processes that make sure they’re still secure as time goes on.
If you’re not already doing ongoing risk assessments, now is a good time to start. Add any cloud services you identify to your asset inventory so they are covered in future assessments rather than rediscovered each time. It can be tempting to assume that cloud service providers will take care of security measures, but they can’t reasonably be expected to keep us from shooting ourselves in the foot if we make changes that decrease our own security.
Some cloud service providers are trying to do exactly that by providing scanning for misconfigured services, but it’s likely that someone could click through these warnings without fully understanding them, leaving critical data in danger.
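To make concrete what a misconfiguration scan of the kind mentioned above actually looks for, here is an added example that is not code from the article or from any provider's tool. It audits a constructed snapshot of cloud storage policies and server firewall rules for the two problems the article keeps returning to: storage readable by anyone, and servers reachable from the whole internet on ports that have no business being public. The snapshot mirrors the shape of an AWS S3 bucket policy document and of EC2 security-group IpPermissions, but every bucket, group, ID and rule in it is constructed, and the list of ports considered acceptable to expose is an assumption.

```python
"""Offline check of a constructed cloud configuration snapshot for the two
misconfigurations the article keeps returning to: storage readable by
everyone and servers exposed to the whole internet.

Added example, not code from the article or any provider's scanner. The
dictionaries mirror the shape of an S3 bucket policy document and of EC2
security-group IpPermissions, but every bucket, policy, group, ID and rule
below is constructed for this example.
"""
import ipaddress

# Ports acceptable to expose to the world on an internet-facing service;
# anything else reachable from 0.0.0.0/0 or ::/0 is reported. Assumption.
WEB_PORTS = {80, 443}

SNAPSHOT = {
    "buckets": [
        {"name": "customer-exports", "policy": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": "*",
             "Action": ["s3:GetObject", "s3:ListBucket"],
             "Resource": ["arn:aws:s3:::customer-exports", "arn:aws:s3:::customer-exports/*"]}]}},
        {"name": "internal-logs", "policy": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::internal-logs/*",
             "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}},
    ],
    "security_groups": [
        {"GroupId": "sg-db", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
        {"GroupId": "sg-web", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    ],
}


def _principal_is_anyone(principal):
    """True for both spellings of 'everyone' in a policy: "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_statements(policy):
    """Allow statements granting access to any principal with no Condition.

    A Condition (here, a VPC-endpoint restriction) is treated as narrowing
    the grant and is not reported; a real scanner must evaluate what the
    condition actually permits rather than trusting its mere presence.
    """
    return [s for s in policy.get("Statement", [])
            if s.get("Effect") == "Allow" and not s.get("Condition")
            and _principal_is_anyone(s.get("Principal"))]


def world_open_rules(ip_permissions):
    """(protocol, from_port, to_port, cidr) for rules reachable from any address on a non-web port."""
    findings = []
    for rule in ip_permissions:
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if ipaddress.ip_network(cidr, strict=False).prefixlen != 0:
                continue  # a real prefix, not "anyone"
            proto, lo, hi = rule.get("IpProtocol", "-1"), rule.get("FromPort"), rule.get("ToPort")
            if proto == "-1" or lo is None or hi is None:
                findings.append((proto, lo, hi, cidr))  # all protocols / all ports
            elif set(range(lo, hi + 1)) - WEB_PORTS:
                findings.append((proto, lo, hi, cidr))
    return findings


def audit(snapshot):
    """Return (severity, resource, message) findings for a snapshot."""
    findings = []
    for bucket in snapshot.get("buckets", []):
        for stmt in public_statements(bucket.get("policy", {})):
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            findings.append(("HIGH", bucket["name"],
                             "bucket policy grants %s to everyone" % ", ".join(actions)))
    for sg in snapshot.get("security_groups", []):
        for proto, lo, hi, cidr in world_open_rules(sg.get("IpPermissions", [])):
            ports = "all ports" if proto == "-1" or lo is None else "%s %d-%d" % (proto, lo, hi)
            findings.append(("HIGH", sg["GroupId"], "%s open to %s" % (ports, cidr)))
    return findings


if __name__ == "__main__":
    for severity, resource, message in audit(SNAPSHOT):
        print("%s %-18s %s" % (severity, resource, message))
```

Two of the three findings are the textbook cases (a bucket listable by anyone, a database port open to the internet); the third, an all-protocols rule open to every IPv6 address on a group that otherwise looks sane, is the kind of line someone adds "just to get it working" and never revisits. Note also what the check deliberately does not flag: the `internal-logs` statement has `"Principal": {"AWS": "*"}` but carries a Condition, and this simple scanner trusts that. A person clicking through a provider's warning is making the same kind of silent assumption, which is why a scan result is the start of an assessment, not a verdict.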
Cloud services provide a new way for inadvertent insiders to create holes in our defenses. If poor communication between security staff and the rest of the organization allows shadow IT options to proliferate unchecked, we will be making our own jobs harder. Tools and technology can do a lot to help us see what’s going on in our environment, but listening to the people we work with and communicating why we do what we do are equally important in making our companies’ assets secure.