A recent federal cybersecurity survey by SolarWinds found federal IT professionals feel threats posed by careless or malicious insiders or foreign governments are at an all-time high. Worse, hackers aren’t necessarily doing technical gymnastics to navigate through firewalls or network defenses. Instead, they’re favoring some particularly vulnerable targets: agency employees.
The vast majority of these employees are honest, hard-working people dedicated to keeping our country and its information safe. But they are human beings and can make mistakes. Who hasn’t worked a 12-hour shift and, bleary-eyed at the end of a long night, accidentally clicked on an email from a suspicious source? Which administrator hasn’t forgotten to change user authorization protocols after an employee leaves an agency?
These errors aren’t intentional, but they could be costly. A recent study found that 47 percent of business leaders claimed that human error caused data breaches within their organizations.
The “people problem”
Hackers understand that people can be vulnerable and look to exploit their vulnerabilities in a number of ways. Phishing attacks and stealing passwords through a keylogger attack are some of the more common threats. Hackers have also been known to simply guess a user’s password or log into a network with former employees’ old credentials if the administrator neglects to change their authorization.
This “people problem” has become perhaps the biggest challenge facing federal IT managers. The challenge has grown so big—and the methods that attackers are using have become so sophisticated—that attempting to address the problem through manual security processes has become nearly impossible. Instead, agency IT professionals should automate their security protocols to have their systems look for suspicious user patterns and activities that could go undetected by a human network administrator.
Targeting security at the user level
Focusing on an agency’s users requires a more targeted approach than broad-brush automated network monitoring. Automating access rights management and user activity monitoring brings security down to the level of the individual user.
Access rights management has been a top challenge for many IT managers. It can be difficult to ascertain who has or should have access rights to particular applications or data, particularly in a large Department of Defense agency. Reporting on and auditing access rights can be an onerous task that invites human error.
Automating access rights management can take a burden off managers while improving their security posture. Managers can leverage an automated access rights management system to assign user authentication and permissions and to analyze and enforce those rights. Automated access rights management reinforces a zero-trust mentality for better security while ensuring that the right people have access to the right data.
User activity monitoring should be considered an essential adjunct to access rights management. Administrators must know who’s using their networks and what they’re doing while there. However, networks have grown enormously complex, making it impossible to manually analyze all user activity.
Fortunately, managers can automate user tracking and receive notifications when something suspicious takes place. The system can look for anomalous behavioral patterns that may indicate that a user’s credentials have been compromised or that data has been accessed without authorization. It can also detect when a user may be attempting to exfiltrate data.
For example, when the system discovers that a user in Virginia who normally works a regular 8:00 a.m. to 5:00 p.m. day suddenly starts logging in at 3:00 a.m. from a foreign country, it could raise a red flag. Perhaps that user’s credentials have been stolen by a foreign entity. A situation like that would be extremely difficult for a single security manager to detect, but the automated system can discover the pattern, immediately shut down access to the network for that user, and alert the manager before any damage is done.
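The baseline-and-deviation check this scenario describes, as an added example in Python (not code from the article or from any SolarWinds product): the log lines, the user `jdoe`, the two-hour slack around learned hours and the placeholder country code `XX` are all constructed assumptions.

```python
# Added example (not SolarWinds code): learn each user's usual logon hours and
# countries from past events, then flag new logons that break that pattern.
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data); fields: timestamp,user,country,result.
SAMPLE_LOG = """\
2024-03-04T08:02:11,jdoe,US,success
2024-03-05T17:01:40,jdoe,US,success
2024-03-06T07:58:33,jdoe,US,success
2024-03-07T16:45:12,jdoe,US,success
2024-03-09T03:12:27,jdoe,XX,success
"""

def parse(log_text):
    """One dict per CSV line, with the timestamp parsed to a datetime."""
    rows = (line.split(",") for line in log_text.splitlines())
    return [{"ts": datetime.fromisoformat(t), "user": u, "country": c, "result": r}
            for t, u, c, r in rows]

def build_baseline(events):
    """Per user: hours of day and countries seen in successful logons."""
    baseline = defaultdict(lambda: {"hours": set(), "countries": set()})
    for e in events:
        if e["result"] == "success":
            baseline[e["user"]]["hours"].add(e["ts"].hour)
            baseline[e["user"]]["countries"].add(e["country"])
    return baseline

def detect(events, baseline, hour_slack=2):
    """Flag logons > hour_slack hours from every learned hour, or from an unseen country."""
    alerts = []
    for e in events:
        b = baseline.get(e["user"])
        reasons = []
        if b is None:
            reasons.append("unknown user")
        else:
            if all(abs(e["ts"].hour - h) > hour_slack for h in b["hours"]):
                reasons.append("off-hours")
            if e["country"] not in b["countries"]:
                reasons.append("new country")
        if reasons:
            alerts.append((e["user"], e["ts"].isoformat(), reasons))
    return alerts

def check_sample(cutoff="2024-03-09"):
    # Train on events before the cutoff day, evaluate the rest; returns the alerts.
    events = parse(SAMPLE_LOG)
    cut = datetime.fromisoformat(cutoff)
    history = [e for e in events if e["ts"] < cut]
    return detect([e for e in events if e["ts"] >= cut], build_baseline(history))
```

Both reasons firing on one logon is the credential-theft pattern the paragraph describes; an alert that carries only one of them (an early start from the usual country, say) is a weaker signal and a candidate for a lower-severity notification rather than an automatic lockout.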
Monitoring the sites that users visit is also important. Threat detection isn’t just about malware, and administrators should strive to always know where their users have been. When someone visits a suspicious website, it will show on a user’s log report. If a user is continually visiting LinkedIn, it could indicate that the employee is thinking about leaving the organization. That person could be considered high risk and should be watched more closely to ensure they do not take sensitive data with them.
Active response management
Some suspicious activity is even harder to detect. It can be difficult to ascertain when a system has mysteriously begun communicating with a known command and control server, for example—and nearly impossible unless the manager is specifically looking for it. That lack of visibility makes this type of scenario particularly insidious and potentially damaging. The cybercriminal on the other end of that server could be gathering a treasure trove of data or the ability to compromise the defense network, and no one would know.
Employing a system designed to specifically look for this can head off the threat. The system can automatically block the IP address. This effectively kicks the attacker out, at least until they are able to discover yet another workaround.
Staying ahead in the arms race
Unfortunately, hackers are industrious and indefatigable. Once they encounter a closed door, they simply look for another way around. For federal network administrators, keeping pace is like fighting a cyber arms race.
The good news is that we now know that hackers are targeting employees first. Administrators can build automated defenses around that knowledge to stay ahead.
Jim Hansen is vice president of products, security and cloud management, SolarWinds, a network monitoring company based in Austin.