2025-01-15 Update From: SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 06/01 Report--
You can build a wall, layer defenses behind it, and spend a great deal of manpower and money maintaining it to keep threats out. But if the enemy is already inside, the wall is worthless. The fight against the insider is a war without gunsmoke, but a war nonetheless.
At the end of April, the leak of user information from food-delivery platforms such as Meituan, Ele.me and Baidu Waimai once again set off a nationwide debate. Data leaks are nothing new, but this time the talk was not of hackers or of vulnerabilities left unpatched, but of the insider: the threat that enterprises pay too little attention to, yet which does serious harm.
The rampant mole
As legislation and public awareness have grown at home and abroad, many enterprises have gained a basic understanding of information security and data protection and have adopted security products and services to fend off external threats and attacks. But a spear thrown in the open is easier to dodge than an arrow shot from hiding: while they focus on external threats, they overlook that internal threats are just as serious and need countermeasures of their own.
Cases of insiders leaking information abound at home and abroad. Beyond the Meituan, Ele.me and Baidu Waimai cases, which are still under investigation, it is rumored that ZTE, recently sanctioned by the United States, also had confidential documents obtained by an "insider" through its own carelessness and ended up on the losing side in court. The story goes that, to investigate ZTE and gather evidence, the United States sent lawyers in undercover, who found that ZTE kept highly confidential documents, including contracts and strategy papers, on an intranet that every employee of the company could read. The lawyer walked away with decisive evidence at almost no effort. Afterwards the US Department of Commerce even published a slide deck online using ZTE as a cautionary example for newcomers.
In 2016, Beijing Wangpin Consulting Co., Ltd., the operator of Zhaopin (hereinafter "Zhaopin"), reported that an employee surnamed Shen had abused the company's business logic to illegally obtain users' resume accounts and passwords and then sold users' resumes to outsiders, involving more than 150,000 records. The resumes contained names, ID numbers, addresses, telephone numbers, education, employer, salary and other detailed personal information, and the leak cost Zhaopin nearly 25 million yuan. The court sentenced the employee to three years and six months in prison.
In 2017, a former Google executive left to join Uber, taking with him self-driving technology that belonged to Google. Google sued both the executive and Uber, and the case was settled for about $245 million in Uber equity. The most typical insider leak of all is probably Snowden's "PRISM gate": Snowden used his position as a security contractor to gain access to critical systems and then copied hundreds of thousands of classified documents from the National Security Agency. He handed them to the Guardian in the UK and the Washington Post in the US, and their publication caused an uproar. The direct consequence was the exposure of the largest secret surveillance program in US history, launched in 2007 by the NSA and the FBI. Here the attacker (Snowden) came from inside the US security apparatus and needed no hacking at all, only the access his job gave him; and the target was the US national security services themselves, whose defenses were laid open and whose government was left under intense public pressure.
The threat the mole poses
In the information-security field, insiders are referred to collectively as "Insiders" and the threat they pose as the "Insider Threat", as opposed to the external threat. Precisely, an insider threat is an act by an insider that threatens the security of an enterprise or organization. According to the definition proposed by the US CERT in 2012:
Insider threat actors are generally current or former employees, contractors or business partners of an enterprise or organization who have or had authorized access to the organization's systems, networks or data; an insider threat is an act in which such insiders use legitimately acquired access to adversely affect the confidentiality, integrity or availability of the organization's information or information systems.
CERT divides insider threats into three basic types of attack: IT sabotage, theft of intellectual property and fraud; these combine into compound attacks and industrial espionage. The leaking insiders discussed in this article carry out theft of intellectual property.
A recent survey by the security company McAfee found that 43 percent of data breaches came from insiders; a survey by the Information Security Forum put the figure at 54 percent. Insider leaks have in fact become the main cause of information leakage. Xu Jianzhuo, director of the Network Technology Research and Development Center of the Ministry of Public Security, has said publicly that the industries where leaks of citizens' personal information do the most damage are banking, education, industry and commerce, telecommunications, express delivery, securities and e-commerce: these industries hold large volumes of personal information, so insiders have more opportunity to leak it.
How should an enterprise guard against the mole?
The insider operates inside the enterprise's security boundary and so slips past perimeter devices such as firewalls; obtaining internal information and assets is easy, and because insiders know the enterprise, carrying out an attack is easier still. Insiders are hard to spot, and the harm they do is correspondingly serious.
Note that the insider rarely acts alone; they typically connect with upstream and downstream players in the data-trading chain. Even an insider who completes the theft single-handedly must eventually hand the data to other people or organizations to process it. In the food-delivery cases above, telemarketing groups, a network operations company, merchants and delivery riders were all involved, colluding with the underground market to turn large amounts of user data into a commodity for profit.
Domestic research on insider threats has produced few systematic results, so we can draw on US CERT's guidance on insider threats to summarize methods for domestic enterprises to refer to.
Measures enterprise management can take:
Digital asset identification
Managers and others involved in enterprise security should identify the enterprise's digital assets in line with the international standard ISO 55000, which states that:
An asset is an item, thing or entity that has potential or actual value to an organization. Asset management enables an organization to realize value from its assets in the achievement of its objectives.
Although ISO 55000 focuses on physical asset management, the definition applies equally to digital assets, including data. "Critical assets" go beyond mere value: if a critical asset is seriously damaged, the continued operation of the organization is affected.
Data is without doubt one of the most important assets of any organization today, so it must be managed safely and efficiently. But not all data is equal in business terms. Every enterprise is responsible for data about its customers, partners, inventory, suppliers and its own operations; the data circulating inside an organization usually includes financial data, operational data, customers' personally identifiable information and some classified data.
The first step in preventing leaks is to identify and classify data. An enterprise's IT staff know how its information systems work, but they rarely have a full picture of the business's operations and processes, so managers should help them identify and classify data sensibly.
Enterprise data is generally divided into public data, internal data, confidential data and data subject to compliance requirements. Noting which type of data each business process touches matters, because attackers usually do not steal every category of data but target specific ones; in many cases attackers and insiders go after very specific data. Only after a sound classification can protection be targeted and threats defended against effectively.
Insider threat program
The insider threat is a security problem unique to each organization, so dedicated resources need to be allocated to it. Enterprises with the capability should set up an organization-wide insider threat program with a unified vision and mission, covering multiple roles, distinct responsibilities and specialized training. Participants should include human resources, legal, IT, engineering, data owners and department heads. Most importantly, such programs should be staffed only by the enterprise's most trusted employees.
The main purpose of the insider threat program is to establish the information, protocols and mechanisms needed to detect, prevent and respond to insider threats. The program should include its tasks, a detailed budget, a management structure and a shared platform.
The main work of the insider threat program is as follows:
Compliance and process oversight committee: reviews the organization's existing workflows and recommends changes before a data breach occurs.
Reporting mechanism: office politics, group behavior and a range of other factors may stop employees from reporting suspicious behavior, so a confidential channel is needed that protects employees who report suspicious persons and shields whistleblowers from retaliation.
Incident response plan: once an insider incident has occurred and data has leaked, firing the employee and reporting to the authorities is not enough. With an insider incident response plan in place, managers know how alerts are identified, managed and escalated, and the plan can also set out the time frames for each step of handling an insider incident.
Professional training: insider threat training is part of the security awareness program for everyone in the organization, but the people directly involved in the insider threat program need more specialized training to detect and mitigate insider threats.
Infrastructure: the infrastructure for detecting, preventing and responding to insider threats, including the technologies that help management carry out its mission. Deployed technologies should be reviewed periodically to confirm they are still the best choice.
A typical insider threat program has 13 components in total; beyond the important ones above, the others include civil-liberties protection, a communication framework, supporting policies for the insider threat program, data collection tools, supplier management and integration with risk management.
Security vetting and oversight (HR)
When hiring, conduct a thorough background check on candidates. Companies already do reference checks, but for cyber security the hiring-stage investigation is only the first step in personnel vetting. The points to watch most closely are criminal history and employment record. Sometimes those who pose insider threats are spies with commercial or political motives who win trust and enter the enterprise through various channels.
The NIST Cybersecurity Framework recommends that organizations assign a risk level to each position: the higher the risk level, the more trust and security prerequisites the job requires. When new hires enter higher-risk positions, supervisors should watch for high-risk behavior. All abnormal events should be logged and behavioral trends analyzed; behavior analysis and risk analysis are key technologies in this process.
The human resources department should also prepare a termination procedure so that employees who behave suspiciously can be dismissed at any time. The procedure should require managers to hold exit interviews, give final performance reviews and settle final pay. IT staff should delete the accounts of all departing employees, and where the departing employee was a privileged user, every shared password they knew should be changed after they leave. HR should also remind former employees of the rules on intellectual property.
Building a healthy corporate culture
This may seem to have little to do with insider threats, but there is evidence that working in a high-pressure environment breeds negative attitudes and makes employees more likely to make mistakes. If managers ignore these negative emotions and their effects and take no mitigating action, employees feel neglected and their loyalty to the business erodes. They then become more likely to act against the enterprise's interests, or even to take actions that threaten it. Setting reasonable performance standards, creating a good working atmosphere and building a healthy corporate culture therefore also strengthen employees' trust and reduce the insider threats the enterprise may face.
Supplier management processes and policies
Dealing with complex insider threats requires, beyond preventive measures inside the enterprise, security management of suppliers and business partners. Taking the food-delivery leak again as an example, a network operations company was the supplier link in the chain. Enterprises therefore also need supplier management processes and rules, and a set of agreements for accountability and supervision during the cooperation between the enterprise and its suppliers. These processes and rules are mainly for enterprise management to draw up; without a detailed plan, the enterprise's security staff can only put out fires after a threat materializes rather than prevent it.
The supplier management process has four stages: definition, standardization, control and integration. The definition stage identifies the organization's most critical suppliers, the key criterion being that a problem in the relationship would hurt the enterprise's operations and revenue. Standardization designates a security focal point for each cooperating supplier, responsible for maintaining compliance knowledge, running the audit process, promoting secure communications, providing training, tracking contracts and all documents, and exercising oversight.
The control stage is the supplier policy, whose key elements are the right to review security controls, the supplier's compliance with regulatory requirements, security performance reporting, and timely reporting of any data breach. The final stage, integration, focuses on data collection, analysis and verification: the information collected must be combined with the enterprise's existing security practices and audit procedures to be of real use.
Security awareness training
Domestic enterprises have gradually come to recognize the importance of security awareness training. Beyond general awareness training, enterprises should run targeted training for different groups to get the best results.
First comes training for leadership and management: none of the methods above can be implemented without management's involvement. Only when management understands the seriousness of the insider threat and is alert to prevention can the enterprise's internal defenses be put in place smoothly. Security professionals should summarize threat intelligence regularly and report it to management so that they understand the impact of these threats on the company's finances and reputation and take them seriously.
Second is training for the enterprise's own security professionals, who are directly responsible for security but may hold some misconceptions. They need to understand that security tools are not everything, and that insider threats are harder still to guard against. Security tools are static solutions to a dynamic problem; people change constantly and will always find ways to defeat or bypass a tool. Security professionals therefore cannot rely on tools and relax; they must stay ready for every kind of change. They should also understand that when something goes wrong, the right response is to report it promptly rather than cover it up, and even if management does not take it seriously, they should shoulder their responsibility as security professionals, face the problem squarely and do their best to resolve it.
Finally, for ordinary employees, regular training and assessment, posters in prominent places and promotional videos cultivate security awareness and habits over time.
Technical precautions
Beyond the organizational measures above, certain technical measures can also be taken against insider threats. Some common ones:
Encrypted storage and business-scoped data management: the person responsible for a line of business can see only the subset of data within their scope.
Tiered data management: lower-level business staff who need to query certain data must first obtain temporary authorization from their superior or the relevant business owner.
Collaborative data management and internal traffic control.
Insider threat detection based on honeypots and honeytokens ("honeymarks"): planted records that no legitimate process touches, so any access to them is an alert.
BYOD policies that strengthen authentication and identification.
Enhanced user behavior analytics (UBA): baselining each user's normal access pattern and flagging deviations such as bulk reads or off-hours exports.
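To make the last two items concrete, here is an added example, not code from the original article, of the two detections running over a constructed access log: a honeytoken check (any read of a planted canary record ID is an alert) and a simple per-user volume baseline (a user-day whose record count is far above that user's own mean on other days is an alert). The log format, user names, record IDs and thresholds are all assumptions made up for the example.

```python
from collections import defaultdict
from statistics import mean

# Hypothetical planted canary record IDs (the "honeymark" idea). They belong to
# no real customer, so any access to one is illegitimate by construction.
HONEYTOKENS = {"cust-000042-canary", "cust-000777-canary"}

# Constructed sample access log, not real data. Fields are whitespace separated:
# <ISO timestamp> <user> <action> <record id> <record count>
SAMPLE_LOG = """\
2018-05-02T09:10:11 alice read   cust-100231 1
2018-05-02T09:12:40 alice read   cust-100232 1
2018-05-02T10:05:02 bob   read   cust-200100 1
2018-05-03T09:01:13 alice read   cust-100233 1
2018-05-03T11:40:59 bob   read   cust-200101 1
2018-05-04T02:13:05 bob   export cust-batch  5000
2018-05-04T09:30:00 alice read   cust-100234 1
2018-05-05T14:22:10 carol read   cust-000042-canary 1
"""


def parse_line(line):
    """Parse one log line into a dict of the fields the detectors need."""
    ts, user, action, record, count = line.split()
    return {"day": ts[:10], "user": user, "action": action,
            "record": record, "count": int(count)}


def honeytoken_alerts(events):
    """Every touch of a planted record is an alert, regardless of volume."""
    return [{"kind": "honeytoken", "user": e["user"], "day": e["day"],
             "detail": f"{e['action']} of planted record {e['record']}"}
            for e in events if e["record"] in HONEYTOKENS]


def volume_alerts(events, multiplier=5, min_records=50):
    """Flag a user-day whose record volume exceeds `multiplier` times that
    user's own baseline (mean of their other observed days) and is at least
    `min_records`. A user seen on only one day has no baseline and is skipped,
    which avoids alerting on every new account; a real deployment would seed
    such users with a peer-group baseline instead."""
    daily = defaultdict(lambda: defaultdict(int))
    for e in events:
        daily[e["user"]][e["day"]] += e["count"]

    alerts = []
    for user, days in daily.items():
        if len(days) < 2:
            continue
        for day, total in days.items():
            baseline = mean(v for d, v in days.items() if d != day)
            if total >= min_records and total > multiplier * baseline:
                alerts.append({"kind": "volume", "user": user, "day": day,
                               "detail": f"{total} records vs baseline {baseline:.1f}"})
    return alerts


def detect(lines):
    """Run both detectors over raw log lines and return the combined alerts."""
    events = [parse_line(line) for line in lines if line.strip()]
    return honeytoken_alerts(events) + volume_alerts(events)


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"[{a['kind']}] {a['user']} {a['day']}: {a['detail']}")
```

On the sample log this reports bob's 5,000-record export on 2018-05-04 (his baseline on other days is one record) and carol's read of a canary record; alice, whose daily counts never leave her baseline, produces nothing. The honeytoken rule has no threshold at all, which is exactly why planted records are so cheap a detection for insiders who otherwise stay within their authorized access.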
Regulators also wield the sword
Apart from weak corporate security awareness and lax supervision, the biggest reason domestic insiders run rampant is the lure of easy profit and the low cost of getting caught. In recent years regulators have therefore stepped up legislation and enforcement to curb insiders from the legal and supervisory side.
The "Interpretation on Several Issues Concerning the Application of Law in Handling Criminal Cases of Infringing Citizens' Personal Information", jointly issued by the Supreme People's Court and the Supreme People's Procuratorate, states clearly that for citizens' location information, communication content, credit information and property information, illegally obtaining, selling or providing more than 50 items already counts as "serious circumstances". For accommodation information, communication records, health and physiological information, transaction information and other personal information that may affect personal or property safety, the threshold is 500 items; for other personal information, 5,000.
For the industry "mole", the Interpretation lowers the bar for conviction: where citizens' personal information obtained in the course of performing duties or providing services is sold or provided to others, a quantity or amount of more than half the thresholds above already qualifies as the "serious circumstances" the Criminal Law requires, and thus constitutes a crime.
Leaking citizens' personal information is also a criminal offence in its own right. Criminal Law Amendment (VII) provides that:
Where staff of financial, telecommunications, transportation, education, medical or other units, in violation of state regulations, sell or illegally provide to others the personal information of citizens that their unit obtained in the course of performing duties or providing services, and the circumstances are serious, a crime is constituted. A seller who illegally collects customers' order information and resells it wholesale as a "commodity" seriously infringes civil rights and must be investigated and punished according to law.
Our country also has rules on the information-security standards enterprises must meet. The Cybersecurity Law requires that "network operators shall keep user information they collect strictly confidential and establish and improve a user information protection system", and that they "shall take technical and other necessary measures to ensure the security of the personal information they collect and prevent its leakage, destruction or loss". Failure may draw a warning, a fine, revocation of the business license or other penalties. Keeping customers' private information strictly confidential is the operator's legal duty.
As citizens' and enterprises' security awareness grows, as legislation is refined and as measures and processes keep improving, the problem of insider leaks may ease. But "people are always the weakest link", and in the contest between attack and defense we can only keep moving forward.