Ten Ways to Protect Your Network From Insider Threats - Page 2
6. Monitor databases
"Monitoring data sources, not exit points, is the most cost-effective solution," says Amichai Shulman, head of the application defense center at California-based data security company Imperva. "You need strong monitoring to let you put your finger on anomalous behavior or behavior that goes against your policies, in real time. The key is to be able to react in a timely manner, not wait until the data has got out."
If a user normally accesses order data one record at a time, and then suddenly accesses hundreds of records in one go, or starts accessing different applications or databases to those that they normally use, then this anomalous behavior should be detected and investigated immediately, he says.
7. Use honeytokens
A honeytoken is a piece of made-up data, such as a particular meaningless string, that can be inserted into a database where it should never be accessed under normal circumstances. If your monitoring systems detect that the honeytoken has been accessed, this is clearly not normal business behavior and may provide a warning that database records are being accessed (or copied) maliciously. You can also configure intrusion detection systems to alert administrators if packets containing the honeytoken travel over your network.
8. Monitor sensitive records closely
While honeytokens should never be accessed, certain sensitive records (such as the salary of the CEO) may be accessed legitimately, but only rarely, and by a very small group of people (such as those working in the HR department). When such records are accessed, steps should be taken to verify who accessed them and why -- even if the records appear to have been accessed by someone with the authority to do so. The reality may be quite different: a disgruntled employee accessing the records from an unattended computer in the HR department, for example.
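The checks described in sections 6 to 8, run over a constructed database audit log, as an added example that is not from the article or from any vendor product. The log format, user and host names, record ids, honeytoken value and thresholds are all assumptions.

```python
from collections import defaultdict
from statistics import median

# All values here are constructed for illustration (assumptions, not from the article).
HONEYTOKENS = {"cust-HT-7f3a91"}   # planted row that no business process reads
SENSITIVE = {"salary-ceo"}         # legitimately but rarely read; always verify
BULK_FACTOR = 10                   # alert at 10x the user's median rows per query
MIN_HISTORY = 3                    # queries needed before a baseline is trusted

# Constructed audit lines: time|user|host|table|comma-separated record ids
SAMPLE_LOG = """\
09:00:01|alice|ws-sales-01|orders|ord-1001
09:02:10|alice|ws-sales-01|orders|ord-1002
09:05:43|alice|ws-sales-01|orders|ord-1003
09:07:00|hr_dana|ws-hr-02|payroll|salary-ceo
09:09:30|alice|ws-sales-01|orders|{bulk}
09:11:12|alice|ws-sales-01|customers|cust-0007,cust-HT-7f3a91
""".format(bulk=",".join(f"ord-{n}" for n in range(2000, 2300)))


def scan(log_text):
    """Return (time, user, host, rule, detail) alerts in log order."""
    row_counts = defaultdict(list)   # user -> rows returned by earlier queries
    tables = defaultdict(set)        # user -> tables that user has read before
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        ts, user, host, table, ids = line.split("|")
        records = set(ids.split(","))
        # Section 7: any read of a planted record is an alert, whoever made it.
        hits = [("honeytoken", r) for r in sorted(records & HONEYTOKENS)]
        # Section 8: rare-but-legitimate records are queued for who/why checks.
        hits += [("verify-sensitive", r) for r in sorted(records & SENSITIVE)]
        # Section 6: compare this query with the user's own earlier behaviour.
        history = row_counts[user]
        if len(history) >= MIN_HISTORY:
            if len(records) > BULK_FACTOR * median(history):
                hits.append(("bulk-access", f"{len(records)} rows"))
            if table not in tables[user]:
                hits.append(("new-table", table))
        history.append(len(records))
        tables[user].add(table)
        alerts += [(ts, user, host, rule, detail) for rule, detail in hits]
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(*alert, sep="  ")
```

The sensitive-record alert carries the host as well as the user, which is what lets a reviewer tell an HR login at its usual desk from the same credentials used on an unattended machine.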
9. Watch your DBAs
10. Use rights management systems
Insiders pose a greater threat than outside hackers because they have access credentials to your data. But you can reduce the threat any insider poses by ensuring they only have access to the data they need to carry out their day-to-day duties. A good rights management system will enable you to compare any employee's data access rights with the data they actually need, and flag any unnecessary rights that can be removed.