Ten Ways to Protect Your Network From Insider Threats - Page 2

 By Paul Rubens

6. Monitor databases

"Monitoring data sources, not exit points, is the most cost-effective solution," says Amichai Shulman, head of the application defense center at California-based data security company Imperva. "You need strong monitoring to let you put your finger on anomalous behavior or behavior that goes against your policies, in real time. The key is to be able to react in a timely manner, not wait until the data has got out." If a user normally accesses order data one record at a time, and then suddenly accesses hundreds of records in one go, or starts accessing different applications or databases to those that they normally use, then this anomalous behavior should be detected and investigated immediately, he says.

7. Use honeytokens

A honeytoken is a piece of made-up data, such as a particular meaningless string, that can be inserted into a database where it should never be accessed under normal circumstances. If your monitoring systems detect that the honeytoken has been accessed, this is clearly not normal business behavior and may provide a warning that database records are being accessed (or copied) maliciously. You can also configure intrusion detection systems to alert administrators if packets containing the honeytoken travel over your network.
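The checks described in tips 6 and 7, as an added example that is not part of the original article or of any vendor's product: it scans constructed database-monitor events for a honeytoken hit, for a read far above the user's own history, and for a first access to a new table (a table-level stand-in for "different applications or databases"). The honeytoken value, event layout, thresholds and function name are all assumptions.

```python
from collections import defaultdict
from statistics import median

HONEYTOKEN = "HT-7f3a9c-CANARY"  # constructed value planted in a decoy row

# Constructed monitor events: (user, table, rows_returned, captured_text).
# captured_text stands for whatever the monitor records: SQL or returned values.
EVENTS = [
    ("alice", "orders", 1, "SELECT * FROM orders WHERE id = 1001"),
    ("alice", "orders", 1, "SELECT * FROM orders WHERE id = 1002"),
    ("alice", "orders", 2, "SELECT * FROM orders WHERE id IN (1003, 1004)"),
    ("alice", "orders", 1, "SELECT * FROM orders WHERE id = 1005"),
    ("bob", "orders", 1, "SELECT * FROM orders WHERE id = 2001"),
    ("bob", "orders", 1, "SELECT * FROM orders WHERE id = 2002"),
    ("bob", "orders", 1, "SELECT * FROM orders WHERE id = 2003"),
    ("bob", "orders", 450, "SELECT * FROM orders"),
    ("bob", "payroll", 1, "SELECT * FROM payroll WHERE id = 7"),
    ("carol", "customers", 1, "row: name=HT-7f3a9c-CANARY"),
]

def detect(events, honeytoken=HONEYTOKEN, factor=10, min_history=3):
    """Return alerts as (event_index, user, reason), in event order."""
    history = defaultdict(list)  # user -> row counts of earlier queries
    tables = defaultdict(set)    # user -> tables touched so far
    alerts = []
    for i, (user, table, rows, text) in enumerate(events):
        past = history[user]
        # A honeytoken is never touched legitimately, so no baseline is needed.
        if honeytoken in text:
            alerts.append((i, user, "honeytoken"))
        # Behavioural checks only fire once the user has some history.
        if len(past) >= min_history:
            if rows > factor * max(median(past), 1):
                alerts.append((i, user, "bulk_read"))
            if table not in tables[user]:
                alerts.append((i, user, "new_table"))
        past.append(rows)
        tables[user].add(table)
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The median keeps one large read from inflating the user's baseline, so a second bulk read would still be flagged.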

8. Monitor sensitive records closely

While honeytokens should never be accessed, certain sensitive records (such as the salary of the CEO) may be accessed legitimately, but only rarely, and by a very small group of people (such as those working in the HR department). When such records are accessed, steps should be taken to verify who accessed them and why -- even if the records appear to have been accessed by someone with the authority to do so. The reality may be quite different: a disgruntled employee accessing the records from an unattended computer in the HR department, for example.

9. Watch your DBAs

38 percent of insider attacks are carried out by IT administrators or superusers, according to Verizon's 2009 Data Breach Investigation Report. Database administrators have enormous powers over your database, so particular care needs to be taken to ensure that you are in a position to detect any malicious behavior on their part. "If you have a good database management system, controlled by a security officer rather than a DBA, then you can check that a DBA is accessing structural changes to your database without actually accessing the data," says Shulman.

10. Use rights management systems

Insiders pose a greater threat than outside hackers because they have access credentials to your data. But you can reduce the threat any insider poses by ensuring they only have access to the data they need to carry out their day-to-day duties. A good rights management system will enable you to compare any employee's data access rights with the data they actually need, and flag any unnecessary rights that can be removed.

This article was originally published on May 18, 2010