Congrats on keeping out the hackers. Now, you've taken care of rogue insiders, right? Hello?

It's exasperating how each high-profile computer security breach reveals similar patterns of failure, no matter the organization involved. One such reoccurring theme is that IT departments find it can be hard to stop employees going rogue, or spilling their login details into the wrong hands, ultimately leading to damage or …

  1. Anonymous Coward
    Big Brother

    Lemme guess...

    We're gonna need some kind of AI to check up on people all the time and report them to the authorities?

    1. Anonymous Coward
      Anonymous Coward

      Re: Lemme guess...

      "We're gonna need some kind of AI to check up on people all the time and report them to the authorities?"

      But if that's the case, we'll need another AI to check up on that AI just to be safe.

    2. Rich 11 Silver badge

      Re: Lemme guess...

      Would the AI also have to keep an eye on the precogs?

    3. Spazturtle Silver badge

      Re: Lemme guess...

      Already exists, it is called "User behavior analytics".

    4. GnuTzu

      Re: Lemme guess... -- Analytics

      Well, we're already at the data analytics stage (often cloud based), and I take that as one of the precursors to A.I.

  2. Killfalcon

    One thing I've seen make a difference is recent regulatory changes insisting that all new documents have a defined confidentiality classification attached to them. With that, you can pick up when people send confidential details out, or 'declassify' documents, or attempt to make customer details non-confidential (using admittedly simple pattern matching to spot things like NI numbers).

    The main thing is that it gets everyone to think "this data is confidential, why does Bob need it?" slightly more often than "Bob wants a copy of the Koala report for Q2 2017, I've seen that somewhere".

    ...also you can mark emails "highly confidential" when you're saying unkind things about your third-party partners and be reasonably sure they won't get accidentally forwarded. *cough*
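
The classification-label and pattern-matching checks described in this comment, as an added example that is not part of the thread or any product mentioned in it. The NI-number regex is a simplified approximation of the real prefix rules, the internal domain `example.com` and the label names are assumptions, and the documents are constructed:

```python
import re
from dataclasses import dataclass

# Simplified UK National Insurance number shape: two letters, six digits, suffix A-D.
# The prefix letter exclusions are approximated; constructed for illustration only.
NI_NUMBER = re.compile(r"\b[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]\d{6}[A-D]\b")

INTERNAL_DOMAIN = "example.com"  # assumed internal mail domain
# Ordered from least to most sensitive; assumed label set.
LABELS = ("public", "internal", "confidential", "highly confidential")


@dataclass
class Document:
    title: str
    label: str
    body: str


def find_ni_numbers(text):
    """Return every NI-number-shaped token in the text."""
    return NI_NUMBER.findall(text)


def check_outbound(doc, recipients, previous_label=None):
    """Return (severity, message) findings for a document about to leave a mailbox.

    'block' findings are ones a gateway would stop; 'alert' findings are for review.
    """
    findings = []
    if doc.label not in LABELS:
        findings.append(("block", f"'{doc.title}' carries no recognised classification label"))
        return findings
    rank = LABELS.index(doc.label)
    confidential = LABELS.index("confidential")

    # Confidential material addressed outside the organisation.
    external = [r for r in recipients if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    if external and rank >= confidential:
        findings.append(("block", f"'{doc.title}' is {doc.label} but addressed to {external}"))

    # Customer identifiers inside a document that claims not to be confidential.
    ni = find_ni_numbers(doc.body)
    if ni and rank < confidential:
        findings.append(("alert", f"'{doc.title}' is labelled {doc.label} but holds {len(ni)} NI number(s)"))

    # A label that was lowered since the document was last seen ('declassify').
    if previous_label in LABELS and rank < LABELS.index(previous_label):
        findings.append(("alert", f"'{doc.title}' was downgraded from {previous_label} to {doc.label}"))
    return findings


if __name__ == "__main__":
    report = Document("Koala report Q2 2017", "confidential", "Figures attached.")
    for finding in check_outbound(report, ["partner@example.org"]):
        print(finding)
    customers = Document("Customer list", "internal", "Reference AB123456C")
    for finding in check_outbound(customers, ["bob@example.com"], previous_label="confidential"):
        print(finding)
```

The declassification check only works if the gateway keeps the label it last saw for each document, which is the state this comment's "pick up when people ... 'declassify' documents" relies on.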

  3. imanidiot Silver badge

    Back to basics first

    If someone doesn't need access, they shouldn't have access. I see this go wrong in so many places. It's simply "more convenient" to grant blanket access to everything.

  4. Prst. V.Jeltz Silver badge

    The other day I managed to trip an alarm the networks team had set up by polling a bunch of machines using nMap and probing certain ports (for legitimate reasons)

    They were quite pleased with my impromptu test drive of their security alert system!

  5. Anonymous Coward
    Joke

    Let's get real

    I installed one of these systems in a government office; once in a while it detected unusual patterns of hard work.

  6. Duncan Macdonald

    Infrequent activities?

    Some jobs are only done infrequently (once per quarter or once per year or on an ad-hoc request). For an automated system to detect abnormal access but not give false alerts on infrequent valid access will be very difficult if not impossible.

    Also the case of worker 1 being unavailable for some reason and worker 2 having to take his/her place on a temporary basis will cause a big change in the access patterns for worker 2.

    There is also the question of who does the automated system report to - if the bad actor is the one who receives the reports then the system becomes useless.
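
The three failure modes raised in this comment (infrequent but valid work, temporary cover for an absent colleague, and reports landing with the person they concern), as an added example that is not from the thread or any product. The access log, the role table, the approved-cover record and the 400-day history window are all constructed assumptions:

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data; nothing here comes from a real system.
ROLES = {"alice": "finance", "bob": "finance", "carol": "hr", "dave": "finance"}

# (ISO date, user, resource). The 2017-01-31 entry is an annual task, so it
# appears exactly once in thirteen months of history.
ACCESS_LOG = [
    ("2017-01-31", "alice", "year-end-ledger"),
    ("2018-01-05", "alice", "ap-invoices"),
    ("2018-01-06", "alice", "ap-invoices"),
    ("2018-01-08", "bob", "payroll-export"),
    ("2018-01-09", "bob", "payroll-export"),
    ("2018-01-10", "carol", "hr-records"),
]

# Approved temporary cover: user -> (absent colleague, first day, last day).
COVER = {"dave": ("bob", "2018-02-01", "2018-02-14")}

HISTORY_DAYS = 400  # longer than a year, so once-a-year work stays in the baseline


def _d(s):
    return date.fromisoformat(s)


def build_profiles(log, as_of):
    """Per-user and per-role sets of resources touched inside the history window."""
    cutoff = as_of - timedelta(days=HISTORY_DAYS)
    by_user, by_role = defaultdict(set), defaultdict(set)
    for day, user, resource in log:
        if cutoff <= _d(day) <= as_of:
            by_user[user].add(resource)
            by_role[ROLES[user]].add(resource)
    return by_user, by_role


def score_access(user, resource, when, log=ACCESS_LOG, cover=COVER):
    """Score one access event. Returns (score, reason); 0 is baseline, 5 is unexplained."""
    when = _d(when)
    by_user, by_role = build_profiles(log, when)
    if resource in by_user[user]:
        return 0, "seen in the user's own history"
    if user in cover:  # worker 2 standing in for worker 1 on an approved basis
        absent, first, last = cover[user]
        if _d(first) <= when <= _d(last) and resource in by_user[absent]:
            return 1, f"approved cover for {absent}"
    if resource in by_role[ROLES[user]]:  # peers in the same role do this routinely
        return 2, "new for this user but routine for the role"
    return 5, "outside the user's history, role baseline and any approved cover"


def route_alert(subject, reviewers):
    """A report about a user must never be delivered to that user."""
    return [r for r in reviewers if r != subject]


if __name__ == "__main__":
    for user, resource, when in [("alice", "year-end-ledger", "2018-01-31"),
                                 ("dave", "payroll-export", "2018-02-05"),
                                 ("dave", "payroll-export", "2018-03-05"),
                                 ("carol", "payroll-export", "2018-02-05")]:
        print(user, resource, when, score_access(user, resource, when))
    print(route_alert("bob", ["bob", "secops"]))
```

The long window and the role-peer comparison are what keep the quarterly or annual job from paging anyone; the cover record is a separate, explicitly approved input rather than something the scorer infers, so an expired cover falls back to the role baseline. Routing the report past the subject is a one-line rule, but it only helps if the reviewer list itself is not editable by the people it reports on.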

  7. TRT

    And this following...

    the report about student hackers / gamers / dossers etc.

  8. Norman Nescio

    If you don't need to know...

    ...you need not to know.

    While it can be convenient, or even fun (in a sense of curiosity) to have blanket access to data, if you simply don't have access, you can't be accused of mishandling it.

    However... The problem I have often found is that the processes for allowing only the necessary access to data are usually poor to the point of being unusable, and it is often not only expediency, but simply having the ability to do the job you are asked to that ends up with you having much more access than should actually be required.

    A case in point: the official way to get product information in a company I worked for was to use an appallingly clunky web-application. If, however, you were on good terms with the product management team, you could get a copy of the Excel spreadsheet which was used to populate the web-application's database. This meant you could get the necessary information extremely efficiently, but had the side effect of being exactly the document that could be saved to a USB drive and 'shared' with a competitor. Of course, no disgruntled salesman ever did that.

    As ever, a process that is easier to follow than avoid will get used. Make things too difficult, and people will find workarounds.

  9. Jo_seph_B

    I've been using Cisco StealthWatch recently. Got to say I'm impressed with it. Can detect this sort of threat very well. Not perfect, no tool is, but would alert me to anyone taking a large download of data from an internal server or uploading large datasets too. Plus all the other intelligence built in around C&C and regular threats. It'll even detect threats in HTTPS without the need to decrypt the traffic. It's linked to ISE and if configured could automatically disconnect the user. Although we don't quite yet have full confidence to let it loose on its own so still requires manual intervention for now. Worth a google of anyone's time.

    1. Duncan Macdonald

      Amazing

      There is someone who trusts Cisco software!!!

  10. Anonymous Coward
    Terminator

    The logical application of UAM over UEBA

    The logical answer to misbehaving insiders is user activity monitoring (UAM) and/or user and entity analytics (UEBA)

    The logical answer is to encrypt all users' data; failure to do so should be grounds for dismissal. Require a hardware security dongle present on the client to access that data. Given the nature of modern systems, relying on a firewall and deep packet inspection is just so much palliative medicine, as in it won't prevent the patient from catching a 'virus'.

  11. a_yank_lurker

    Basic Security

    First rule of good information security is to limit access to confidential information on a need-to-know basis. If you do not need to know the information you should never have access rights. Second rule: differentiate between those who need access to the information and those who should be able to change the information. If you need to use the information you should only have read-only rights. Only those who will be actively entering/updating information should have write access.

    The rules are simple but often not applied because it requires the local PHBs to actually think and manage.
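
The two rules above, deny by default on a need-to-know basis and read separated from write, as an added example that is not from the thread. It pairs an authorisation check with the entitlement review that the "local PHBs" would have to run to find accounts granted more than their role needs; the roles, resources and grants are constructed assumptions:

```python
# Access levels are ordered so a higher grant satisfies a lower request.
LEVELS = {"none": 0, "read": 1, "write": 2}

# Constructed: what each job role actually needs, per resource.
ROLE_NEEDS = {
    "sales": {"price-list": "read"},
    "product-mgmt": {"price-list": "write", "roadmap": "write"},
    "finance": {"price-list": "read", "ledger": "write"},
}

# Constructed: what each account has actually been granted. Bob holds write on
# the price list and read on the roadmap although a sales role needs neither.
GRANTS = {
    "alice": {"role": "sales", "price-list": "read"},
    "bob": {"role": "sales", "price-list": "write", "roadmap": "read"},
    "carol": {"role": "finance", "ledger": "write", "price-list": "read"},
}


def authorize(user, resource, action, grants=GRANTS):
    """Deny by default: allow only when an explicit grant meets the requested level."""
    granted = grants.get(user, {}).get(resource, "none")
    return LEVELS[granted] >= LEVELS[action]


def audit(grants=GRANTS, needs=ROLE_NEEDS):
    """Entitlement review: list every grant that exceeds the holder's role need.

    Returns (user, resource, granted level, needed level) tuples.
    """
    findings = []
    for user, entry in grants.items():
        need = needs.get(entry["role"], {})
        for resource, level in entry.items():
            if resource == "role":
                continue
            needed = need.get(resource, "none")
            if LEVELS[level] > LEVELS[needed]:
                findings.append((user, resource, level, needed))
    return findings


if __name__ == "__main__":
    print(authorize("alice", "price-list", "read"))   # sales may read prices
    print(authorize("alice", "price-list", "write"))  # but not change them
    print(authorize("alice", "ledger", "read"))       # and has no ledger grant at all
    for finding in audit():
        print("over-provisioned:", finding)
```

The audit is where the second rule earns its keep: an account that can change the price list when its job only reads it shows up as a finding even though every one of its accesses would pass the runtime check.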
