More on Limiting Damage to Information Assets

  1. Intrusion Detection
  2. Honeypots: To Lure or Not To Lure
  3. Managing Access to Information Resources
  4. More on Limiting Damage to Information Assets
  5. Post Authentication Methods
  6. Usable Security? User Friendly Factors
  7. SQL Injection Explained
  8. Web Application Database Vulnerabilities to be Aware of

Establishing and enforcing policies that limit employee access to sensitive data and IT systems is one of the most effective mitigation strategies against a malicious insider (Brancik, 2008). There are a number of strategies that organizations can implement in order to better secure their digital assets. A good starting place is to ensure that the security policies in place mandate robust access-level controls via role-based authorization, which makes resources easier to manage and control. Role-Based Access Control (RBAC) enables the assignment of permissions to roles, and of roles to the users who perform specific functions, rather than granting permissions to individuals directly (Vacca, 2013).

In addition to this, the organization should enact specific policies that implement:

  • Principle of least privilege, where every program and every user of the system should operate using the least set of privileges necessary to complete the job (Saltzer & Schroeder, as cited in Schneider, 2003). This ensures that only employees who genuinely need access to a resource are authorized to use it.
  • Separation of duties, to carefully manage the responsibilities and access levels of the employees who need access to a range of data administration functions separately from those who are involved in security administration functions, so that no single person holds both.
  • Defense in depth for systems that warrant it, including but not limited to dual administrator controls, where, for example, two system administrators must both authorize a sensitive operation before it is carried out.

In addition, employee access control should be tightly integrated with the Human Resources function. Policies need to be in place to ensure that whenever an employee leaves the company, all access privileges are immediately suspended. When an employee changes roles, his or her privileges should be reassessed and updated as appropriate, so that privileges from the old role are not carried over by default.

Finally, while limiting the level of access employees have to systems helps deter damage, we also need to limit the impact of changes and updates to records that can be carried out within normal procedures. Appropriate backup systems, logging, and auditing all need to be part of a security initiative to limit the overall damage any given person could cause.
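The controls above (role-based assignment, least privilege, mutually exclusive roles for separation of duties, two-administrator approval for sensitive operations, HR-driven role changes and terminations, and an audit trail of every decision) fit together in a small policy engine. The following Python is an added example written for this page, not code from the original post or from any of the cited authors; the role names, permission strings, user names and the `db.backup` dual-control operation are all assumed for illustration.

```python
"""Toy RBAC policy engine illustrating the controls described on this page.

Constructed example; roles, permissions and user names are assumed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Role -> permissions. Least privilege: each role carries only what its job
# function needs, and users never receive permissions directly.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "db_admin":       {"db.read", "db.write", "db.backup"},
    "security_admin": {"audit.read", "user.provision"},
    "analyst":        {"db.read"},
}

# Separation of duties: pairs of roles one person must never hold at once.
MUTUALLY_EXCLUSIVE = {frozenset({"db_admin", "security_admin"})}

# Dual administrator control: operations that need a second, distinct
# approver who also holds the permission.
DUAL_CONTROL_OPS: Set[str] = {"db.backup"}


class PolicyViolation(Exception):
    """Raised when an assignment would breach a policy rule."""


@dataclass
class Directory:
    """User-to-role assignments plus an append-only audit log."""
    roles: Dict[str, Set[str]] = field(default_factory=dict)
    audit: List[Tuple[str, str, str]] = field(default_factory=list)  # (event, user, detail)

    def _log(self, event: str, user: str, detail: str = "") -> None:
        self.audit.append((event, user, detail))

    def assign(self, user: str, role: str) -> None:
        """Grant a role, refusing combinations that violate separation of duties."""
        if role not in ROLE_PERMISSIONS:
            raise PolicyViolation(f"unknown role {role!r}")
        held = self.roles.get(user, set())
        for pair in MUTUALLY_EXCLUSIVE:
            if role in pair and (held & pair) - {role}:
                raise PolicyViolation(f"{user} may not hold {role!r} together with {held & pair}")
        self.roles.setdefault(user, set()).add(role)
        self._log("assign", user, role)

    def change_role(self, user: str, new_roles: Set[str]) -> None:
        """HR 'mover' event: old privileges are dropped, never accumulated."""
        self.roles[user] = set()
        for r in sorted(new_roles):
            self.assign(user, r)
        self._log("change_role", user, ",".join(sorted(new_roles)))

    def terminate(self, user: str) -> None:
        """HR 'leaver' event: every privilege is suspended immediately."""
        self.roles.pop(user, None)
        self._log("terminate", user)

    def permissions(self, user: str) -> Set[str]:
        """Effective permissions are the union of the user's roles (empty if none)."""
        return set().union(*(ROLE_PERMISSIONS[r] for r in self.roles.get(user, set())))

    def authorize(self, user: str, perm: str, approver: str = None) -> bool:
        """Decide one request; dual-control operations need a distinct, authorized approver."""
        allowed = perm in self.permissions(user)
        if allowed and perm in DUAL_CONTROL_OPS:
            allowed = (approver is not None and approver != user
                       and perm in self.permissions(approver))
        self._log("allow" if allowed else "deny", user, perm)
        return allowed


def demo() -> Tuple[Dict[str, bool], List[Tuple[str, str, str]]]:
    """Walk through the joiner/mover/leaver lifecycle and return the decisions."""
    d = Directory()
    d.assign("alice", "db_admin")        # constructed users
    d.assign("bob", "db_admin")
    d.assign("carol", "security_admin")
    results = {
        "alice_read": d.authorize("alice", "db.read"),
        "carol_write": d.authorize("carol", "db.write"),            # outside her role
        "backup_solo": d.authorize("alice", "db.backup"),           # no second admin
        "backup_self_approved": d.authorize("alice", "db.backup", approver="alice"),
        "backup_dual": d.authorize("alice", "db.backup", approver="bob"),
    }
    try:
        d.assign("carol", "db_admin")    # would combine security and data admin
        results["sod_blocked"] = False
    except PolicyViolation:
        results["sod_blocked"] = True
    d.change_role("alice", {"analyst"})  # mover: write access must disappear
    results["after_move_write"] = d.authorize("alice", "db.write")
    d.terminate("bob")                   # leaver: nothing remains
    results["after_leave_read"] = d.authorize("bob", "db.read")
    return results, d.audit


if __name__ == "__main__":
    decisions, log = demo()
    for k, v in decisions.items():
        print(f"{k:22} {v}")
    for entry in log:
        print(entry)
```

The design choice worth noting is that `change_role` clears the user's roles before reassigning, so a move between departments cannot silently accumulate privileges, and every `authorize` call is logged whether it succeeds or fails, which is what gives the auditing function something to review after the fact.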

References:

Brancik, K. (2008). Insider computer fraud: An in-depth framework for detecting and defending against insider IT attacks. Auerbach Publications. Books24x7 version. Retrieved from http://common.books24x7.com/toc.aspx?bookid=26442

Schneider, F. B. (2003). Least privilege and more. IEEE Security and Privacy, 1(5), 55–59, September/October 2003. Retrieved from http://www.cs.cornell.edu/fbs/publications/leastPriv.pdf

Vacca, J. (2013). Computer and Information Security Handbook. Burlington, MA: Morgan Kaufmann Publications.

About the author

Ian Carnaghan

I am a software developer and online educator who likes to keep up with all the latest in technology. I also manage cloud infrastructure, continuous monitoring, DevOps processes, security, and continuous integration and deployment.
