Navigating Insider and Outsider Threats in the Cloud

Posted by Trevagh Stankard on Thu, Aug 5th, 2021

Cloud adoption increased dramatically in the last year, and many organizations have discovered the benefits of remote working. Employees have a better work/life balance, and they can save on gas and a commute. Organizations get the benefit of happier employees who can remain at home and stay productive. It limits the need for real estate, so it also costs the organization money to allow workers to stay home.

The downside to a work-at-home policy is the increase in cybersecurity risks. The cloud offers numerous benefits to organizations that want to offer a work-from-home benefit, but it means IT staff must be aware of the added security risk. Phishing, social engineering, privilege escalation, brute-force password attacks, and other exploits pose a threat to the organization’s cybersecurity posture. These threats can be both external and internal, but organizations can take the right precautions to ensure data privacy and security.

Monitoring and Blocking External Threats

Any cloud-based infrastructure is available to not only employees, but attackers if vulnerabilities exist on the network and can be exploited. Most hackers write scripts to find vulnerabilities, and good intrusion detection and brute-force monitoring systems will block continual probing from external threats.

Attackers also use reconnaissance methods to find vulnerabilities, including potential targets for phishing and social engineering. LinkedIn is commonly used to find organizational charts and high-privileged users such as HR staff and executives. With a list of potential victims, the attacker can then launch attacks either using email or voice calls.

If the organization has web applications, they can be used in potential exploits. Cross-site scripting (XSS), server-side request forgery (SSRF), SQL injection, and other web-based attacks could give threat actors access to sensitive data. Scripts to find these vulnerabilities might automatically exploit them, or an attacker can probe the server even further to find other cybersecurity issues.

External threats often lead to data breaches. For larger organizations, attackers could exfiltrate millions of records should they have enough time to silently steal data. Monitoring systems should be in place to find these threats, especially any systems where remote workers have access. Cloud infrastructure is inherently secure, but IT staff must configure it properly to detect and block common threats. Logging systems also help with investigations into the seriousness of a successful compromise, giving IT staff a way to understand what went wrong and the severity of the breach.

Avoiding Common Internal Threats

Employees are the weakest link in cybersecurity defenses. Even with monitoring systems in place, a sophisticated phishing or social engineering attack could bypass security and provide an attacker with access to data or financial theft. Phishing emails are often used in these attacks, and user training is not enough to stop them.

Compliance is also an issue with internal threats. Employees must know how to communicate, transfer, store, and safeguard user data. For example, an employee should not send a PowerPoint presentation in email to an external recipient if the presentation contains sensitive user data. Email is a risk for incoming and outgoing messages, and IT staff must know how to safeguard it from threats.

Training is a must in any organization, especially for common targets such as HR, financial, and customer service staff. Staff should know to always verify a caller and avoid making urgent decisions based on limited information from a caller. Training staff to identify social engineering via voice calls greatly reduces risk.

Filters to stop incoming phishing email messages are the best defense against malicious links and attachments. Attackers will often target key staff members who can run malware on the network, but low-privilege users are also a target. For example, an attacker might send a message to a user with a link to download malware or an attachment with macros that download it. Malware can be used to take over user devices, giving an attacker access to the internal network using the user’s device and account privileges.

Instead of relying on users to identify these malicious phishing email messages, filters block them from ever reaching the recipient’s inbox. They block users from seeing messages, and administrators can review them to identify false positives. Filters protect from numerous attacks that can be launched using email, so it reduces risk from ransomware, trojan malware, rootkits, stolen network credentials, data eavesdropping, and data theft.

Both internal and external threats should be addressed in an organization’s cybersecurity plan. Monitoring and intrusion detection can defend against external threats, but email filters and cybersecurity are paramount in good protection from phishing and social engineering.

Typical network security measures to protect against access are:

• Use defense in depth.
• Protect data at the source.
• Use encryption for data at rest as well as for data in motion.
• Use role-based access and privileged access management (PAM)
• Require use of a separate computer for administrator access to resources
• Use logging and monitor access to discern unusual patterns.
• Implement secure backup and recovery processes.
• Limit employee’s ability to use file transfer and peer-to-peer services

Business Measures

It is key is to apply best business practices to the IT realm. These include:

• Clearly document and consistently enforce policies and controls.

• Separation of duties – Use checks and balances. If an employee or contractor has bad intentions, at least the damage would be limited in extent.
• Employ the rule of least privilege for all resources- Individuals should have access only to the information required to function efficiently, and no more.
• Control and monitor physical access to resources
• Correctly destroy and dispose of data, printouts, and documentation

A combination of IT and business controls are required to protect against insider threats. Involve your contractors and business partners in the effort to be truly effective. Organizations need to carry out regular reviews of access privileges to avoid providing unnecessarily liberal access and therefore reduce potential points of weakness. You should trust your employees, but you must balance that trust with suitable business and network security controls. 

Protect your employees from phishing attacks with a combination of cybersecurity awareness training and anti-spam email protection. Learn more about the advanced spam protection solution. View SpamTitan Demo today.