Following the recent CERT research on unintentional insider threats from social engineering, IS Decisions share their experience on how organisations are helping prevent security breaches that stem from credentials-based attacks.
Unintentional Insider Threats from Social Engineering
The CERT Insider Threat Center recently published its research on unintentional insider threats focusing on the use of phishing and/or social engineering as a means to implement malware or gain access to credentials.
They determined that many incidents initiated through phishing and other social engineering are not carried out by using software, but by acquiring and misusing the victim’s credentials to secured systems. Recommendations for mitigating UITs (unintentional insider threats) stemming from phishing and other social engineering incidents point to the best practices in the Common Guide to Mitigating Insider Threats.
On publishing their report they also requested additional mitigation strategies from the industry.
In addition to helping implement many CERT best practices, this blog post highlights how organizations that deploy UserLock on their Windows network benefit from further protection against the threat of compromised passwords.
1. Help users protect the access and resources that are entrusted to them
UserLock Version 8 (now available in beta) sees a new notification system that alerts users when their own credentials are used, successfully or not, to connect to the network. This real-time alert allows users themselves to assess the situation and inform their IT department who can react immediately to any fraudulent use of compromised credentials.
Informed employees are an important line of defense in mitigating insider threats. With stolen or compromised account credentials responsible for several massive data breaches, who better than the user to judge whether an access attempt is ‘normal’ or part of an attack using compromised credentials?
2. Apply further restrictions to users when accessing the network
When credentials are compromised, the attacker is likely to log in from an abnormal location at an unusual time. UserLock’s ability to extend access restrictions for all authenticated users helps avoid these credentials-based attacks: for example, restrictions by physical location (workstation or device, IP range, department, floor, building…) and usage or connection time limits.
In addition, preventing concurrent logins with UserLock reduces network vulnerability. It makes it impossible for rogue users to use valid credentials at the same time as their legitimate owner, wherever they are based.
3. Better detect suspicious access behavior
In addition to controls and restrictions, by monitoring all end-user activity in real time to pick up any strange login behavior, UserLock can further help identify when an account has been compromised.
A risk indicator (available with Version 8) assigned to each user evolves according to the user’s actions when accessing or attempting to access the network. Activity deemed a ‘risk’ or ‘high risk’ is clearly flagged, alerting administrators in real time about suspicious, disruptive or unusual logon connections (for example, a large number of concurrent sessions, users with many denied logons, user accounts not subject to safety rules…).
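To make the two mechanisms above concrete (the location, time and concurrent-login restrictions in section 2 and the per-user risk indicator in section 3), here is an added example that is not UserLock code and not from IS Decisions. It replays a constructed logon log against an assumed policy (one allowed IP range, an 08:00-18:00 connection window, no concurrent sessions), notifies the account owner of every attempt whether it succeeded or not, and raises a user's risk level as denied logons accumulate. The log format, the policy values and the risk thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass
class Policy:
    """Access restrictions of the kind described above (assumed values)."""
    allowed_networks: list          # ip_network objects a user may connect from
    hours_start: time               # start of the permitted connection window
    hours_end: time                 # end of the permitted connection window
    max_concurrent: int = 1         # 1 = no concurrent logins for one account


@dataclass
class UserState:
    active_sessions: set = field(default_factory=set)   # source IPs with a live session
    denied: int = 0                                     # denied logon attempts seen
    score: int = 0                                      # accumulated risk points
    notifications: list = field(default_factory=list)   # messages sent to the user


# Constructed sample log (not real UserLock output):
# "<ISO timestamp> <user> <source IP> <logon|logoff>"
SAMPLE_LOG = """\
2024-03-04T08:55:00 alice 10.0.1.23 logon
2024-03-04T09:10:00 alice 203.0.113.7 logon
2024-03-04T22:30:00 alice 203.0.113.7 logon
2024-03-04T23:00:00 alice 203.0.113.7 logon
2024-03-04T09:00:00 bob 10.0.1.40 logon
2024-03-04T17:00:00 bob 10.0.1.40 logoff
2024-03-04T17:05:00 bob 10.0.1.41 logon
"""

DEFAULT_POLICY = Policy(
    allowed_networks=[ip_network("10.0.1.0/24")],
    hours_start=time(8, 0),
    hours_end=time(18, 0),
    max_concurrent=1,
)


def parse_events(text):
    """Parse the four-column log into (timestamp, user, ip, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, action = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, action))
    return events


def policy_violations(ts, ip, state, policy):
    """Return the restrictions a logon attempt breaks (empty list = allowed)."""
    reasons = []
    if not any(ip_address(ip) in net for net in policy.allowed_networks):
        reasons.append("source outside allowed IP ranges")
    if not (policy.hours_start <= ts.time() < policy.hours_end):
        reasons.append("outside permitted connection hours")
    if len(state.active_sessions) >= policy.max_concurrent:
        reasons.append("concurrent session limit reached")
    return reasons


def risk_level(score):
    """Map accumulated risk points to the indicator shown to administrators (assumed thresholds)."""
    if score >= 3:
        return "high risk"
    if score >= 1:
        return "risk"
    return "normal"


def process_log(text, policy=DEFAULT_POLICY):
    """Replay the log: enforce restrictions, notify users of every attempt, update risk."""
    users = defaultdict(UserState)
    admin_alerts = []
    for ts, user, ip, action in parse_events(text):
        state = users[user]
        if action == "logoff":
            state.active_sessions.discard(ip)
            continue
        reasons = policy_violations(ts, ip, state, policy)
        outcome = "denied" if reasons else "allowed"
        # Every attempt, successful or not, is reported back to the account owner.
        state.notifications.append(f"{ts.isoformat()} logon from {ip} {outcome}")
        if reasons:
            state.denied += 1
            state.score += 1
            admin_alerts.append(f"{user}: denied logon from {ip} ({'; '.join(reasons)})")
        else:
            state.active_sessions.add(ip)
    report = {
        user: {"denied": s.denied, "risk": risk_level(s.score), "notifications": s.notifications}
        for user, s in users.items()
    }
    return report, admin_alerts


if __name__ == "__main__":
    report, alerts = process_log(SAMPLE_LOG)
    for user, info in report.items():
        print(f"{user}: risk={info['risk']} denied={info['denied']}")
    for alert in alerts:
        print(alert)
```

In the sample, alice's second attempt comes from an address outside the allowed range while her first session is still open, so it fails both the location and the concurrent-login rule; two further out-of-hours attempts push her indicator to ‘high risk’, while bob's second logon is allowed because his first session was properly closed. The notification list per user is what the owner of the account would see, and the admin alerts are the real-time view for IT.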
For companies looking to offer more protection against the insider threat, UserLock helps in the detection, prevention and rapid response to inappropriate network access. What’s more, it helps disseminate good behavior, encouraging users themselves to protect the access that is entrusted to them and avoid breaches from compromised accounts.