Curbing 10 Costly Behavior Data Leak Problems
by Eirik Iverson, Product Management
Cisco recently commissioned InsightExpress to examine the security and data leak implications of business employees' actions and inactions. The result is a Top 10 list of the most noteworthy behavioral findings, according to Cisco. IT personnel and business stakeholders must take action.
The list below states each finding, its potential impact (marked Risk), and one or more countermeasures.
1. Changing security settings on computers
- (Risk) Increases exposure to malware and hacker attacks that can disclose sensitive information and credentials and implant malware
- Lock down security settings with an enterprise solution that continuously monitors and enforces policy on and off the enterprise network and, where necessary, overrides the privileges of end-users who run their PCs with admin rights
2. Use of unauthorized applications
- (Risk) End-user installed software is frequently unpatched and vulnerable to attacks that disclose sensitive information, implant malware, and turn the PC into an attack platform.
- (Risk) End-users might install software laced with malware that discloses information and uses the PC as an attack platform.
- Deploy an enterprise application control solution that operates on and off the enterprise network and, where necessary, can override end-user admin rights.
- Monitor and/or block application launches from user-writable locations (the desktop, ‘My Documents’, temp folders, and the like), the usual home of unauthorized applications. This also blocks the many drive-by download attacks whose payload is dropped into the user profile and executed from there (it does not stop exploit code that runs entirely inside the browser process).
3. Unauthorized network/facility access
- (Risk) Information disclosures and compromise of critical resources
- Implement two-factor authentication: smart cards backed by PKI (a certificate authority role ships with Windows Server 2008)
- Implement Microsoft Network Access Protection (NAP) with either 802.1X or IPsec enforcement
- Enforce fine-grained resource access policies and logically compartmentalize server resources that cannot be readily PKI-enabled
4. Sharing sensitive corporate information
- (Risk) Employees who perceive no personal financial loss from an information disclosure are a major risk to the organization. No countermeasure is 100% effective!
- Consider secure thin client computing that includes an IPsec client, two-factor PKI authentication, and no general-purpose Internet access (enforced by content filtering)
- Where general-purpose computing is unavoidable: audit, audit, audit!
- Block writes to removable media and access to web-based email, lock down PCs, and only then decide on exceptions
5. Sharing corporate devices
- (Risk) Exposes organizations to greater potential for malware infestation and information disclosures
- Lock down PCs with an enterprise solution that fully operates on and off the enterprise network
- Supplement PC anti-malware with non-signature-based tools, balancing security with usability
- Audit, audit, audit!
6. Blurring of work and personal devices, communications
- (Risk) Unknown computing devices risk information disclosures and may unwittingly be used to attack networked resources.
- Implement Microsoft Network Access Protection (NAP) to at least compartmentalize information assets into different ‘risk zones’.
- For handheld devices, seek out and require NAP system health agents (SHAs) before they may access anything on your NAP-enabled intranet.
- Compartmentalizing and effectively regulating every conduit to your information assets gives you a much better chance of applying content filtering to keep bad stuff out and limit what may go out.
- Deploy USB computers: end-users boot their untrustworthy PC from these USB devices, rendering the health of the PC's installed software moot (a compromised BIOS or a hardware keylogger is not addressed). It's effectively a secure thin client on a stick (see item 4 above)
7. Unprotected devices, computers left logged on and/or unlocked
- Implement and enforce computer settings that automatically lock, and after a longer timeout log off, idle PCs.
8. Storing logins and passwords on the computer or in obvious places
- (Risk) Compromised credentials lead to information disclosures
- Implement two-factor PKI-based authentication.
- Implement Microsoft NAP in 802.1X or IPsec mode, leveraging PKI smart cards
- PKI-enable as many server-based resources as practical
- For all other server-based resources, rely on your Microsoft NAP implementation to compartmentalize them into ‘risk zones’ that require authentication
9. Losing portable devices containing data
- (Risk) Lost devices are the most common source of data loss
- Implement a disk encryption solution that also automatically encrypts removable media.
- Device control solutions with very fine-grained options can be more trouble than they are worth.
- Limit handhelds’ access; leverage Microsoft NAP
10. Allowing unsupervised roaming around offices by non-employees
- (Risk) Information disclosures and malware implantations
- Physical security should be addressed by physical security professionals.
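Items 2, 4 and 5 above all come down to the same audit: watch what gets launched from user-writable folders and review the results. The script below is an added example written for this page, not code from the original post or from Cisco, showing what that audit looks like over process-creation records: it flags images executed from the desktop, Documents, Downloads, Temp and Roaming profile folders (XP-era and Vista/7-era layouts), escalates launches whose parent process is a web browser (the shape of a drive-by download), honours an exception list, and summarises violations per user. The event records, the folder list and the CorpVPN exception are constructed for the example; a real deployment would feed it Windows Security "new process created" (4688) events or an endpoint agent's process log and tune the folder and exception lists to its own estate.

```python
"""Audit process-creation events for launches out of user-writable folders.

Added example. The event records below are constructed to look like the
fields of a Windows "new process created" audit event (account, new-process
image, creator-process image); nothing here is read from a real system.
"""
import re
from collections import Counter

# Folders a standard user can write to on a Windows endpoint, covering both the
# "Documents and Settings" (XP) and "Users" (Vista/7) profile layouts.
# Paths are matched after normalisation (lower case, backslashes).
USER_WRITABLE_RE = re.compile(
    r"^(?:c:\\users\\[^\\]+\\(?:desktop|documents|downloads|"
    r"appdata\\local\\temp|appdata\\roaming)\\"
    r"|c:\\documents and settings\\[^\\]+\\(?:desktop|my documents|"
    r"local settings\\temp)\\"
    r"|c:\\windows\\temp\\)"
)

# A launch from a user-writable folder whose parent is a browser is the shape
# of a drive-by download, so it is escalated to high severity.
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe", "opera.exe", "safari.exe"}

# Approved exceptions, decided after the lock-down (item 4). The CorpVPN
# entry is a hypothetical example, not a real product.
ALLOWLIST_RE = [
    re.compile(r"^c:\\users\\[^\\]+\\appdata\\roaming\\corpvpn\\corpvpn\.exe$"),
]


def normalise(path):
    """Lower-case, strip quotes, and use backslashes so the prefix rules match."""
    return path.strip().strip('"').replace("/", "\\").lower()


def basename(path):
    """Final path component of a normalised path (empty string for no path)."""
    return normalise(path).rsplit("\\", 1)[-1]


def classify(event):
    """Return None if the launch is acceptable, otherwise a finding dict."""
    image = normalise(event["image"])
    if not USER_WRITABLE_RE.match(image):
        return None                      # launched from a protected location
    if any(rule.match(image) for rule in ALLOWLIST_RE):
        return None                      # explicitly approved exception
    parent = basename(event.get("parent", ""))
    return {
        "time": event["time"],
        "user": event["user"],
        "image": image,
        "parent": parent,
        "severity": "high" if parent in BROWSERS else "medium",
    }


def audit(events):
    """Run every event through classify(); return (findings, per-user counts)."""
    findings = [f for f in map(classify, events) if f is not None]
    per_user = Counter(f["user"] for f in findings)
    return findings, per_user


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"time": "2009-12-10T09:02:11", "user": "CORP\\alice",
     "image": r"C:\Program Files\Microsoft Office\Office12\WINWORD.EXE",
     "parent": r"C:\Windows\explorer.exe"},
    {"time": "2009-12-10T09:15:40", "user": "CORP\\alice",
     "image": r"C:\Users\alice\Desktop\FreeScreensaver.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"time": "2009-12-10T10:03:05", "user": "CORP\\bob",
     "image": r"C:\Users\bob\AppData\Local\Temp\update_flash.exe",
     "parent": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"time": "2009-12-10T10:07:19", "user": "CORP\\bob",
     "image": r"C:\Users\bob\AppData\Roaming\CorpVPN\corpvpn.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"time": "2009-12-10T11:30:00", "user": "CORP\\carol",
     "image": r"C:\Documents and Settings\carol\My Documents\setup.exe",
     "parent": r"C:\WINDOWS\explorer.exe"},
    {"time": "2009-12-10T11:31:00", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe"},
]


if __name__ == "__main__":
    findings, per_user = audit(SAMPLE_EVENTS)
    for f in findings:
        print(f"{f['time']} {f['severity']:6} {f['user']} launched "
              f"{f['image']} (parent: {f['parent']})")
    print("per-user violation count:", dict(per_user))
```

On the sample data the Office and service launches pass, the Desktop and "My Documents" launches are reported at medium severity, the Temp launch spawned by Internet Explorer is reported at high severity, and the allowlisted CorpVPN updater is ignored. Switching the tool from "monitor" to "block" is a matter of wiring the same path rules into the application control product rather than into a log reader.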



December 10th, 2009 at 10:00 pm
Well explained. I say write an ebook about it!