Should we worry more about insiders or outsiders?

I’ve been having a little bit of a debate with a colleague of mine. Walking into an environment with only the most basic security measures in place (patch management, AV, moderately restrictive firewall policies), where should you focus your time? Obviously, the complete picture needs to be dealt with, but would you spend more time hardening against external attacks, or against an insider threat?

I am of the opinion that, once you have the basics in place, you need to focus on the insiders, such as DBAs that have unrestricted access, network admins who use one shared administrative account to administer everything, and users who have local administrative privileges. Many of the problems you are defending against on the outside are black-and-white issues: Do I need to disable any services on this web server? What ports should I allow through this firewall? What should I log and where should I log it? And so on.
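Before you can argue about restricting the insiders listed above, you need to know who they actually are. The script below is an added example, not code from the original post: it inventories local Administrators group membership across a set of Windows hosts and flags any member that is not on an allow-list. It assumes PowerShell 5.1 or later on the targets, WinRM enabled, and an account permitted to run Invoke-Command against them; the host names and the allow-list are placeholders.

```powershell
# Added example (not from the original post): turn "users who have local admin"
# from an assumption into a concrete list.
# Assumptions: PowerShell 5.1+ on the targets, WinRM enabled, and the caller
# holds rights to run Invoke-Command against them. Host names are placeholders.
$Hosts = @('WS-FIN-01', 'WS-FIN-02', 'SQL-01')

# Accounts that are allowed to be local admins; anything else gets flagged.
# Placeholder allow-list; adjust to your own standard.
$Expected = @('Administrator', 'Domain Admins')

# Collect the Administrators group membership from each host. Unreachable
# hosts produce a non-terminating error and are skipped rather than aborting
# the whole run.
$Results = Invoke-Command -ComputerName $Hosts -ErrorAction SilentlyContinue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [PSCustomObject]@{
            Computer    = $env:COMPUTERNAME
            Member      = $_.Name             # e.g. CONTOSO\jsmith
            ObjectClass = $_.ObjectClass      # User or Group
            Source      = $_.PrincipalSource  # Local, ActiveDirectory, ...
        }
    }
}

# Strip any DOMAIN\ or HOST\ prefix so 'CONTOSO\Domain Admins' compares equal
# to 'Domain Admins', then keep only members that are not on the allow-list.
$Unexpected = $Results | Where-Object {
    $Expected -notcontains ($_.Member -replace '^.*\\', '')
}

# One row per (host, unexpected member); an empty table means every host is clean.
$Unexpected | Sort-Object Computer, Member |
    Select-Object Computer, Member, ObjectClass, Source |
    Format-Table -AutoSize
```

Running this periodically (or feeding the output into a ticket) gives you the evidence for the conversation the next paragraph describes: it is much easier to tell someone they should not be a local admin when you can show exactly which machines grant it and since when it stopped being the exception.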

On the other hand, decisions to restrict access to insiders come up against a lot more resistance, both for business and political reasons. No one wants to be told they shouldn’t be trusted with the level of access they have, it’s an affront. Also, there are many more complicated situations for internal users. Maybe restricting write access to USB for all users would be a great security measure, but what about the admins who need to transfer data back and forth? All these problems have solutions, but the time it takes to resolve them makes it necessary to dedicate a larger portion of your time to these efforts.

Maybe I’m way off base here. I’m not saying external threat mitigation is a cakewalk. It’s just that after the basics are taken care of, I think more effort is required to secure things from the internal perspective. Ok, I’m ready…tell me why I’m wrong.
