How to protect against the weakest link in cybersecurity THE USERS – Security Boulevard

Posted: April 29, 2022 at 3:32 pm

Cyberattacks continue to grow year over year. An astounding 5,126,930,507 breached records in 2021 represent an 11% increase in security incidents compared to 2020, according to an IT Governance analysis. Security professionals are in a constant battle to improve their organization's security posture and reduce risk across all potential attack surfaces.

Web threats are, by far, the dominant attack vector, and Secure Web Gateways (SWGs) and NG Firewalls use URL/content filtering, advanced threat defense, and malware protection to defend users from internet-borne threats, as well as to help enterprises enforce internet usage policy and regulatory compliance. While security teams focus on inbound threats from adversaries, their risk assessments should also account for the weakest link in the security chain.

Humans. People are fallible, and they make mistakes. Even with proper awareness training and education by IT teams about online risks, any of us can be tricked into clicking a phishing link that seems legitimate. Adversaries take advantage of human nature and use social engineering attacks to play on our emotions and curiosity. They often invoke urgency so that people will not stop to think. In their haste, people act against the company's and their own best interests. Employees also attempt to bypass security controls to gain access to websites that breach acceptable internet usage policies, such as adult content sites, gaming and gambling sites, and P2P file sharing websites. Rogue employees, or even overly enthusiastic employees with good intentions, may try to circumvent the organization's security restrictions to perform tasks or other assignments by downloading unauthorized applications, connecting to unsanctioned online applications and cloud services, or using public proxy servers or VPN services, all of which expose the organization to greater risk by extending the attack surface.

In this blog post, I will address the different ways organizations can improve their security posture against internal risks posed either by rogue employees trying to bypass security controls, or by compromised hosts running malware that tries to exfiltrate data.

A rogue employee undermines the organization by ignoring rules and policies. They might openly break these rules, without concern about being fired, or covertly subvert them to avoid being discovered. Their actions might be relatively harmless, or serious enough to pose a risk to the security of the organization's data. In the worst cases, they may open the door to malware, or attempt to undermine the organization by giving data to a competitor or engaging in corporate espionage.

When organizations impose excessive restrictions to protect data and reduce the attack surface, the first thing users do is look for a way around them, and then the security measures completely fail. Two of the tools available for circumventing security controls and organizational policy are web proxies and VPNs. Both proxies and VPNs enable a high degree of privacy, allowing anonymous access to the internet. By using them, a user is able to hide online activity and bypass security policies, exposing the organization to malicious sites or data exfiltration. Let's dive into the differences between these anonymity tools.

A proxy server acts as a gateway between users and the internet. A proxy server has an IP address of its own, so internet traffic appears to be coming from somewhere else, hiding the source's true IP address. A proxy is ideal for basic functions like anonymous web browsing and circumventing content restrictions. A proxy's main advantage is IP masking and misdirection, which makes it well suited for viewing geographically restricted content. Proxies therefore allow users to bypass content restrictions, monitoring, and policy enforcement.

The different proxy types include:

A Virtual Private Network, or simply VPN, gives you online privacy and anonymity by creating a private network over a public internet connection. A VPN is similar to a proxy server in that it makes internet traffic appear to be coming from a remote IP address. However, with a VPN, traffic runs through an encrypted tunnel between the remote VPN network and the user's computer or device, making VPNs an effective solution for ensuring network security and anonymity.

A VPN from a reliable provider gives users a safe way to browse the internet, especially when using Wi-Fi at a public location such as an airport, hotel, or café, where you may in fact be logged into a Wi-Fi network created by a cybercriminal who can then easily spy on your browsing and steal any personal information you use online.

VPNs have been used by the business sector for many years. Remote employees use VPNs to create a tunnel from their device to the organization over the internet. Once a VPN tunnel is established, users on the public network are able to send and receive data as if they were directly connected to the private network. VPN usage skyrocketed by 41% in a single month, according to industry research on how COVID accelerated the distributed workforce.

There are many VPN services out there, from free offerings to premium VPNs with ultra-fast connectivity. VPN services aren't without their drawbacks, though. While they're meant to protect your privacy, a VPN provider can see your web traffic and, in some cases, log it.

While proxies and VPNs are good tools for remaining anonymous and circumventing organizational or governmental restrictions, Tor stands out first when we compare the level of anonymity provided by the various tools. Tor, or The Onion Router, is an open-source privacy network that enables anonymous web browsing. The worldwide Tor network uses secure, encrypted protocols to ensure that users' online privacy is protected. Tor users' data and communications are shielded using a layered approach that resembles the nested layers of an onion.

Tor technology was initially developed and solely used by the U.S. Navy to protect sensitive government communications. The network was later made available to the public as an open-source platform, meaning that Tor's source code is accessible to everyone. Tor is upgraded and enhanced by volunteer developers in the Tor community. (source: https://www.torproject.org/about/history/)

Using a distributed network of nodes on the Internet, Tor provides anonymity to its users. Internet Service Providers (ISPs), governments, and corporations can't know which sites you've been visiting. Authorities also cannot censor content or learn your location.

Tor is able to do this because it hides your IP address and the addresses of the sites you visit. Your packets are bounced across multiple nodes, with each node knowing only the previous and next hop along the route. Moreover, Tor nodes are run by volunteers without any centralized control. Tor is a network service, not a peer-to-peer service like BitTorrent.

The easiest way to use Tor is the Tor Browser, but there are many other services and software built on Tor. Due to the extreme anonymity Tor provides, it's also been widely used by cybercriminals conducting illegal activities on the deep and dark web. Unless your organization is involved in analyzing the dark web over Tor for security research, Tor access should be blocked, and no one in the organization should have any reason to search there.

Security professionals in charge of applying security measures need to find the balance between over-securing, which impacts productivity and may result in frustrated employees or inspire over-enthusiastic employees to bypass the restrictions, and under-securing, which may expose the organization to cyber risks. It is important for IT to strike a balance: not excessively clamping down on users' activities while simultaneously educating users to stay secure and use the IT infrastructure responsibly.

Employee security awareness training and education about cyberthreats are crucial to minimize damage from phishing emails and opening suspicious links, the impact of ransomware attacks on the organization, and the risk of sensitive data falling into the wrong hands. Some of the practices you should perform include:

I remember taking the Google phishing quiz a few months ago and I admit that I missed a few phishing cases. Even a trained eye can be fooled in regard to the legitimacy of a phishing website or a phishing email. So, monitoring and policy enforcement are essential. It goes without saying that web security, content filtering, and firewall policies should be in place to block malicious content.

A good practice is to block access to proxies, VPNs, and Tor. An application control system can be implemented to prevent the installation of the Tor Browser, for example. Even if someone did manage to install it, rules can be set in the network security system to detect Tor traffic. Additionally, access to public proxies and VPNs should be restricted. There is no reason for an employee to use such services other than to reach online apps or services that aren't allowed by organizational policy, or to exfiltrate data and hide their tracks.
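To make the detection rules above concrete, here is an added example (not Allot's product logic or any code from the original post) that walks outbound firewall log lines and flags hosts whose destinations look like Tor relays, Tor relay ports, or unsanctioned VPN and proxy endpoints. The relay IP set, the sanctioned VPN gateway, the log format and the log lines are all constructed placeholders; in practice the relay set would be refreshed from the Tor Project's published relay data.

```python
"""Flag outbound connections that look like Tor, VPN or proxy use."""
from collections import defaultdict

# Constructed sample of Tor relay IPs (documentation ranges, not real relays).
TOR_RELAY_IPS = {"198.51.100.10", "198.51.100.11", "203.0.113.7"}

# Constructed: the organization's own VPN gateway, which is allowed.
SANCTIONED_VPN = {("192.0.2.1", "udp", 1194)}

# Destination ports commonly associated with Tor relays and VPN/proxy protocols.
PORT_HINTS = {
    ("tcp", 9001): "tor-orport",
    ("tcp", 9030): "tor-dirport",
    ("udp", 1194): "openvpn",
    ("udp", 51820): "wireguard",
    ("udp", 500): "ipsec-ike",
    ("udp", 4500): "ipsec-nat-t",
    ("tcp", 1080): "socks-proxy",
}

def parse_line(line):
    """Parse a constructed log line of the form 'src dst proto dport action'."""
    src, dst, proto, dport, action = line.split()
    return src, dst, proto.lower(), int(dport), action

def classify(line):
    """Return a reason string if the connection looks like anonymizer use, else None."""
    src, dst, proto, dport, _ = parse_line(line)
    if dst in TOR_RELAY_IPS:            # relay match wins regardless of port
        return "tor-relay-ip"
    if (dst, proto, dport) in SANCTIONED_VPN:  # corporate VPN is not a finding
        return None
    return PORT_HINTS.get((proto, dport))      # port-based hint, may be None

def flag_hosts(lines):
    """Map each internal host to the set of reasons it was flagged."""
    hits = defaultdict(set)
    for line in lines:
        reason = classify(line)
        if reason:
            hits[parse_line(line)[0]].add(reason)
    return dict(hits)

# Constructed sample log: one Tor relay on 443, one unsanctioned OpenVPN
# server, one corporate VPN session, one ordinary HTTPS flow, one Tor ORPort.
SAMPLE_LOG = [
    "10.0.0.5 198.51.100.10 tcp 443 allow",
    "10.0.0.5 192.0.2.9 udp 1194 allow",
    "10.0.0.8 192.0.2.1 udp 1194 allow",
    "10.0.0.8 93.184.216.34 tcp 443 allow",
    "10.0.0.9 203.0.113.50 tcp 9001 allow",
]
```

Port hints alone produce false positives (any service can listen on 1194), so the relay-list match is the strong signal and the port matches are leads for review; the sanctioned-gateway allowlist keeps the corporate VPN out of the findings.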

The Allot Traffic Management and Assurance platform is an inline network solution that checks and inspects each packet on the network. Its Deep Packet Inspection (DPI) engine and classification logic are powered by machine learning and AI. Additionally, dedicated data and security researchers optimize, update, and create new detection logic to detect the most obfuscated proxies, VPNs, and Tor traffic out there. Our recent research can even detect applications and types of activity, from file transfer to streaming to web surfing, within encrypted links (stay tuned for more info about it later on), enabling security professionals to gain visibility and control over everything running in the network.

Allot's solution for traffic management and enforcement can also be used to detect and block any activity carried out over a proxy, VPN, or Tor, and to complement any security device already in place. Since the Allot engine inspects every packet at the network layer, it provides another layer of protection, detecting unauthorized traffic and stopping it. Please contact us for more information.

In short, security awareness training, constant monitoring and enforcement, and access restrictions are all strategies you can employ to stop rogue employees.
