Some of my coworkers think I'm unnecessarily paranoid. Perhaps I am. I read stories like those about the breach of Sony Pictures Entertainment, where "insiders" allegedly helped the attackers get into the Sony network. Once there, they expanded their operations until they had reportedly compromised every significant business system in the place. The hundreds of gigabytes of stolen Sony information are evidence of their success. Whether these alleged insiders intentionally cooperated with the attackers or were duped by the attackers in some way is irrelevant. A sufficiently motivated and skilled attacker could leverage your remote workers without their knowledge, and use their systems as a jumping-off point into your network. Paranoid or not, that's a potential risk.
I find that it's a worthwhile exercise to read the details of every reported security breach, and then to ask myself several questions, like:
- How did the attackers get into the network?
- Could attackers use that same approach to break into our own network?
- If so, what measures can we implement to stop it?
- If attackers got in this way, how could we detect it?
- If they get in, how can we limit the damage they do?
- If we were already breached, how would we be able to determine forensically where they got in?
- How should we respond as an organization if a breach like this takes place?
I will also ask other questions based on the specific details of a security breach. For example, the attackers who broke into Sony Pictures Entertainment allegedly had help from an "insider" there. Based on this piece of information, I'm inclined to ask questions like:
- Are we monitoring for the use of administrator accounts from outside our LAN?
- Should we have two-factor authentication on administrator accounts?
- Should we have it on every account?
- When employees leave the organization, are we identifying all the accounts they might have had access to and disabling them or resetting the passwords on them?
- Should we be building profiles of user behavior (e.g., administrator account 1 only ever logs in between 8am and 5pm, so flag that account for follow-up if we see it used at midnight)?
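As an added illustration of the last two questions in that list (watching for administrator accounts used from outside the LAN, and baselining when each account normally logs in), here is a small Python baseline-and-alert routine. It is example code written for this page, not one of the author's tools: the log format, the 10.0.0.0/8 LAN range, the account names and every log line below are constructed for the example. The baseline is the window between the earliest and latest hour an account was seen logging in successfully; a window rather than an exact set of hours keeps a single unseen hour inside normal business hours from paging anyone.

```python
from __future__ import annotations

import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample events, not real logs. One event per line:
# ISO timestamp, account, source IP, result.
BASELINE_LOG = """\
2014-11-03T08:12:44 admin1 10.0.5.23 success
2014-11-03T09:30:02 admin1 10.0.5.23 success
2014-11-04T16:55:10 admin1 10.0.5.41 success
2014-11-05T11:02:19 admin1 10.0.5.23 success
2014-11-05T11:03:40 admin1 10.0.5.23 failure
2014-11-03T08:01:00 jdoe 10.0.7.100 success
2014-11-03T17:40:33 jdoe 10.0.7.100 success
"""

NEW_LOG = """\
2014-11-24T00:07:12 admin1 10.0.5.23 success
2014-11-24T10:15:00 admin1 203.0.113.45 success
2014-11-24T10:20:00 admin1 10.0.5.23 success
2014-11-24T12:00:00 jdoe 198.51.100.9 success
2014-11-24T03:00:00 svc_backup 10.0.9.2 success
"""

# Assumptions for the example: the corporate LAN and the privileged accounts.
LAN_RANGES = [ipaddress.ip_network("10.0.0.0/8")]
ADMIN_ACCOUNTS = {"admin1"}


def parse_log(text: str) -> list[tuple[datetime, str, ipaddress.IPv4Address | ipaddress.IPv6Address, str]]:
    """Parse the constructed whitespace-separated log format into tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), account, ipaddress.ip_address(ip), result))
    return events


def build_profiles(events) -> dict[str, dict]:
    """Per-account baseline from successful logons: (earliest hour, latest hour) and sources seen."""
    hours = defaultdict(set)
    sources = defaultdict(set)
    for ts, account, source, result in events:
        if result != "success":
            continue  # failed attempts do not define what "normal" looks like
        hours[account].add(ts.hour)
        sources[account].add(source)
    return {
        account: {"window": (min(hs), max(hs)), "sources": frozenset(sources[account])}
        for account, hs in hours.items()
    }


def is_on_lan(addr) -> bool:
    return any(addr in net for net in LAN_RANGES)


def detect(events, profiles, admin_accounts=ADMIN_ACCOUNTS) -> list[tuple[str, str, list[str]]]:
    """Return (timestamp, account, reasons) for each successful logon that breaks a rule."""
    alerts = []
    for ts, account, source, result in events:
        if result != "success":
            continue
        reasons = []
        # Rule 1: an administrator account used from outside the LAN.
        if account in admin_accounts and not is_on_lan(source):
            reasons.append("admin logon from outside LAN")
        # Rule 2: logon outside the hours this account has ever been seen using.
        profile = profiles.get(account)
        if profile is None:
            reasons.append("no baseline for account")
        else:
            lo, hi = profile["window"]
            if not lo <= ts.hour <= hi:
                reasons.append(f"hour {ts.hour:02d} outside baseline window {lo:02d}-{hi:02d}")
        if reasons:
            alerts.append((ts.isoformat(), account, reasons))
    return alerts


if __name__ == "__main__":
    baseline = build_profiles(parse_log(BASELINE_LOG))
    for when, who, why in detect(parse_log(NEW_LOG), baseline):
        print(f"{when} {who}: {'; '.join(why)}")
```

Run against the constructed lines above, this flags the midnight use of admin1, the admin1 logon from 203.0.113.45, and the never-before-seen svc_backup account, while jdoe's midday logon from outside the LAN passes because jdoe is not an administrator and noon sits inside that account's window. A real deployment would feed it Windows Security log 4624 events or syslog sshd lines instead of the constructed format, and would rebuild the baseline periodically rather than once.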
In fact, if you're considering any kind of security improvements in your organization, I'd encourage you to read as many published reports of the Sony breach as you can find. It's a great learning exercise. I'd also suggest reading the Council on Cybersecurity's Critical Security Controls document. It provides a good framework for evaluating the controls you have in place, identifying those you might need, and prioritizing them.
This paranoia of mine has served me well. I've developed a few tools based on the details of published attacks, malware analyses, etc., that have helped us avoid a few disasters already. One tool caught a Cryptolocker process that slipped past our antivirus software, within minutes of it infecting the user's system. We were able to terminate it and clean up the mess before it damaged anything important. We've also caught several other "zero-day" malware items.
The trick in leveraging your paranoia as I do is always to balance the level of effort and expense against the amount of risk and damage a potential weakness represents. The CSC document mentioned above can be a big help here.