How to protect against the weakest link in cybersecurity – THE USERS
Cyberattacks continue to grow year over year. An astounding 5,126,930,507 breached records in 2021 represent an 11% increase in security incidents compared to 2020, according to analysis by IT Governance. Security professionals are in a constant battle to improve their organization's security posture and reduce risk across all potential attack surfaces.
Web threats are by far the dominant attack vector. Secure Web Gateways (SWGs) and next-generation firewalls use URL/content filtering, advanced threat defense, and malware protection to defend users from internet-borne threats, and they help enterprises enforce internet usage policy and regulatory compliance. While security teams focus on inbound threats from adversaries, their risk assessments should also account for the weakest link in the security chain.
What is the Weakest Link in Cybersecurity?
Humans. People are fallible, and they make mistakes. Even with proper awareness and education by IT teams about online risks, any of us can be tricked into clicking a phishing link that seems legitimate. Adversaries take advantage of human nature and use social engineering attacks that play on our emotions and curiosity. They often invoke urgency so that people do not stop to think; in their haste, people act against the company's and their own best interests. Employees also attempt to bypass security controls to reach websites that breach acceptable internet usage policies, such as adult content sites, gaming and gambling sites, and P2P file-sharing websites. Rogue employees, or even overly enthusiastic employees with good intentions, may try to circumvent the organization's security restrictions to get their tasks done by downloading unauthorized applications, connecting to unsanctioned online applications and cloud services, or using public proxy servers or VPN services, all of which pose greater risk to the organization by extending the attack surface.
How to protect against the weakest link in cybersecurity
In this blog post, I will address the different ways organizations can improve their security posture against internal risks posed by either rogue employees trying to bypass security controls or compromised hosts whose malware tries to exfiltrate data.
What is a rogue employee?
A rogue employee undermines the organization by ignoring rules and policies. They might break these rules openly, without concern about being fired, or subvert them covertly to avoid being discovered. Their actions might be relatively harmless, or serious enough to pose a risk to the security of the organization's data. In the worst cases, they may "open the door" to malware, or attempt to undermine the organization by giving data to a competitor or engaging in corporate espionage.
Types of rogue employees
- The over-motivated, ambitious, and resourceful individual: These employees are driven to get the job done. Their intentions are good, and they feel that bending the rules is harmless as long as the job gets done. Such employees see the security rules only as obstacles that slow them down, view them as meant for less capable colleagues, and resent having to comply with them.
- Reckless employees: These employees are not trying to harm the organization intentionally. They violate rules and organizational policies because they either cannot understand them, do not grasp the consequences, or are just plain lazy. These are the employees who leave their login ID and password on sticky notes pasted to the monitor, or share sensitive data in emails for whatever reason.
- Disgruntled employees: These employees may pose the greatest risk to the organization, as they hold a grudge and want to harm it, either by stealing data or by leaking proprietary information. There are many cases of breaches caused by insider threats. Below are a few examples:
Ways to bypass security controls
When organizations impose excessive restrictions to protect data and reduce the attack surface, the first thing users do is look for a way around them, at which point the security measures fail completely. Some of the tools available to circumvent security controls and organizational policy are web proxies and VPNs. Both proxies and VPNs offer a high degree of privacy, allowing anonymous access to the internet. In doing so, the user hides their online activity and bypasses the security policy, exposing the organization to malicious sites or data exfiltration. Let's dive into the differences between these anonymity tools.
A proxy server acts as a gateway between users and the internet. Because the proxy has an IP address of its own, internet traffic appears to come from it, hiding the true source address. A proxy is ideal for basic functions such as anonymous web browsing and circumventing content restrictions. Its main advantage is IP masking and misdirection, which makes it well suited to viewing geographically restricted content and lets users evade content restrictions, monitoring, and enforcement of website policy.
The different proxy types include:
- Forward Proxy – A forward proxy sits between clients and the internet. It examines user requests and decides whether to proceed with making the connection. A forward proxy is the most common form of proxy server and is generally used to pass requests from an isolated, private network to the Internet. It hides the IP addresses of hosts inside the network and allows for straightforward administrative control.
- Transparent Proxy – A transparent proxy gives users an experience identical to what they would have on their home computer. Transparent proxies are ideal for companies that want to use a proxy without making employees aware they are using one. Their main advantage is a seamless user experience. Transparent proxies are used primarily at large organizations, but are also present in the infrastructure of certain Internet Service Providers (ISPs) to reduce bandwidth through caching and content filtering.
- Public Proxy – A public proxy is accessible by anyone free of charge. It works by giving users access to its IP address, hiding their identity as they visit sites. Public proxies are best suited for users for whom cost is a major concern and security and speed are not. Although they are free and easily accessible, they are often slow because they get bogged down with free users. When you use a public proxy, you also run an increased risk of having your information accessed by others on the internet.
- Anonymous Proxy – An anonymous proxy or anonymizer focuses on making internet activity untraceable. It works by accessing the internet on behalf of the user while hiding their identity and computer information. An anonymous proxy is best suited for users who want to have full anonymity while accessing the internet. There are many anonymous proxies available, ranging from free to premium paid proxies.
- High Anonymity Proxy – A high anonymity proxy is an anonymous proxy that takes anonymity one step further. It works by erasing your information before the proxy attempts to connect to the target site. A high anonymity proxy server is best suited for users for whom anonymity is an absolute necessity, such as employees who do not want their activity traced back to the organization. On the downside, some of them, particularly the free ones, are decoys set up to entrap users, accessing their personal information or data.
Virtual Private Networks (VPNs)
A Virtual Private Network, or simply VPN, gives you online privacy and anonymity by creating a private network from a public internet connection. A VPN is similar to a proxy server in that it makes internet traffic appear to be coming from a remote IP address. However, with VPNs, traffic runs through an encrypted tunnel between the remote VPN network and the user’s computer or device, making VPNs an effective solution for ensuring network security and anonymity.
A VPN from a reliable provider gives users a safe way to browse the internet, especially on public Wi-Fi at airports, hotels, and cafés, where you may actually be logged into a Wi-Fi network created by a cybercriminal who can then easily spy on your browsing and steal any personal information you use online.
VPNs have been used by the business sector for many years. Remote employees use VPNs to create a tunnel from their device to the organization over the internet. Once a VPN tunnel is established, users on the public network are able to send and receive data as if they were directly connected to the private network. VPN usage skyrocketed by 41% in a single month, according to industry research on how COVID accelerated the distributed workforce.
Common VPN Protocols
- PPTP – Point-to-Point Tunneling Protocol is one of the oldest VPN protocols in existence, developed in the mid-90s by Microsoft. PPTP provides fast data speeds and is widely supported in many applications, but it lacks modern security features.
- L2TP/IPsec – Layer 2 Tunneling Protocol is the successor to the PPTP VPN protocol. On its own it provides no encryption or privacy, so it is frequently paired with the IPsec security protocol. Once implemented, L2TP/IPsec is extremely secure and has no known vulnerabilities.
- OpenVPN – OpenVPN is an open-source protocol, so developers have access to its underlying code. It has grown in popularity due to its use of (virtually unbreakable) AES 256-bit key encryption with 2048-bit RSA authentication and a 160-bit SHA1 hash algorithm.
- SSTP – Secure Socket Tunneling Protocol uses 2048-bit SSL/TLS certificates for authentication and 256-bit SSL keys for encryption. SSTP is popular due to its full integration with every Microsoft operating system since Windows Vista SP1. Its biggest drawback is that it is essentially a proprietary protocol developed by Microsoft, and developers do not have access to the underlying code.
- WireGuard – WireGuard is the newest of these protocols and promises to be faster and more efficient than the others. It chooses smart, modern cryptographic primitives with secure defaults, and it is very small and simple compared with older protocols.
There are many VPN services out there from free to premium VPN with ultra-speed connectivity. VPN services aren’t without their drawbacks, though. While they’re meant to protect your privacy, a VPN provider can see your web traffic and, in some cases, log it.
Tor in a nutshell
While proxies and VPNs are good tools for remaining anonymous and circumventing organizational or governmental restrictions, Tor stands out when we compare the level of anonymity provided by the various tools. Tor, or The Onion Router, is an open-source privacy network that enables anonymous web browsing. The worldwide Tor network uses secure, encrypted protocols to ensure that users' online privacy is protected. Tor users' data and communications are shielded using a layered approach that resembles the nested layers of an onion.
Tor technology was initially developed and solely used by the U.S. Navy to protect sensitive government communications. The network was later made available to the public as an open-source platform, meaning that Tor’s source code is accessible to everyone. Tor is upgraded and enhanced by volunteer developers in the Tor network. (source: https://www.torproject.org/about/history/)
Using a distributed network of nodes on the Internet, Tor provides anonymity to users. Internet Service Providers (ISPs), governments, and corporations can’t know which sites you’ve been visiting. Authorities also cannot censor content or know your location.
Tor is able to do this because it hides your IP address and the addresses of sites you visit. Your packets are bounced across multiple nodes, with each node having only information about the previous and next hops along the route. Moreover, Tor nodes are run by volunteers without any centralized control. Tor is a network service, not a peer-to-peer service like BitTorrent.
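To make the hop-by-hop peeling concrete, here is an added toy model of onion layering (example code, not from the original post or the Tor Project): an HMAC-SHA256 keystream XOR stands in for Tor's real per-hop ciphers, the relay names and keys are constructed, and Tor's actual cell format is not reproduced. Each relay strips exactly one layer and learns only the next hop; only the exit relay ever sees the payload.

```python
import hashlib
import hmac

HOP_FIELD = 16  # bytes reserved for the next-hop label inside every layer

def _keystream(key: bytes, length: int) -> bytes:
    """Expand a per-hop key into a keystream (HMAC-SHA256 in counter mode)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _layer_cipher(key: bytes, data: bytes) -> bytes:
    """Toy symmetric layer cipher: XOR with the keystream (same call decrypts)."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))

def build_onion(circuit, payload: bytes) -> bytes:
    """Client side: one layer per relay, guard outermost, exit innermost.
    circuit is a list of (relay_name, relay_key) ordered guard -> exit; each
    layer's plaintext is a next-hop label (HOP_FIELD bytes) + the inner blob."""
    next_hop, blob = b"EXIT", payload  # "EXIT" tells the exit relay to deliver
    for name, key in reversed(circuit):
        blob = _layer_cipher(key, next_hop.ljust(HOP_FIELD, b"\0") + blob)
        next_hop = name.encode()  # the relay before this one forwards to it
    return blob

def peel_layer(key: bytes, onion: bytes):
    """Relay side: strip one layer and learn only the next hop, nothing else."""
    plain = _layer_cipher(key, onion)
    return plain[:HOP_FIELD].rstrip(b"\0").decode(), plain[HOP_FIELD:]

def route(circuit, onion: bytes):
    """Forward the onion hop by hop; record (relay, next_hop, blob it saw)."""
    observations, blob = [], onion
    for name, key in circuit:
        next_hop, blob = peel_layer(key, blob)
        observations.append((name, next_hop, blob))
        if next_hop == "EXIT":
            return observations, blob  # only the exit relay holds the payload
    raise ValueError("circuit ended before the EXIT label was reached")

if __name__ == "__main__":
    # Constructed three-relay circuit and keys (not real Tor relays or ciphers).
    circuit = [("guard", b"g-key"), ("middle", b"m-key"), ("exit", b"x-key")]
    seen, delivered = route(circuit, build_onion(circuit, b"GET /report HTTP/1.1"))
    for relay, nxt, _ in seen:
        print(f"{relay} learns next hop: {nxt}")
    print("exit delivers:", delivered)
```

The guard sees the client's address but only ciphertext, and the exit sees the payload but not the client, which is why no single relay (or its operator) can link the two.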
The easiest way to use Tor is to use the Tor Browser, but there are many other services and software based on Tor. Due to the extreme anonymity Tor provides, it’s also been widely used by cyber criminals conducting illegal activities in the deep and dark web. Unless your organization is involved with analyzing the dark web using Tor for security research, Tor access should be blocked and no one in the organization should have any reason to search there.
Tor Building Blocks
Proxy vs. VPN vs. Tor Summary
How to Stop Rogue Employees from Harming Your Business
Security professionals in charge of applying security measures need to find the balance between "over-security," which hurts productivity and may frustrate employees or drive over-enthusiastic ones to bypass the restrictions, and "less-security," which may expose the organization to cyber risks. It is important for IT to strike a balance between not clamping down excessively on users' activities and educating users to stay secure and use IT infrastructure responsibly.
Education and training
Employee security awareness training and education about cyberthreats are crucial to minimizing the damage from phishing emails and suspicious links, the impact of ransomware attacks on the organization, and the risk of sensitive data falling into the wrong hands. Some of the practices you should follow include:
- Explaining the warning signs of a cyberattack, how to spot phishing and ransomware attempts, and other suspicious activities. Explain what they should do when these threats come across their computer screen.
- Setting up mock “phishing” emails to see who takes the bait. This will teach employees to better scrutinize emails.
- Making sure all employees are thoroughly trained on security for their individual computers.
- Explaining to employees that a data breach could mean the loss of their job.
Monitoring and Access Enforcement
I remember taking the Google phishing quiz a few months ago, and I admit that I missed a few phishing cases. Even a trained eye can be fooled regarding the legitimacy of a phishing website or a phishing email. So, monitoring and policy enforcement are essential. It goes without saying that web security, content filtering, and firewall policies should be in place to block malicious content.
A good practice is to block access to proxies, VPNs, and Tor. An application control system can be implemented to prevent the installation of the Tor Browser, for example. Even if someone did manage to install it, rules can be set in the network security system to detect Tor traffic. Additionally, access to public proxies and VPNs should be restricted. There is no reason for an employee to use such services other than to reach online apps or services that organizational policy does not allow, or to exfiltrate data and hide their tracks.
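The Tor, VPN and proxy detection rules described above, expressed as a first-packet flow classifier (an added example, not Allot's engine or any product code): the relay list uses constructed documentation addresses where a deployment would load the Tor Project's published relay list, and the byte signatures are the WireGuard handshake-initiation header and the OpenVPN hard-reset opcode.

```python
from dataclasses import dataclass

# Constructed relay list (documentation addresses); a deployment would load the
# current relay list published by the Tor Project instead.
TOR_RELAYS = {"192.0.2.10", "198.51.100.7"}

@dataclass
class Flow:
    dst_ip: str
    dst_port: int
    proto: str       # "tcp" or "udp"
    payload: bytes   # leading bytes of the first client packet

def classify(flow: Flow) -> str:
    """Label the anonymity tool a flow most likely belongs to, or 'unclassified'."""
    p = flow.payload
    if flow.dst_ip in TOR_RELAYS:
        return "tor-relay"
    # WireGuard handshake initiation: type 1, three reserved zero bytes, 148 bytes.
    if flow.proto == "udp" and len(p) == 148 and p[:4] == b"\x01\x00\x00\x00":
        return "wireguard-handshake"
    # OpenVPN over UDP: opcode P_CONTROL_HARD_RESET_CLIENT_V2 (7) << 3 | key id 0.
    if flow.proto == "udp" and p[:1] == b"\x38":
        return "openvpn-udp"
    # Plain HTTP forward-proxy use: CONNECT tunnels or an absolute URI in the request.
    if flow.proto == "tcp":
        method, _, rest = p.partition(b" ")
        if method == b"CONNECT":
            return "http-proxy-connect"
        if method in (b"GET", b"POST") and rest.startswith(b"http://"):
            return "http-proxy-absolute-uri"
    return "unclassified"

def flag_flows(flows):
    """Return (flow, label) for every flow that matched a proxy, VPN or Tor rule."""
    return [(f, lbl) for f in flows if (lbl := classify(f)) != "unclassified"]

if __name__ == "__main__":
    # Constructed sample flows (documentation addresses, synthetic payloads).
    samples = [
        Flow("192.0.2.10", 9001, "tcp", b"\x16\x03\x01"),
        Flow("203.0.113.5", 51820, "udp", b"\x01\x00\x00\x00" + bytes(144)),
        Flow("203.0.113.6", 1194, "udp", b"\x38" + bytes(13)),
        Flow("203.0.113.7", 8080, "tcp", b"CONNECT example.test:443 HTTP/1.1\r\n"),
        Flow("203.0.113.8", 3128, "tcp", b"GET http://example.test/ HTTP/1.1\r\n"),
        Flow("203.0.113.9", 443, "tcp", b"\x16\x03\x01"),
    ]
    for flow, label in flag_flows(samples):
        print(f"{flow.dst_ip}:{flow.dst_port}/{flow.proto} -> {label}")
```

First-packet signatures are a heuristic: obfuscated transports and Tor bridges do not match them, so a DPI engine pairs them with relay-list and behavioural checks.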
The Allot Traffic Management and Assurance platform is an inline network solution that inspects every packet in the network. Its Deep Packet Inspection (DPI) engine and classification logic are powered by machine learning and AI. Additionally, dedicated data and security researchers optimize, update, and create new detection logic to detect the most obfuscated proxies, VPNs, and Tor traffic out there. Our recent research can even detect the applications and types of activity, from file transfer to streaming or web surfing, inside encrypted links (stay tuned for more on this later), enabling security professionals to gain visibility and control over everything running in the network.
Allot's solution for traffic management and enforcement can also be used to detect and block any activity carried out over a proxy, VPN, or Tor, complementing any security device already in place. Since the Allot engine inspects every packet at the network layer, it provides another layer of protection, detecting unauthorized traffic and stopping it. Please contact us for more information.
In short, security awareness training, constant monitoring and enforcement, and access restrictions are all strategies you can employ to stop rogue employees.