Top 5 Internal Data Security Threats and How to

Deal with Them

When considering cybersecurity strategies for data protection, guarding against external threats is usually the
first on the list. However, headline-grabbing cyberattacks account for only half of the root causes of data
breaches, according to the 2020 Cost of a Data Breach Report released by the Ponemon Institute and IBM
Security. The rest are due to internal security threats and system glitches.

The human factor is often the hardest to control and predict when it comes to data protection. Some companies
invest in employee training in hopes that a well-educated workforce, aware of the financial and reputational
consequences of data breaches, will be enough to increase vigilance and deter poor security practices. However,
the truth is, in many cases, organizations are only one careless employee away from a damaging security
incident. There is also always the potential danger of malicious insiders and disgruntled employees that want to
damage a company’s reputation or steal data on their way out of an organization.

But what are the most common insider threats that jeopardize a company’s data security? Let’s have a look at
the most prevalent five:

1. Phishing and social engineering

Phishing and social engineering attacks have become two of the most popular ways hackers infiltrate a network
and spread malware and ransomware. Although technically external threats, they rely on easy-to-scam
employees. Cybercriminals trick insiders into revealing their credentials or clicking infected links or
attachments by impersonating friends or other trusted sources or offering unexpected prizes from sought-after
brands. Once inside, they can easily compromise network security.

While antimalware and antivirus software can help prevent phishing attacks by identifying suspicious emails,
social engineering is best dealt with through security awareness training. Employees must be educated on how
outside attackers may approach them and how they need to react when they receive suspicious requests. An
understanding of social engineering is essential to prevent it. Know-how should also be put to the test to
identify any potential weaknesses among employees.

2. Data sharing outside the company

Employees sharing confidential company data such as intellectual property or sensitive information protected
under data protection laws like personally identifiable information (PII) or healthcare data, either publicly or
with third parties outside the company, can spell disaster. This usually happens out of carelessness: a reply all
button is hit instead of a simple reply, information is sent to the wrong email address, or something is
accidentally posted publicly.

These kinds of incidents are rarely helped by training as they represent human errors which we are all prone to.
Specialized software like Data Loss Prevention (DLP) tools can help organizations keep track of sensitive data
and ensure that its transfer, whether by email or other internet services, is limited or blocked altogether. Some
DLP solutions like Endpoint Protector offer the option of setting up different permissions and security policies
based on an employee’s department and working hours.

3. Shadow IT
The use of unauthorized third-party software, applications or internet services in the workplace is often hard to
trace by the IT department, which is where the term shadow IT comes from. The reasons for the prevalence of
shadow IT are fairly simple: employees use known applications for things like file sharing and messaging out of
habit because they improve their efficiency and lighten their workload or are more user-friendly than company-
authorized alternatives.

This is problematic because companies are, most of the time, unaware that this is happening, essentially
creating a blind spot in cybersecurity strategies. A further danger is the potential vulnerabilities of these third-
party services, which can lead to data leaks or security breaches, but also non-compliance with data protection
legislation which can lead to steep fines.

Shadow IT usually signals a failure on the company’s part to provide employees with the right tools to perform
their tasks. Organizations should have an open dialogue with their employees to understand their technological
needs and try their best to meet them. DLP tools can also help companies prevent employees from uploading
sensitive information to these unauthorized services. By monitoring these attempts, they can reach a better
understanding of shadow IT within their organization.

4. Use of unauthorized devices

A lot of data protection policies focus on data transfers outside the company network over the internet and fail
to consider another often used method: portable devices. USBs, in particular, have long been the bane of data
protection strategies. Easy to lose or steal but convenient to use, USBs have led to some disastrous data
breaches, such as the by now infamous Heathrow Airport security incident in which a careless employee lost a
USB with over 1,000 confidential files, including highly sensitive security and personal information.

The easiest way to prevent these kinds of breaches is to block employee access to USB and peripheral ports
altogether. However, there is no denying USBs’ usefulness in the workplace. For companies who still want to
use USBs, there are safeguards that can be implemented to address these cybersecurity threats. Chiefly among
them is enforced encryption of all files transferred onto USB sticks combined with a trusted devices policy that
would allow only trusted devices to connect to a company computer.

5. Physical theft of company devices

In today’s increasingly mobile work environment, employees often take their work computers and portable
devices out of the office. Whether working remotely, visiting clients, or attending industry events, work devices
frequently leave the security of company networks and become more vulnerable to both physical theft and
outside tampering.

Encryption is always a good solution to guard against physical theft. Whether it’s laptops, mobile phones, or
USBs, encryption removes the possibility that anyone who steals them can access the information on them.
Enabling remote wipe options can also help organizations erase all data on stolen devices from a distance.

What Are Internal Threats in Cyber Security?

What Are Internal Cyber Security Threats?
Shockingly, around 22% of cyber security incidents are caused by internal threats. However, companies too
often neglect to consider the risk of internal threats, even though they can result in critical data breaches.
Internal cyber security threats are threats posed by individuals that originate within an organisation itself. They
can be current employees, former employees, external contractors or vendors. Essentially anyone who has
access to company devices or data. This form of data breach involves an internal attacker accessing sensitive
company information with malicious intent. Attackers can include both current and former employees.

There are many forms of data misuse by individuals that can pose a threat to organisations. They often rely on a
user having access to networks and assets to disclose, modify and delete sensitive information. Some of this
information could include:

1. Organisations security practices

2. Login credentials
3. Customer & employee data
4. Financial records

Due to the nature of internal cyber security threats, traditional preventative security measures are often rendered
ineffective.

Why Do People Carry Out Internal Security Attacks?

A. Malicious Activity

Individuals that pose a threat to an organisation may have very different goals from external cybercriminals.
The main motivations of internal threats include:

Fraud: The theft, modification or destruction of company data with the goal of deception.

Espionage: Stealing information for another organisation (generally a competitor).

Sabotage: The use of legitimate access to a company’s network/assets to damage or destroy the company’s
functionality.

Intellectual Property Theft: The theft of a company’s intellectual property, with the intention of either selling
or utilising the property.

Revenge: Employees who have been fired or otherwise made unemployed by a company may seek to damage
the company’s reputation by accessing sensitive information.

B. Negligent Practices

It’s important to note that not all internal threats are carried out by malicious parties. Many times internal
threats arise from employees who unintentionally or carelessly expose sensitive company information. This is
why employee training and education are critical in combating the risk of data breaches.

There are numerous ways in which employees can inadvertently contribute to data breaches:

Phishing or social engineering victims: Phishing involves an attacker sending fake communications to an
employee, usually posing as a legitimate company. The user is then persuaded to supply credentials or details,
through a fake login page or directly. By releasing sensitive credentials or data, users can inadvertently provide
3rd party criminals access to private systems. You can learn about the most common types of phishing attacks
here.

Using unauthorised devices: The use of unauthorised devices can pose a huge risk for security teams,
especially given the difficulty in monitoring them. USB sticks are an example of a seemingly harmless device
that employees might not consider to be a breach of security. However, an infected USB drive has the ability to
provide remote access to 3rd party hackers who can then attempt to access sensitive company data.

Using unauthorised software: As with unauthorised devices, employees may choose to use 3rd party software
for legitimate business purposes. The threat arises from illegitimate or pirated software that can include
malware and backdoors allowing access to attackers.

Loss of company devices: The loss of unsecured/unencrypted company hardware is an extremely common
cause of data leaks. Heathrow Aiport was fined £120,000 for “Serious” data protection failings when an
employee lost an unencrypted USB storage device containing highly sensitive information.

Improper Access Control: Managing access control is vital in combatting insider threats. Whether it’s
managing internal users’ access, third-party access or revoking ex-employees’ access, managing access is
critical. The process of managing access control can easily be overlooked but can cause huge issues if
incorrectly implemented.

How Can You Prevent Internal Threats?

Generally, internal threats can be avoided by thorough company-wide policies, procedures and technologies
that help prevent privilege misuse and mitigate the damage it can cause.

The core policies that a company should focus on to reduce the risk of internal threats include:

a) Regular Enterprise-Wide Risk Assessments: Knowing what your critical assets are, their
vulnerabilities and the potential threats posed can give a great insight into how to enhance your IT
security infrastructure. Combine this with the prioritisation of risks to continuously develop security.
b) Documentation of Policies and Enforcement: Generally policies and regulations should be accurately
documented to ensure efficient security software deployment. Policies should be created to personalise
what access certain employees may have to avoid the risk of all employees accessing confidential &
sensitive data. Access can often be assigned on a departmental basis.

The most effective policies to focus on include General Data Protection Regulations, password management,
and third-party access policies.

c) Physical Security: A professional security team guided by your instructions can help greatly reduce the
risk of internal threats. There are many layers to physical security which can help prevent malicious
people from entering areas within an organisation that they should not have access to:

i. Mantraps: An individual wanting to access a specified area must go through an initial door into a holding room.
Within this room, they are inspected from a window or camera before the second door is unlocked.
ii. Turnstiles/Gates: This efficient control is very common in office buildings and requires employees to tap their ID
pass on a reader, which will unlock the gate and allow them to pass through.
iii. Electronic Doors: These secure doors should be used throughout the facility, to limit the areas that a person can
access, based on their role. Only allowing certain people in specific areas not only reduces the risk of malicious
activity but can also help find the person accountable as the list of potential suspects is much shorter.
 d) Monitoring controls can be implemented to provide real-time monitoring and give security personnel
the ability to detect and respond to intruders or internal threats:

i. CCTV: This enables monitoring from multiple interconnected cameras across your site. This gives security teams
expanded visibility of on-site activity.
ii. Security Guards: While it’s of the utmost importance to have stringent policies in place, there also needs to be a
team that is trained in their use and maintenance so they can fully utilise the security controls and respond to
incidents.
iii. Intrusion Detection Systems: These systems have several different triggers that can generate alerts or set off
alarms, including thermal detection, sound detection, and movement detection. An example of this would be a
sound detection system that can recognise the sound of glass smashing (such as an intruder breaking a window to
gain access to the building) and trigger an alarm.

e) Security controls that act as deterrents include warning signs and barbed wire. Their purpose is to
deter potential attackers and make them less likely to attempt to gain entry:

i. Warning Signs: Signs such as “DO NOT ENTER” and “You Are Trespassing” can be enough to make people
turn around, as they have been informed that any further activity may be illegal.
ii. Fences: Chain-link metal fences are very common practice, with barbed or razor wire on top. This creates a
barrier that can’t be climbed over and requires more effort for attackers to bypass, slowing them down, and giving
more time for them to be detected.
iii. Security Lighting: Lighting is used to prevent low visibility areas caused by darkness, which could allow an
intruder to bypass security controls such as CCTV and Security Guards. Lighting the areas in conjunction with
cameras is a great deterrent and monitoring solution.

f) Monitor and Control Remote Access from all Endpoints: Deploy and properly configure wireless
intrusion detection and prevention systems, as well as a mobile data interception system. Regularly
review whether employees still require remote access and/or a mobile device. Ensure that all remote
access is terminated when an employee leaves the organisation.
g) Harden Network Security: Configuration of a firewall specifically designed for your organisation can
help mitigate the risks of internal threats. This can include blacklisting all hosts and ports and then
whitelisting only the ones that are required improving monitoring capabilities and reducing the
movement of an internal threat. Configuring and implementing a DMZ (demilitarised zone) will ensure
no critical systems interface directly with the internet. Segmenting a network is another effective method
as this helps to prevent users from freely traversing a network.
h) Recycle Hardware and Documentation Properly: Before discarding or recycling a disk drive,
completely erase all of its data to ensure it is no longer recoverable – insiders may attempt to recover
deleted data if not erased in the correct manner. If you are wanting to dispose of an old hard drive that
could have potentially contained sensitive information destroying it physically would be the best
approach to take.
i) Threat Awareness & Security Training for all Employees: Train all new employees and contractors
in security awareness before giving them access to any computer system. This should be set up as a
standard procedure.

Train and test your employees against social engineering attacks and sensitive data left out in the open.

A good example would involve performing your own phishing attacks on their mailboxes or conducting social
engineering attacks. Encourage employees to report security issues and train them on how they can help reduce
internal threats. Consider offering incentives that reward those who follow security best practices.

Unfortunately, it’s difficult to entirely eliminate the risk of internal threats completely however implementing
an internal threat detection solution is the strongest defence.
 j) Develop Employee Termination Process: Develop a strong knowledge base or automated procedure
for the termination of employees’ access to organisation systems.

Data Security
What is Data Security?
Data security is the process of protecting corporate data and preventing data loss through unauthorized access.
This includes protecting your data from attacks that can encrypt or destroy data, such as ransomware, as well as
attacks that can modify or corrupt your data. Data security also ensures data is available to anyone in the
organization who has access to it.

Some industries require a high level of data security to comply with data protection regulations. For example,
organizations that process payment card information must use and store payment card data securely, and
healthcare organizations in the USA must secure private health information (PHI) in line with the HIPAA
standard.

But even if your organization is not subject to a regulation or compliance standard, the survival of a modern
business depends on data security, which can impact both the organization’s key assets and private data
belonging to its customers.

Why is Data Security Important?

The Ponemon Institute’s Cost of Data Breach Study found that on average, the damage caused by a data breach
in the USA was $8 million. 25,575 user accounts were impacted in the average data incident, which means that
beyond financial losses, most incidents lead to loss of customer trust and damage to reputation.

Average cost of data breaches is the highest in the USA.

Lawsuits, settlements, and fines related to data breaches are also on the rise, with many governments
introducing more stringent regulations around data privacy. Consumers have much more extensive rights,
especially in the EU, California, and Australia, with the introduction of GDPR, CCPA, APP, and CSP234.

Companies operating in regulated industries are affected by additional standards, such as HIPAA for healthcare
organizations in the USA, and PCI/DSS for organizations processing credit card data.

In the past decade, social engineering, ransomware and advanced persistent threats (APTs) are on the rise.
These are threats that are difficult to defend against and can cause catastrophic damage to an organization’s
data.

There is no simple solution to data security—just adding another security solution won’t solve the problem. IT
and information security teams must actively and creatively consider their data protection challenges and
cooperate to improve their security posture. It is also critical to evaluate the cost of current security measures,
their contribution to data security, and the expected return on investment from additional investments.

Data Security vs Data Privacy

A. Data privacy is the distinction between data in a computer system that can be shared with third parties (non-
private data), and data that cannot be shared with third parties (private data). There are two main aspects to
enforcing data privacy:

i. Access control—ensuring that anyone who tries to access the data is authenticated to confirm their identity, and
authorized to access only the data they are allowed to access.
ii. Data protection—ensuring that even if unauthorized parties manage to access the data, they cannot view it or
cause damage to it. Data protection methods ensure encryption, which prevents anyone from viewing data if they
do not have a private encryption key, and data loss prevention mechanisms which prevent users from transferring
sensitive data outside the organization.

B. Data security has many overlaps with data privacy. The same mechanisms used to ensure data privacy are
also part of an organization’s data security strategy.

The primary difference is that data privacy mainly focuses on keeping data confidential, while data security
mainly focuses on protecting from malicious activity. For example, encryption could be a sufficient measure to
protect privacy, but may not be sufficient as a data security measure. Attackers could still cause damage by
erasing the data or double-encrypting it to prevent access by authorized parties.

Data Security Risks

Below are several common issues faced by organizations of all sizes as they attempt to secure sensitive data.

1. Accidental Exposure

A large percentage of data breaches are not the result of a malicious attack but are caused by negligent or
accidental exposure of sensitive data. It is common for an organization’s employees to share, grant access to,
lose, or mishandle valuable data, either by accident or because they are not aware of security policies.

This major problem can be addressed by employee training, but also by other measures, such as data loss
prevention (DLP) technology and improved access controls.

2. Phishing and Other Social Engineering Attacks

Social engineering attacks are a primary vector used by attackers to access sensitive data. They involve
manipulating or tricking individuals into providing private information or access to privileged accounts.

Phishing is a common form of social engineering. It involves messages that appear to be from a trusted source,
but in fact are sent by an attacker. When victims comply, for example by providing private information or
clicking a malicious link, attackers can compromise their device or gain access to a corporate network.

3. Insider Threats

Insider threats are employees who inadvertently or intentionally threaten the security of an organization’s data.
There are three types of insider threats:

 Non-malicious insider—these are users that can cause harm accidentally, via negligence, or because they are
unaware of security procedures.
 Malicious insider—these are users who actively attempt to steal data or cause harm to the organization for
personal gain.
 Compromised insider—these are users who are not aware that their accounts or credentials were compromised
by an external attacker. The attacker can then perform malicious activity, pretending to be a legitimate user.
 4. Ransomware

Ransomware is a major threat to data in companies of all sizes. Ransomware is malware that infects corporate
devices and encrypts data, making it useless without the decryption key. Attackers display a ransom message
asking for payment to release the key, but in many cases, even paying the ransom is ineffective and the data is
lost.

Many types of ransomware can spread rapidly, and infect large parts of a corporate network. If an organization
does not maintain regular backups, or if the ransomware manages to infect the backup servers, there may be no
way to recover.

5. Data Loss in the Cloud

Many organizations are moving data to the cloud to facilitate easier sharing and collaboration. However, when
data moves to the cloud, it is more difficult to control and prevent data loss. Users access data from personal
devices and over unsecured networks. It is all too easy to share a file with unauthorized parties, either
accidentally or maliciously.

6. SQL Injection

SQL injection (SQLi) is a common technique used by attackers to gain illicit access to databases, steal data, and
perform unwanted operations. It works by adding malicious code to a seemingly innocent database query.

SQL injection manipulates SQL code by adding special characters to a user input that change the context of the
query. The database expects to process a user input, but instead starts processing malicious code that advances
the attacker’s goals. SQL injection can expose customer data, intellectual property, or give attackers
administrative access to a database, which can have severe consequences.

SQL injection vulnerabilities are typically the result of insecure coding practices. It is relatively easy to prevent
SQL injection if coders use secure mechanisms for accepting user inputs, which are available in all modern
database systems.

Common Data Security Solutions and Techniques

There are several technologies and practices that can improve data security. No one technique can solve the
problem, but by combining several of the techniques below, organizations can significantly improve their
security posture.

Data Discovery and Classification

Data detection is the basis for knowing what data you have. Data classification allows you to create scalable
security solutions, by identifying which data is sensitive and needs to be secured. Data detection and
classification solutions enable tagging files on endpoints, file servers, and cloud storage systems, letting you
visualize data across the enterprise, to apply the appropriate security policies.

Data Masking

Data masking lets you create a synthetic version of your organizational data, which you can use for software
testing, training, and other purposes that don’t require the real data. The goal is to protect data while providing a
functional alternative when needed.
Data masking retains the data type, but changes the values. Data can be modified in a number of ways,
including encryption, character shuffling, and character or word substitution. Whichever method you choose,
you must change the values in a way that cannot be reverse-engineered.

Identity Access Management

Identity and Access Management (IAM) is a business process, strategy, and technical framework that enables
organizations to manage digital identities. IAM solutions allow IT administrators to control user access to
sensitive information within an organization.

Systems used for IAM include single sign-on systems, two-factor authentication, multi-factor authentication,
and privileged access management. These technologies enable the organization to securely store identity and
profile data, and support governance, ensuring that the appropriate access policies are applied to each part of the
infrastructure.

Data Encryption

Data encryption is a method of converting data from a readable format (plaintext) to an unreadable encoded
format (ciphertext). Only after decrypting the encrypted data using the decryption key, the data can be read or
processed.

In public-key cryptography techniques, there is no need to share the decryption key – the sender and recipient
each have their own key, which are combined to perform the encryption operation. This is inherently more
secure.

Data encryption can prevent hackers from accessing sensitive information. It is essential for most security
strategies and is explicitly required by many compliance standards.

Data Loss Prevention (DLP)

To prevent data loss, organizations can use a number of safeguards, including backing up data to another
location. Physical redundancy can help protect data from natural disasters, outages, or attacks on local servers.
Redundancy can be performed within a local data center, or by replicating data to a remote site or cloud
environment.

Beyond basic measures like backup, DLP software solutions can help protect organizational data. DLP software
automatically analyzes content to identify sensitive data, enabling central control and enforcement of data
protection policies, and alerting in real-time when it detects anomalous use of sensitive data, for example, large
quantities of data copied outside the corporate network.

Governance, Risk, and Compliance (GRC)

GRC is a methodology that can help improve data security and compliance:

 Governance creates controls and policies enforced throughout an organization to ensure compliance and data
protection.
 Risk involves assessing potential cybersecurity threats and ensuring the organization is prepared for them.
 Compliance ensures organizational practices are in line with regulatory and industry standards when processing,
accessing, and using data.

Password Hygiene
One of the simplest best practices for data security is ensuring users have unique, strong passwords. Without
central management and enforcement, many users will use easily guessable passwords or use the same
password for many different services. Password spraying and other brute force attacks can easily compromise
accounts with weak passwords.

A simple measure is enforcing longer passwords and asking users to change passwords frequently. However,
these measures are not enough, and organizations should consider multi-factor authentication (MFA) solutions
that require users to identify themselves with a token or device they own, or via biometric means.

Another complementary solution is an enterprise password manager that stores employee passwords in
encrypted form, reducing the burden of remembering passwords for multiple corporate systems, and making it
easier to use stronger passwords. However, the password manager itself becomes a security vulnerability for the
organization.

Authentication and Authorization

Organizations must put in place strong authentication methods, such as OAuth for web-based systems. It is
highly recommended to enforce multi-factor authentication when any user, whether internal or external,
requests sensitive or personal data.

In addition, organizations must have a clear authorization framework in place, which ensures that each user has
exactly the access rights they need to perform a function or consume a service, and no more. Periodic reviews
and automated tools should be used to clean up permissions and remove authorization for users who no longer
need them.

Data Security Audits

The organization should perform security audits at least every few months. This identifies gaps and
vulnerabilities across the organizations’ security posture. It is a good idea to perform the audit via a third-party
expert, for example in a penetration testing model. However, it is also possible to perform a security audit in
house. Most importantly, when the audit exposes security issues, the organization must devote time and
resources to address and remediate them.

Anti-Malware, Antivirus, and Endpoint Protection

Malware is the most common vector of modern cyberattacks, so organizations must ensure that endpoints like
employee workstations, mobile devices, servers, and cloud systems, have appropriate protection. The basic
measure is antivirus software, but this is no longer enough to address new threats like file-less attacks and
unknown zero-day malware.

Endpoint protection platforms (EPP) take a more comprehensive approach to endpoint security. They combine
antivirus with a machine-learning-based analysis of anomalous behavior on the device, which can help detect
unknown attacks. Most platforms also provide endpoint detection and response (EDR) capabilities, which help
security teams identify breaches on endpoints as they happen, investigate them, and respond by locking down
and reimaging affected endpoints.

Cloud Security

In an enterprise environment, cloud security should be a critical part of the organization’s security strategy. An
effective strategy involves protecting cloud infrastructure, cloud workloads, and the data itself.
Cloud computing is composed of three types of environments: public clouds (e.g. infrastructure as a service
(IaaS)), private clouds hosted by an individual organization, and hybrid clouds which are a mixture of both.

Cloud security technologies are commonly divided into two types – security solutions and best practices
provided by the cloud provider, such as Amazon Web Services (AWS) and Microsoft Azure, and security tools
procured and managed by the customer. In the public cloud, cloud security is a shared responsibility. The cloud
provider takes responsibility for securing the infrastructure, and the customer is responsible for securing data
and workloads.

Some traditional security tools can be used in a cloud environment, such as identity and access management
(IAM), data loss prevention (DLP), web application firewalls, and intrusion detection and prevention (IDS/IPS).

In addition, there are several cloud-specific security tools:

 Cloud access security brokers (CASBs) – a cloud resource deployed between cloud customers and cloud
services, acting as a gatekeeper to enforce the organization’s security policies and improve visibility into cloud
usage.
 Cloud workload protection platforms (CWPPs) – protects cloud workloads like VMs, applications, and data
consistently across hybrid environments.
 Cloud security posture management (CSPM) – a platform that can monitor cloud systems for security and
compliance problems, primarily cloud misconfigurations such as improper permissions or authentication. CSPM
not only alerts about these problems but can also remediate many of them automatically.

Zero Trust

Zero trust is a security model introduced by Forrester analyst John Kindervag, which has been adopted by the
US government, several technical standards bodies, and many of the world’s largest technology companies. The
basic principle of zero trust is that no entity on a network should be trusted, regardless of whether it is outside or
inside the network perimeter.

Zero trust has a special focus on data security, because data is the primary asset attackers are interested in. A
zero trust architecture aims to protect data against insider and outside threats by continuously verifying all
access attempts, and denying access by default.

Zero trust security mechanisms build multiple security layers around sensitive data—for example, they use
microsegmentation to ensure sensitive assets on the network are isolated from other assets. In a true zero trust
network, attackers have very limited access to sensitive data, and there are controls that can help detect and
respond to any anomalous access to data.

Penetration Testing

Penetration testing, also known as pen testing, is a method of evaluating the security of a computer system or
network by simulating an attack on it. The goal of pen testing is to identify vulnerabilities in the system that an
attacker could exploit, and to determine the effectiveness of the system’s defenses against these vulnerabilities.

Penetration testers use a variety of tools and techniques to test the security of a system. These may include
network scanners, vulnerability scanners, and other specialized software tools. They may also use manual
methods such as social engineering or physical access to the system.

Penetration testing is an important part of an organization’s overall security strategy. It helps organizations
identify and fix vulnerabilities before they can be exploited by malicious actors, and it can help organizations
improve their defenses against future attacks.
Database Security
Database security involves protecting database management systems such as Oracle, SQL Server, or MySQL,
from unauthorized use and malicious cyberattacks. The main elements protected by database security are:

 The database management system (DBMS).

 Data stored in the database.
 Applications associated with the DBMS.
 The physical or virtual database server and any underlying hardware.
 Any computing and network infrastructure used to access the database.

A database security strategy involves tools, processes, and methodologies to securely configure and maintain
security inside a database environment and protect databases from intrusion, misuse, and damage.

Big Data Security

Big data security involves practices and tools used to protect large datasets and data analysis processes. Big data
commonly takes the form of financial logs, healthcare data, data lakes, archives, and business intelligence
datasets. Within the big data perimeter there are three primary scenarios that require protection: inbound data
transfers, outbound data transfers, and data at rest.

Big data security aims to prevent accidental and intentional breaches, leaks, losses, and exfiltration of large
amounts of data. Let’s review popular big data services and see the main strategies for securing them.

AWS Big Data

AWS offers analytics solutions for big data implementations. There are various services AWS offers to
automate data analysis, manipulate datasets, and derive insights, including Amazon Simple Storage Service
(S3), Amazon Kinesis, Amazon Elastic Map/Reduce (EMR), and Amazon Glue.

AWS big data security best practices include:

 Access policy options—use access policy options to manage access to your S3 resources.
 Data encryption policy—use Amazon S3 and AWS KMS for encryption management.
 Manage data with object tagging—categorize and manage S3 data assets using tags, and apply tags indicating
sensitive data that requires special security measures.

Azure Big Data

Microsoft Azure cloud offers big data and analytics services that can process a high volume of structured and
unstructured data. The platform offers elastic storage using Azure storage services, real-time analytics, database
services, as well as machine learning and data engineering solutions.

Azure big data security best practices include:

 Monitor as many processes as possible.

 Leverage Azure Monitor and Log Analytics to gain visibility over data flows.
 Define and enforce a security and privacy policy.
 Leverage Azure services for backup, restore, and disaster recovery.

Google Cloud Big Data

The Google Cloud Platform offers multiple services that support big data storage and analysis. BigQuery is a
high-performance SQL-compatible engine, which can perform analysis on large data volumes in seconds.
Additional services include Dataflow, Dataproc, and Data Fusion.

Google Cloud big data security best practices include:

 Define BigQuery access controls according to the least privilege principle.

 Use policy tags or type-based classification to identify sensitive data.
 Leverage column-level security to check if a user has the right to view specific data at query time.

Snowflake

Snowflake is a cloud data warehouse for enterprises, built for high performance big data analytics. The
architecture of Snowflake physically separates compute and storage, while integrating them logically.
Snowflake offers full relational database support and can work with structured and semi-structured data.

Snowflake security best practices include:

 Define network and site access through IP allow/block lists.

 Use SCIM to manage user identities and groups.
 Leverage key pair authentication and rotation to improve client authentication security.
 Enable multi-factor authentication.

Elasticsearch

Elasticsearch is an open-source full-text search and analytics engine that is highly scalable, allowing search and
analytics on big data in real-time. It powers applications with complex search requirements. Elasticsearch
provides a distributed system on top of Lucene StandardAnalyzer for indexing and automatic type prediction,
and utilizes a JSON-based REST API to Lucene features.

Elasticsearch security best practices include:

 Use strong passwords to protect access to search clusters

 Encrypt all communications using SSL/TLS
 Leverage role-based access control (RBAC)
 Use IP filtering for client access
 Turn on auditing and monitor logs on an regular basis

Splunk

Splunk is a software platform that indexes machine data, makes it searchable and turns it into actionable
intelligence. It pulls log files from applications, servers, mobile devices, and websites, aggregates them, and
provides rich analysis features.

Splunk security best practices include:

 Preventing unauthorized access by defining RBAC, data encryption, and obfuscation of credentials.
 Using SSL/TLS encryption for data ingestion and internal Splunk communications.
 Hardening Splunk instances by ensuring they are physically secure and do not store secrets in plaintext.
 Using audit events to track any changes to Splunk system configuration.

Data Lake
A data lake is a centralized repository that allows you to store all your structured and unstructured data at any
scale. It is a way to store a massive amount of data in its raw and granular form. Data lakes are often used to
store data that will be used for big data analytics, machine learning, and other advanced analytics applications.

Data lakes are designed to store large amounts of data in a cost-effective and scalable way. They can store data
from a variety of sources, such as log files, sensor data, and social media feeds, as well as structured data from
relational databases. Data lakes can store data in its raw form, or it can be transformed and cleaned before it is
stored.

Here are some common data lake security best practices:

 Implement access controls: Data lakes should have strict access controls in place to ensure that only authorized
users can access the data. This can include authentication, authorization, and data encryption.
 Use data masking: Data masking is the process of obscuring sensitive data in a way that makes it unreadable to
unauthorized users. This can help protect against data breaches and ensure that sensitive data is not accidentally
leaked.
 Monitor data access: It’s important to monitor who is accessing data in the data lake and what they are doing
with it. This can help identify any potential security issues and prevent unauthorized access to sensitive data.
 Implement data classification: Data classification is the process of categorizing data based on its sensitivity and
value. This can help organizations understand which data is most important to protect and prioritize their security
efforts accordingly.
 Use data encryption: Data encryption is the process of encoding data so that it can only be accessed by those
with the proper decryption key. Encrypting data in a data lake can help protect against data breaches and ensure
that sensitive data remains secure.
 Use data governance frameworks: Data governance frameworks provide a set of policies and procedures for
managing data within an organization. They can help ensure that data is properly classified, protected, and used in
an appropriate manner.
 Regularly review and update security measures: It’s important to regularly review and update data lake
security measures to ensure that they are effective and aligned with the latest security threats. This may include
implementing new technologies or modifying existing security protocols.

Securing Data in Enterprise Applications

Enterprise applications power mission critical operations in organizations of all sizes. Enterprise application
security aims to protect enterprise applications from external attacks, abuse of authority, and data theft.

Email Security

Email security is the process of ensuring the availability, integrity, and reliability of email communications by
protecting them from cyber threats.

Technical standards bodies have recommended email security protocols including SSL/TLS, Sender Policy
Framework (SPF), and DomainKeys Identified Mail (DKIM). These protocols are implemented by email clients
and servers, including Microsoft Exchange and Google G Suite, to ensure secure delivery of emails. A secure
email gateway helps organizations and individuals protect their email from a variety of threats, in addition to
implementing security protocols.

ERP Security

Enterprise Resource Planning (ERP) is software designed to manage and integrate the functions of core
business processes such as finance, human resources, supply chain, and inventory management into one system.
ERP systems store highly sensitive information and are, by definition, a mission critical system.
ERP security is a broad set of measures designed to protect an ERP system from unauthorized access and ensure
the accessibility and integrity of system data. The Information Systems Audit and Control Association (ISACA)
recommends regularly performing security assessments of ERP systems, including software vulnerabilities,
misconfigurations, separation of duties (SoD) conflicts, and compliance with vendor security recommendations.

DAM Security

Digital Asset Management (DAM) is a technology platform and business process for organizing, storing, and
acquiring rich media and managing digital rights and licenses. Rich media assets include photos, music, videos,
animations, podcasts, and other multimedia content. Data stored in DAM systems is sensitive because it often
represents company IP, and is used in critical processes like sales, marketing, and delivery of media to viewers
and web visitors.

Security best practices for DAM include:

 Implement the principle of least privilege.

 Use an allowlist for file destinations.
 Use multi-factor authentication to control access by third parties.
 Regularly review automation scripts, limit privileges of commands used, and control the automation process
through logging and alerting.

CRM Security

Customer Relationship Management (CRM) is a combination of practices, strategies, and technologies that
businesses use to manage and analyze customer interactions and data throughout the customer lifecycle. CRM
data is highly sensitive because it can expose an organization’s most valuable asset—customer relationships.
CRM data is also personally identifiable information (PII) and is subject to data privacy regulations.

Security best practices for CRM include:

 Perform period IT risk assessment audits for CRM systems.

 Perform CRM activity monitoring to identify unusual or suspicious usage.
 Encourage CRM administrators to follow security best practices.
 Educate CRM users on security best practices.
 If you operate CRM as SaaS, perform due diligence of the SaaS provider’s security practices.

What are external threats?

External threats come from bad actors – individuals or organizations – outside of your organization whose aim
is to exploit the vulnerabilities in your system for illicit access. What they do with that access varies greatly,
from installing various types of malware (such as malware, ransomware, or a virus) to simply attacking your
system until something breaks (such as DDoS or Brute Force attacks). A common goal for a cyberattack is to
gain access to sensitive data and resell it on the dark web. After infiltrating your system, the attackers may
remain undetected for a long time, with a report stating that it takes 280 days on average to identify and contain
a data breach.

Types of external threats

External threats come in many forms. Here are some of the most common ones:
Malware

Malicious software (malware) is a catchall term for software created for the detriment of a computer system.
These are three of the most common forms of malware:

Spyware

After gaining access to your organization’s system, spyware gathers information in your database and sends it
to third parties. These data can be used to steal login credentials and gain confidential customer data that can be
sold in the black market.

Ransomware

A ransomware attack encrypts your files and storage devices, thus rendering them inaccessible. Attackers
usually demand a sum of money in exchange for a key that lets you re-access your files.

Ransomware attacks are gaining popularity, with a reported 62% increase of recorded attacks in 2020 versus the
previous year.

Viruses

A virus is a small line of code or a simple program that spreads by infecting files in a computer (or network
router) hard drive, then copying itself and attempting to send it to other computers in the network. Viruses can
alter your computer’s programming in a wide range of ways, but by definition, users usually have to take some
form of action to install them.

Hacking

Hacking refers to the activities that exploit a computer system’s vulnerabilities to gain illegitimate access to a
system. Here are the three of the most common forms of hacking:

DDoS Attacks

A Distributed Denial-of-Service (DDoS) attack is a type of attack that overwhelms a system’s capacity by
sending massive bot traffic to the victim’s IP address. This will severely cripple the functionality of the system
and thus hamper its operations and accessibility.

Session Hijacking

Session hijacking is a type of attack where a hacker replaces the session token of the client or the server with
their own, gaining access to the user’s web browsing session. As a result, the server believes it is still
communicating with a client during the attack while the hacker steals whatever data they can gain access to,
which is typically cookie data, login credentials, or any other data accessed while the session is compromised.
Accessing websites that utilize SSL (HTTPS) protocols is a strong preventative measure against this type of
attack, as is not accessing the internet via unsecured WiFi hotspots.

Man-in-the-Middle Attack

After embedding themselves into the victim’s system, the attackers in a man-in-the-middle attack interrupt the
existing conversation or transaction, intercepting confidential data or inserting malicious data or links to the
other parties in the conversation. This can be viewed as a form of digital eavesdropping and is a common
method for credential theft. It can be significantly hindered or even stopped by utilizing out-of-band
authentication methods, such as the Q5id Proven Identity solution.

Social Engineering

A social engineering attack is a technique that hackers use to deceive unwitting people into revealing
confidential information such as login credentials or credit card information, which can be used to commit fraud
or gain unauthorized access to a system.

Phishing

Phishing is an attack where a criminal sends a fraudulent message that looks like it came from a legitimate
source via email or phone to steal data, credit card numbers, and login credentials.

This type of attack is one of the most common that businesses experience. According to a report, 22% of all
data breaches involved phishing attacks.

Brute Force Attack

A brute force attack aims to obtain your login credentials to gain access to a system. Hackers can either use
keyloggers or a bot that creates endless possible password combinations to force their way into your system.

Drive-by Download Attack

Drive-by download attacks are a common form of spreading malware where attackers use an insecure website
to plant malicious code that can get automatically downloaded when an unwitting person visits the website. The
malware may come in the form of spyware, keyloggers, or trojan viruses.

What are internal threats?

An internal threat in cybersecurity originates from someone inside the organization who can exploit its system
to cause damage or to steal assets. They can be employees, contractors, or vendors who can accidentally (or
intentionally) expose your system to threats.

Internal threats are on the rise, with one report stating that the frequency of incidents stemming from insider
threats rose by 47% from 2018 to 2020.

Types of internal threats

Here are the most common ways insiders can damage your computer system:

Employee sabotage and theft

To satisfy a personal grudge, disgruntled employees or estranged contractors with access to company data and
IT hardware can damage or delete them. They can also use confidential company data and take them to a
competitor who has poached them.

Poor access control management

Inside actors may use security vulnerabilities or poorly configured access control in your system to gain access
to a level they do not have authorization for. They may use this to destroy data, steal assets, or conduct
espionage.

Accidental or intentional loss or disclosure of data

An employee disclosing data or login credentials to outsiders due to human error or malicious intent can expose
your company’s data to bad actors. Accidental causes of this may come in the form of an employee sending
classified information to a wrong email address or publically posting sensitive information on social media.
Intentional loss or disclosure of data is typically indicative of a much larger problem.

Unauthorized devices accessing your network

Unauthorized devices like USB flash drives and personal laptops can be used to steal data. These devices may
also be loaded with malware that can infect other devices if they are plugged into a computer in your system.

Theft of physical devices

Accidental loss or theft of mobile devices and laptops containing sensitive information may expose your data to
outsiders. It can also give unauthorized access to outsiders, especially if your employee is still logged in to
applications in the device.

Downloading malicious content

According to reports, as much as 40% of employee internet activity is not work-related, which means that the
chances of an unwitting employee accidentally downloading harmful content are high.

How to protect your organization from these threats

While it is impossible to completely seal off your system from both internal and external threats, you can reduce
the chances of attacks occurring and mitigate the damage done when they do. Here are some ways to protect
your company against cyber threats.

Educate your workforce on cybersecurity threats

According to a report, 46% of cybersecurity incidents are caused by employee negligence. This is why it is
crucial to educate your workforce about cybersecurity best practices to prevent easily avoidable mistakes from
happening.

Closely manage permissions and privileges

Establish a hierarchy in permissions and accessibility, and embrace a policy of Least Privilege to minimize how
much data is potentially exposed to any given employee.

Implement a device management policy

Device management gives an organization an easy way to protect and secure company data and hardware by
controlling the access authorization of devices and sensitive information by granting them to the right
employees. It also helps your organization limit which devices can access your internal networks, limiting
potential threats.
Get essential cyber hygiene software

Ensure that each computer in your system has essential cybersecurity software such as antivirus, anti-malware,
and a robust firewall to protect against common cyber threats.

Remove access privileges of ex-employees

Remove a former employee’s access to your database to prevent a particularly disgruntled one from damaging
your system in revenge. It would also be best to change passwords every time there are personnel changes in
your company.

Perform a penetration test

Whitehat hackers perform a penetration test to uncover vulnerabilities in an organization’s system that should
be patched to prevent malicious hackers from exploiting them. PenTests should be done regularly, especially
when significant changes are made to the system.