The 18th practice described in the newly released edition of the Common Sense Guide to Mitigating Insider Threats is Practice 18: Implement secure backup and recovery processes. In this post, I discuss the importance of establishing a secure backup and recovery process in your organization.
The CERT Division announced the public release of the fifth edition of the Common Sense Guide to Mitigating Insider Threats in December 2016. The guide describes 20 practices that organizations should implement across the enterprise to mitigate (prevent, detect, and respond to) insider threats, and provides case studies of organizations that failed to do so. The 18th of the 20 best practices follows.
Practice 18: Implement secure backup and recovery processes.
Despite an organization's best defensive efforts, attackers can still get through. Because a determined and trusted insider knows the protective measures the organization has implemented and has access to its facilities, an insider attack can swiftly disrupt the organization and cause crippling loss of data, unavailability of data or systems, or fraudulent activity, potentially before the organization realizes it. Data loss can involve encrypting data to facilitate fraud or deleting data to sabotage the organization.
The CERT Insider Threat Incident Corpus describes incidents in which the results of attackers' actions could not be undone because of faulty backup systems. To magnify the impact, attackers can even target the backup system itself by deleting backups or stealing backup media. Resilient organizations prepare for such possibilities by devising, implementing, and testing their backup and recovery process to ensure it is effective.
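As an added illustration of one way to test that a backup set is still intact (example code written for this post, not code from the guide or the CERT Division), the following Python check records a keyed manifest of the backup set at backup time and later flags backups that have since been deleted or altered, which is exactly what a tampered backup system would look like. The key, file names, and file contents are constructed assumptions.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(backup_dir, key):
    # Hash every file in the backup set, then MAC the record so that someone
    # with write access to the backup share (but not the key) cannot rewrite it.
    files = {p.name: sha256_file(p) for p in sorted(Path(backup_dir).iterdir())}
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "mac": hmac.new(key, body, "sha256").hexdigest()}

def verify_backup(backup_dir, manifest, key):
    # Returns a list of findings; an empty list means the set matches the manifest.
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return ["manifest MAC mismatch: manifest may have been tampered with"]
    findings = []
    for name, digest in manifest["files"].items():
        path = Path(backup_dir, name)
        if not path.exists():
            findings.append(f"missing: {name}")
        elif sha256_file(path) != digest:
            findings.append(f"modified: {name}")
    return findings

def demo():
    # Constructed scenario: record a backup set, then simulate one backup file
    # being deleted and another altered; the second check must flag both.
    key = b"constructed-demo-key"  # assumed key; in practice kept off the backup host
    with tempfile.TemporaryDirectory() as d:
        for name, data in [("db.dump", b"rows"), ("etc.tar", b"config"), ("logs.tar", b"events")]:
            Path(d, name).write_bytes(data)
        manifest = build_manifest(d, key)
        clean = verify_backup(d, manifest, key)
        Path(d, "logs.tar").unlink()
        Path(d, "db.dump").write_bytes(b"rows-altered")
        return clean, verify_backup(d, manifest, key)

if __name__ == "__main__":
    print(demo())
```

Scheduling such a check against the manifest from each backup run, and storing the manifest and key away from the backup host, turns a silent deletion of backups into an alert before a restore is ever needed.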
To guard against an insider attack, organizations should consider the following actions related to their backup and recovery processes:
When reviewing your backup and recovery process, make sure you can achieve the following:
Refer to the complete fifth edition of the Common Sense Guide to Mitigating Insider Threats for a comprehensive understanding of the issues and recommendations mentioned in this post.
Check back next week to read Practice 19: Close the doors to unauthorized data exfiltration, or subscribe to a feed of the Insider Threat blog to be alerted when a new post is available.