Spotted a data breach in your call center? You’re already too late.
Whether managed by the company or outsourced, organizations must better secure information, appropriate access and confidentiality within the call center.
No matter what the industry, consumers and businesses trust organizations to look after their data. No more so when dealing with agents and customer service representatives who have access to vast amounts of this data.
This trusted access for agents to cardholder data, personal details or medical records helps ensure the best customer experience. It also however, makes the contact center agents a prime target for a security breach.
Spotting any type data breach is difficult
Security breaches typically fall into one of three categories:
· Malicious Agents – These are your call-center employees that have shifted their loyalty from the organization to themselves, and are engaged in some kind of inappropriate activity (such as data theft) that benefits themselves over the organization.
· Careless or Exploited Agents – These are your unwitting participants in phishing and social engineering scams. They take the bait and help to infect endpoints with malware that may be the attack (as in the case of ransomware) or simply provide a foothold for further actions by criminal online organizations.
· The External Attacker – Today, this is likely more a member of an organization than a loner. These individuals leverage hacking, social, malware, and many other toolsets to create a way into your network. Once inside, they work to take on one or more sets of elevated credentials to provide them with greater access and an ability to move about the network in an attempt to identify valuable data.
If you think about any of these cyberattack scenarios the usual methodology is to try and detect the attack/infection, and then to react with an incident response plan.
The problem with this methodology when considering a data breach, is that the average cost/record in a data breach (which includes the cost of investigation, legal, PR, remediation, etc.) is $141 – that’s per record (2017 Ponemon Institute Study). So, even a “small” data breach of only 1000 records, will cost an average of $141,000.
In fact, sometimes the challenge with a breach is to know they even happened at all. Also according to the Ponemon Institute, it takes on average 191 days to discover a breach.
Spending all your (limited) time trying to monitor every last bit of the network, looking for anything that looks out of place is a failing proposition. It's a pretty costly mode of operation; it requires significant IT time and resources to put proper detection mechanisms in place, will likely raise an initial set of false positives that need to be fine-tuned, and necessitates reports and meetings to ensure the detection is actually working.
Why not simply better understand the problem at hand and work to prevent it from happening in the first place. You are far better off running and monitoring solutions that offer automated controls in addition to threat identification and real time response.
In short, should something fall outside a set of established restrictions, your solution should automatically take action before the damage is done – not only when IT intervenes.
Initial access to the network
Take initial access to your network – the logon itself, to be more specific.
Nearly all threat actions require a logon using internal credentials. Endpoint access, lateral movement between endpoints, external access via VPN, remote desktop access, and more all share the common requirement of a logon.
If the organization is concerned that users may be sharing passwords, or that an external attacker may one day compromise a user's credentials, they may choose to leverage logon audit data provided by Windows. It's a viable source of information, providing the audit detail from each endpoint is centralized. You'd need a SIM or SIEM solution in place to analyze the log data looking for anomalies like the same user logging onto several machines within a few minutes, or a user logging on after hours, along with some sort of pre-configured notification email.
But, even with all this in place, it still takes time for the audit date to catch up, and for notifications to be received – all the while, the user has already logged on!
So, your reaction? It's a tad bit late – and in cases of a data breach or an external attacker compromising an endpoint with malware, the cost of your "detect and react" plan may be much more than just IT's time.
Detecting and preventing attacks with logon management
The concept of
logon management centers around four primary functions – all working in concert to maintain a secure environment:
· Policy & Restrictions – Establishes who can logon when, from where, for how long, how often, and how frequent (simultaneous sessions). It can also limit specific logon types (such as console- and RDP-based logons).
· Real Time Monitoring & Reporting – Every logon is monitored and tested against existing policies to determine if a logon should be allowed. Reporting helps ensure detailed insights for any investigations.
· IT Alerting – Notifies IT of inappropriate logon activity and failed attempts.
· Immediate Response – Allows IT to interact with a suspect session, to lock the console, log off the user, or even block them from further logons.
In essence, logon management makes the logon itself a scrutinized and protected event. It provides a protective layer at the logon, which logically exists before action occurs, to stop the threat entirely.
No logon, no threat.
The ability to successfully logon (and remain logged on) becomes more than just whether the right credentials are used. It will detect an abnormal access attempt based on the customized and granular logon policies that are set for that particular account (employee). It will act accordingly - either denying or approving the logon - and alert IT if stipulated.
Some of the potential scenarios that are now thwarted include:
· Genuine but compromised logins from exploited users are now useless to malicious insiders or would-be attackers.
· Careless user behavior such as password sharing, shared workstations left unlocked or logging into multiple computers simultaneously is now eradicated.
· Access to any data/resource is now always identifiable and attributed to one individual user. This accountability discourages an insider from acting maliciously and makes all users more careful with their actions.
· Suspicious activity is alerted on offering IT the chance to instantly react.
No technology can completely eliminate the chance of an attack, but there is a way to drastically reduce the potential risks. Logon management offers greater control for admins and completely restricts various careless user behaviors.
About the Author François Amigorena is the founder and CEO of
IS Decisions, and an expert commentator on cybersecurity issues.
IS Decisions is a provider of infrastructure and security management software solutions for Microsoft Windows and Active Directory. The company offers solutions for user-access control, file auditing, server and desktop reporting, and remote installations.
IS Decisions’ main solution UserLock makes it easy for Customer Contact Centers to secure user sessions and stop unauthorized user access that leads to fraud, data security breaches and non-compliance issues.
Its customers include the FBI, the US Air Force, the United Nations and Barclays — each of which rely on IS Decisions to prevent security breaches; ensure compliance with major regulations; such as SOX and FISMA; quickly respond to IT emergencies; and save time and money for the IT department.