Securing What’s At Risk: A common sense approach to Insider Threats!

Posted by Geraldine Hunt on Tue, Aug 25th, 2015

You have heard of “insider trading”. Insider security threats are similar, except that they can involve the theft of information, intellectual property or  money, fraud, espionage and even the ransom or destruction of data.  Insiders are defined as present or former employees, contractors, or business partners. Edward Snowden was an insider when he leaked NSA secrets.  Rafal Los of Security Week explains, “The threat from insiders is very real, and in many cases an insider has significantly greater potential to harm an organization than an external attacker does.”

For businesses insider threats are among the most serious security challenges faced. You may have excellent security measures in place to limit access to your contractors or business partners. But they may not have the same provisos in place with their partner organizations. Make sure that any third parties are required to comply with the policies and security agreements that were laid out in your original contract. Better yet, do not permit subcontracting.

Keep in mind that providing application and network access is always a balancing act. If a business institutes security procedures that are too rigid, workers become frustrated attempting to complete their assigned tasks. On the other hand, if the procedures are lax, the business is at risk. Each business must find its own “sweet spot”; the correct right mix of security and convenience for its culture and workload.

People with higher privilege levels pose the highest threat from a security standpoint. These, of course, include many IT employees such as system administrators and domain administrators. However, a clever insider can escalate his/her privileges, starting out at a lower privilege level and increasing access capabilities as more resources are compromised. This is why, according to the United States Computer Emergency Readiness Team (CERT), about 50% of insider attacks used authorized accounts .

How do you know an employee is an insider threat?

You cannot always know, but some signs may tip you off. Be on the lookout for disgruntled employees who can consider an attack as a way to “get back” at management. According to CERT, most insider attacks occur during the month before and the month after an employee leaves the company. Audit recent employee access when notice is given. Depending on the employee’s privilege level, it may be a good idea to immediately block access to any company resources.

The difference between external and insider threats

External threats, no matter what form they take, appear at first glance to be more manageable than insider threats. Security professionals often make the following assumptions:

An insider has access to more information than an outsider. This is not necessarily the case. If an outsider compromises the CEO’s mobile phone, imagine the quantity and quality of data that is now at the outsider’s fingertips.
An insider has physical access to the offices and the network, so he/she must be more dangerous. An outsider often employs social engineering and reconnaissance techniques to gather an astounding amount of information about a firm. Masquerading as a copy machine or telephone repairman, for example, provides plenty of physical access as well.

Measures that secure assets against internal threats also protect against outsiders. This is due to the structure of a typical outsider attack. An outsider first engages in reconnaissance, probing for weaknesses that would allow a break-in. Then he/she actually access the resources of the firm’s network, sometimes with the help of someone inside your organization. Once the outsider is inside the network, he really is an “insider”.

Typical network security measures to protect against access are:

• Use defense in depth.
• Protect data at the source.
• Use encryption for data at rest as well as for data in motion.
• Use role-based access and privileged access management (PAM)
• Require use of a separate computer for administrator access to resources
• Use logging and monitor access to discern unusual patterns.
• Implement secure backup and recovery processes.
• Limit employee’s ability to use file transfer and peer-to-peer services

Business measures

It is key is to apply best business practices to the IT realm. These include:

• Clearly document and consistently enforce policies and controls.
• Separation of duties – Use checks and balances. If an employee or contractor has bad intentions, at least the damage would be limited in extent.
• Employ the rule of least privilege for all resources- Individuals should have access only to the information required to function efficiently, and no more.
• Control and monitor physical access to resources
• Correctly destroy and dispose of data, printouts, and documentation

Some larger organizations use honeypots. These are decoy systems established to trap an attacker and deflect the attack from the production system. There are many pros and cons to this technique ;this is explored in another article.

A combination of IT and business controls are required to protect against insider threats. Involve your contractors and business partners in the effort to be truly effective. Organizations need to carry out regular reviews of access privileges to avoid providing unnecessarily liberal access and therefore reduce potential points of weakness. You should trust your employees, but you must balance that trust with suitable business and network security controls. 

We'd love to hear what you think - are Insider threats something you mitigate against? If yes, how do you do that?