You have heard of “insider trading”. Insider security threats are similar, except that they can involve the theft of information, intellectual property or money, fraud, espionage and even the ransom or destruction of data. Insiders are defined as present or former employees, contractors, or business partners. Edward Snowden was an insider when he leaked NSA secrets. Rafal Los of Security Week explains, “The threat from insiders is very real, and in many cases an insider has significantly greater potential to harm an organization than an external attacker does.”
For businesses insider threats are among the most serious security challenges faced. You may have excellent security measures in place to limit access to your contractors or business partners. But they may not have the same provisos in place with their partner organizations. Make sure that any third parties are required to comply with the policies and security agreements that were laid out in your original contract. Better yet, do not permit subcontracting.
Keep in mind that providing application and network access is always a balancing act. If a business institutes security procedures that are too rigid, workers become frustrated attempting to complete their assigned tasks. On the other hand, if the procedures are lax, the business is at risk. Each business must find its own “sweet spot”: the right mix of security and convenience for its culture and workload.
People with higher privilege levels pose the highest threat from a security standpoint. These, of course, include many IT employees such as system administrators and domain administrators. However, a clever insider can escalate his/her privileges, starting out at a lower privilege level and increasing access capabilities as more resources are compromised. This is why, according to the United States Computer Emergency Readiness Team (CERT), about 50% of insider attacks used authorized accounts.
You cannot always know in advance, but some signs may tip you off. Be on the lookout for disgruntled employees who may see an attack as a way to “get back” at management. According to CERT, most insider attacks occur during the month before and the month after an employee leaves the company. Audit recent employee access when notice is given. Depending on the employee’s privilege level, it may be a good idea to immediately block access to any company resources.
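The departure-window audit described above can be automated against an access log. The following is an added example, not code from the original article: it takes a constructed HR roster (user, role, last working day) and a handful of constructed access-log lines, and flags any activity inside the 30 days before the last day for review, treats bulk-copy and privilege-grant actions in that window as high priority, and treats any access after the last day as critical, since the account should already have been disabled. The log format, the action names and the 30-day window are assumptions made for the example.

```python
from collections import Counter
from datetime import date, datetime, timedelta

# Constructed HR roster (sample data for this example): user -> role and last working day.
# A last_day of None means no notice has been given.
ROSTER = {
    "alice": {"role": "engineer", "last_day": date(2024, 3, 29)},
    "bob":   {"role": "sysadmin", "last_day": date(2024, 4, 15)},
    "carol": {"role": "analyst",  "last_day": None},
}

# Constructed access-log lines: ISO timestamp, user, action, resource.
SAMPLE_LOG = """\
2024-03-20T09:12:00 alice READ  repo/payroll-export
2024-03-25T23:40:00 alice COPY  share/customer-list.xlsx
2024-03-28T02:05:00 alice COPY  share/customer-list.xlsx
2024-04-02T10:00:00 alice READ  wiki/onboarding
2024-04-10T11:30:00 bob   GRANT iam/role-admin
2024-04-20T08:00:00 bob   READ  repo/infra
2024-04-11T09:00:00 carol READ  wiki/onboarding
"""

# Assumed review window: the month before the employee's last day.
WINDOW = timedelta(days=30)

# Assumed set of actions that deserve a closer look during the notice period:
# bulk copies of data and changes to privileges.
HIGH_RISK_ACTIONS = {"COPY", "GRANT"}


def parse_log(text):
    """Parse the whitespace-separated log format into (timestamp, user, action, resource)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource = line.split()
        events.append((datetime.fromisoformat(ts), user, action, resource))
    return events


def review_departures(events, roster, window=WINDOW):
    """Return (severity, user, detail) findings for users who have given notice.

    critical: access after the last working day (the account should be disabled)
    high:     a high-risk action inside the notice window
    notice:   any other activity inside the notice window, kept for the audit trail
    """
    findings = []
    for ts, user, action, resource in events:
        info = roster.get(user)
        if info is None or info["last_day"] is None:
            continue  # unknown user or no notice given: out of scope here
        last_day = info["last_day"]
        day = ts.date()
        detail = f"{action} {resource} at {ts.isoformat()}"
        if day > last_day:
            findings.append(("critical", user, f"after last day {last_day}: {detail}"))
        elif last_day - window <= day <= last_day:
            severity = "high" if action in HIGH_RISK_ACTIONS else "notice"
            findings.append((severity, user, f"during notice period: {detail}"))
    return findings


def summarize(findings):
    """Count findings per severity so the reviewer can see the shape of the report."""
    return dict(Counter(severity for severity, _, _ in findings))


if __name__ == "__main__":
    report = review_departures(parse_log(SAMPLE_LOG), ROSTER)
    for severity, user, detail in report:
        print(f"[{severity:8}] {user}: {detail}")
    print(summarize(report))
```

In a real deployment the roster would come from the HR system and the events from a SIEM or directory audit log; the point of the example is that the two critical findings (access after the last day) are exactly the case the article says to prevent by disabling access promptly.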
External threats, no matter what form they take, appear at first glance to be more manageable than insider threats. Security professionals often make the following assumptions:
An insider has access to more information than an outsider. This is not necessarily the case. If an outsider compromises the CEO’s mobile phone, imagine the quantity and quality of data that is now at the outsider’s fingertips.
An insider has physical access to the offices and the network, so he/she must be more dangerous. An outsider often employs social engineering and reconnaissance techniques to gather an astounding amount of information about a firm. Masquerading as a copy machine or telephone repairman, for example, provides plenty of physical access as well.
Measures that secure assets against internal threats also protect against outsiders. This is due to the structure of a typical outsider attack. An outsider first engages in reconnaissance, probing for weaknesses that would allow a break-in. Then he/she actually accesses the resources of the firm’s network, sometimes with the help of someone inside your organization. Once the outsider is inside the network, he/she really is an “insider”.
The key is to apply best business practices to the IT realm. These include:
Some larger organizations use honeypots. These are decoy systems established to trap an attacker and deflect the attack from the production system. There are many pros and cons to this technique; this is explored in another article.
A combination of IT and business controls is required to protect against insider threats. Involve your contractors and business partners in the effort to be truly effective. Organizations need to carry out regular reviews of access privileges to avoid providing unnecessarily liberal access and therefore reduce potential points of weakness. You should trust your employees, but you must balance that trust with suitable business and network security controls.
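The regular review of access privileges recommended above is easy to script once you have a per-role baseline of what each role should be allowed. This is an added example, not code from the original article: it compares a constructed set of accounts (employees and contractors, each with a role, an active flag and their current grants) against a constructed role baseline, reports grants that exceed the role, reports inactive accounts that still hold grants, and turns the findings into a revocation plan. The entitlement names and the role baseline are assumptions made for the example.

```python
# Constructed role baseline (assumed for this example): the maximum entitlements per role.
ROLE_BASELINE = {
    "engineer":   {"repo:read", "repo:write", "ci:run"},
    "analyst":    {"repo:read", "reports:read"},
    "sysadmin":   {"repo:read", "server:admin", "iam:admin"},
    "contractor": {"repo:read"},
}

# Constructed identity records: user -> role, whether the account is active, current grants.
ACCOUNTS = {
    "alice": {"role": "engineer",   "active": True,  "grants": {"repo:read", "repo:write", "ci:run", "iam:admin"}},
    "bob":   {"role": "sysadmin",   "active": True,  "grants": {"repo:read", "server:admin"}},
    "carol": {"role": "analyst",    "active": True,  "grants": {"repo:read", "reports:read"}},
    "dave":  {"role": "contractor", "active": False, "grants": {"repo:read", "repo:write"}},
    "erin":  {"role": "contractor", "active": True,  "grants": {"repo:read", "server:admin"}},
}


def review_entitlements(accounts, baseline):
    """Return (finding, user, detail) tuples for accounts that deviate from least privilege.

    stale-account: an inactive account (departed employee or contractor) still holding grants
    excess-grant:  an active account holding grants beyond its role baseline
    unknown-role:  a role with no baseline, which cannot be reviewed automatically
    """
    findings = []
    for user, rec in sorted(accounts.items()):
        allowed = baseline.get(rec["role"])
        if allowed is None:
            findings.append(("unknown-role", user, rec["role"]))
            continue
        if not rec["active"] and rec["grants"]:
            # Everything on a stale account is excess; report it as one finding.
            findings.append(("stale-account", user, sorted(rec["grants"])))
            continue
        excess = rec["grants"] - allowed
        if excess:
            findings.append(("excess-grant", user, sorted(excess)))
    return findings


def revocation_plan(findings):
    """Map each flagged user to the set of grants that should be revoked."""
    plan = {}
    for finding, user, detail in findings:
        if finding in ("stale-account", "excess-grant"):
            plan.setdefault(user, set()).update(detail)
    return plan


if __name__ == "__main__":
    report = review_entitlements(ACCOUNTS, ROLE_BASELINE)
    for finding, user, detail in report:
        print(f"{finding:14} {user}: {detail}")
    for user, grants in revocation_plan(report).items():
        print(f"revoke from {user}: {sorted(grants)}")
```

Run on a schedule and fed from the directory or IAM system, a review like this catches the two patterns the article warns about: privileges that accumulated beyond what a role needs, and accounts of former employees or contractors that were never cleaned up.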
We'd love to hear what you think - are insider threats something you mitigate against? If yes, how do you do that?