IT security teams at firms and organizations are mainly focused on protecting corporate networks against outsider intrusions, unaware of the dagger aimed at their backs, i.e. insider threats. What’s the use of erecting walls and building fortifications around your networks when the threat is coming from within?
In fact, as many surveys and studies show, more than 50 percent of security incidents and data breaches result from insider threats rather than from outside attackers using clever tricks to slip past network defenses. Other studies show that insider threats are becoming more frequent and that organizations are ill-equipped to detect and block them.
Moreover, with the rise of social media, cloud, mobility and big data, insider threats are becoming harder to identify and attackers are finding more ways to blend into the network traffic and exfiltrate sensitive information without being discovered.
What makes insider threats especially hard to block and to discover is that they involve no obviously illegal behavior: they use completely legitimate system processes and features to cause their mayhem. In many cases, the transgressors don’t even know they’re harming their own organizations.
The first step to fighting insider threats is to know where the dangers lurk. Here are the main categories of insider culprits to look out for in your organization.
Inadvertent users are employees who break security rules in blissful ignorance, oblivious to the harm they’re causing their company. These are usually users who are behind schedule, in a rush to get tasks done, and will do anything to avoid risking their jobs and careers, including breaking a few of those pesky security rules that the IT team is overly protective about. After all, what harm can come from overlooking security practices every once in a while? As long as it doesn’t become a habit, right?
Also fitting in this category are users who aren’t well-versed in security principles and walk into social engineering traps such as spear phishing and baiting. Unfortunately, many of these people have access to sensitive information and are given administrative privileges to system resources as a result of poor security practices within their firms. Attackers usually seek out careless employees or executives and take advantage of their ignorance in order to spread malware in a targeted company’s network or to gain access to sensitive information such as user credentials.
2016 so far has seen many serious data breaches that have stemmed from negligence on the part of users and employees.
Also of concern is the spread of BYOD work models, where employees bring their personal smartphones and tablets to work and use them to process and store sensitive information. Organizations that do not employ proper mobile device management (MDM) and administrative tools risk becoming victims of the carelessness of employees who lose their devices or fail to protect them from cyber-attacks.
Educating employees at all levels about the general cybersecurity principles is a vital first step to mitigate risks caused by inadvertent users, but organizations also need to employ tools that enforce security rules such as preventing users from sending sensitive information like credit card numbers in unencrypted format.
Disgruntled employees are people who have left a company (or have been fired), but still have their old privileges. As they usually hold a grudge against the company, disgruntled employees will take advantage of their access to former accounts and resources to exact revenge on their former employers, and will either personally proceed to cause damage or conspire with other hackers to stage the attack.
A stark example is the 2013 hacking of the Los Angeles Times website by the hacking group Anonymous, which was carried out with the cooperation of Matthew Keys, a former employee of the company who gave his login credentials to the attackers.
Another notable case was the Ashley Madison hack, which was allegedly made possible by the resources available to a former employee. The damage: the information of over 30 million users was spilled onto the internet, which resulted in shattered lives, blackmail cases and several suicides.
Damage caused by disgruntled employees can be minimized and stopped altogether through the use of proper tools and adherence to best practices. For instance, unless web applications are meant to be accessed from public networks, firewalls should be used to limit access. Even if public networks are allowed access, you should reconsider whether access to user accounts with administrative privileges can be limited to specific IP ranges and networks.
It should also become the policy of every company to automatically disable the accounts of employees who leave. Take note, too, that many employees tend to use personal email accounts (Gmail, Yahoo, etc.) as a backup to their corporate accounts. The passwords to those corporate accounts must be reset and the accounts themselves dissociated from the user’s personal email.
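The two controls above, restricting administrative logins to known IP ranges and catching accounts that outlive their owners’ employment, both reduce to a comparison of what the directory and logs actually show against what policy says should be true. The script below is an added example and not code from the original post; the HR roster, directory records, authentication log lines and allowed networks are all constructed sample data, and the `key=value` log format is an assumption made for the example.

```python
import ipaddress
from datetime import date

# Constructed sample data for the example (not from the article).
# HR roster: who has left, and on which date.
DEPARTED = {
    "jdoe": "2016-03-01",
    "asmith": "2016-05-15",
}

# Directory export: whether the account is still enabled, whether it holds
# administrative rights, and which address is registered for password recovery.
ACCOUNTS = [
    {"user": "jdoe",   "enabled": True,  "admin": False, "recovery_email": "jdoe@gmail.com"},
    {"user": "asmith", "enabled": False, "admin": True,  "recovery_email": "asmith@corp.example"},
    {"user": "bwong",  "enabled": True,  "admin": True,  "recovery_email": "bwong@corp.example"},
    {"user": "clee",   "enabled": True,  "admin": True,  "recovery_email": "clee@yahoo.com"},
]

CORPORATE_DOMAIN = "corp.example"

# Networks from which administrative logins are acceptable (office and VPN pool).
ADMIN_ALLOWED_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Constructed authentication log in an assumed key=value format.
AUTH_LOG = """\
2016-06-01T08:01:12Z user=bwong src=10.1.4.22 result=success
2016-06-01T09:15:40Z user=clee src=198.51.100.7 result=success
2016-06-01T09:16:02Z user=jdoe src=198.51.100.9 result=success
2016-06-01T10:00:00Z user=bwong src=10.1.4.22 result=failure
"""


def offboarding_findings(accounts, departed, today_iso, corp_domain=CORPORATE_DOMAIN):
    """Flag departed employees whose accounts are still enabled, and departed
    employees whose accounts can still be recovered through a personal mailbox."""
    today = date.fromisoformat(today_iso)
    by_user = {a["user"]: a for a in accounts}
    findings = []
    for user, left_on in departed.items():
        acct = by_user.get(user)
        if acct is None:
            continue
        if acct["enabled"] and date.fromisoformat(left_on) <= today:
            findings.append(("disable", user, f"left on {left_on} but account still enabled"))
        domain = acct["recovery_email"].rsplit("@", 1)[-1].lower()
        if domain != corp_domain:
            findings.append(("reset-recovery", user, f"recovery address still on {domain}"))
    return findings


def parse_auth_line(line):
    """Split 'TIMESTAMP k=v k=v ...' into a dict; 'ts' holds the timestamp."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def admin_logins_outside_allowlist(log_text, accounts, allowed_nets=ADMIN_ALLOWED_NETS):
    """Return successful logins by administrative accounts whose source address
    is not inside any allowed network."""
    admins = {a["user"] for a in accounts if a["admin"]}
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_auth_line(line)
        if ev["user"] not in admins or ev["result"] != "success":
            continue
        src = ipaddress.ip_address(ev["src"])
        if not any(src in net for net in allowed_nets):
            hits.append((ev["ts"], ev["user"], ev["src"]))
    return hits


if __name__ == "__main__":
    for kind, user, why in offboarding_findings(ACCOUNTS, DEPARTED, "2016-06-01"):
        print(f"[{kind}] {user}: {why}")
    for ts, user, src in admin_logins_outside_allowlist(AUTH_LOG, ACCOUNTS):
        print(f"[admin-login-outside-allowlist] {ts} {user} from {src}")
```

Run against the sample data this reports `jdoe` (left in March, still enabled, recovery address on a personal domain) and one successful administrative login by `clee` from an address outside both allowed networks. In practice the roster comes from HR and the account export from the directory, and the allowlist check belongs in the authentication path rather than only in a nightly report.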
Malicious insiders are employees who continue working for the organization, but are secretly conducting destructive activities or sending sensitive and classified information such as company secrets or military intelligence to other parties.
Malicious insiders are extremely hard to track because they are usually tech-savvy, know their trade and are trained to conceal their activity. For the most part, they have administrative privileges or have clearance to access sensitive information without raising alarm.
One of the most famous cases that fits in this category is the Edward Snowden leaks, which triggered a global chain reaction, transformed the cybersecurity and privacy landscape forever, and had repercussions that affected some of the biggest tech companies across the world.
At its heart, the entire episode started with an NSA tech guy who decided to use the resources within his reach to take action against his employers and reveal classified information to the world.
(Note: I’m mentioning this solely from a technical perspective, and not to pass judgment on Ed’s deeds or decide whether the nature of his decisions was malicious or not. Here, “malicious insider” means someone who harms the organization they’re working for.)
In order to prevent malicious insiders from leaking information or taking off with company data, organizations should adopt an approach that comprises both security practices and preventative tools. For instance, limiting the number of people who have access to sensitive resources and applying auditing controls can help spot culprits before they deal their damage.
Also, the use of security tools such as Data Loss Prevention (DLP) solutions can help automate the tasks and minimize the risks. DLPs tag and classify sensitive data and stop anything proprietary from leaving the company or agency. The more sophisticated tools block and control behaviors that pose threats to the organization based on user, event and data type. This effectively helps to prevent damage while allowing normal users to go about their business as usual without feeling discomfort.
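The rule described earlier for inadvertent users (stop credit card numbers leaving in unencrypted form) and the DLP classify-and-block behaviour described here come down to the same core: recognise the sensitive data in an outbound message and decide on that basis. The following is an added example, not code from the post or from any DLP product; it detects card numbers with a digit-group pattern plus the Luhn check (which filters out most random digit strings), masks them for the log, and blocks the message unless it is going out over an encrypted channel. The sample messages are constructed.

```python
import re

# Candidate primary account number: 13 to 19 digits, optionally grouped
# with spaces or dashes, not adjacent to other digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str):
    """Return the card numbers (digits only) found in text that pass Luhn."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep the first six and last four digits for the audit log."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def classify_message(msg: str, encrypted: bool = False):
    """DLP-style decision: ('allow' | 'block', masked findings).
    Card data may leave only when the channel is encrypted."""
    pans = [mask(p) for p in find_card_numbers(msg)]
    if pans and not encrypted:
        return "block", pans
    return "allow", pans


# Constructed outbound messages: (body, sent over an encrypted channel?)
SAMPLE_OUTBOUND = [
    ("ticket #48211 resolved, see attached invoice", False),
    ("customer paid with card 4111 1111 1111 1111 exp 12/19", False),
    ("customer paid with card 4111 1111 1111 1111 exp 12/19", True),
    ("serial 1234-5678-9012-3456 looks like a card but fails Luhn", False),
]

if __name__ == "__main__":
    for body, enc in SAMPLE_OUTBOUND:
        decision, findings = classify_message(body, encrypted=enc)
        print(f"{decision:5} encrypted={enc!s:5} findings={findings} :: {body}")
```

The Luhn check is what keeps a 16-digit serial number or ticket reference from tripping the rule; a real DLP engine adds context (issuer prefixes, nearby words such as "exp" or "CVV", document classification tags) to push the false-positive rate down further, and the same structure extends to other identifiers the organization classifies as sensitive.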
Trusted third parties – AKA quasi-insiders – are people or companies who aren’t part of your organization but have access to your private networks and resources in order to provide services or carry out specific tasks. This requires opening up a channel to your internal network for the outside party.
Since securing such channels involves a lot of trouble and headaches, many organizations carelessly give trusted third parties unlimited access, or more access than is necessary, in order to avoid future problems.
In most cases, the third parties themselves don’t carry out malicious actions, but their access channels are broken into and used by other malicious parties to gain a foothold in the targeted company’s networks. The intruders disguise their actions as those of the trusted third party in order to carry out their evil deeds.
In order to protect against third-party threats, organizations should be very careful when opening up network ports and interfaces. There are many tools that can secure your channels without adding much overhead or IT complications. Setting up a VPN and making proper use of firewalls, web application firewalls, and intrusion detection systems can block most known attacks.
Also, as a general practice, companies should keep tabs on who has access to their networks from outside and periodically check to make sure whether every access channel to their networks is still needed and necessary.
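A periodic review of third-party channels needs two inputs: a register of which partner is allowed in from which network and until when, and the connection logs that show who actually came in. The script below is an added example, not code from the post; the channel register, the VPN log lines and their format are constructed for illustration. It flags three things the review paragraph above is concerned with: connections from sources that match no approved channel, approved channels that are still in use after their engagement end date, and channels nobody has used within the review window (candidates for removal).

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed register of approved third-party channels (not from the article):
# the partner, the network they connect from, and the end of the engagement.
CHANNELS = [
    {"partner": "acme-support",   "src_net": "203.0.113.0/24",  "expires": "2016-12-31"},
    {"partner": "billing-vendor", "src_net": "198.51.100.0/24", "expires": "2016-03-31"},
    {"partner": "old-contractor", "src_net": "192.0.2.0/24",    "expires": "2017-06-30"},
]

# Constructed VPN concentrator log in an assumed one-line-per-connection format.
VPN_LOG = """\
2016-06-01T07:30:00Z vpn-connect src=203.0.113.10
2016-06-01T11:05:00Z vpn-connect src=198.51.100.44
2016-06-01T13:20:00Z vpn-connect src=192.168.77.5
"""

LINE = re.compile(r"^(?P<ts>\S+) vpn-connect src=(?P<src>\S+)")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_vpn_log(log_text):
    """Yield (timestamp, source address) for every connection line."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], TS_FMT), ipaddress.ip_address(m["src"])))
    return events


def review_channels(channels, log_text, now_iso, idle_days=30):
    """Compare observed connections against the register.
    Returns (kind, subject) findings in the order they are discovered."""
    now = datetime.strptime(now_iso, TS_FMT)
    nets = [(c, ipaddress.ip_network(c["src_net"])) for c in channels]
    last_seen = {c["partner"]: None for c in channels}
    findings = []

    def add(f):
        if f not in findings:       # one finding per distinct issue
            findings.append(f)

    for ts, src in parse_vpn_log(log_text):
        owner = next((c for c, net in nets if src in net), None)
        if owner is None:
            add(("unapproved-source", str(src)))
            continue
        partner = owner["partner"]
        expires = datetime.strptime(owner["expires"], "%Y-%m-%d").date()
        if ts.date() > expires:
            add(("expired-channel-used", partner))
        if last_seen[partner] is None or ts > last_seen[partner]:
            last_seen[partner] = ts

    # Channels with no traffic inside the window should be confirmed or closed.
    for c in channels:
        seen = last_seen[c["partner"]]
        if seen is None or now - seen > timedelta(days=idle_days):
            add(("idle-review", c["partner"]))
    return findings


if __name__ == "__main__":
    for kind, subject in review_channels(CHANNELS, VPN_LOG, "2016-06-02T00:00:00Z"):
        print(f"[{kind}] {subject}")
```

Against the constructed data this reports the billing vendor’s channel still carrying connections two months after its engagement ended, a connection from a source that matches no register entry, and the contractor channel that has seen no use at all in the window. The register is the piece most organizations lack; without it, the log can only tell you who connected, not whether they still should.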
Every organization is under attack… from inside. This should be recognized as an undeniable reality of today’s online business landscape, which is turning ever more complicated with the wide adoption of cloud, mobility and distributed platforms. It’s only a matter of time before disaster strikes your organization – unless you’re vigilant and employ the right practices and tools to protect yourself.
I’ll be writing about this soon, with a focus on new tools and technologies that assist organizations in spotting and stopping insider threats. Please share your experience and innovations in the comments.
IMAGE SOURCE: PYMTS.COM