The Weakest Link – Insider Threats

Article by Ron Frechette

Last month’s article, Defense in Depth, focused on building various defense strategies that range from protecting our security perimeter down to the sensitive data we are trying to protect.  We mentioned three primary types of attack scenarios we must be aware of when thinking about a defense in depth strategy.  The first two, Script Kiddies and Skilled Hackers were covered extensively. The third, Insider Threats, is a topic we decided to dedicate our entire August article to due to the importance and increased number of adverse incidents we have seen emerge recently.

What is an Insider Threat?

An insider threat is a threat to a group or company that comes from people within the organization, such as employees, former employees, vendors, contractors, or business associates, who have access to inside information concerning the organization’s security practices, data, and computer systems. There are two types of insider threats, malicious and unintentional.  Malicious threats can include interruption of computer systems, intellectual property (IP) theft, client data theft, espionage, and fraud for financial gain.  Unintentional threats include overall bad judgment, be a victim of a phishing attack, downloading malware, unintentional aiding and abetting, and having credentials stolen.

The Inside Attacker

Inside attackers are without a doubt the largest threat to any organization. They usually have credentials that provide them legitimate access to computer systems. These credentials are intended to provide access to perform their duties and could also be abused to harm the organization. Inside attackers are often familiar with the organization’s data and intellectual property as well as the systems that are in place to protect them. This makes it easier for the inside attacker to evade any security controls of which they are aware. If they have something to gain, there’s not much to prevent them from doing the wrong thing.

Having physical access to data means that the inside attacker does not need to hack into the organizational network through the outer perimeter by navigating through firewalls; rather they are in the building already, often with direct access to the organization’s internal network. Insider threats are harder to defend against than attacks from outsiders since the insider already has legitimate access to the organization’s information and assets.

Statistics on Insider Threats

A report published on the insider threat in the U.S. financial sector gives some statistics on insider threat incidents.

  • 80% of the malicious acts were committed at work during working hours
  • 81% of inside attackers planned their actions beforehand
  • 33% of inside attackers were described as “difficult”
  • 17% of inside attackers were “disgruntled”
  • 74% of inside attackers were identified after an incident
  • 81% of inside attacker’s motives were for financial gain
  • 23% of inside attacker’s motives were for revenge

27% of inside attackers were experiencing personal financial difficulties at the time of incident

Eight Ways to Minimize Insider Threats

Insider threats can never be totally eliminated as a risk to any organization.  There are, however, some best practices you can put in place to minimize the risk:

  1. Develop an Information Governance program that makes the expectations of management clear for all employees. Information governance provides business intelligence that drives security policies and controls for employees that are doing something that they shouldn’t.
  2. Conduct thorough employee background checks before making any hiring decisions.
  3. Implement a forensics data analytics solution that includes artificial intelligence and machine learning technologies. This solution analyzes insider behaviors and generates risk rankings within the user population of your network.
  4. Have an Incident Response and Recovery plan in place. This will allow you to response to potential threats, both internally and externally within minutes, not days.
  5. Initiate a Separation of Duties policy that requires actions by at least two people to complete a given task. This creates the need for complicity and reduces the opportunity for one individual to breach the security system.
  6. Implement a formal Security Awareness Training program – education is critical to mitigating the risks of insider threats from both malicious and unintentional attacks.
  7. Set up Access Controls – the concept of least privilege should be implemented. Nobody should have access to anything that they do not undoubtedly need to do their job.
  8. Rotating assignments limits an individual to a given role for a particular period of time. Doing this can prevent an individual from becoming indispensable or prevent the individual from learning a system so well that they are able to find faults that would allow fraud or abuse to go undetected.

In closing, battling insider threats is an organizational issue that continues to grow and requires a detailed plan of action. Implementing these types of best practices will help you gather the intelligence needed to prevent internal attacks and gain visibility into the high-risk users within your organization.

For more information on how you can implement these types of controls into your organization, send me a tweet @GoldSkyRon.  Until next month… wishing you a safe and prosperous journey in cyberspace!

Questions? Send me a tweet: @GoldSkyRon or email ron.frechette@goldskysecurity.com

GoldSky Security offers small and medium sizes business cybersecurity solutions across the US and currently has offices in Orlando, Florida and in Denver, Colorado.

Sources:

https://en.wikipedia.org/wiki/Insider_threat

http://www.pearsonitcertification.com/articles/article.aspx?p=2218577&seqNum=2

https://www.us-cert.gov/sites/default/files/publications/Combating%20the%20Insider%20Threat_0.pdf