Author: Morey Haber, chief technology officer, BeyondTrust
By definition, an Insider Threat is an internal persona behaving as a threat actor, with or without their knowledge.
Insider Threats occur for a variety of reasons, including a person looking to hurt an organization or to gain an advantage over it.
An old-school example of this type of threat, and one that is still relevant today, is the theft of client lists.
A salesperson, executive, or other persona planning to leave an organization might photocopy or print client lists and orders before leaving the organization, to have a competitive edge when they start with a new employer.
Regardless of their intent, it’s the digital aspect of an Insider Threat that warrants the most attention.
Consider the following threats to your business:
– How many people have access to sensitive information in bulk?
– Are all accounts valid people that are still employed or relevant?
– How often do you change the passwords for sensitive accounts?
– Do you monitor privileged access to sensitive systems and data?
You should answer these questions. Here is why:
1 – Only administrators (not even executives) should have access to data in bulk. This prevents an insider from dumping large quantities of information, or an executive’s account from being hacked and leveraged against the organization.
2 – Users should never use administrative accounts for day-to-day tasks like email. This includes administrators themselves, in case their accounts are compromised too. All users should have standard user permissions.
3 – All access to sensitive data should be restricted to valid employees only. Former employees, contractors, and even auditors should not have access to this sensitive data on a daily basis. These accounts should be disabled or deleted per your organization’s policy.
4 – Employees come and go. If the passwords stay the same as people leave and new hires are acclimated, the risk to sensitive data increases, since former employees still know the passwords to the company’s sensitive information.
5 – Monitoring privileged activity is critical. This includes logs, session monitoring, screen recording, keystroke logging, and even application monitoring. Why? If an Insider is accessing a sensitive system to steal information, session monitoring can document their access, how they extracted the information, and when.
If you think that following these steps will protect you from Insider Threats, you are wrong.
Wrong and right assumptions
That belief assumes the threat actor comes in through the front door to steal information or conduct malicious activity.
Insider Threats can also evolve from traditional vulnerabilities, poor configurations, malware, and exploits.
A threat actor could install malicious data-capturing software, leverage a system missing security patches, or access resources through backdoors to conduct similar types of data-gathering activity.
Insider Threats are about stealing information and disrupting the business, and they can rely on tools that compromise an unsuspecting employee.
We need to realize Insider Threats come from, essentially, two sides: excessive privileges and poor security hygiene.
To that end, all organizations should also regularly perform these tasks to keep their systems protected:
– Ensure anti-virus or endpoint protection solutions are installed, operating, and kept up to date
– Allow Windows and third-party applications to auto-update, or deploy a patch management solution to roll out relevant security patches in a timely manner
– Utilize a vulnerability assessment or management solution to determine where risks exist in the environment and correct them in a timely manner
– Implement an application control solution so that only authorized applications execute, and with the proper privileges, to mitigate the risk of rogue, surveillance, or data collection utilities
– Where possible, segment users from systems and resources to reduce “line of sight” risks
While these seem very basic, the reality is that most businesses do not do a good job at even the most basic security. If they do, the risk of Insider Threats can be minimized by limiting administrative access and keeping information technology resources up to date with the latest defences and security patches.
Insider Threats are not going to go away.