Published on December 10th, 2016 | by Guest0
Practical Guide: How to Prevent Insider Threat
Nowadays, everybody is aware of the danger of internal threats to information security. Several times a year we hear news reports about a new high profile data breach caused by malicious insider. The most recent example that comes to mind is the Washington State Health Care Authority (HCA) breach from February 9, 2016, when the data of more than 90 000 patients was misused by an employee.
Most of these reports are coming from government institutions, however this does not mean that private companies are not susceptible to malicious threat coming from within. In fact, insider attacks are something that businesses all over the world experience every day, but many of them choose to not publicize such attacks if at all possible, since it can easily damage their reputation and lead to a loss of clients and investors.
Insider attack in itself is an umbrella term that covers many types of malicious actions, from a completely intentional data theft or fraud committed for profit, to sabotage for making a point or getting back at a company, to industrial espionage, to even honest inadvertent mistakes. The thing that all of these actions have in common is the fact that they all are committed by employees with legitimate access to inner workings of you company. Often said employees are managers, database operators, programmers or IT specialist, working with sensitive data, infrastructure or critical system settings.
Effectively dealing with such a variety of threats from within the organization is a complex and layered process that requires commitment on the part of the company. Using the right internal threat management software will lend you some results, but for truly preventing and detecting insider threats, your very approach to employee management should be designed in a specific manner.
Making sense of all the tips and recommendations for dealing with insider threats can be hard and time consuming. This is why we took all the best practices and distilled them to six large, yet necessary steps that we combined into this practical guide How to Detect Insider Threats. By following these six steps and incorporating them into your company IT security, you will be able to effectively prevent insider threats and will have all the necessary measures in place for an efficient detection and response to a potential insider attack.
Step 1. Understand insider threats
In order to make your security truly effective, you need to first understand the nature of insider threat and what different types of them exist. Internal threats to information security are coming from insiders that are usually defined as people, who have legitimate access to restricted information and critical infrastructure of your company.
There are three main groups that can be classified as insiders:
- Current employees – first group that comes to mind, your current employees have legitimate immediate access to all your sensitive data. The biggest danger among them pose users with privileged accounts. Such users have the highest level of access and usually enjoy a high level of trust from the company, putting them in the best position to commit malicious actions and get away with it.
- Third parties – modern companies are usually affiliated with a wide range of different people and organizations. Subcontractors, service providers and business partners all have access to your corporate network and sensitive data that they can use to conduct malicious actions.
- Former employees – while technically they lose their legitimate access upon termination, not all companies bother to properly delete inactive credentials. If former employee finds that their credentials are still working, they can use them to conduct malicious actions. Another potential danger is a backdoor or a logic bomb (malicious software that fires off automatically after a set period of time) that former employee may leave behind in order to gain access to the system or sabotage normal business operations long after they leave.
It is also important to understand the common reasons for committing insider attacks. In some cases, changes to employee behavior can give your security personnel some hints as to what they are planning and will allow them to prevent insider attack before the damage was done.
- Corporate espionage – employees can be recruited by a competing company via blackmail or bribery in order to transfer your sensitive data to them. Instances of corporate espionage can be very hard to detect. If employee makes many unexpected trips or suddenly has an influx of money, it may be a time to worry.
- Personal financial gain – employee can steal client database to sell it on a black market or start a competing business. In this case, they will often brag to their colleagues about this, which can help prevent the attack.
- Revenge for perceived injustice – disgruntled employees can conduct malicious actions to get back at the company for perceived injustice toward them. Malicious actions out of revenge are often designed to bring as much damage to the company as possible and to interrupt regular business procedures.
- Inadvertent mistakes – in many cases, insider attack turns out to be a simple mistake on the part of an employee, whether it is to click on a link in a suspicious email opening your company to a hacker attack, tell their password to a colleague, or to send sensitive data to the wrong person. Possibility of such unintentional threats should be accounted for and their prevention should be included as a part of a general insider attack prevention strategy of your company.
Understanding the nature of insider attacks is an important step that will help you conduct a more thorough risk assessment and define main weaknesses of your security.
Step 2. Employ secure approach for managing employees and credentials
You should organize your work process and assign credentials in such a way as to limit the number of privileged accounts, restrict access to sensitive information as much as possible and create an unfavorable working environment for malicious actions.
In order to achieve this, there are two major principles that you should follow:
- Principle of least privilege – each new account by default should be created with the lowest level of privileges possible. The level of privileges should only be raised if it is necessary. This way you limit the number of privileged accounts inside your organization and make sure that all of them have specific purpose and are constantly in use.
- Principle of separation of duty – duties inside the organization should be divided between individuals as much as possible, promoting collaboration whenever a complex task needs to be solved. Statistically, employees are much less likely to conduct malicious actions when they are collaborating with other employees. For example, actions, such as backup and restoration of data should be separated between different people if possible.
The two aforementioned principles work together to minimize opportunities for insider attacks and strengthen overall data security posture of your organization.
Step 3. Conduct thorough risk assessment
Risk assessment is the necessary process that allows to identify all the weak points in your current security and give you a clear understanding of what needs to be improved.
There are three major steps to risk assessment:
- Identifying a potential threat
- Identifying how vulnerable your organization is to this threat
- Identifying how much damage would be done in case of this type of an attack
Received information will give you a clear understanding of what security measures should be implemented and how their implementation should be prioritized.
Risk assessment should be conducted periodically as well as anytime when a major changes to security or network infrastructure are introduced. Insider threats should be examined as an integral part of your risk assessment process. As a result, you should get a clear understanding of the effectiveness of your insider threat prevention and protection measures and how to strengthen them accordingly.
Overall, results of a thorough risk assessment should be used to build and revise general company security strategy, including protection from both insider and outsider threats.
Step 4. Work on employee security awareness
In many cases, security breaches are directly caused by employees neglecting simplest security rules and practices. Such neglect more often than not comes from the fact that majority of employees are poorly educated in the matters of cyber security. Employees are often either completely unaware of certain security practices, or are willingly breaking them in favor of their own convenience, without realizing the severity of consequences that can follow.
The only way to remedy this situation is to conduct security awareness training in order to familiarize your employees with the latest security trend and make them aware of how they affect the cyber security of your company. This will help to significantly reduce the number of mistakes made by employees (since if they are aware of the severe consequences of their actions, it will prompt them to be more careful) and protect them from social engineering. They will know to not only ignore the links in spam emails, but also to report a fellow co-worker, who asks for a password from their account, or brags that he plans to start a competing business.
Also by making your employees aware of the security measures you are taking against insider threats, you are enlisting them on your side, creating a healthy working environment based on trust and deterring some of them from conducting malicious actions.
Step 5. Employ secure password and account management procedures
Using shared or default accounts is a prevalent practice in many organizations. However, this may allow certain employees to obtain access to privileged accounts that they do not supposed to have. Prohibiting use of shared accounts is necessary for reliable security.
You should also make sure that your accounts are thoroughly secured by unique complex passwords that are changed on a regular basis. It is also necessary to immediately change any default passwords that your company may use for any software or hardware. Such passwords are usually public and will allow both hackers and malicious insiders to easily take control of the system. Another important thing to do is to prohibit password sharing between employees, as well as the use of a single password across multiple accounts. This way you are not only making it harder for malicious user to get their hands on credentials of other employees, but also are thoroughly protecting your data from cyber security attacks by outsiders.
Another way to strengthen your account security and make sure that account is used by a correct person is to implement a secondary authentication. Such system, implemented with either mobile devices or more sophisticated physical tokens can be used to reliably confirm the identity of the person trying to log in and serves as a safety net in case the password has been compromised.
Step 6. Conduct employee monitoring
Employee monitoring is a great prevention and detection tools that will help you effectively deter malicious insiders and ensure integrity of your sensitive data. Professional monitoring software will give you a full visibility into what users are doing, providing you with the ability to quickly detect insider attacks, establish a culprit and issue a timely response.
- Monitor user actions. Many companies limit themselves to access monitoring or built-in login capabilities of software and systems that they are using. However, in most cases this is not enough, as user will be able to easily disguise their malicious actions as a regular work and alter or disable most internal logs. It is best to conduct thorough user action monitoring using dedicated monitoring solutions. Such software will be thoroughly protected from tampering and will be able to produce comprehensive record of user actions, allowing you to efficiently detect insider attacks.
- Monitor privileged users. Users with privileged accounts are usually directly working with sensitive data or critical system settings and have all the tools necessary to conduct malicious actions, while disabling any default monitoring. It is important to use monitoring software that are specifically designed to handle such users and cannot be disabled regardless of the level of privilege user has.
- Monitor third parties and remote users. Various third parties, such as service providers and subcontractors are not necessarily have the same level of security from both insider and outsider threats as your organization. In this case, action monitoring is your best bet at reliably protecting your data from any misuse. When sensitive data is accessed remotely, whether by third parties, or by your own employees, make sure that it is transferred only while encrypted and that all remote sessions are fully monitored. This will allow you to prevent insider network attacks and make sure that remote employees are not misusing sensitive data.
- Use custom alerts or behavior analysis tools. One of the biggest challenges of action monitoring is the efficient processing of a large amounts of data you receive. More affordable monitoring solutions, such as Ekran System, usually employ customizable alert systems that can be used to create alerts best suited for your particular situation. Such alerts will fire upon particular suspicious events, allowing your security personnel to check for data breaches or misuse. Some solutions use more sophisticated behavior analysis systems that try to detect suspicious events automatically. Such systems are convenient to use and can give good results, although they are much more expensive and tend to produce many false positives.
When creating this practical guide on how to prevent insider threats, we went through many recommendations and best practices employed by security professionals, as well applied our own experience in the matter. Resulting six steps are the basic, yet the most important ones you can take in order to thoroughly protect your company from insider threats. We hope that this guide was useful to you and gave you a good idea on how to improve security posture of your organization.