By Jason Matlock
The greatest threat to an organization’s security is often its own employees. Consider that insider threats accounted for 71 percent of reported cyberattacks in the healthcare industry and 57 percent of reported cyberattacks in the financial services industry in 2016, according to IBM research.
In both of those industries, the majority of the attacks depended on the actions of employees who had no malicious intent but had unintentionally compromised the network security of their organizations. However, insider threats can also be more sinister. In this article, we will define the different types of insider threats and explain how to curtail them.
Recognizing insider threats
Insider threats are classified as either active (intentional) or passive (unintentional). The difference is whether the perpetrator is acting in a malicious manner or instead has been duped into taking an action that could allow outside parties to gain network access. Passive insider threats involve users who are ill-informed or working in an environment with a poor security posture. These are the people and users who fall victim to social engineering, the use of deception to gain information to be used for fraudulent purposes.
To illustrate the distinction, a malicious employee might seek to steal information for financial gain or to embarrass the company. Conversely, a passive threat could occur when a user clicks on a link in a phishing email or is tricked into revealing security credentials to a hacker posing as someone else from within the organization.
Fighting insider threats
To combat insider threats, organizations can provide security awareness training to educate workers. For instance, employees can learn how to spot phishing emails and how to look for signs of other employees who may have malicious intentions.
This is where employee buy-in comes into play. It is crucial to make sure a team member knows why it is important to alert someone in IT about phishing attempts or suspicious phone calls trying to solicit information. Cyberattacks can be very damaging, both monetarily and regarding reputation. Employees need to understand why it’s so important to be diligent.
Building a safe culture
It is important for an organization’s IT and human resources departments to build a cooperative relationship. IT should be notified immediately when an employee leaves the company so that access privileges can be terminated. This prevents disgruntled ex-employees from accessing the network from outside the office in order to cause mischief.
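One way to verify that the HR-to-IT handoff actually happened is to reconcile the HR roster against a directory export and flag accounts that remain enabled, or were used, after the last working day. This is an added example, not code from the article or its author; the roster and directory contents are constructed and the date formats are assumed.

```python
from datetime import date

# Constructed HR roster: account -> last working day (None = still employed)
HR_ROSTER = {
    "asmith": None,
    "bjones": date(2017, 9, 1),
    "cwu": date(2017, 9, 10),
}

# Constructed directory export: account -> (enabled?, last logon date or None)
DIRECTORY = {
    "asmith": (True, date(2017, 9, 12)),   # current employee, nothing to flag
    "bjones": (True, date(2017, 9, 8)),    # left Sept 1, still enabled and used a week later
    "cwu": (False, date(2017, 9, 9)),      # disabled on time, last logon before departure
    "svc_backup": (True, None),            # account with no HR owner at all
}

def reconcile(hr, directory, today):
    """Return (finding, account) tuples for accounts that outlived their owner's employment."""
    findings = []
    for account, (enabled, last_logon) in directory.items():
        if account not in hr:
            # Every enabled account should map to a person (or a documented service owner).
            findings.append(("no_hr_record", account))
            continue
        left = hr[account]
        if left is None or left >= today:
            continue  # still employed, or leaving today
        if enabled:
            findings.append(("enabled_after_departure", account))
        if last_logon is not None and last_logon > left:
            findings.append(("logon_after_departure", account))
    return findings

if __name__ == "__main__":
    for finding in reconcile(HR_ROSTER, DIRECTORY, date(2017, 9, 13)):
        print(finding)
```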
If a security mistake does happen (“Whoops, I clicked on the wrong thing!”), the employee must feel safe in notifying the organization of the error immediately. A team member trying to cover up a faux pas out of fear is the result of the wrong culture and can cost the company valuable time in minimizing the effects of a breach. We all make mistakes — it’s important that when a person is in doubt, they have a process in place to follow without fear of being punished.
On a network level, organizations should ensure regular users have appropriately limited access privileges and are not given administrative control by default.
Segregating critical systems can also help protect the network. In the event of a malware infection, if one computer is infected and compromised, segmentation limits what an attacker can reach from that system.
Monitoring user activity can allow companies to spot suspicious activity. For instance, large amounts of traffic leaving the network could be a sign of data being stolen. Logging all instances of failed and successful access to sensitive files should be at the top of the list. This will require defining the critical assets on your network and making sure to utilize controls as to who can access those assets. Keep in mind though, that logging is just one part of the process. It’s great to have logs, but if no one is reviewing those logs, it’s as if they didn’t exist in the first place.
Many companies let third-party businesses have access to certain aspects of their networks. These third parties should also be monitored. Often, these third-party actors have the same access and insight into your company’s operations as your own employees, but many companies don’t provide the same level of oversight to these third parties as they do to their own employees. Be sure to employ the same security controls here, such as restricting the level of access they have and monitoring their activity on the network. Be sure you have clearly defined policies in place that describe the “how, what, when” of the third party’s activity on your network.
Network security should involve a layered approach and not rely on a single type of technology. This could include the use of data loss prevention programs, firewalls, or intrusion prevention systems (IPS). Make sure there are secure, preferably offsite, backups of all the organization’s data. Test backups on a regular basis to make sure they work.
In addition, when an employee is traveling with a laptop, it is critical to ensure the laptop data is encrypted. This cuts down on the risk of losing data if the laptop is stolen.
System monitoring and upkeep also play an important role in maintaining proper information security posture. Being able to determine if a network attack is related to an active or passive threat helps an organization’s IT department to more quickly assess how to respond.
• Make sure all computers on a network can detect malicious code, utilizing antivirus programs and host intrusion prevention systems.
• Keep all operating systems updated and patched.
• Keep logs of user activity on the network to watch who is accessing what types of files.
• Monitor VPN access to the network to check if employees are logging in at odd times such as early in the morning when they normally wouldn’t be working.
• Provide an anonymous way for employees to report if their coworkers begin acting suspiciously.
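The monitoring advice above (watch for off-hours VPN logins, log failed and successful access to sensitive files, and treat large outbound transfers as a possible sign of data theft) can be turned into simple detection rules. The script below is an added example, not code from the article or its author; the log format, the business-hours window, the sensitive path prefixes and the thresholds are all assumptions, and the log lines are constructed.

```python
import re
from datetime import datetime

# Constructed sample log, one event per line: "TIMESTAMP TYPE key=value ..."
SAMPLE_LOG = """\
2017-09-12T09:02:11 vpn user=jdoe src=203.0.113.7 result=success
2017-09-13T03:14:05 vpn user=jdoe src=198.51.100.9 result=success
2017-09-13T09:30:00 file user=jdoe path=/finance/payroll.xlsx result=denied
2017-09-13T09:30:04 file user=jdoe path=/finance/budget.xlsx result=denied
2017-09-13T09:30:09 file user=jdoe path=/finance/forecast.xlsx result=denied
2017-09-13T10:00:00 file user=cfo path=/finance/payroll.xlsx result=success
2017-09-13T10:45:00 egress user=jdoe dst=203.0.113.50 bytes=7500000000
2017-09-13T11:00:00 egress user=cfo dst=192.0.2.10 bytes=120000
"""

LINE_RE = re.compile(r"^(\S+) (\w+) (.*)$")
SENSITIVE_PREFIXES = ("/finance/", "/hr/")   # assumed list of critical assets
BUSINESS_HOURS = range(7, 19)                # assumed 07:00-18:59 working window
DENIED_THRESHOLD = 3                         # assumed: third denial on sensitive data alerts
EGRESS_BYTES_THRESHOLD = 1_000_000_000       # assumed: 1 GB in one transfer alerts

def parse_line(line):
    """Turn 'TIMESTAMP TYPE k=v k=v' into a dict; return None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, kind, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    fields["type"] = kind
    return fields

def detect(log_text):
    """Apply the three heuristics and return (rule, user, detail) alert tuples in log order."""
    alerts, denied_by_user = [], {}
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        if ev["type"] == "vpn" and ev["result"] == "success":
            off_hours = ev["ts"].hour not in BUSINESS_HOURS or ev["ts"].weekday() >= 5
            if off_hours:
                alerts.append(("off_hours_vpn", ev["user"], ev["ts"].isoformat()))
        elif ev["type"] == "file" and ev["path"].startswith(SENSITIVE_PREFIXES):
            if ev["result"] == "denied":  # count denials per user on sensitive paths
                denied_by_user[ev["user"]] = denied_by_user.get(ev["user"], 0) + 1
                if denied_by_user[ev["user"]] == DENIED_THRESHOLD:
                    alerts.append(("repeated_denied_sensitive_access", ev["user"], ev["path"]))
        elif ev["type"] == "egress" and int(ev["bytes"]) >= EGRESS_BYTES_THRESHOLD:
            alerts.append(("large_egress", ev["user"], ev["bytes"]))
    return alerts
```

Running `detect(SAMPLE_LOG)` yields one alert for each heuristic, all for the same user, which is exactly the kind of correlation a reviewer of these logs should be looking for.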
A cautionary tale
As part of the services offered by my company, we assess an organization’s vulnerability to social engineering. During one such assessment, our security analyst called the chief financial officer of a company after spoofing their phone ID so it appeared to be an internal call from within the organization.
With just a little prompting, the CFO revealed his user name and network password to the security analyst. That kind of attack emphasizes the importance of user awareness training and the need for both regular employees and management to take ownership of information security.
Organizations must put cybersecurity policies in place and ensure that all employees are aware of what those policies contain. In order for the policies to be effective, senior management must understand them and stand behind their enforcement. Through proper policies, education, and training, organizations can repair what has become the weakest link in information security — their own people.
About the Author
Jason Matlock is a security analyst for Sword & Shield Enterprise Security Inc. Headquartered in Knoxville, Tennessee, Sword & Shield specializes in security, risk and compliance assessment, managed security services, enterprise security consulting, security incident response and forensics, and technical solutions. It will host the EDGE2017 Security Conference, Oct. 17-18, 2017.