Senior Support Executive
NNT - New Net Technologies
Safeguarding against insider threats is among the leading issues that organizations are encountering today. Whether that risk results from ignorance, oversight or malicious intent, the techniques described here will significantly help secure your organization.
When people think of insider threats, their minds typically go to rogue or disgruntled employees who are intentionally performing a malicious act. What organizations often fail to consider in their IT security strategy is that employees can also pose an insider threat through ignorance, lack of knowledge or negligence.
An insider threat is a malicious threat to an organization that comes from a person or persons within the company. These insider threats could include employees, former employees, contractors, vendors or business associates who have access to inside information concerning security, location of data, and the computer systems within the organization for one reason or another.
Organizations need to be prepared for anything. Fortunately, there are specific tactics to deal with those incidents and protect against future insider threats. Before diving into those tactics, take a look at the dangers and consequences of insider attacks.
Organizations must understand the role of data in today’s environment. Protecting data is no longer just IT’s responsibility. It is the responsibility of every internal person to protect their data. With insider threats representing the primary vector for 60 percent of data breaches, organizations need to scrutinize the threats walking through their door every day with as much rigor as they show when securing the perimeter from external attackers.
Develop and perform insider threat awareness training and periodic security training for all employees. Train all new employees, vendors and contractors in security awareness before giving them access to any computer system. Perform your own phishing attacks on their mailboxes or make social engineering attacks by phone. Be sure to provide additional training for anyone who doesn't pass these tests. Encourage employees to report security issues and train them on how they can help reduce the insider threat.
Work with HR to develop a strong user termination procedure to protect your organization legally and technologically from former employees. These should include:
- Disabling the departing employee’s account.
- Disabling the user’s email logins.
- Changing all shared account passwords that the departing user knows.
- Terminating access to voicemail. Forwarding phone and voicemail to the user’s manager.
- Terminating VPN and Remote Desktop access.
- Informing company staff that the user is no longer employed there.
- Etc. Etc.
While the term “Insider Threat” has somewhat been co-opted to mean strictly malicious actions, there is a broad spectrum of insider threats. Not all insider threats are alike; they differ greatly in motivation, awareness, level of access and intent.
For each kind of insider threat, there are various technical and non-technical controls that organizations can adopt in order to improve detection and prevention. Gartner groups insider threats into four specific categories:
- The Goof
- The Pawn
- The Collaborator
- The Lone Wolf
Goofs do not act with malicious intent, but they deliberately take potentially harmful actions. Goofs are ignorant or arrogant users who believe they are exempt from security policies, whether out of convenience or inexperience. Ninety-five percent of organizations have staff members who are actively attempting to bypass security controls, and almost 90 percent of insider incidents are caused by goofs. An example of a goof is a user who stores unencrypted personally identifiable information (PII) in cloud storage for easy access on their devices, despite knowing that this is against security policy.
Pawns are staff members who are manipulated into carrying out malicious tasks, usually unwittingly, through spear phishing or social engineering. Whether it is an unwitting employee downloading malware to their workstation or a user disclosing credentials to a third party posing as a helpdesk worker, this vector is one of the broadest targets for attackers looking to cause damage to the organization.
One example involved Ubiquiti Networks, which was the victim of a spear-phishing attack in which emails purporting to come from senior executives directed employees to transfer $40 million to a subsidiary's bank account. The employees were unaware at the time that the emails were spoofed and that the bank account was controlled by fraudsters.
Collaborators are users who cooperate with a third party, oftentimes competitors and nation-states, to use their access in a way that intentionally causes harm to the organization. Collaborators typically use their access to steal intellectual property and customer information or to cause disruption to normal business operations.
Lone wolves are entirely independent and act maliciously without external influence or manipulation. Lone wolves are especially dangerous when they have elevated levels of privilege, such as system administrators or database administrators. A classic example of a lone wolf is Edward Snowden, who used his access to classified systems to leak information relating to cyber espionage at the NSA.
As mentioned, privileged accounts represent high-value targets for insiders. Organizations should adopt a privileged access management stance and feed data about access to privileged accounts into their SIEM. User behavioral analytics can detect things such as abnormal login attempts, out-of-hours logins or multiple failed logon attempts and generate an alert where appropriate for a security analyst to evaluate.
You can also use your SIEM to monitor sensitive data areas in order to see who has accessed what data by utilizing object-level auditing within Windows and Linux systems. This can all be coordinated through correlation rules and alerts so that security analysts can review each event and either keep it for later analysis or escalate it for further review.
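As an added illustration of the user behavioral analytics rules just described (example code, not NNT's product or the page's own), the following applies two simple detections to constructed authentication events: an out-of-hours successful login by a privileged account, and a run of failed logons within a short window, with the success that follows such a run flagged for analyst review. The account names, business hours and thresholds are assumptions.

```python
# Added example (not NNT's code): UBA-style rules over constructed authentication
# events, of the kind a SIEM would correlate for privileged accounts.
from collections import defaultdict
from datetime import datetime

# Constructed sample events, one per line: "timestamp user result source_ip".
SAMPLE_EVENTS = """\
2024-03-04T09:12:01 alice SUCCESS 10.0.0.12
2024-03-04T23:41:07 dbadmin SUCCESS 10.0.0.44
2024-03-04T11:00:01 bob FAILURE 10.0.0.23
2024-03-04T11:00:09 bob FAILURE 10.0.0.23
2024-03-04T11:00:15 bob FAILURE 10.0.0.23
2024-03-04T11:00:20 bob FAILURE 10.0.0.23
2024-03-04T11:00:31 bob SUCCESS 10.0.0.23
2024-03-04T14:30:00 sysadmin SUCCESS 10.0.0.5
"""

PRIVILEGED = {"dbadmin", "sysadmin"}   # hypothetical privileged account names
BUSINESS_HOURS = range(8, 19)          # 08:00-18:59 counts as in-hours (assumption)
FAILURE_THRESHOLD = 3                  # failures inside the window that trigger an alert
FAILURE_WINDOW_SECONDS = 300

def parse_events(text):
    """Turn the raw event lines into (datetime, user, result, source_ip) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, result, src = line.split()
        events.append((datetime.fromisoformat(ts), user, result, src))
    return events

def detect(events):
    """Return alert strings for out-of-hours privileged logins and bursts of failed logons."""
    alerts = []
    failures = defaultdict(list)   # user -> timestamps of recent failed logons
    for ts, user, result, src in sorted(events):
        if result == "SUCCESS" and user in PRIVILEGED and ts.hour not in BUSINESS_HOURS:
            alerts.append(f"OUT_OF_HOURS_PRIV_LOGIN {user} {ts.isoformat()} {src}")
        if result == "FAILURE":
            # Sliding window: keep only failures within FAILURE_WINDOW_SECONDS of this one.
            recent = [t for t in failures[user] if (ts - t).total_seconds() <= FAILURE_WINDOW_SECONDS]
            recent.append(ts)
            failures[user] = recent
            if len(recent) == FAILURE_THRESHOLD:   # alert once, when the threshold is reached
                alerts.append(f"REPEATED_FAILED_LOGON {user} x{FAILURE_THRESHOLD} {src}")
        elif result == "SUCCESS" and len(failures[user]) >= FAILURE_THRESHOLD:
            # A success straight after a burst of failures deserves an analyst's look.
            alerts.append(f"SUCCESS_AFTER_FAILURES {user} {ts.isoformat()} {src}")
    return alerts
```

Running `detect(parse_events(SAMPLE_EVENTS))` yields three alerts: the repeated failures for bob, bob's subsequent success, and dbadmin's late-night login.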
Continuous File Integrity Monitoring combined with continuous configuration hardening assessment and reporting is the only true solution for maintaining secure systems. Branded checklists such as the CIS Benchmarks are a great source of hardening best practices, but they are not the only option available. In fact, manufacturer-provided checklists are generally a more focused source of vulnerability mitigation best practices for appliances, network devices and similar equipment. Remember that there may be a wide choice of checklists using different terms and language, but ultimately there is only one way to harden any particular system. What matters most is that you apply the hardening measures appropriate for your environment, balancing risk reduction against operational and functional compromises, and that you monitor those systems and devices for any drift or change from the standard your organization sets.
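As an added example of the file integrity monitoring and drift detection described above (example code, not NNT's product or the page's own), the following takes a hashed baseline of a directory, then re-scans it and classifies every difference as an added or removed file, changed content, or changed permissions. The file names and their contents are a constructed scenario standing in for a hardened host.

```python
# Added example (not NNT's code): minimal file integrity monitoring baseline and drift check.
import hashlib
import os
import pathlib
import tempfile

def file_digest(path):
    """SHA-256 of a file's contents."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def baseline(root):
    """Snapshot: relative path -> (sha256, permission bits) for every file under root."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            snap[os.path.relpath(full, root)] = (file_digest(full), os.stat(full).st_mode & 0o777)
    return snap

def drift(old, new):
    """Classify differences between two snapshots, the way a FIM alert would report them."""
    findings = []
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            findings.append(("ADDED", rel))
        elif rel not in new:
            findings.append(("REMOVED", rel))
        elif old[rel][0] != new[rel][0]:
            findings.append(("CONTENT_CHANGED", rel))
        elif old[rel][1] != new[rel][1]:
            findings.append(("MODE_CHANGED", rel))
    return findings

def demo():
    """Constructed scenario: baseline a hardened host directory, then simulate drift."""
    with tempfile.TemporaryDirectory() as root:
        cfg = pathlib.Path(root, "sshd_config")
        cfg.write_text("PermitRootLogin no\n")
        cfg.chmod(0o600)
        sudoers = pathlib.Path(root, "sudoers")
        sudoers.write_text("%admin ALL=(ALL) ALL\n")
        sudoers.chmod(0o440)
        before = baseline(root)
        # Simulated drift: a weakened setting, loosened permissions, an unexpected new file.
        cfg.write_text("PermitRootLogin yes\n")
        sudoers.chmod(0o666)
        pathlib.Path(root, "authorized_keys").write_text("constructed-key-material\n")
        return drift(before, baseline(root))
```

`demo()` returns the three findings in path order: the added `authorized_keys`, the content change to `sshd_config` and the permission change on `sudoers`.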
NNT provides the ultimate protection against all forms of cyberattacks and data breaches with its SecureOps™ strategy. This unique approach blends established best practices for security and IT service management to deliver an all-inclusive solution that identifies unknown and potentially malicious events in real-time to assist with the mitigation and protection from Insider Threats. By combining the essential prescribed security controls with advanced threat prevention, detection and intelligent change control technology, organizations can rest assured that systems are secured and fit for purpose, with any deviations from this state intelligently analyzed, recorded and alerted for review.