The security industry has been discussing the “insider threat” for years. It is not new; it is an old-school attack that has become public because of the nature, quantity, and sensitivity of the data now being stolen electronically.
Years ago, these attacks occurred on a regular basis, but did not have the same labels or stigma they have today. I am not saying they were acceptable back then. We just need to be realistic about what an Insider Threat is and acknowledge that it has been going on in various forms for hundreds of years.
By definition, an Insider Threat is an internal persona behaving as a threat actor. Regardless of the techniques they are using, they are not behaving in the best interest of the company, potentially breaking the law, and exfiltrating information they do not have permission to possess.
An old-school example of this type of threat is client lists, an Insider Threat that is still relevant today, by the way. A salesperson, executive, or other employee who is planning to leave an organization may have photocopied or printed client lists and orders before leaving, to have a competitive edge when they start with a new employer. The volume of paper would have to be substantial to make an impact, but leaving with confidential information on printed paper is still an insider threat.
Obviously, they were not leaving with file cabinets of material, but today, with electronic media and the internet, that volume of data could easily be egressed without anyone noticing. And, as a reminder, that file cabinet of sensitive information can easily fit on a USB thumb drive in a person’s pocket. That is why we now have a label for this type of threat and why Insider Threats are becoming more relevant. The crime is old, which still makes security professionals sick to their stomachs, but the methods and volume are new, and they require a new strategy to protect against.
Insider Threats occur for a variety of reasons, all of which come down to a person looking to hurt an organization or gain an advantage over it. Regardless of their intent, it is the digital aspect of an Insider Threat that warrants the most attention. Human beings will do the most unusual things in the most dire of situations, but if they are not permitted to do them, many of the risks of Insider Threats can be mitigated. Consider the following for your business:
- How many people have access to sensitive information in bulk? This does not mean using a program to retrieve one record at a time, but rather who has direct access to the database or can run a report to dump large quantities of information from a query.
- Are all accounts valid people that are still employed or relevant?
- How often do you change the passwords for sensitive accounts?
- Do you monitor privileged access to sensitive systems?
So, in fairness, answering those questions honestly could be opening a Pandora’s box. You should, however, answer them if you care about Insider Threats. Here is why:
- Only administrators (not even executives) should have access to data in bulk. This prevents an insider from dumping large quantities of information, and it prevents an executive’s account from being compromised and leveraged against the organization.
- No user should ever use an administrative account for day-to-day tasks like email. This includes administrators themselves, in case their accounts are compromised too. Every user should have standard user permissions for daily work.
- All access to sensitive data should be valid employees only. Former employees, contractors, and even auditors should not have access on a daily basis. These accounts should be removed or deleted per your organization’s policy.
- Employees come and go. If passwords stay the same as people leave and new hires join, the risk to sensitive data increases, since former employees still know the passwords to the company’s sensitive information.
- Monitoring privileged activity is critical. This includes logs, session monitoring, screen recording, keystroke logging, and even application monitoring. Why? If an Insider is accessing a sensitive system to steal information, session monitoring can document their access, how they extracted the information, and when.
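As an added illustration of the bulk-access, stale-account and monitoring points above (this is example code, not from the original post), here is a small Python check that walks database audit log lines and flags access by accounts missing from the active-employee roster and bulk row exports by accounts that are not database administrators. The log format, roster, admin list and row threshold are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample data (hypothetical): the HR roster of active employees ...
ACTIVE_EMPLOYEES = {"alice", "bob", "carol"}
# ... and the accounts permitted to query the customer database in bulk.
DATABASE_ADMINS = {"carol"}
# Queries returning more rows than this count as a bulk dump (tune per system).
BULK_ROW_THRESHOLD = 1000

# Constructed database audit log in a made-up key=value format.
SAMPLE_LOG = """\
ts=2024-03-01T09:12:01Z user=alice db=crm rows=12 stmt="SELECT * FROM clients WHERE id=?"
ts=2024-03-01T09:40:17Z user=bob db=crm rows=48210 stmt="SELECT * FROM clients"
ts=2024-03-01T10:02:55Z user=dave db=crm rows=3 stmt="SELECT name FROM clients WHERE id=?"
ts=2024-03-01T10:15:30Z user=carol db=crm rows=48210 stmt="SELECT * FROM clients"
ts=2024-03-01T11:01:00Z user=bob db=crm rows=7 stmt="SELECT * FROM orders WHERE id=?"
"""

LINE_RE = re.compile(r'ts=(\S+) user=(\S+) db=(\S+) rows=(\d+) stmt="([^"]*)"')

@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    reason: str
    rows: int

def parse_line(line):
    """Return the fields of one audit line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, db, rows, stmt = m.groups()
    return {"ts": ts, "user": user, "db": db, "rows": int(rows), "stmt": stmt}

def review_audit_log(log_text, active=ACTIVE_EMPLOYEES, admins=DATABASE_ADMINS, threshold=BULK_ROW_THRESHOLD):
    """Flag stale-account access and bulk exports by accounts without admin rights."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # unparseable line; a real tool would count these too
        if rec["user"] not in active:
            findings.append(Finding(rec["ts"], rec["user"], "account not in active roster", rec["rows"]))
        if rec["rows"] > threshold and rec["user"] not in admins:
            findings.append(Finding(rec["ts"], rec["user"], "bulk export by non-admin", rec["rows"]))
    return findings
```

Running `review_audit_log(SAMPLE_LOG)` on the constructed log yields two findings: bob’s 48,210-row dump and the query by dave, who is no longer on the roster; carol’s identical dump is allowed because she is a database administrator.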
If you think that following all of these steps will make you safe from Insider Threats, you are wrong. That assumes the threat actor comes in through the front door to steal information or conduct malicious activity.
Insider Threats can also evolve from traditional vulnerabilities, poor configurations, malware, and exploits. A threat actor could install malicious data capturing software, leverage a system missing security patches, and access resources using backdoors to conduct similar types of data gathering activity.
Insider Threats are about stealing information and disrupting the business, but depending on the sophistication of the threat actor, they can use tools that traditionally are associated with an external threat. We have seen this with recent breaches at the CIA, NSA, Yahoo, and even the Swift Network Banking Systems.
Therefore, we need to realize that Insider Threats really come from two sides: excessive privileges (covered above) and poor security hygiene (vulnerability management). To that end, all organizations should also regularly perform these tasks to keep their systems protected:
- Ensure anti-virus or endpoint protection solutions are installed, operating, and stay up-to-date.
- Allow Windows and third-party applications to auto update or deploy a patch management solution to deploy relevant security patches in a timely manner.
- Utilize a vulnerability assessment or management solution to determine where risks exist in the environment and correct them in a timely manner.
- Implement an application control solution to allow only authorized applications to execute with the proper privileges to mitigate the risk of rogue, surveillance, or data collection utilities.
While these seem very basic, in reality most businesses do not do a good job even at the security basics. If they do, the risk of Insider Threats can be minimized by limiting administrative access and keeping information technology resources up-to-date with the latest defenses and security patches.
Insider Threats are not going to go away. They have been around for hundreds of years; however, the medium and techniques for stealing information have evolved with modern technology. The goal is the same: stop the data leakage, and be aware that an Insider has multiple attack vectors to achieve their goals.
As security professionals, we need to mitigate the risks at the source. A briefcase of paper is still an Insider Threat, but not as relevant as a USB stick holding your entire database of client information.