While most businesses are focused on preventing and mitigating external threats, there is often a greater danger their security teams need to worry about closer to home – insider threats. Contrary to popular belief, breaches occur not just at the hands of disgruntled employees, but also unintentionally, at the hands of non-malicious employees who are simply unaware.
Security teams tend to focus more on technologies and processes, often ignoring the human element, which has emerged as the biggest challenge. There is always a huge price to pay when companies don’t invest in creating and improving employee awareness about their security policies.
“Insider threats are as old as walled cities, and the traitors within them – history books are filled with examples of people inside a defensive structure who find it to their advantage to compromise security. Indeed, insider threats are hardly an IT problem at all – they are primarily an organisational and personnel problem,” says Mike Lloyd, CTO, Redseal.
Marc Kassis, security director at Ingram Micro, says trends indicate that the majority of insider attacks are caused by accidental actions of employees. The consequences of these threats range from leakage of confidential data to non-availability of business-critical infrastructure.
“Addressing insider threats through the lens of technology alone is not sufficient. For instance, phishing and social engineering involve minimal technology exploits. The best technology controls can be bypassed by a well-crafted phishing mail. Hence, the need of the hour is a holistic approach to security, encompassing people and processes in addition to technology,” he adds.
Brian Chappell, senior director, Enterprise and Solution Architecture, BeyondTrust, says the insider threat, while distinct, is also a massive part of the external threat pattern. “In virtually all successful outside attack patterns, once the attacker is through the initial layer of defence, they are, for all intents and purposes, an insider. They are using the same techniques and methods that are associated with the insider threat. Given that the initial defence is an ever-changing landscape, we also need to assume that it will be breached (if it hasn’t already happened).”
There are some typical patterns and trends found in insider threat cases. Werno Gevers, business development manager, Middle East, Mimecast, says there are broadly three insider threat profiles which businesses need to understand. “The first one is the compromised insider, when an external attacker takes over the accounts, credentials or systems of unsuspecting users through either a phishing email or the installation of various forms of malware. Second is the case of the careless insider, who simply ignores or doesn’t fully understand their organisation’s security policies and rules.”
Then comes the malicious insider. Gevers says these threat actors either intend to profit personally from the organisation or to do it damage by stealing, leaking or compromising confidential data and employee or customer information. When they strike, malicious insiders can cause significant damage.
Thankfully, it seems that businesses are now starting to recognise that the authorised users on their networks are a risk, and they’re taking steps to minimise that risk. However, the challenge is striking the right balance between insider threat protection and employee privacy.
“A balance is often hard to maintain. When looking at protecting employee privacy on the data collected, one important method is to build the proper process and procedures to control and compartmentalise access to the data. One example would be to put into place a dual authentication method where someone from human resources or legal is present to inspect the data. Of course this assumes that any solution has the ability to obfuscate data that might be sensitive or private,” says Thomas Fischer, global security advocate, Digital Guardian.
John Bambenek, threat manager, Fidelis Cybersecurity, says two major best practices greatly reduce the risks: separation of duties and least privilege. If insiders don’t have access beyond what their job requires, the amount of harm they could cause is greatly limited. Before any employee can do something ‘sensitive,’ there should be another approver in the chain of events, which also makes insider threats easier to detect.
How do you protect against insider threats? Admitting the problem exists is the first step to addressing it. If organisations and IT admins recognise the risk posed by internal users, they can take steps to mitigate or minimise that risk.
The best protection remains education and training employees to identify risky behaviour and malicious attacks. Ensuring that employees understand company policies on information usage and that these policies are easy to adhere to is paramount. Solutions that notify or prompt the user when an activity could potentially put the company at risk work most effectively, enabling the user to make informed decisions and learn in the process.
Systems are being breached with direct access via compromised credentials, which means a perimeter-based approach is no longer as effective as once believed, since it focuses on networks, firewalls and devices rather than on identities. “Implementing strong security controls and access policies is paramount to minimising the risk of loss – of credibility, revenue or even a dip in stock price as evidenced by the Day One market reaction to the recent Equifax breach,” says Kamel Heus, regional manager, MEA, Centrify. “Organisations should strive towards a state of zero trust through Just Enough Privilege, granted Just In Time. Central to this theme is migrating to a role-based access control (RBAC) model that is dynamic, using short-lived instead of long-lived privileges.”
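A toy authorisation model of the controls Bambenek and Heus describe above (least privilege, an independent second approver for sensitive actions, and short-lived just-in-time role grants), added here as an illustration; it is not code from the article or from any vendor named in it, and the role names, users, actions and timestamps are constructed.

```python
"""Added example (not from the article): a toy authorisation model combining
least privilege, separation of duties (an independent second approver for
sensitive actions) and just-in-time role grants that expire after a short TTL."""

# Constructed roles: the only actions each role may perform (least privilege).
ROLES = {
    "analyst": {"read_report"},
    "dba": {"read_report", "export_customer_data"},
}
SENSITIVE = {"export_customer_data"}  # actions needing a second approver
JIT_TTL = 900  # seconds a just-in-time elevation stays valid


class AccessPolicy:
    def __init__(self, base_roles):
        self.base_roles = base_roles   # user -> set of standing roles
        self.jit_grants = {}           # user -> list of (role, expires_at)

    def elevate(self, user, role, approver, now):
        """Grant a short-lived role; the approver must be someone else."""
        if approver == user:
            raise PermissionError("approver must be independent of the requester")
        self.jit_grants.setdefault(user, []).append((role, now + JIT_TTL))

    def effective_roles(self, user, now):
        """Standing roles plus any JIT grants that have not yet expired."""
        live = [(r, exp) for r, exp in self.jit_grants.get(user, []) if exp > now]
        self.jit_grants[user] = live  # forget expired grants
        return set(self.base_roles.get(user, set())) | {r for r, _ in live}

    def authorize(self, user, action, now, approver=None):
        """Allow only if a live role permits the action and, for sensitive
        actions, an independent approver signed off on this request."""
        permitted = any(action in ROLES.get(r, ()) for r in self.effective_roles(user, now))
        if not permitted:
            return False
        if action in SENSITIVE and (approver is None or approver == user):
            return False
        return True
```

Because every elevation is time-boxed and every sensitive action needs a named second person, the audit trail records who approved what and when, which is what makes misuse detectable after the fact.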
Attackers will take the path of least resistance, and employees – and IT in many instances – will unwittingly help them, says Mohammed Al-Moneer, regional director, MENA, A10 Networks. There will always be employees who will fall prey to phishing, surf exploited sites, or use free Wi-Fi from a coffee shop to open the door for the attacker. Also, common infrastructure weaknesses are the ‘exploit of choice’ to land a beachhead within an organisation, such as using an SQL query to find cached credentials, or finding a publicly exposed unpatched server to exploit. And then there is always the fallback to first-initial-plus-last-name with password1234.
“The best way to prevent this is to slow attackers down by using good identity hygiene: implementing multi-factor authentication, using longer pass phrases over passwords, deprecating expired employee accounts and monitoring access logs. However, the industry is making improvements in identity around trust by using multi-context analysis strategies that include time of access, country of origin, host computer in use, and other behavioural analyses to add weight to identity,” says Al-Moneer.
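The multi-context analysis Al-Moneer describes (time of access, country of origin, host in use) can be sketched as a small scorer, added here as an example that is not from the article or any vendor's product; the log lines, thresholds and the three-signal scoring are constructed for illustration.

```python
"""Added example (not from the article): toy multi-context sign-in scoring.
It learns each user's usual hours, countries and hosts from constructed log
lines, then scores new sign-ins so unusual context triggers an MFA step-up."""
from collections import defaultdict

# Constructed access-log lines: user,hour(0-23),country,host
HISTORY = """\
alice,09,AE,LAPTOP-A
alice,10,AE,LAPTOP-A
alice,17,AE,LAPTOP-A
bob,08,GB,WS-B
"""
STEP_UP_THRESHOLD = 2  # risk at or above this requires an MFA challenge


def build_baseline(lines):
    """Per-user profile of the hours, countries and hosts seen before."""
    base = defaultdict(lambda: {"hours": set(), "countries": set(), "hosts": set()})
    for line in lines.strip().splitlines():
        user, hour, country, host = line.split(",")
        base[user]["hours"].add(int(hour))
        base[user]["countries"].add(country)
        base[user]["hosts"].add(host)
    return base


def score(baseline, user, hour, country, host):
    """One point per unfamiliar context signal; an unknown user scores the maximum."""
    prof = baseline.get(user)
    if prof is None:
        return 3
    risk = 0
    # Outside the user's previously observed hours, allowing one hour of slack.
    if not any(abs(hour - h) <= 1 for h in prof["hours"]):
        risk += 1
    if country not in prof["countries"]:
        risk += 1
    if host not in prof["hosts"]:
        risk += 1
    return risk


def decide(baseline, user, hour, country, host):
    """Map the combined risk to 'allow', 'mfa' (step-up) or 'deny'."""
    risk = score(baseline, user, hour, country, host)
    if risk >= 3:
        return "deny"
    return "mfa" if risk >= STEP_UP_THRESHOLD else "allow"
```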
Miguel Braojos, VP, Global Sales Identity and Access Management Solutions, HID Global, highlights that compartmentalisation, monitoring, and MFA are ideal approaches to curbing access to sensitive data and avoiding unauthorised access by insiders. “Education is paramount if employees are to be aware of the phishing emails and emails containing ransomware. For outsiders, most attacks are financially motivated and it’s important that employees are aware of the basic signatures that come with malware. Companies need to practise basic security hygiene that could help in warding off a number of security breaches.”
Having a proactive insider threat protection framework entails proper planning, appropriate policies, a reporting structure, and human and technological systems.