The Insider Threat: How To Mitigate The Top Three Human Risks To Your Company’s Information Systems.
We lock our systems and networks down, we install the latest and greatest Intrusion Detection/Prevention Systems (IDS/ IPS), and we have the best physical security at all of our physical locations.
Yet, we still have a risk for breach. It is the human factor, and it will always be your weakest link. As long as we have business, we will have people who run them. Moreover, as long as we have people, we will have the risk of insider threat.
We look at the definitions of insider threats, the differences between the two major types, and the top three insider threats facing small and medium sized businesses based on industry research as of 2018. We also give you tips you need to secure your business against them.
What is an insider threat, and better yet, what is an “insider” in this case?
An insider is anyone with various levels of authorized access to your information systems. This list can include; regular, part time and temporary employees, contractors, vendors, and even clients who have access to a deeper portion of your information than the surface layer. There are two types for the most part; we can consider them “malicious” and “benevolent”
What are the differences between the two?
It can be, but let us differentiate the two main types, the “malicious” and the “benevolent”.
Malicious Insider – These are the malicious and deliberate threats. The malicious insider may have goals of a one-time payout from selling information. They may wish to deliberately compromise or map systems for later attacks from another entity. They may wish to steal secrets to give to competitors.
Benevolent Insider – These are the average everyday employees that go about their business of making the widgets, or writing the programs, or selling the products for the business. They have no ulterior motives, and are just doing their jobs their threat is from accidental misuse, or exploitation by a malicious actor.
The biggest differences are motivations, and deliberation. The malicious threat is knowledgeable and deliberate in their actions. The benevolent, is not usually knowledgeable of their actions that may cause harm, especially not of the consequences, and they have no deliberate sinister motives.
Many of the threat vectors, the ways the systems can be compromised, can overlap. The differences in how they are dealt with between the two are important.
Wow, so how do I keep “insiders out?
Well, as we mentioned before, people make your business run. You can mitigate, or lessen the chance of a system compromise happening before it becomes a breach however. You can also lessen the impact of a compromise or breach, and minimize the time it takes to recover with some of these tips.
We have them broken out by the most common threats and vectors, and what you can do to mitigate each threat to an acceptable risk level. Remember, each business and information system is unique, and its best to consult with an expert to determine the approach to cyber risk remediation that is best for you.
Just like with any threat you will need a suite of security that works together across all defense layers, and helps to lessen the chances of realization, and barring that, reduces the impact from any risk. A good managed security service provider (MSSP) can help you create a layered defense in depth that can defend your information systems no matter their size or configuration.
What Is The Biggest Threat?
Social Engineering – Social engineering is a derivative of human behavior, human intelligence collection, and other psychological understanding. We are mostly familiar with phishing, in which a malicious source sends an email with the hopes that someone clicks on a link unawares.
The other, less frequent, but more effective way when done well is real time interaction. Either face to face, or over other media, a social engineer can contact an employee, and impersonate an authority figure, or other personnel, and gain immediate access to your information systems.
What Can We Do About It?
This is the big one, honestly. The easiest way to infiltrate a system is to get the user credentials and login (passwords), and the most tried and true method is to simply ask. According to a former Human Intelligence Collector with over 15 years of experience.
“In the fields of Human intelligence Collection (HUMINT) and Social Engineering, there are several universal truths. One of these is the use of cognitive biases, or “bugs in the human hardware/ software”, to gain recent, relevant, and actionable information. Another is that nearly everyone says, “That won’t work on me”…usually right before it does.”[i]
This means there are several methods and techniques that manipulate a person into trusting the social engineer.
To combat a social engineer, at least a good one, boils down to education and vigilance. Educate your employees on the methods of phishing, vishing, and other social engineering techniques. Set policies within the organization to prohibit the sharing of passwords, choosing of weak credentials, and giving information through unauthorized channels. Give them the tools to recognize sites that are official vs. those that are malicious.
Let them know to immediately report any suspicious activity, even from a seemingly trustworthy (perhaps a fellow insider) source. Train well and train often.
We can, using threat intelligence and analysis, understand the most recent types of attacks that social engineers will use to get in. Finally, and most importantly, we can use behavioral analytics to determine a baseline for the information system activities within the organization, and create alerts that trigger at the pre-determined thresholds. A local HR account that normally sends 3 or 4 emails a day, suddenly sending 200+ with attachments totaling over 5 GB for instance.
These types of behaviors along with network mapping and log management from a reputable MSSP can mean the difference between an insider getting your most valuable information and keeping your network safe.
A good social engineer does not need much to get in, but can be handled as long as you develop your training programs, and teach your employees to resist!
What Is The Threat?
Bring Your Own Device (BYOD) – An employee can bring in a personal device and connect to the network environment without a proactive solution to immediately identify and block unauthorized devices in a timely manner. BYOD devices can connect to the network and access shared drives using login credentials to exfiltrate sensitive data to personal devices without detection.
The same employee can install malware using a BYOD allowing command and control of engineering assets from a corporate network entry point.
What Can We Do About It?
Management should create or expand their network access controls, and data loss prevention (DLP) controls This will keep users from accessing things like company emails with confidential data without logging and company ability to block things like downloads, or specific emails.
A well-managed Security information and event management (SIEM) tool can help you get the baseline of normal activity for your network. Using automated security orchestration can help your security section nip any suspicious activity in the bud.
Finally, and this is important in all aspects of the human factor, make sure your employees are appropriately trained and made aware of the nature of cyber threats as it relates to privacy and data protection. They must also understand that they should act as an extension of their organization’s security team.
What Is The Threat? –
Data Loss Through Removable Media -Employees with access to removable media are able to access sensitive Aptar data with credentials, and exfiltrate sensitive information using unauthorized devices not approved by Aptar.
What Can We Do About It?
This is an issue with knowing what devise should, and more importantly, should not be on your networks, then comes monitoring and detection. Again, a SIEM solution can help with that part. The next step should be to implement a Host-based Intrusion Detection System (HIDS)/Host-based Intrusion Prevention System (HIPS). Your security team or MSSP can help you integrate these and other security services into a strong 360 degree security plan.
In addition, you should consider blocking or disabling USB ports by default and enabling them on a case-by-case basis. If this is not possible, at the least, consider implementing rules to scan removable media through a DLP solution.
So What Does All This Mean?
The bottom line with the insider is to understand the person, and their motivations. Then understand how they would want to attack your business in the case of a malicious insider, and where they are unaware of policies, and threats, and how to keep data safe in the case of benevolent employees.
Train your employees and strengthen them as a link in the chain that protects your sensitive data and the bottom line of your business.
These are the top three insider threats based on industry research. Your business might face other threats, it is always best to have an independent assessment and remediation plan to understand the risks to your business.
Get your IT security team, or your MSSP to help you understand these threats in the context of your environment.