Brian Jackson - Fotolia
Few people like to think about the potential for security attacks from colleagues and business partners, yet the insider threat remains a significant one for many organisations.
Someone with authorised access to an organisation’s systems is inevitably the most difficult to detect and often the most damaging to the business.
People within an organisation, such as employees, ex-employees, contractors and business associates, inevitably have inside information about its security practices, information and computer systems. If they become unhappy with their employer or find themselves in financial difficulty, there may be little to stop them exploiting their privileged position to steal or damage information or systems.
Motives for insider attacks vary considerably: financial gain, revenge, a feeling of entitlement, even ideological objectives. The hacker may have been a loyal employee for many years, but then found themselves in debt with no obvious way out. They may have been threatened or bribed by criminals, or persuaded to break the rules by activists with a political agenda. In some circumstances, they may even have taken the job with the deliberate intention of compromising your organisation.
Recent research from both government and private industry has highlighted several key weaknesses that make organisations vulnerable to such attacks:
- Poor management practices
- Poor use of auditing functions
- Lack of protective security controls
- Poor security culture
- Lack of role-based personnel security risk assessment
- Poor pre-employment screening
- Poor communication between business areas
- Lack of awareness of ‘people risk’ at a senior level
- Inadequate corporate governance
Read more about the insider threat
- This survey of 500 cyber security professionals offers insight into the state of insider threats and solutions to prevent them.
- University of Greenwich data breach highlights the dangers of insider threats.
- Malicious employees are usually the focus of insider threat protection efforts, but accidents and negligence are often overlooked data security threats.
- This report from analyst group Quocirca looks at the challenges faced by organisations when it comes to the insider threat and the protection of sensitive information.
Consider the following example. A senior employee copies sensitive files from a secure server to the My Documents folder on their laptop in order to work at home. An automatic process backs up each user’s My Documents folder to another server whenever they are connected to the corporate network. Unfortunately, the backup server has poorly configured access permissions, allowing a malicious insider to access the otherwise secure files – and steal them.
So how do we minimise this risk? There are five key areas we need to address: staff vetting, education, protective controls, detective controls and security testing.
Many organisations do minimal and inconsistent checks on potential new employees. Worse, few conduct proper checks on contract staff, temporary workers and businesses in their supply chain.
Staff should be vetted prior to employment, based on the level of access they will have to sensitive information and whether they will have privileged system access – as is the case for IT staff. Third-party vetting services are widely available and inexpensive when compared with the potential impact of a security breach.
Minimum checks include credit and directorship searches, address verification, employment references, and verification of education and professional qualifications. More detailed checks should include employment gap analysis, criminal record checks, passport integrity checks, UK driving licence verification and identity verification.
Policy and education
A general lack of adherence to security policies and practices by employees is quite common, yet management are either unaware of these problems or fail to deal with them effectively.
Examples of the most common issues are sharing of passwords, not locking computers, allowing others to use logged-on computers, sensitive materials being left on desks, and a failure to enforce restricted access to secure areas.
It is not enough to write a set of policies and then insist on regular computer-based training. An investment in a well-designed awareness programme is essential, using every possible means of communicating key messages. Story-telling with relevant examples and personal impact will get better results than boring, bald facts.
Despite the controls available to every organisation, the same problems appear every time a security review is conducted, with the discovery of excessive access permissions, multiple copies of valuable data, access for staff who have left the business, inadequate remote access controls and excessive third-party access.
Consider this checklist to improve your protective controls:
- Encrypt valuable information – don’t rely on simple logons and passwords
- Audit and fix excessive access permissions – allow access on a ‘need to know’ basis only
- Locate and remove unnecessary copies of valuable data
- Minimise information held on workstations and laptops
- Revoke all access for staff who have left the business
- Prevent privilege escalation by improving password quality and applying patches
- Secure all remote access by deploying multifactor authentication and VPNs
- Audit and control third parties, and segregate and limit their access
The most common problems with detective controls include poor logging and alerting, an absence of formal incident reporting and response, high-risk staff being ignored, and no regular staff stress reviews. In particular, human factors seldom feature in an organisation’s security detection plans, yet they are the most significant indicators of a potential problem.
This checklist will help ensure early detection:
- Analyse the logs from workstations, servers, applications, file transfer, removable devices, mobile devices and perimeter devices
- Implement formal incident reporting and response processes, and communicate this to all staff
- Provide a whistleblower facility to encourage incident reporting
- To pre-empt a potential incident, manage staff who have poor relationships with colleagues, suffer from absenteeism or display antisocial behaviour
- Conduct regular stress assessments with all staff, with more frequent reviews for those with privileged access
- Consider investing in network and application behavioural analysis tools
Testing and reviews
Businesses seldom conduct their own internal reviews and tests unless compelled to do so by regulatory requirements. Some regular, basic checks can reduce the likelihood of an insider attack by reducing your vulnerabilities.
These checks are:
- Audit the access permissions for each sensitive or valuable information asset
- Search your network for duplicate copies of important data and similar files
- Test the access permissions for some sample users
- Check for active accounts that should be disabled
- Look for missing policies
- Seek out missing procedures
Finally, get some independent help to conduct a threat and risk analysis, followed by simulated attacks (red team testing) to exercise your protective and detective controls.