
The cyber threats lurking within every company

Insider threats have been around for a long time, but it is only recently that people have begun to acknowledge the true danger they pose

This article can also be found in the Premium Editorial Download: Computer Weekly: Data danger: Cyber threats lurk inside every company

Unlike conventional cyber attacks, which seek to breach the defences of a network, insider threats circumvent these defences because they originate from within the network.

“Insider threat is absolutely the major threat facing organisations,” says Colin Tankard, managing director of Digital Pathways. “In the worst-case scenario, [companies] get a bad infection and you have to go back to the cold metal, where you have to wipe everything out and rebuild, and that can cost a fortune.”

While most companies have a robust defence mechanism against external threats, many neglect to consider internal threats that may be lurking within their own systems. This leads to a distinct weakness within their network defences.

“Your firewalls and content-checking are all looking at information going in and out of the building, not information staying on and moving around the network,” says Tankard. “That is where a lot of organisations do not think about network security.”

Insider threats are an increasingly real danger facing companies. In one such incident in August 2016, UK-based accounting software firm Sage had the payroll details, including bank account and salary information, of more than 200 customer companies leaked through the actions of one of its employees.

“Criminal entrepreneurs are quite prepared to plant people inside major organisations to blackmail or bribe employees,” says BT Security head Mark Hughes.

While fraudulent behaviour by employees is one obvious aspect of this danger, insider threats can originate from diverse sources that can be broken down into three distinct areas:

  • Employees: Rogue members of staff, or those who unwittingly cause an incident through errors.
  • External contractors: Since many companies now outsource part of their operations, third parties can gain access to sensitive information on the network.
  • Malicious applications: Compromised systems within the network that have been co-opted to perform other tasks detrimental to the company.

The danger of insider threats from company employees is possibly the most prevalent, but also the easiest to manage.

The US financial company Wells Fargo fired more than 5,000 employees in September 2016 for creating fake accounts. If the company had monitored its internal network traffic more thoroughly, and checked that processes were followed correctly, it might have saved itself millions of dollars in litigation and non-compliance penalties.

This internal monitoring could have been achieved through user behaviour analytics. These tools, such as ObserveIT, enable companies to monitor user behaviour to detect any dangerous and possibly malicious actions by their own users. User behaviour analytics does not just monitor people; it can also detect unexpected behaviour and network traffic generated by applications.

User behaviour analytics

Establishing user behaviour analytics is a two-part process. The first stage establishes how the network should operate, by defining policies and what needs protecting. This is followed by telling the tool which employees it needs to monitor.

User behaviour analytics evolves over time, as the tool increasingly understands normal network behaviour and acceptable use. This allows a focus on any behaviour that does not fall within normal or acceptable parameters.

Once companies have identified inappropriate behaviour on their networks, they have one of two options.

The first is to respond instantly, for example with a message informing the user that the action they are about to take, such as using cloud storage to send information or emailing a database, is not considered acceptable by the company. “We find that just by doing that education, you can eliminate 80-90% of insider threat, which are mistakes that people are making,” says Tankard.

Wait and see

However, some companies may choose to wait and see whether the employee is deliberately acting maliciously and whether others are involved.
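As an added illustration (not code from the article or from any product it names), here is a toy Python version of the two-stage process just described: a policy stage that says what must be protected and which destinations are unacceptable, and a learned per-user baseline that flags behaviour outside normal parameters. Policy hits take the "respond instantly" path (message the user); statistical outliers and users with no baseline yet go to the "wait and see" queue. The event fields, policy sets, sample transfers and the three-sigma threshold are all assumptions made for the example.

```python
"""Toy user behaviour analytics: a policy stage plus a learned per-user baseline.
All events below are constructed for illustration; this is not any product's code."""
from collections import defaultdict
from statistics import mean, pstdev

# Stage 1 (hypothetical policy): protected data sources, and destinations the
# company does not consider acceptable for them.
PROTECTED = {"payroll_db", "customer_records"}
UNACCEPTABLE_DEST = {"cloud_storage", "external_email"}

def learn_baseline(history):
    """Stage 2: mean and standard deviation of transfer size per user, learned from past events."""
    sizes = defaultdict(list)
    for e in history:
        sizes[e["user"]].append(e["bytes"])
    return {u: (mean(s), pstdev(s)) for u, s in sizes.items()}

def evaluate(event, baseline, k=3.0):
    """Return (severity, reason). Policy hits take the 'respond instantly' path
    (message the user); outliers and never-seen users go to the 'wait and see' queue."""
    if event["source"] in PROTECTED and event["dest"] in UNACCEPTABLE_DEST:
        return ("warn_user", f"{event['source']} -> {event['dest']} is not acceptable use")
    if event["user"] not in baseline:  # cold start: nothing learned yet for this user
        return ("review", "no baseline for this user")
    mu, sigma = baseline[event["user"]]
    if event["bytes"] > mu + k * sigma:
        return ("review", f"{event['bytes']} bytes vs baseline {mu:.0f} +/- {sigma:.0f}")
    return ("ok", "within learned behaviour")

def ev(user, source, dest, nbytes):
    return {"user": user, "source": source, "dest": dest, "bytes": nbytes}

# Constructed training window of ordinary internal transfers.
HISTORY = [ev("alice", "hr_share", "internal_share", b) for b in (100_000, 120_000, 110_000, 90_000, 130_000)]
HISTORY += [ev("bob", "code_repo", "build_server", b) for b in (200_000, 210_000, 190_000, 205_000, 195_000)]

# Constructed new events to score.
NEW_EVENTS = [
    ev("alice", "payroll_db", "cloud_storage", 100_000),  # policy violation: educate the user
    ev("bob", "code_repo", "build_server", 50_000_000),    # far outside bob's learned baseline
    ev("carol", "hr_share", "internal_share", 5_000),      # user never seen during training
    ev("alice", "hr_share", "internal_share", 115_000),    # normal
]

def score_events(history=HISTORY, new_events=NEW_EVENTS):
    """Learn the baseline from history, then score each new event as (user, severity, reason)."""
    baseline = learn_baseline(history)
    return [(e["user"], *evaluate(e, baseline)) for e in new_events]
```

Running `score_events()` returns warn_user for alice's cloud upload, review for bob's outlier and for carol's first appearance, and ok for alice's normal transfer.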

It is not just their own staff that companies need to monitor – they must also ensure external contractors are monitored.

Vulnerability consultant Chris Clemson gives an example: “A Manchester-based internet company was having trouble with a contractor claiming that the IP belonged to him, and that if he didn’t get a pay rise, the firm would not be allowed to use his software. The company told him to go away, and he then proceeded to delete all the backups and uninstall MySQL, Apache, and so on, from its servers.

“Luckily, the dozy person did not realise that the bash command ‘history clear’ doesn’t actually delete the bash history file, so I managed to get evidence of all his ‘rm ...’ and ‘rpm -e’ commands, and the company managed to start legal proceedings against him.”

As well as deploying user behaviour analytics tools, companies also need to ensure their Active Directory listings and passwords are maintained and updated properly. There have been several instances of employees leaving companies, yet still being able to access their company email account for days, if not weeks, afterwards.


When a former employee has been removed from payroll, there is often a delay before the network administrators remove the person’s profile from the network. This can allow the former employee to view sensitive information that they are no longer cleared to see, or even to sell access or information to a rival company.

Senior support analyst Charles Lister says: “IT workers often know the passwords to accounts/systems, which are not easy to change. For example, I know passwords to service accounts and BIOS [basic input/output system] passwords. Clearly, if I misused what I know, it would kill my IT career. Some people are either arrogant enough to think they cannot be caught, or angry enough to do it anyway.”

Beyond the extra password security it offers, two-factor authentication is another tool companies can use to protect themselves from insider threats. Because the dongle employees need to access the network and email is returned along with any other company hardware (phones, laptop, and so on), leavers can no longer gain access to the network, even if their account is still active.

Similarly, companies need to be careful when administering user access rights, rather than simply appending additional permissions as employees progress through the company, a pattern known as privilege creep. If somebody has held several posts within a large company and moved departments, they may still have access to each department they have worked in, rather than having their rights to each one revoked after they have moved on.
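The leaver delay and privilege creep described above are both caught by a routine reconciliation of the HR feed against the directory. The following Python is an added example, not code from the article or any real directory export: it compares each account's HR status and current department against its directory groups and reports leavers still enabled, accounts nobody in HR owns, and groups a person's current role is not entitled to. The account names, group names, dates and the department-to-group entitlement mapping are all constructed for the example.

```python
"""Joiner/mover/leaver reconciliation: HR status and current department versus
directory accounts. Records, group names and the entitlement mapping are all
constructed for illustration, not a real directory export or real policy."""
from datetime import date

# Hypothetical policy: the directory groups each department is entitled to.
ENTITLEMENTS = {
    "finance": {"Domain Users", "Finance-Share", "Payroll-App"},
    "sales": {"Domain Users", "CRM-Users"},
    "it": {"Domain Users", "Helpdesk", "Server-Admins"},
}

def reconcile(hr_records, directory_accounts, today):
    """Return findings as (account, kind, detail) tuples, in directory order."""
    hr = {r["account"]: r for r in hr_records}
    findings = []
    for acct in directory_accounts:
        name, enabled, groups = acct["name"], acct["enabled"], set(acct["groups"])
        rec = hr.get(name)
        if rec is None:                      # nobody in HR owns this account
            if enabled:
                findings.append((name, "orphan_account", "enabled but unknown to HR"))
        elif rec["status"] == "left":        # leaver: should be disabled on the leaving date
            days = (today - rec["left_on"]).days
            if enabled:
                findings.append((name, "leaver_still_enabled", f"left {days} days ago"))
        else:                                # mover/stayer: only the current department's groups
            excess = groups - ENTITLEMENTS.get(rec["department"], {"Domain Users"})
            if excess:
                findings.append((name, "privilege_creep", f"not entitled to {sorted(excess)}"))
    return findings

# Constructed HR feed: bob moved from finance to sales, carol and dave have left.
HR = [
    {"account": "alice", "status": "active", "department": "finance"},
    {"account": "bob", "status": "active", "department": "sales"},
    {"account": "carol", "status": "left", "left_on": date(2016, 10, 1)},
    {"account": "dave", "status": "left", "left_on": date(2016, 9, 1)},
]
# Constructed directory export: bob kept his old finance groups, carol is still enabled.
DIRECTORY = [
    {"name": "alice", "enabled": True, "groups": ["Domain Users", "Finance-Share"]},
    {"name": "bob", "enabled": True, "groups": ["Domain Users", "CRM-Users", "Finance-Share", "Payroll-App"]},
    {"name": "carol", "enabled": True, "groups": ["Domain Users"]},
    {"name": "dave", "enabled": False, "groups": ["Domain Users"]},
    {"name": "svc_backup", "enabled": True, "groups": ["Domain Users", "Server-Admins"]},
]

def run_review(today=date(2016, 10, 13)):
    return reconcile(HR, DIRECTORY, today)
```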

Compromised devices

Another source of insider threats is malicious applications installed on compromised devices. Although these devices may be low-risk in themselves, the fact that they are located on the network makes them an ideal point from which to access sensitive information stored on a company server. 

Sometimes even the most innocuous devices, such as ventilation systems and keyboard connectors, have been carriers of malicious applications. There have been reports of a fridge being part of a spam network, and, as such, it could easily be subsumed for other malicious activities. And in October 2016, reports emerged about the hijack of internet-connected security cameras and other devices to mount powerful distributed denial of service (DDoS) attacks.

Companies therefore need to change the default passwords for all their systems. “You would be amazed at how many bits of hardware are left with their factory default passwords,” says Lister.

Ideally, companies should consider operating a dual network, one for company data (email, documents, records, and so on) and the other for non-essential network devices, ensuring that the two have an air gap.

Companies that manage confidential data often take measures such as banning personal devices, including mobile phones, cameras, tablets, SD cards and memory sticks, from their offices. Not only could these devices be used to carry confidential data, but they may be carrying a malicious payload.

Personal devices

Despite the risks, some companies allow personal devices to be connected to their networks. “Corporations often encourage people to bring their own devices to work, or take work devices home,” says network engineer Peter Gatehouse. “Even things like USB keyboards can contain nasty surprises in the connector, with hacks being loaded when they are connected.”

However, as network architect Chris Johnson explains: “Technical measures can only go so far, and developers and system administrators both have the skillset and access to circumvent them.”

Ultimately, insider threats are more a people problem than a technological one. There have been several instances of ransomware being downloaded after employees inadvertently clicked on a link in an apparently legitimate email, which then encrypted the company’s data.

Educating staff to take a sceptical approach to emails, however legitimate they appear, is one step; another is explaining the various strategies used by telephone scams designed to infiltrate computers.

Despite the threat facing companies from external sources, they must be just as vigilant for attacks emerging from within their networks. Employing user behaviour analytics and ensuring Active Directory is carefully administered will ensure networks are protected against insider threats.

“At the end of the day, it’s a people problem,” says Johnson. “Company policies and legal frameworks are the backstop to enforce it, but a happy and motivated staff is likely to be the best way to prevent it becoming a problem.”
