There is a certain mystique around external threats to an organization. Threats that come from the outside often garner the most publicity and thus, often represent an outsized focus of an organization’s security team. But as any savvy cybersecurity professional knows, it’s often the threats that come from within that have the potential to cause the greatest damage – both financially and to a company’s reputation.
One does not need to understand highly complex technical topics to understand the dangers of a malicious insider threat. This type of threat affects all businesses of all sizes, both in terms of market power and workforce size. The difference between this threat vector and an external threat is that an insider has a much greater understanding of the weaknesses of an organization.
Sources of insider attacks
Insider threats can be sourced to anyone inside the organization with a wide variety of motivations. Any employee who has access to sensitive company data could potentially be a risk.
- Overly simple passwords
These days nearly every machine, program or portal in the workplace requires some password or passcode. The allure of a choosing a simple password or writing the password down is tempting for employees. But the danger of an overly simplified password or one that is easily accessed cannot be overstated. Simple passwords represent just one easy window into an organization’s network – an exploitation that requires no technical skills or advanced hacking tactics.
- Exploitation of access and poor account management practices are your enemy
Granting unnecessary access to employees and accounts that go unused make up a large attack surface for organizations. Insiders often try to exploit legacy user accounts of prior employees to exploit access privileges. Another way in could be to look for an employee who has changed jobs frequently within an organization. This type of user often accumulates a broad range of access privileges that can be exploited. These privileges may provide access to files or applications from previous titles and responsibilities that can, at the very least, give an attacker more insight into an organization to inform a targeted attack.
- Internal data exfiltration
Employees who plan to leave an organization may try to extract sensitive data or information before they formally notify management of plans to leave. This type of attack recently made headlines when former Google engineer Anthony Levandowski left the company for Uber. Before leaving Google, Levandowski allegedly extracted over 14,000 confidential and proprietary pieces of data from Google, which was then allegedly utilized by Uber. This type of threat is real, and without proper measures in place a firm may never know this happened. Even if the event is discovered, an organization may face a lengthy and expensive legal battle to recover its losses.
Protection strategies
It is just as important for organizations to secure the walls from within as it is to protect the perimeter. While it is nearly impossible to eliminate the risks associated with insider threats, there are steps that can be taken to mitigate them.
- Security awareness training
The human element is usually the weakest link in any organization’s security. Security awareness training is unarguably the most important step an organization can take to minimize this risk. It is important to educate all an organization’s users of the dangers of weak passwords, unapproved browsing practices, phishing attempts, etc. Training should be conducted frequently and updated regularly.
- Omnipresent access control
Depending on the organization, monitoring and maintaining access control can be simple or very complex. But in any case, this protection step is vital to enhance security and maintain adherence to compliance standards, especially for organizations in financial or healthcare industries. Maintaining strict access-revocation practices for users leaving the organization, removing unneeded access and reviewing current access to assets to enforce a policy of least-privilege are critical steps organizations can take to further enhance security. Additional requirements may be enforced upon an organization in accordance with industry regulations.
- Data and device monitoring
Organizations should monitor data transmissions, data stored on networks, as well as data on USB and other peripheral devices. While some industries may require data and device monitoring, many organizations may make this a priority to address potential insider threats. Organizations may also utilize a data-loss-prevention monitoring tool to identify attempted retrieval of sensitive data. Additionally, this tool will identify any unapproved devices used by an employee who may be unaware that the tool is a security threat.
- Proper network segmentation
Even if an employee has access to the internal corporate network, it does not mean that they should have free reign. Proper network segmentation is critical to ensure users have access to only the portions of the network that they need.
- Patching
Patching is another efficient way to mitigate the risk of insider (and outsider) attacks by “patching” security vulnerabilities. Patching should be kept up to date on internal and externally facing systems in cases of pivoting or privilege escalation.
- Data classification
Having a data-loss-prevention strategy in place is great, but it is hardly deployed on the entire network. If you don’t know where or what your sensitive documents are, you can’t properly deploy the DLP or see when data gets ex-filtrated.
- Third party and Cloud audit logging
Don’t wait until the last minute to reach out to third party or cloud providers to gather audit logs. This can be a time-consuming process, if the logs are available at all. Companies should know ahead of time in the logs are available, and implement compensating controls if necessary.
A balancing act
While insiders can represent a significant threat to an organization’s security posture, the right risk mitigation strategies and procedures can also make them a great asset. Balancing security and functionality for the user experience is critical to create and maintain a cyber- conscious culture and reduce the risk of insider threats impacting an organization.
This article was originally written and published by our friends at Reliaquest.Original article here.