[BreachExchange] Insider threats: Who is the biggest IT security threat in your organisation?
Audrey McNeil
audrey at riskbasedsecurity.com
Tue Sep 6 19:19:47 EDT 2016
http://www.itproportal.com/features/insider-threats-who-is-the-biggest-it-security-threat-in-your-organisation/
In today's digital world almost every business relies on information
technology and the Internet to operate, and the question is not 'if' but
'when' its IT infrastructure and business applications will come under
attack. Before you turn to the dark world of cybercrime or state-sponsored
attackers plotting to compromise your IT systems, remember that
'cyber security begins at home.'
By home, I mean the business owners, their senior managers, their staff
and their third-party contractors. Security breaches caused by staff or
third-party contractors, whether malicious or accidental, are among the
largest sources of cyber-attacks on an organisation's systems.
Cyber criminals seek out the weak points in your organisation because these
present the easiest opportunities for attack, and such weaknesses may
already be present in your organisation today.
How can I ensure my systems are safe from 'within'?
Before we look at solutions, we must understand the various ways in which
employees - and contractors - can be responsible for security breaches.
Careless Employees - Obvious examples of careless behaviour include staff
who use weak passwords, staff who visit unauthorised websites, and staff who
click on links or open attachments in suspicious emails. Then there are
staff who do not take proper care of their personal or company devices,
giving an unauthorised person (most often a relative) the opportunity to
use them.
Vengeful Ex-Employees - This happens more often than you might think, as
ex-employees believe they can inflict damage without getting caught. It is
especially likely where the ex-employee held privileged credentials for
systems, networks and databases, and those credentials were never revoked.
BYOD (Bring Your Own Device) - As well as the risk of loss or theft of
personal devices, the mere fact that an organisation's confidential or
sensitive information is shared to or copied onto personal devices creates
an inherent risk of theft. Passwords on personal devices are often weaker
than those used at the workplace, making them easier to guess or crack. A
recent survey suggested that two thirds of global companies have suffered
some kind of security breach caused by employees' mobile devices.
Unauthorised devices on the network - Many employees don't think twice
about connecting their own devices to the company IT infrastructure:
personal laptops and phones, USB sticks, webcams and so on. This can
introduce malware into the organisation's systems or provide an entry point
for an attacker.
Third Party Service Providers - Service providers are often an important
part of your extended team, but they pose a risk if their security
practices are not as rigorous as your own. It is not unusual for
contractors to use a single shared password for all their employees to
access a client's system, and often that password is weak so that it is
easy to memorise and pass on to new staff.
This makes the theft of login details relatively simple, often by simply
guessing. An alarmingly high percentage of data breaches can be attributed
to remote third-party access channels; and let's not forget the possibility
of the contractor having a rogue employee.
7 Steps To Minimise The Risk Of Insider Threats
Employee vetting - All staff must be thoroughly vetted for honesty. For
sensitive positions, criminal record checks should be undertaken. You must
also ensure that your third-party contractors have vetted their own staff
to the same standard.
Training and education - Have well-documented procedures that provide
training for all staff. Educate them on the need for strong security and
the consequences of careless or bad password management. Awareness and
training exercises should include education about scams such as phishing
and keyloggers. Consider introducing a password manager and deploying
validated encryption as part of your strategy. In highly sensitive
situations, consider introducing two-factor authentication.
Introduce a strict access revocation policy for ex-staff - Ensure that
proper procedures are in place so that all accounts and credentials
(passwords, VPN access, SSH keys, tokens and the like) are immediately
revoked for any employee leaving the company, and that any shared
passwords the leaver knew are changed rather than left in place.
Have a clear BYOD policy - This should be a carefully written document that
spells out exactly what employees can and can't do with their devices,
answering questions such as: Can they download company documents, emails or
business data? Can they install personal applications on company networks?
Implement systems to monitor and manage mobile devices; this reduces the
risk if a device is lost or stolen. Encryption and containerisation of data
on devices can also form part of an overall solution.
Introduce a 'no tinkering' policy - No unauthorised tinkering with the
company's systems should be allowed, and in particular no devices, USB
sticks etc. should be connected without first being checked by your IT
security team.
Insist that all third-party contractors have acceptable security procedures
- All service providers must follow best practice for password security,
starting with an individual account for each of their staff rather than a
shared one. Monitor the contractor's security procedures and immediately
revoke all access as soon as a provider has ceased working for you.
Monitor and Report - Monitor for violations of the policies so that action
can be taken to identify and stop real damage before it occurs. The tools
and techniques for managing the many false positives (security events that
turn out to be benign) can be complex, but much can be achieved simply by
monitoring for the internal threat scenarios that would be most damaging to
your business: logins by accounts that should have been disabled, shared
contractor accounts used from several locations at once, or unauthorised
devices attached to workstations.
Ensure that a well-defined incident management procedure is in place to
support the handling of a security violation, and that a disciplinary
procedure exists to deal with employees and contractors who compromise the
security of your organisation. Once you've addressed the insider threats
within your organisation, you can turn your attention to external cyber
threats.