[BreachExchange] Insider threat fundamentals and mitigation techniques

Audrey McNeil audrey at riskbasedsecurity.com
Mon May 24 18:35:48 EDT 2021


https://www.scmagazine.com/perspectives/insider-threat-fundamentals-and-mitigation-techniques/

Employees may intentionally or unwittingly expose the business to serious
security risks. Security managers need to stay on top of insider threats and
learn prevention best practices.

While it’s important to secure a digital infrastructure against external
adversaries, a lot of the risks occur on the inside. Offensive activity may
stem from current personnel, former employees, partners, and third-party
contractors. Since these people have access to a good deal of
business-critical information, any deviation from corporate policies or
deliberate foul play on their end turns the organization into low-hanging
fruit for cyber predators and competitors.

Data leaks, privacy violations, unauthorized payments, and interference
with the proper functioning of enterprise security solutions are a few
common examples of the impact perpetrated by insiders. Obviously, any such
incident can turn into a disaster for the company.

What are these individuals driven by? The FBI splits the factors and
motives into personal and organizational. The former type spans financial
gain, vengeance of disgruntled staff, pursuit of adventure, susceptibility
to blackmail, or a desire to satisfy one’s ego. Various addictions and
family problems can become catalysts for misconduct like that as well.

Organizational factors are mostly fueled by a lack of employee training on
how to handle classified data, inefficient telework policies, and weak
countermeasures for exiting the facility with proprietary materials. These
slip-ups tend to underlie more serious long-term consequences for the
target, such as the theft of intellectual property to help a business rival
gain a competitive advantage.

Usual suspects and red flags

Generally speaking, insider threats are a two-pronged phenomenon. They can
emanate from people who knowingly undermine the digital and financial
well-being of an organization or from negligent employees who do not
necessarily mean to cause harm. However, this categorization does not
reflect all shades of the issue. Let us get a little more in-depth to
explain the big picture.

Staff members who do not follow safe online practices may unknowingly
precipitate a situation that plays into an attacker’s hands. They may fall
for a phishing scam and disclose their corporate authentication details,
download malware disguised as a harmless app, open a booby-trapped email
attachment, or send a wire transfer requested by a malefactor impersonating
their boss.

There are also rebellious users who hate to go with the flow and love
breaking the rules. A person like that will likely turn a blind eye to the
fact of their participation in someone’s evil plot, sincerely believing
that they are doing something for fun or out of curiosity.

There are also spies working for nation-states who piggyback on their broad
access to corporate assets. They aim to amass proprietary data and sabotage
the organization from within. These individuals operate in the interest of
a third party, such as an intelligence agency or a competitor or
nation-state threat actor seeking to ruin your business.

Lastly, insider threats are often caused by solo offenders who are not in
cahoots with a third party. These perpetrators quietly harvest sensitive
corporate data and look for ways to monetize or otherwise mishandle it at a
later point. There’s high risk if such a person works on the IT team and
has elevated privileges in the network.

Regardless of the scenario, the giveaways are fairly easy to identify.
Security pros should become suspicious if any of the following happens: an
employee copies confidential files without a specific need; accesses the
network remotely during vacation or in off-hours; installs suspicious
software on their work computer; purchases things they normally cannot
afford; or gets curious about business areas beyond their regular duties.

Thwarting insider threats

To prevent insiders from harming the business, whether on purpose or
because of seemingly trivial blunders, security teams should harden the
security of the company’s physical and digital corporate assets. First
things first, enforce standard operating procedures (SOPs) to ensure
employees know and comply with enterprise policies, especially those
regarding intellectual property.

Monitor anomalous events, such as the transfers of data beyond employees’
access privileges, unusual attempts to access corporate IT systems
remotely, or installation of suspicious apps on company-issued devices.
Also, leverage internet security software to detect malware in real-time
and enable URL filtering to block credential phishing sites and other
dubious resources. Pinpoint and fix network security imperfections using
trusted vulnerability management tools.

Err on the side of caution by implementing least privilege so that users
cannot access more data than they need for their work. When firing staff,
immediately revoke their access to corporate facilities and the computer
network. Finally, keep in mind that IT systems are as strong as their
weakest link, and human beings are quite often the weakest link.
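The monitoring advice above (data transfers beyond a user's access
privileges, unusual remote access, installation of unapproved software) and
the earlier list of red flags (remote access during vacation or off-hours,
copying confidential files without need) can be turned into concrete
detection logic. The following is an added example, not code from the
article or from the mailing list, and it runs over constructed audit log
lines in a hypothetical "timestamp|user|event|key=value;..." format. The
entitlement map, vacation calendar, approved-software list and USB copy
threshold are all stand-ins for whatever HR, IAM and endpoint data a real
deployment would join against.

```python
"""Toy insider-threat detection pass over constructed audit log lines."""
from collections import defaultdict
from datetime import datetime, date, time
from typing import Dict, List, Set

# --- Constructed reference data (hypothetical; stands in for HR/IAM feeds) ---
WORK_HOURS = (time(7, 0), time(20, 0))            # local business window
VACATION: Dict[str, Set[date]] = {"bob": {date(2021, 5, 20), date(2021, 5, 21)}}
# Path prefixes each user is entitled to read (stand-in for the real ACL/role model)
ENTITLEMENTS: Dict[str, List[str]] = {
    "alice": ["/share/finance/"],
    "bob": ["/share/rnd/"],
    "carol": ["/share/hr/"],
}
APPROVED_SOFTWARE = {"chrome", "office", "zoom"}
USB_COPY_THRESHOLD = 3   # copies per user per day before we flag bulk copying

# Constructed sample audit lines: "ISO-timestamp|user|event|key=value;..."
SAMPLE_LOG = """\
2021-05-20T09:15:00|alice|vpn_login|src=10.0.0.5
2021-05-20T10:02:00|alice|file_read|path=/share/finance/q1.xlsx
2021-05-20T10:05:00|alice|file_read|path=/share/hr/salaries.xlsx
2021-05-20T23:40:00|bob|vpn_login|src=203.0.113.7
2021-05-21T02:10:00|bob|file_copy|path=/share/rnd/a.pdf;dest=usb
2021-05-21T02:11:00|bob|file_copy|path=/share/rnd/b.pdf;dest=usb
2021-05-21T02:12:00|bob|file_copy|path=/share/rnd/c.pdf;dest=usb
2021-05-21T02:13:00|bob|file_copy|path=/share/rnd/d.pdf;dest=usb
2021-05-21T11:00:00|carol|software_install|name=anydesk
2021-05-21T11:30:00|carol|software_install|name=zoom
"""


def parse(line: str) -> dict:
    """Split one audit line into a dict; detail fields become extra keys."""
    ts, user, event, detail = line.split("|", 3)
    fields = dict(kv.split("=", 1) for kv in detail.split(";") if kv)
    return {"ts": datetime.fromisoformat(ts), "user": user, "event": event, **fields}


def detect(log_text: str) -> List[str]:
    """Return one human-readable alert per red flag found in the log."""
    alerts: List[str] = []
    usb_copies = defaultdict(int)   # (user, date) -> number of copies to USB
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse(raw)
        user, ts = ev["user"], ev["ts"]

        # 1. Remote access off-hours, or while HR says the user is on vacation
        if ev["event"] == "vpn_login":
            off_hours = not (WORK_HOURS[0] <= ts.time() <= WORK_HOURS[1])
            on_leave = ts.date() in VACATION.get(user, set())
            if off_hours or on_leave:
                why = "on vacation" if on_leave else "off-hours"
                alerts.append(f"{ts.isoformat()} {user}: remote login {why} from {ev.get('src')}")

        # 2. Data access outside the user's entitlements (least privilege violated)
        if ev["event"] in ("file_read", "file_copy"):
            allowed = ENTITLEMENTS.get(user, [])
            if not any(ev["path"].startswith(prefix) for prefix in allowed):
                alerts.append(f"{ts.isoformat()} {user}: access outside entitlements: {ev['path']}")

        # 3. Bulk copying of files to removable media; alert once when the threshold is hit
        if ev["event"] == "file_copy" and ev.get("dest") == "usb":
            key = (user, ts.date())
            usb_copies[key] += 1
            if usb_copies[key] == USB_COPY_THRESHOLD:
                alerts.append(f"{ts.isoformat()} {user}: {USB_COPY_THRESHOLD}+ USB copies in one day")

        # 4. Software installed on a company device that is not on the approved list
        if ev["event"] == "software_install" and ev["name"] not in APPROVED_SOFTWARE:
            alerts.append(f"{ts.isoformat()} {user}: unapproved software installed: {ev['name']}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Against the constructed log this yields four alerts: alice reading an HR
file outside her entitlements, bob logging in remotely while on vacation,
bob's third USB copy in one night, and carol installing unapproved remote
access software. The point of joining against the vacation calendar rather
than only the clock is that a login at a perfectly normal hour is still
anomalous if the account's owner is supposed to be away.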