[BreachExchange] Insider Threat: Common Myths and Misconceptions

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jul 2 18:05:04 EDT 2018


https://www.securityweek.com/insider-threat-common-myths-and-misconceptions

Insider threat is a growing area of concern and confusion among security
practitioners. Typically accustomed to concentrating their resources on
combating external threats, many security teams are eager yet unsure of how
to combat threats that arise internally. This uncertainty, unfortunately,
is often exacerbated by numerous common myths and misconceptions about
insider threat, some of which include:

Insider Threats are Always Intentional and Harmful

Much of the confusion around insider threat starts with its definition.
Factors ranging from fear to hype to inaccurate reporting have given rise
to the widespread perception that the most malicious and damaging types of
insider attacks—such as those involving corporate espionage, for
example—are representative of all insider threats. But similar to how the
majority of network security threats are far more common yet far less
damaging than APTs, most insider threats are relatively tame and
unsophisticated compared to how they are often perceived.

There are various accepted definitions of an insider threat, but most agree
that it:

- Is a threat to an organization that originates from within that
organization;

- Involves a current or former employee, contractor, or partner who has or
had authorized access to an organization’s network, system, or data, and
who misuses that access;

- Can be intentional when a user purposefully subverts a control (some
practitioners refer to intentional insider threats as malicious);

- Can be unintentional when a user subverts a control without intending to;

- Can be harmful or not harmful.

In many cases, unintentional insider threats are overlooked. These can
include situations where a user accidentally sends an email containing
sensitive information to the wrong recipient, for example. Though the user
did not intend to engage in potentially threatening behavior, their action
could have had serious ramifications for the company, potentially causing
the same amount of harm as an intentional insider threat. Similar confusion
is also common with regard to insider threats that do not result in harm.
The aforementioned unintentional insider threat would only be harmful if
the email recipient had misused the contents of the email and/or failed to
destroy it.

But even when an insider threat is intentional, it is not necessarily
harmful. For example, let’s say a user forgets their login credentials for
a company system. In response, they choose to access the system by
obtaining another user’s credentials even though they are aware that such
an action goes against company policy. This threat would be intentional
because the user knew they were subverting a control and did so
nonetheless. But unless the user had abused the credentials to the
detriment of the company, the threat, though intentional, would likely not
cause harm.

It’s important to recognize that the definition of an insider threat has
implications beyond just semantics. Regardless of whether an insider threat
is intentional or unintentional, and harmful or not, combating these
threats effectively requires a comprehensive understanding of what they are
and how they originate.

If You Have an Insider Threat Resource, You Have an Insider Threat Program

The composition of an insider threat program (ITP) is another common area
of confusion. Specifically, many organizations assume that an effective ITP
can comprise any resource or combination of resources dedicated to
addressing insider threat.

In some cases, this assumption is shaped by the increasing number of tools
being marketed as “silver bullets” or “panaceas” for insider threat. While
various types of alerting and user behavior analytics (UBA) tools, for
example, can provide immense value to a well-structured and equipped ITP,
no such tool can serve as a replacement for an entire program. Believing
otherwise can lead an organization to assume they are prepared and able to
address insider threats when they are not.

In reality, an effective ITP requires a specific combination of tools,
datasets, expertise, personnel, and cross-functional collaboration, along
with comprehensive and integrative programmatic and investigative
functions. These requirements are generally consistent regardless of an
organization’s size. Smaller organizations can scale their ITP accordingly
by sharing responsibilities among personnel without having to invest in all
of the often-expensive tools typically employed by larger organizations.
But even with the requisite resources and controls in place, initiating and
developing an ITP can be a lengthy and complex endeavor, which is why
organizations looking to do so are often encouraged to seek external
support.

Preventing Insider Threat Requires an Insider Threat Program

But before an organization even considers starting such a program, it’s
important to understand that the primary objectives of an ITP are to deter,
detect, and respond to insider threats—not prevent them. The issue isn’t
that insider threats can’t be prevented, but rather it’s that prevention
occurs largely at the information security level, not the ITP level. Many
of the same basic, best-practice information security controls that help
organizations mitigate threats such as phishing and malware infections can
also help prevent insider threats.

These controls include having robust identity and access management (IAM)
processes, revoking former employees’ access to company systems and assets
in a timely manner, blocking users from accessing personal email, social
media, and external instant messengers from inside the network, restricting
the use of flash drives and external media storage devices, enforcing bring
your own device (BYOD) policies, and ensuring all users are trained
thoroughly and often on security awareness and hygiene best practices, to
name a few.
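As an added illustration of the "timely revocation" control above (example code, not from the article): a reconciliation check that compares HR separation dates against a directory export and flags accounts whose access outlived an assumed one-day revocation SLA, whether the account was disabled late or is still enabled. All usernames, dates and the SLA value are constructed for the example.

```python
from datetime import date

# Constructed sample data: HR separation records and a directory export,
# both keyed by username. Not taken from the article.
SEPARATIONS = {
    "jdoe":   date(2018, 6, 1),
    "asmith": date(2018, 6, 20),
    "bwong":  date(2018, 6, 28),
    "ckim":   date(2018, 7, 2),
}
DIRECTORY = {
    "jdoe":   {"enabled": False, "disabled_on": date(2018, 6, 1)},   # revoked same day
    "asmith": {"enabled": True,  "disabled_on": None},               # never revoked
    "bwong":  {"enabled": False, "disabled_on": date(2018, 7, 1)},   # revoked late
    "ckim":   {"enabled": True,  "disabled_on": None},               # separated today
    "eroot":  {"enabled": True,  "disabled_on": None},               # still employed
}
SLA_DAYS = 1                    # assumed policy: revoke within one day of separation
AS_OF = date(2018, 7, 2)        # date the check is run

def revocation_lag_days(separated_on, account, as_of):
    """Days between separation and revocation; for accounts that are still
    enabled the lag is measured up to `as_of` because access is ongoing."""
    end = as_of if account["enabled"] else account["disabled_on"]
    return (end - separated_on).days

def find_stale_access(separations, directory, as_of, sla_days=SLA_DAYS):
    """Return {username: (lag_days, still_enabled)} for every separated user
    whose access outlived the SLA. Users with no directory account are skipped;
    an account disabled before separation yields a negative lag and passes."""
    findings = {}
    for user, separated_on in separations.items():
        acct = directory.get(user)
        if acct is None:
            continue
        lag = revocation_lag_days(separated_on, acct, as_of)
        if lag > sla_days:
            findings[user] = (lag, acct["enabled"])
    return findings

def stale_access_report(as_of=AS_OF):
    """Run the check over the constructed data for a given date."""
    return find_stale_access(SEPARATIONS, DIRECTORY, as_of)

if __name__ == "__main__":
    for user, (lag, enabled) in stale_access_report().items():
        state = "STILL ENABLED" if enabled else "disabled late"
        print(f"{user}: {state}, {lag} day(s) after separation")
```

In practice the two inputs would come from the HR system and an IAM or directory export rather than inline dictionaries, and the report would be reviewed on a fixed schedule.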

This is why it’s crucial for an organization to achieve and maintain an
effective information security program before initiating an ITP. Even the
most sophisticated and comprehensive ITP will provide little value if the
organization is unable to uphold adequate standards of information security.

The above list is meant to highlight a few of the most common and impactful
ways in which the area of insider threat is misunderstood, but this list is
by no means comprehensive. As more organizations recognize the critical
need to address this threat, it’s imperative that as security
practitioners, we acknowledge the often-confusing nature of insider threat,
seek to dispel misconceptions, and provide clear, accurate insight whenever
possible.