[BreachExchange] Are You Prepared for a Malicious Insider Threat?

Destry Winant destry at riskbasedsecurity.com
Wed Jun 27 23:10:11 EDT 2018


https://securityboulevard.com/2018/06/are-you-prepared-for-a-malicious-insider-threat/

Earlier this month, Tesla became the poster child of the damage a
single malicious insider can do to your company.

Tesla CEO Elon Musk sent an email to employees about an employee who
allegedly “conducted quite extensive and damaging sabotage” to
corporate operations, which included changing the code on Tesla’s
operating system. The employee also was accused of “exporting large
amounts of highly sensitive Tesla data to unknown third parties,”
according to the email.

Malicious insiders tend to be the forgotten cog in security plans.
After all, as the Verizon “Data Breach Investigations Report” (DBIR)
2018 revealed, 73 percent of all data breaches are caused by
outsiders, so security systems focus on them. Even when we talk about
insider threats, we’re most likely to think of them in terms of an
employee clicking on a phishing link or making an error. Their
“attack” is usually an innocent or uneducated mistake, and they make
up 17 percent of data breaches, according to the DBIR.

Ten percent of serious security incidents are caused by malicious
insiders, but they are the most difficult to stop. It isn’t that
security systems aren’t set up to sniff out a potential problem
employee; rather, they often are folks who already have the keys to
the network kingdom. They have access to multiple areas of the network
and databases; they know—and possibly helped develop—code and
intellectual property secrets. When they are working on something, it
is nearly impossible to tell if they are causing intentional damage.

“Insiders in high-tech organizations that have access to sensitive
information and systems inherently pose significant risk to
organizations,” said Steve Grobman, McAfee SVP and CTO, in an email
comment. “One of the most difficult challenges for organizations is to
mitigate these risks while maximizing employee productivity and
effectiveness.”

Finding the Malicious Insider

How do you know if one of your employees is about to go rogue? You
usually don’t. In the typical workplace, your employees are trusted
users and you treat them that way, said Chris Morales, head of
security analytics at Vectra. For example, he said, while on a
corporate network, employees typically don’t need to perform the same
extra authentication steps necessary to connect to services and
applications that they do when they are connected from home. As a
result, they can move around freely.

However, that trusted user also presents the highest risk because they
have easy access to cause harm. What most employees don’t have is the
motivation to be a threat—until something is triggered in them.

The trigger could be almost anything: The employee was turned down for
a job promotion or a raise. The employee is being bullied or harassed
by co-workers. The employee has relationship problems at home. Perhaps
the employee was fired and is angry (and their network access was not
terminated). There are often revenge factors at play when malicious
insiders strike.

But sometimes it is a business deal for them: They are having money
troubles. They receive an offer from a third party—a large payment in
return for corporate theft or sabotage.

In the Tesla instance, Morales said, “the motivation sounds personal,
and that is quite often the case in corporate sabotage.”

Leadership that is in tune with their employees may be able to see the
warning signs of a potential malicious insider before they strike and
take action before damage is done.

Taking Precautions

However, chances are we’re going to miss those signals. Malicious
insider threat prevention, therefore, needs to be included in any
security plan.

“In either the case of a cyberattacker, or a rogue employee who is an
insider threat, enterprises benefit from internal monitoring that can
detect suspicious behavior in order to prevent damage,” said Morales.

That monitoring can take the form of detection technology that
notifies IT when an internal user is trespassing in areas of the
network where they don’t belong, or is behaving in unusual ways, such
as logging in outside of work hours or from a different device.
Detection technology of this kind could alert you to a disgruntled
employee.
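The three signals named above (access outside a user's assigned scope, logins outside work hours, and logins from an unfamiliar device) can be checked against a per-account baseline. The following is an added example, not code from the article or from any vendor quoted in it: the log format, the accounts, hostnames, resources and baseline are all constructed, and the 07:00 to 19:59 working-hours window is an assumption.

```python
"""Baseline-versus-activity check for three insider-threat signals:
access to resources outside an account's assigned scope, logins outside
working hours, and logins from a device not in the account's inventory.

Added example; the log lines, accounts, hostnames and baseline below are
constructed for illustration and are not the article's data."""
from collections import Counter
from datetime import datetime

# Constructed sample events, one per line: "<ISO timestamp> <user> <device> <resource>"
SAMPLE_LOG = """\
2018-06-11T09:12:00 alice laptop-a01 git.internal
2018-06-11T10:40:00 alice laptop-a01 ci.internal
2018-06-12T14:05:00 alice laptop-a01 git.internal
2018-06-13T02:47:00 alice laptop-a01 git.internal
2018-06-14T11:30:00 alice usb-host-77 hr-db.internal
2018-06-11T08:50:00 bob desk-b02 fileshare.internal
2018-06-12T17:55:00 bob desk-b02 fileshare.internal
"""

# Constructed baseline: the devices each account is issued and the resources
# its role is authorised to touch. In practice this comes from the device
# inventory and the access-control model, not from guessing.
BASELINE = {
    "alice": {"devices": {"laptop-a01"}, "resources": {"git.internal", "ci.internal"}},
    "bob": {"devices": {"desk-b02"}, "resources": {"fileshare.internal"}},
}

# Assumption: hours 07:00 through 19:59 count as working hours.
WORK_HOURS = range(7, 20)


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, device, resource)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, device, resource = line.split()
        events.append((datetime.fromisoformat(ts), user, device, resource))
    return events


def detect_anomalies(events, baseline=BASELINE, work_hours=WORK_HOURS):
    """Return a list of (timestamp, user, reason) findings. One event can
    produce several findings, e.g. an unfamiliar device used to reach an
    out-of-scope resource."""
    findings = []
    for ts, user, device, resource in events:
        profile = baseline.get(user)
        if profile is None:
            findings.append((ts, user, "account not in baseline"))
            continue
        if ts.hour not in work_hours:
            findings.append((ts, user, f"login at {ts:%H:%M} outside work hours"))
        if device not in profile["devices"]:
            findings.append((ts, user, f"unfamiliar device {device}"))
        if resource not in profile["resources"]:
            findings.append((ts, user, f"access to {resource} outside assigned scope"))
    return findings


def summarize(findings):
    """Count findings per account so an analyst sees who to review first."""
    return dict(Counter(user for _, user, _ in findings))


if __name__ == "__main__":
    for ts, user, reason in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{ts:%Y-%m-%d %H:%M} {user}: {reason}")
    print(summarize(detect_anomalies(parse_log(SAMPLE_LOG))))
```

On the constructed input, the two normal working days for each account produce nothing, the 02:47 login is flagged as off-hours, and the last event is flagged twice (unknown device and out-of-scope resource), which is the kind of compound signal an analyst would want surfaced together rather than as two unrelated alerts.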

Access control is another avenue of protection. “By using change logs
and setting up approvals for any code changes, you can add an
additional layer of security to protect critical code,” explained Tim
Roddy, VP of Cybersecurity Product Strategy with Fidelis
Cybersecurity. “For organizations to protect themselves from
exfiltration of highly sensitive data, data loss prevention on
endpoints and primary network services is not enough. Organizations
need to analyze all ports and protocols to prevent any blind spots.”
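The change-log and approval control described above reduces to a four-eyes rule: a change to protected code must carry an approval from someone other than its author, and a change with no approval at all is itself a finding. The following is an added example of that check, not code from the article or from Fidelis; the change records, names and path prefixes are constructed, and in a real deployment the same rule would be enforced server-side at push or merge time rather than audited afterwards.

```python
"""Four-eyes audit over a change log: every change touching a protected
code path must have at least one approver who is not the author.

Added example; the change records, people and protected paths are
constructed for illustration."""

# Assumption: paths under these prefixes require independent review.
PROTECTED_PREFIXES = ("src/core/", "deploy/")

# Constructed change records: (change_id, author, touched_paths, approvers)
CHANGE_LOG = [
    ("c101", "alice", ["docs/readme.md"], []),
    ("c102", "alice", ["src/core/scheduler.c"], ["bob"]),
    ("c103", "alice", ["src/core/scheduler.c"], ["alice"]),
    ("c104", "carol", ["deploy/release.sh", "docs/notes.md"], []),
    ("c105", "bob", ["deploy/release.sh"], ["alice", "bob"]),
]


def needs_review(paths, protected=PROTECTED_PREFIXES):
    """True if any touched path falls under a protected prefix."""
    return any(p.startswith(protected) for p in paths)


def independent_approvers(author, approvers):
    """Approvers other than the author; a self-approval does not count."""
    return {a for a in approvers if a != author}


def find_policy_violations(change_log, protected=PROTECTED_PREFIXES):
    """Return (change_id, reason) for each protected change that lacks an
    approval from someone other than its author."""
    violations = []
    for change_id, author, paths, approvers in change_log:
        if not needs_review(paths, protected):
            continue
        if not independent_approvers(author, approvers):
            reason = "self-approved only" if approvers else "no approval recorded"
            violations.append((change_id, reason))
    return violations


if __name__ == "__main__":
    for change_id, reason in find_policy_violations(CHANGE_LOG):
        print(f"{change_id}: {reason}")
```

The self-approval case is the one worth noting: an approval record exists, so a check that only asks "was this approved?" passes it, while the rule that the approver must differ from the author catches it.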

Even the best companies are going to have problems with malicious
insiders. Recognizing rogue employees isn’t easy, so having the right
tools in place to detect insider threats could be the difference
between protecting your assets and making Tesla-like news.

