Managing the insider threat

The more valuable a business’s intellectual property is, the higher the chances that cyber criminals will try to get their hands on it.
“Threats to organisations are prolific. Anyone who reads the news will have seen countless reports about threat actors breaching organisations and stealing their intellectual property or exposing their customers’ details,” says Jayson O’Reilly, director of sales and innovation at DRS.
He says that what we read about far less often are breaches where insiders have been fingered as the culprit. “This is not because these types of incidents do not occur. Too often, it is an insider that enables the hacker, sometimes deliberately, sometimes purely by accident, and these types of breaches can be even more catastrophic than those carried out by outsiders alone.
“The threat from your employees is a real one. They have legitimate login credentials, and they know what information you have without having to conduct a fishing expedition. Although outside attackers are a great danger, and will constantly try to breach your defences to steal, disrupt or damage your business, do not make the mistake of ignoring the insider threat.”
He says the ability to keep sensitive information safe while not looking at every employee with suspicion is a balancing act, but there are several measures companies can take to protect against the insider threat. “Firstly, apply role-based access. As the business grows, and new staff join the company and others leave, roles and responsibilities change too. It is a hassle to keep provisioning and then de-provisioning access, which is why too many businesses are lackadaisical about it, and opt for an all-access approach.”
This is dangerous, he explains, as not all staff need access to all folders. “Make sure that roles and responsibilities are clearly defined, which will make the provisioning / de-provisioning process a lot easier. This isn’t a silver bullet, but will help limit any damage. In addition, always enforce the principle of least privilege, to ensure that no-one has access to any sensitive data that they don’t strictly need to do their jobs.”
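The role-based access and least-privilege advice above amounts to a check that can be automated: compare the grants each user actually holds against the permissions their defined roles justify, and flag the difference. The script below is an added example, not code from the article or from DRS; the role definitions, directory snapshot and file-server grants are constructed for illustration, and the function names are assumptions.

```python
"""Added example: find least-privilege drift between role definitions and the
grants actually present on a file server.  All roles, users and grants below
are constructed for illustration (not from the original article)."""


# Constructed role model: the data stores each role legitimately needs.
ROLE_PERMISSIONS = {
    "engineer": {"source-repo", "ci-logs"},
    "finance": {"ledger", "payroll"},
    "hr": {"payroll", "personnel-files"},
    "support": {"ticket-system"},
}

# Constructed directory snapshot: roles each user currently holds.
USER_ROLES = {
    "alice": {"engineer"},
    "bob": {"finance"},
    "carol": {"hr"},
    "dave": set(),  # left the company; roles removed but grants never were
}

# Constructed snapshot of grants actually configured on the file servers.
ACTUAL_GRANTS = {
    "alice": {"source-repo", "ci-logs", "payroll"},     # payroll is drift
    "bob": {"ledger", "payroll"},                       # matches role
    "carol": {"payroll", "personnel-files", "ledger"},  # ledger is drift
    "dave": {"ticket-system"},                          # orphaned grant
}


def expected_grants(user, user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS):
    """Union of the permissions implied by every role the user holds."""
    return set().union(*(role_perms[r] for r in user_roles.get(user, set())))


def audit(actual=ACTUAL_GRANTS, user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS):
    """Return {user: {"excess": set, "missing": set}} for every user whose
    real grants differ from what their roles justify.  'excess' is the
    least-privilege violation; 'missing' is a provisioning gap."""
    findings = {}
    for user, grants in actual.items():
        expected = expected_grants(user, user_roles, role_perms)
        excess, missing = grants - expected, expected - grants
        if excess or missing:
            findings[user] = {"excess": excess, "missing": missing}
    return findings


def deprovision(user, actual, user_roles):
    """Leaver process: drop every role and every grant for the user and
    return the set of grants that were revoked."""
    revoked = set(actual.pop(user, set()))
    user_roles.pop(user, None)
    return revoked


if __name__ == "__main__":
    for user, finding in audit().items():
        print(f"{user}: excess={sorted(finding['excess'])} "
              f"missing={sorted(finding['missing'])}")
```

Run against a real environment, the two snapshots would come from the directory and from the file-server ACLs; the point of the check is that an "all-access" grant or a leaver's orphaned permission shows up as excess even when nobody remembers granting it.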
Another step, says O’Reilly, is to apply privileged access management. “All businesses have IT departments with administrators that have to have root access to all critical resources. These people need to be trusted, but to err is human, and they can make mistakes too, which could harm the organisation. To counter this, companies should have good privileged access policies in place, and should avoid built-in ‘administrator’ or ‘root’ accounts in favour of personal accounts tied to the individual. Should an event occur, or something go amiss, this will give the business a way of pinpointing anyone involved in suspect or anomalous behaviour.”
O’Reilly says to bear in mind that since it is impossible to stop an insider before they get in, early detection is crucial to limiting the damage. “Malicious insiders need to perform a number of steps before they can achieve their ends, and there are ways to stop them in that process.”
The first thing a business needs in order to do this is visibility into the network. Internal network traffic, access logs, policy violations and more need to be watched continuously for any anomalous behaviour. “The better you know what ‘normal’ activity on your network consists of, the better your chances of identifying suspicious activity. Understand how much traffic is normal, who should be accessing sensitive data and who should not, and what applications are used for the running of the business. Anything that does not meet these ‘normal’ criteria should be investigated, to prevent unauthorised access, policy violations, data exfiltration or internal reconnaissance.”
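The baselining described above, together with the earlier point about direct use of built-in ‘root’ or ‘administrator’ accounts, can be illustrated with a small detector run over access-log lines. The code below is an added example, not code from the article or any DRS product: the log format and every line are constructed, and the working-hours window, the volume factor and the list of sensitive resources are assumed thresholds rather than anything the article specifies.

```python
"""Added example: learn each user's 'normal' from a historical window of
access-log lines, then flag later events that fall outside it.  Log format,
log lines and all thresholds are constructed/assumed for illustration."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format: "<iso timestamp> user=.. src=.. action=.. resource=.. bytes=.."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) action=(?P<action>\S+) "
    r"resource=(?P<resource>\S+) bytes=(?P<bytes>\d+)$"
)
SHARED_ADMIN_ACCOUNTS = {"root", "administrator"}  # policy: never used directly
SENSITIVE = {"payroll", "personnel-files", "ledger"}  # assumed sensitive stores
WORK_HOURS = range(7, 20)   # assumed 07:00-19:59 local time
BYTES_FACTOR = 10           # assumed: >10x the user's baseline per-event mean

# Constructed historical window used to build the baseline.
HISTORY = [
    "2024-03-04T09:12:33 user=alice src=10.0.1.5 action=read resource=source-repo bytes=2000",
    "2024-03-05T14:20:10 user=alice src=10.0.1.5 action=read resource=ci-logs bytes=3000",
    "2024-03-04T10:01:00 user=bob src=10.0.1.6 action=read resource=ledger bytes=4000",
    "2024-03-06T16:45:12 user=bob src=10.0.1.6 action=write resource=payroll bytes=6000",
]

# Constructed recent events to evaluate against that baseline.
RECENT = [
    "2024-03-11T10:02:11 user=alice src=10.0.1.5 action=read resource=source-repo bytes=2200",
    "2024-03-11T23:40:05 user=alice src=10.0.1.5 action=read resource=payroll bytes=90000",
    "2024-03-11T11:15:00 user=root src=10.0.1.9 action=read resource=ledger bytes=1000",
    "2024-03-11T12:00:00 user=bob src=10.0.1.6 action=read resource=ledger bytes=4500",
    "2024-03-11T12:05:00 user=eve src=10.0.1.7 action=read resource=ticket-system bytes=100",
]


def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["bytes"] = int(ev["bytes"])
    return ev


def build_baseline(lines):
    """Per user: the set of resources touched and mean bytes per event."""
    resources, total, count = defaultdict(set), defaultdict(int), defaultdict(int)
    for ev in filter(None, map(parse, lines)):
        resources[ev["user"]].add(ev["resource"])
        total[ev["user"]] += ev["bytes"]
        count[ev["user"]] += 1
    return {u: {"resources": resources[u], "mean_bytes": total[u] / count[u]}
            for u in count}


def detect(lines, baseline):
    """Return (line, reason) pairs for events that deviate from the baseline."""
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            alerts.append((line, "unparseable line"))
            continue
        user, res = ev["user"], ev["resource"]
        if user in SHARED_ADMIN_ACCOUNTS:
            alerts.append((line, "direct use of shared built-in admin account"))
            continue
        base = baseline.get(user)
        if base is None:
            alerts.append((line, "user has no baseline"))
            continue
        if res in SENSITIVE and res not in base["resources"]:
            alerts.append((line, f"first access to sensitive resource {res}"))
        if ev["bytes"] > BYTES_FACTOR * base["mean_bytes"]:
            alerts.append((line, "volume far above baseline (possible exfiltration)"))
        if ev["ts"].hour not in WORK_HOURS:
            alerts.append((line, "access outside working hours"))
    return alerts


if __name__ == "__main__":
    for line, reason in detect(RECENT, build_baseline(HISTORY)):
        print(f"{reason}: {line}")
```

The one event that trips three rules at once (a user reading a payroll store they have never touched, late at night, at many times their usual volume) is the kind of thing a per-user baseline surfaces that a static rule on its own would not; the unknown user and the direct root login are the policy-violation cases, which need no baseline at all.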
Having good policies in place, and being aware, can limit your chances of suffering an insider attack, not only by stopping malicious employees but also by preventing honest ones from making genuine mistakes.