Did you ever think that the person sitting next to you could be considered an insider threat to your organization? It is hard to believe the malicious activity could be so close to home, however when you consider that hackers use social profiles to target users with elevated privilege to systems or data it raises an eyebrow. According to a 2015 Black Hat Survey 45% of hackers say that privileged account credentials are their most coveted target. Hackers are looking to take advantage of the insider and exploiting those privileges because these insiders have access to the most sensitive and lucrative data. Secondarily, the insider or person you have coffee with maybe involved in espionage (spying), data destruction and data theft.
How does this lend to a new perspective? Most of the time when I discuss cyber criminals they fall into these broad categories:
- Organized Crime -Much like Al Capone ran an organized crime syndicate with the purpose of profiting from smuggled alcohol. The twenty first century organized crime profits from stolen and smuggled credit cards, holding systems hostage and stolen IP. Extortion, fraud and theft are their calling cards.
- Hactivists – Those exploiting the internet and stealing secrets for social causes, think of Anonymous.
- Nation State – Secret groups in governments all over the worlds designed to spy, steal government and private intellectual property.
- The Black Hat – The renegade hacker or individuals who hack for fun or simply to spread chaos.
But, the insider could be you or me, it is anyone with access to systems or data. The insider is the careless user who shares a password or leaves their computer unlocked. The insider is the unknowing pawn to the criminal hacker installing malware and viruses as the result of a social engineering or spear-fishing attack. The insider is the person who uses their access for malicious activities, perhaps they are part of an organized crime ring, a disgruntled employee or mentally unstable person. Regardless, the goal of the cyber-criminal whether on or off premise is to obtain the ‘keys to the kingdom’ that is access to files, systems and data.
Up until recently the most proactive measures to stop the insider were education campaigns targeted at good security practices, security policy and anti-virus tools. These measures are not enough and traditional solutions like IDS, IPS and firewalls are focused on the perimeter, not on the insider who is a user and consumer of data. So what approach can we take from an IT perspective to be proactive from the insider threat?
Enforce the concept of ‘least privilege’, in simpler terms, ensure that users, and especially privileged users, have access to only the files and systems that they need to effectively do their jobs. The receptionist needs a different set of access to systems than the accountant. This could go as far as only giving them access during the right times as well. Consider, does a receptionist need access to the directory after business hours?
Manage access to systems and files in a way that ensures the identity of every user. How can we ensure the right users are accessing systems and how can we prove who they say they are? Is a user name and password enough assurance for access to transactional data? Multi-factor authentication is the best way using something that a user knows like a password, something they have like a token and something about them physically like a fingerprint or facial scan. This may sound futuristic but when information is valuable more organizations are turning to multiple types of verification.
And finally we need to monitor what users are doing in real-time to ensure they aren’t accidently or maliciously changing and/or deleting data. When suspicious behavior is found, tools are needed to quickly find out who is performing an activity, and what is happening, so that security teams can quickly take action to minimize damage from potential threats. When especially high risk user activity is detected, access to sensitive systems can be automatically revoked.
How can you reduce the risk of the insider threat? Start with ‘least privilege’, restrict access to sensitive data to only those with need. Develop controls and policies to ensure users have the right privileges, challenge users when accessing sensitive data and monitor malicious behavior, lead with an Identity-Powered Security approach. To learn more about the insider and privileged users download the flashpoint paper Privileged Users: Managing Hidden Risk in Your Organization