Pratum Blog

Careless and over-reaching employees.

We consistently hear about the cybersecurity threats posed by foreign governments, hacktivists, and organized crime. They are ever-present, and their methods of attack are increasingly complex. Organizations, both public and private, are spending billions of dollars to stop these attacks. However, there is one threat vector which is commonly overlooked: insider threats.

Insiders have authorization to access vast amounts of data. Because this access is authorized, it is harder to detect malicious activity with the same methods we use to detect external threats. Different controls should be implemented to prevent or detect different types of threats.

Some of your insider threats are people intending to do harm, while some are not. For purposes of this discussion, I will classify insider threats into three categories: the careless, the over-reachers, and the bad apples. The way you address these insider threats will vary based on your environment, but here are some things to consider.

The Careless

The careless are users who simply ignore policy, procedures, or best practices. Their actions, while not intentional, cause harm by allowing data to be viewed or used by those without access. Sometimes they even delete files they shouldn’t. One of the best ways to minimize the chance of this is by using strong access controls. Make sure users only have access to the systems and data they need to complete their jobs. This reduces the chance of an accidental misuse or disclosure of data.

The Over-reacher

Over-reachers are those who use their access beyond their authorization. Take for instance a network administrator. They have full access to every file on the network. They do not, however, have the authorization to browse the files at will. Doing this would divulge protected information and be a violation of the trust placed in them. Additional controls should be put in place to monitor the activity of system administrators. Reports should be generated and provided to someone other than that individual to detect use in excess of the granted authorization.

The Bad Apple

Now we get to the truly bad apples. Good luck detecting this bunch. They are crafty, know how to avoid detection, and work behind the scenes. Special care needs to be taken to develop controls which will specifically detect actions that indicate malicious internal users. Examples include monitoring the number of files copied from a network within a given period, large file transfers to removable media, and logins from abnormal locations or during off-hours. Behavioral analysis is critical to identify potential compromise.
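The three controls named above can be expressed as simple detection rules. The following is an added example, not code from the original post; the log format, the thresholds, the per-user location baseline and the action names (`login`, `file_copy`, `usb_write`) are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds and baselines are assumptions; tune them to your environment.
COPY_LIMIT = 3                        # file copies allowed per window
COPY_WINDOW = timedelta(minutes=10)
USB_BYTES_LIMIT = 500_000_000         # single write to removable media
WORK_HOURS = range(7, 19)             # 07:00-18:59 local time
KNOWN_LOCATIONS = {"alice": {"office"}, "bob": {"office"}, "carol": {"office"}}

# Constructed sample events: timestamp,user,action,detail,bytes
SAMPLE_LOG = """\
2024-03-04T09:05:00,alice,login,office,0
2024-03-04T09:30:00,alice,file_copy,/share/hr/policy.pdf,120000
2024-03-04T23:40:00,bob,login,office,0
2024-03-04T23:42:00,bob,file_copy,/share/finance/q1.xlsx,80000
2024-03-04T23:43:00,bob,file_copy,/share/finance/q2.xlsx,80000
2024-03-04T23:44:00,bob,file_copy,/share/finance/q3.xlsx,80000
2024-03-04T23:45:00,bob,file_copy,/share/finance/q4.xlsx,80000
2024-03-04T23:50:00,bob,usb_write,E:,750000000
2024-03-05T10:00:00,carol,login,hotel-wifi,0
"""

def detect(log_text):
    """Return (user, rule, timestamp) alerts for the three behaviours."""
    alerts = []
    copies = defaultdict(deque)       # user -> timestamps of recent copies
    for line in log_text.strip().splitlines():
        ts_raw, user, action, detail, size = line.split(",")
        ts = datetime.fromisoformat(ts_raw)
        if action == "login":
            if ts.hour not in WORK_HOURS:
                alerts.append((user, "off_hours_login", ts_raw))
            if detail not in KNOWN_LOCATIONS.get(user, set()):
                alerts.append((user, "unusual_location", ts_raw))
        elif action == "file_copy":
            window = copies[user]
            window.append(ts)
            while ts - window[0] > COPY_WINDOW:   # drop copies outside the window
                window.popleft()
            if len(window) > COPY_LIMIT:
                alerts.append((user, "bulk_file_copy", ts_raw))
                window.clear()                    # one alert per burst
        elif action == "usb_write" and int(size) >= USB_BYTES_LIMIT:
            alerts.append((user, "large_removable_transfer", ts_raw))
    return alerts

if __name__ == "__main__":
    for user, rule, when in detect(SAMPLE_LOG):
        print(f"{when}  {user:<6} {rule}")
```

As with the administrator reports discussed earlier, alerts like these should go to a reviewer other than the account being monitored.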

As you can see, the threat from internal sources is very real. Many would argue the overall risk to an organization is greater from internal threats than external threats. There’s a lot of research which supports that premise. The key is how you define risk. For more on this subject, read my article "Internal vs. External Threats - Which One Worries You More?".
