
Five common insider threats and how to mitigate them

Users can be an enterprise's best defense or its worst enemy. They have access to valuable network resources and information that can be misused, whether accidentally or intentionally. This tip explains five common insider threats and offers advice for mitigating each of them.

Despite the continuous growth of malware and other external threats, insiders still pose a significant threat to enterprises.

According to Gartner, more than 70% of unauthorized access to data is committed by an organization's own employees. But don't fret. There are steps you can take to protect against common insider threats without breaking the bank.

Let's look at five insider threats that pose a danger to sensitive information along with tactics for mitigating them.

1.) Exploiting information via remote access software

A considerable amount of insider abuse is performed offsite via remote access software such as Terminal Services, Citrix and GoToMyPC. Simply put, users are less likely to be caught stealing sensitive information when they can do it offsite, away from colleagues and physical controls. Also, inadequately protected remote computers can end up in the hands of a third party if a machine is left unattended, lost or stolen.

What you can do about it:
Solid share and file permissions are critical, as is OS and application logging. Many remote access solutions also let you tighten controls on specific features and system access, monitor employee sessions in real time and generate usage logs. Look closely at your system's configuration and determine which features and audit trails give you better management, reporting and security. Abuse commonly takes place during non-business hours, so consider restricting the hours during which users can connect remotely, and review the logs for connections that fall outside them.

Strong passphrase requirements help thwart guessed logins, and screen saver timeouts on remote computers keep a walk-up user from picking up an unattended session. Full-disk encryption protects the data on systems that are lost or stolen, as long as the machine is not left powered on and unlocked.
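The off-hours review suggested above can be automated. The following is an added example, not code from the original article or from any of the remote access products it names: it parses a constructed, simplified log format (timestamp, event, user, source IP, service), flags LOGON events that fall on a weekend or outside a 07:00-19:00 window, and tallies them per user. The log format, the business-hours window and the sample lines are all assumptions for the demo; real Terminal Services, Citrix or VPN logs differ, so parse_line() is the piece to adapt.

```python
"""Flag remote-access logons outside business hours.

Added example for this article, not code from the original. The log line
format below is a constructed, simplified one (timestamp, event, user,
source IP, service); real Terminal Services, Citrix or VPN logs differ,
so parse_line() is the piece to adapt.
"""
import re
from datetime import datetime, time

# Constructed sample log lines for the demo; not real data.
SAMPLE_LOG = """\
2009-03-02 08:15:02 LOGON user=jsmith src=203.0.113.10 svc=rdp
2009-03-02 23:47:19 LOGON user=jsmith src=203.0.113.10 svc=rdp
2009-03-03 13:05:44 LOGON user=akhan src=198.51.100.7 svc=citrix
2009-03-03 13:06:00 LOGOFF user=akhan src=198.51.100.7 svc=citrix
2009-03-07 02:12:09 LOGON user=akhan src=198.51.100.7 svc=citrix
"""

# Policy assumptions: business hours 07:00-19:00 local, Monday to Friday.
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)
WORKDAYS = range(0, 5)  # datetime.weekday(): 0 = Monday ... 4 = Friday

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<event>\w+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) svc=(?P<svc>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def is_off_hours(ts):
    """True if ts falls on a weekend or outside the business-hours window."""
    if ts.weekday() not in WORKDAYS:
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def find_off_hours_logons(log_text):
    """Return the LOGON records that occurred outside business hours."""
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["event"] != "LOGON":
            continue  # skip malformed lines and non-logon events
        if is_off_hours(rec["ts"]):
            flagged.append(rec)
    return flagged


def count_by_user(records):
    """Number of flagged logons per user, for a quick who-to-ask-first list."""
    counts = {}
    for rec in records:
        counts[rec["user"]] = counts.get(rec["user"], 0) + 1
    return counts


if __name__ == "__main__":
    flagged = find_off_hours_logons(SAMPLE_LOG)
    for rec in flagged:
        print(f"{rec['ts']} {rec['user']} from {rec['src']} via {rec['svc']}")
    print(count_by_user(flagged))
```

Run against the sample, it reports the Monday 23:47 RDP logon and the Saturday 02:12 Citrix logon and ignores the LOGOFF event. Timestamps are treated as local time; if your logs are in UTC, convert before applying the window.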

2.) Sending out information via e-mail and instant messaging

Sensitive information can simply be included in, or attached to, an e-mail or instant message. Although this is a serious threat, it is also one of the easier ones to detect and reduce.

What you can do about it:
An effective way to catch sensitive information leaving the network is to set up a network analyzer at the egress point and filter on keywords, specific attachment types and similar indicators.

You can also use client- or server-based content filtering to catch and block sensitive information on its way out. Perimeter-based or outsourced messaging security solutions, however, offer content filtering and blocking that is much easier to manage.

Keep in mind that none of these work well if message traffic is encrypted; at best, filtering will highlight the fact that such communication is taking place. Speaking of which, now is a good time to review your firewall rules to determine not only what is allowed into the network but also what is allowed out.
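To make the content-filtering idea concrete, here is an added example (not code from the original article or from any messaging security product it mentions) of a minimal outbound filter. It walks a raw message with Python's standard email library, checks the body and any readable attachment for policy keywords, SSN-like patterns and Luhn-valid card numbers, blocks attachment types that should never leave, and flags encrypted or compressed attachments it cannot see inside, which is the gap noted above. The keyword list, the extension lists, the verdict rules and the sample message are all constructed for the demo.

```python
"""Outbound message content filter: keywords, data patterns and attachments.

Added example for this article, not code from the original or from any
product it mentions. The keyword list, the blocked and opaque extension
lists and the sample message are all constructed for the demo; a real
deployment would load the policy from configuration and run at the mail
relay or on the client.
"""
import re
from email import message_from_string
from email.message import EmailMessage

KEYWORDS = ("confidential", "internal only", "project falcon")
BLOCKED_EXTENSIONS = (".mdb", ".pst", ".bak")        # never leave the network
OPAQUE_EXTENSIONS = (".zip", ".7z", ".pgp", ".gpg")  # cannot be inspected here
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits):
    """Luhn checksum; keeps order and phone numbers from being flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def scan_text(text):
    """Return a list of policy findings for a piece of text."""
    findings = []
    lowered = text.lower()
    for kw in KEYWORDS:
        if kw in lowered:
            findings.append(f"keyword:{kw}")
    if SSN_RE.search(text):
        findings.append("pattern:ssn")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            findings.append("pattern:card")
            break
    return findings


def scan_message(raw):
    """Walk a raw RFC 822 message and collect findings from body and attachments."""
    msg = message_from_string(raw)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        filename = part.get_filename()
        if filename:
            lowered = filename.lower()
            if lowered.endswith(BLOCKED_EXTENSIONS):
                findings.append(f"attachment:blocked:{filename}")
            elif lowered.endswith(OPAQUE_EXTENSIONS):
                # Encrypted or compressed content: the filter cannot see inside.
                findings.append(f"attachment:uninspectable:{filename}")
            else:
                text = payload.decode("utf-8", "replace")
                findings += [f"{f}@{filename}" for f in scan_text(text)]
        elif part.get_content_type() == "text/plain":
            findings += scan_text(payload.decode("utf-8", "replace"))
    return findings


def verdict(findings):
    """Map findings to an action: block, quarantine for review, or allow."""
    if any(f.startswith(("keyword:", "pattern:", "attachment:blocked:")) for f in findings):
        return "block"
    if any(f.startswith("attachment:uninspectable:") for f in findings):
        return "quarantine"
    return "allow"


def build_sample():
    """Constructed outbound message used for the demo (not real data)."""
    msg = EmailMessage()
    msg["From"] = "jsmith@example.com"
    msg["To"] = "buddy@example.net"
    msg["Subject"] = "numbers you asked for"
    msg.set_content(
        "Here is the Project Falcon budget. Internal only.\n"
        "Order 1234567890123 shipped.\n"
        "Card on file: 4111 1111 1111 1111\n"
    )
    msg.add_attachment("col1,col2\n1,2\n", subtype="csv", filename="budget.csv")
    msg.add_attachment(b"PK\x03\x04 not a real archive", maintype="application",
                       subtype="zip", filename="archive.zip")
    return msg.as_string()


if __name__ == "__main__":
    found = scan_message(build_sample())
    print(found, "->", verdict(found))
```

On the sample message the filter reports the two keyword hits and the Luhn-valid card number from the body, finds nothing in the CSV, notes that archive.zip could not be inspected, and returns "block". The 13-digit order number is matched by the card pattern but rejected by the Luhn check, which is what keeps this kind of filter from drowning you in false positives.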

3.) Sharing sensitive files on P2P networks

Whether or not you allow peer-to-peer file sharing software such as Kazaa, or IM clients, on your network, odds are it's there and waiting to be abused. The software in and of itself is not the problem; it's how it's used that causes trouble. All it takes is a simple misconfiguration of the shared-folder settings to serve up local and network drives to the world.

What you can do about it:
If your organization allows P2P software, it behooves you to make sure users are aware of the dangers. Certain perimeter-based P2P content monitoring solutions can also help keep sensitive data safe.

If you don't want P2P software on your network, you can try blocking it at the firewall; however, P2P clients are designed to find whatever outbound ports are open, so port-based blocking alone is unreliable. This is another good use for a network analyzer, and more justification for performing a firewall rule audit.

The ideal solution is to prevent P2P file sharing traffic from ever entering or leaving the network. The only effective methods I've found for this are to use a P2P firewall at the perimeter or personal firewall software with application protection.
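The firewall rule review recommended in the e-mail section and the rule audit called for here both come down to the same question: which egress rules let arbitrary new connections out? The following is an added example, not code from the original article, that reads an iptables-save style dump and flags a default ACCEPT policy on an egress chain, ACCEPT rules with no destination port restriction, and ACCEPT rules spanning a large port range, while skipping stateful rules that only admit return traffic. The sample dump, the choice of OUTPUT and FORWARD as egress chains and the MAX_RANGE threshold are this example's own assumptions; on a real system you would feed in the output of `iptables-save`.

```python
"""Egress firewall rule audit over an iptables-save style dump.

Added example for this article, not code from the original. The rule dump
below is constructed for the demo; on a real system you would feed in the
output of `iptables-save`. The heuristics (flag a default ACCEPT policy on
an egress chain, ACCEPT rules with no destination port, and ACCEPT rules
spanning more than MAX_RANGE ports) are this example's own policy choices.
"""
import shlex

EGRESS_CHAINS = ("OUTPUT", "FORWARD")
MAX_RANGE = 100  # an ACCEPT covering more ports than this is worth a look

# Constructed sample, in iptables-save format (not a real ruleset).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s 10.0.0.0/8 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 10.0.0.0/8 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -s 10.0.0.0/8 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -s 10.0.0.0/8 -p tcp -m multiport --dports 1024:65535 -j ACCEPT
-A FORWARD -s 10.0.5.0/24 -j ACCEPT
-A FORWARD -j DROP
COMMIT
"""


def parse_rule(line):
    """Pull chain, target, protocol, destination ports and conntrack states out of an -A line."""
    toks = shlex.split(line)
    rule = {"chain": None, "target": None, "proto": None, "ports": [], "states": None}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-A":
            rule["chain"] = toks[i + 1]
        elif t == "-j":
            rule["target"] = toks[i + 1]
        elif t == "-p":
            rule["proto"] = toks[i + 1]
        elif t in ("--dport", "--dports"):
            rule["ports"].extend(toks[i + 1].split(","))
        elif t in ("--state", "--ctstate"):
            rule["states"] = toks[i + 1].split(",")
        else:
            i += 1  # option we do not care about (or its value); move on
            continue
        i += 2  # option plus its value
    return rule


def port_count(spec):
    """Number of ports covered by a single port or a lo:hi range spec."""
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(hi) if hi else 65535) - (int(lo) if lo else 0) + 1
    return 1


def audit(dump):
    """Return human-readable findings for permissive egress rules."""
    findings = []
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            if chain in EGRESS_CHAINS and policy == "ACCEPT":
                findings.append(f"{chain}: default policy ACCEPT, so anything not explicitly dropped gets out")
        elif line.startswith("-A"):
            rule = parse_rule(line)
            if rule["chain"] not in EGRESS_CHAINS or rule["target"] != "ACCEPT":
                continue
            if rule["states"] is not None and "NEW" not in rule["states"]:
                continue  # return traffic only; it cannot open a new outbound connection
            if not rule["ports"]:
                findings.append(f"{rule['chain']}: allows any port: {line}")
            else:
                span = sum(port_count(p) for p in rule["ports"])
                if span > MAX_RANGE:
                    findings.append(f"{rule['chain']}: allows {span} ports: {line}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

On the sample ruleset the audit flags three things: the FORWARD chain's default ACCEPT policy, the 1024:65535 high-port rule (64,512 ports, exactly the range a port-hopping P2P client will use) and the 10.0.5.0/24 rule that allows any port. The ESTABLISHED,RELATED rule is correctly left alone, since it cannot open new outbound connections.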

4.) Careless use of wireless networks

Perhaps the least intentional insider threat is insecure wireless network usage. Whether at a coffee shop, airport or hotel, unsecured airwaves can easily put sensitive information in jeopardy. All it takes is a peek into e-mail communications or file transfers for valuable data to be stolen. Wi-Fi networks are most susceptible to these attacks, but don't overlook Bluetooth on smartphones and PDAs. Also, if you have WLANs inside your organization, employees could use them to exploit the network after hours.

What you can do about it:
You cannot control the airwaves outside your office, but you can make hotspot use safe for your Wi-Fi users. This entails a VPN for remote network connectivity, a personal firewall to keep other hotspot users from connecting to the laptop, and SSL/TLS for all messaging (e.g., Webmail over HTTPS, and POP3S, IMAPS and SMTP over TLS rather than their plaintext counterparts).

Ensure your internal wireless networks are secure. Use proper encryption and authentication (WPA2 at a minimum; WEP and the original WPA with TKIP are broken and should not be relied on) and enable logging. Also, try to use directional antennas and reduce the transmit power on your access points to keep wireless signals inside your building. Disabling Bluetooth if it's not needed, or at least making devices non-discoverable, also cuts down on wireless attacks.

5.) Posting information to discussion boards and blogs

Quite often users post support requests, blog entries or other work-related messages on the Internet. Whether intentional or not, these can include sensitive information and file attachments that put your organization at risk.

What you can do about it:
Filtering content in HTTP and e-mail communications at the network perimeter is the best way to check for and block sensitive information going out to such sites. However, information may still leak out via encrypted transmissions or from users' personal machines. Either way, it pays to stay abreast of what is being said about your organization on the Web. A good way to do this is to subscribe to Google Alerts so you are notified whenever certain keywords appear online. General Google Web and Groups queries can often uncover material as well. Bear in mind that this only finds information exposed to Google's crawlers, which may exclude a large number of discussion boards.

If you implement these technical safeguards alone, they'll work (albeit in a vacuum) in the short term. For long-term business value, however, they must be mated to business policies that spell out "this is how we do it here." Combined with user awareness and security metrics for determining whether your countermeasures are working as intended, this can provide excellent protection against insider threats. It may even provide the justification for a high-end network-based content monitoring solution down the road.

About the author
Kevin Beaver is an independent information security consultant, author and speaker with Atlanta-based Principle Logic, LLC. He has more than 18 years of experience in IT and specializes in performing information security assessments. Kevin has written five books, including Hacking For Dummies (Wiley), Hacking Wireless Networks For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at kbeaver @
