Insider threats pose a significant security risk to enterprises. By some accounts, more than 60% of organizations...
have experienced an insider threat attack -- is your enterprise next?
Don't fret. There are steps to take -- as well as signs to look for -- to detect and protect against common insider threats without breaking the bank.
Overall, there are three common types of insider threats: compromised insiders, such as an employee whose credentials were stolen; negligent insiders, for example, if an employee misplaces a laptop or incorrectly sends an email; and malicious insiders, including disgruntled employees, who commit acts such as theft, fraud, sabotage, espionage and blackmail.
These threats can be further broken down by how sensitive data is leaked. Here are six common insider threats that pose a danger to sensitive data, along with mitigation strategies for each.
1. Exploiting information via remote access software
Problem: A considerable amount of insider abuse is performed offsite via remote access tools. Users are less likely to be caught stealing sensitive data when they can do it off site. Plus, inadequately protected laptops, for example, may end up in the hands of an attacker if left unattended, lost or stolen. A number of remote access tools, namely Microsoft's remote desktop protocol (RDP), are particularly susceptible to infiltration.
Solution: Solid share and file permissions are critical, as are OS and application logging. With many remote access options, you can enable tighter security controls on certain features and system access, monitor employee usage in real time and generate usage logs. Look into the configuration of your system and determine which features and audit trails can provide better management, reporting and security. It's also common for abuse to take place during nonbusiness hours, so consider limiting the times that users can remotely access systems.
Strong passphrase requirements can thwart guessed logins, and requiring users to log in after power-saving timeouts can keep unauthorized users locked out. Encrypting system hard drives also helps protect systems that are lost or stolen. To prevent RDP risks, it's best to disable the protocol when possible. Otherwise, proper patching and using Group Policy are recommended.
2. Third-party threats
Problem: Third parties that have access to enterprise systems -- think contractors, part-timers, customers, suppliers and service providers -- can present a major risk to sensitive data. Also known as supply chain attacks or value-chain attacks, third-party attacks leave sensitive data and a company's reputation vulnerable, as evidenced in the 2013 Target breach in which customer data was stolen after an HVAC contractor's credentials were obtained by hackers.
Solution: Make sure any third party you work with is trustworthy -- look at their background and get references if possible. Second, have a sound third-party risk management program in place. Monitoring tools are instrumental in identifying malicious or anomalous behavior. User behavior analytics can detect erratic conduct. Restrict third-party access through the principle of least privilege to prevent access to anything on the network beyond what is needed to complete their job.
It is also important to regularly review third-party accounts to ensure system permissions are terminated after their work is completed. Regular user access reviews for employees and third parties alike is a critical security practice.
3. Leaking data via email and instant messaging
Problem: Sensitive information included in or attached to an email or IM can easily -- and, often, unintentionally -- end up in the wrong hands. This is one of the easiest types of insider threats to eliminate.
Solution: One of the most effective mitigation strategies to catch sensitive information leaving the network is to set up a network analyzer to filter keywords, attachments and so forth. Utilizing client- or server-based content filtering can also catch and block sensitive information from going out. Likewise, perimeter-based or outsourced messaging security mechanisms offer easy-to-manage content filtering and blocking.
Keep in mind that none of these options work well if message traffic is encrypted. However, filtering will at least highlight the fact that such communication is taking place. Speaking of which, be sure to regularly review enterprise firewall rules to determine not only what's allowed in, but also what's allowed out of the network.
4. Insecure file sharing
Problem: Whether or not you permit file-sharing software such as Dropbox or Google Drive, or collaboration tools such as IM, Slack or Skype, odds are they're on your network and waiting to be abused. The services themselves are not the problem; it's how they're used that causes trouble. All it takes is a simple misconfiguration to serve up your network's local and network drives to the world.
Solution: If your organization allows file-sharing and collaboration software, it behooves you to ensure that users are aware of the dangers. Monitoring tools can help enterprises detect and manage the use of file-sharing and collaboration tools.
If you don't want these services used, you can try blocking them at the firewall; however, sometimes the software is smart enough to find open ports to go out. Also note that if you have business-grade Dropbox, for example, you cannot disable personal Dropbox use and keep the enterprise version. Be sure to use a network analyzer and regularly perform a firewall rule audit.
5. Careless use of wireless networks
Problem: One of the most unintentional types of insider threats is insecure wireless network usage. Whether it's at a coffee shop, airport or hotel, unsecured airwaves can easily put sensitive data in jeopardy. All it takes is a peek into email communications or file transfers for valuable information to be stolen. Wi-Fi networks are most susceptible to these attacks, but don't overlook Bluetooth on smartphones and tablets. Also, if you have wireless LANs inside your organization, employees could use them to exploit the network after hours.
Solution: You cannot control the airwaves outside of your office, but you can enable secure Wi-Fi use. This entails using a VPN for remote network connectivity, a personal firewall to keep users from connecting to the wireless computer and SSL/TLS for all messaging.
Also ensure your internal wireless networks are secure. Use proper encryption and authentication -- WPA3 is the latest iteration of the Wi-Fi security protocol -- and enable logging. Disabling Bluetooth if it's not needed or at least making your devices nondiscoverable can also cut down on wireless attacks.
6. Posting information to discussion boards and blogs
Problem: Users often post support requests, blogs or other work-related messages on the internet. Intentional or not, this can include sensitive data and file attachments that may put your organization at risk.
Solution: Filtering HTTP content and email communications at the network perimeter is the best way to check for and block sensitive information from going out to such sites. However, there's always a chance that information may leak out via encrypted transmissions or from users' personal machines. In either case, it pays to stay abreast of new information about your organization on the web. A good way to do this is to subscribe to Google Alerts so you can be alerted anytime certain keywords show up on the internet. General Google queries can often uncover material as well. However, this only works for information made available to Google's bots, which may exclude some discussion boards.
The threat of malicious insiders isn't going away. The "2019 Verizon Data Breach Investigations" report said that 34% of all data breaches the previous year were the result of inside actors, up from 28% and 25% in 2017 and 2016, respectively.
If you implement these technical mitigation strategies alone, they'll work -- albeit in a vacuum -- for the short term. For long-term business value, ensure they're mated to an insider threat program, user awareness training and business policies that outline, "This is how we do it here." This, combined with security metrics for determining if your countermeasures are working appropriately, can provide excellent protection against all types of insider threats, compromised, negligent and malicious alike.
How to prevent insider threats