

06:16 PM
Eric Cole

Stopping Insider Attacks

There is no single thing you can do to prevent an attack from the inside. The concept of defense-in-depth applies here as it does to all areas of security. No single solution is going to make you secure. Only by putting many defense measures together will you be secure, and those measures must encompass both preventive and detective measures.

Some of the key things that can be done to prevent or minimize the damage of the insider threat are the following:

  • Security awareness. Employees, contractors, and any other insiders need to be educated on how to protect corporate assets. They need to understand the dangers and methods of social engineering and be careful what information they give out. They also have to be cognizant that insiders could exist at their companies and not only do their part to protect corporate assets (for example, locking their workstations), but they also have to look for indications of insider threats and report them to the correct parties.

  • Separation of duties. Any critical job function or access to critical information should involve two or more people. This prevents a single person from committing an inside attack.

  • Rotation of duties. All critical jobs should have multiple people who perform the roles, and those people should be rotated through periodically. If a person knows that someone else is going to be performing a given role in two months, then it will be much harder for them to commit fraud or other insider attacks because there is a good chance someone might catch it later.

  • Least privilege. Any additional access that someone has can be used against the company. Although access is needed for people to perform their jobs, this access should be carefully controlled. People should be given only the access they need to do their jobs -- and nothing else.

  • Controlled access. Access is what someone is going to use to compromise an organization. The more a company knows what access people have, the better they can control it.

  • Logging and auditing. Organizations must know what is happening on their networks, and this information must be reviewed on a regular basis. If someone's actions are not logged, then a company will have no idea who did what and will not be able to detect the insider. Even if this information is logged, if it is not reviewed on a regular basis, then an organization will not be able to catch an attacker in a timely manner.

  • Policies. A policy states what a company's stance is on security and what is expected of anyone with inside access. A policy is a mandatory document that is clear and concise and that everyone must follow. If a policy does not exist, then how do insiders know what is expected of them? I once knew an employee who bragged about making copies of software when he left a company. When I questioned his concern of legality and theft, he replied simply by saying, "I never signed anything." This information must be presented to them in a way they understand, and it must be made clear they have to follow it.

  • Defense-in-depth. When it comes to network security, there is no silver bullet. No single solution is going to make you secure. Organizations must deploy a layered security model, with checks and balances across each layer.

  • Look beyond technology. Many inside attacks are not technology-driven. Organizations must realize that nontechnology-based solutions need to be implemented across the company.

  • Archive critical data. Any critical information must be properly archived and protected. This way all the IP is not in one place should a system get destroyed or compromised.

  • Complete solution. Any solution that is implemented must include all aspects of the company: people, data, technology, procedures, and policies.
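
As an added illustration of the separation-of-duties and logging-and-auditing items above (example code written for this page, not from the author), the following review runs over a constructed audit log and flags critical requests that were carried out without a second person's prior approval. The log format, field names, and PAY-* identifiers are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample audit log (assumed format): one row per logged event.
SAMPLE_LOG = """\
timestamp,actor,action,request_id
2020-08-03T09:00:00,alice,request,PAY-1001
2020-08-03T09:05:00,bob,approve,PAY-1001
2020-08-03T09:06:00,alice,execute,PAY-1001
2020-08-03T10:00:00,carol,request,PAY-1002
2020-08-03T10:01:00,carol,approve,PAY-1002
2020-08-03T10:02:00,carol,execute,PAY-1002
2020-08-03T11:00:00,dave,request,PAY-1003
2020-08-03T11:30:00,dave,execute,PAY-1003
2020-08-03T12:00:00,erin,request,PAY-1004
2020-08-03T12:05:00,erin,execute,PAY-1004
2020-08-03T12:30:00,frank,approve,PAY-1004
"""

def review_separation_of_duties(log_text):
    """Return {request_id: reason} for executed requests lacking two-person control."""
    by_request = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        by_request[row["request_id"]].append(row)

    findings = {}
    for request_id, rows in sorted(by_request.items()):
        executed = [r["timestamp"] for r in rows if r["action"] == "execute"]
        if not executed:
            continue  # never carried out, so nothing to review
        first_exec = min(executed)  # ISO 8601 timestamps sort as strings
        requesters = {r["actor"] for r in rows if r["action"] == "request"}
        approvals = [r for r in rows if r["action"] == "approve"]
        # An approval only counts if it comes from someone other than the requester.
        independent = [r for r in approvals if r["actor"] not in requesters]
        if not approvals:
            findings[request_id] = "executed without any approval"
        elif not independent:
            findings[request_id] = "approved only by its requester"
        elif min(r["timestamp"] for r in independent) > first_exec:
            findings[request_id] = "independent approval came after execution"
    return findings

if __name__ == "__main__":
    for request_id, reason in review_separation_of_duties(SAMPLE_LOG).items():
        print(f"{request_id}: {reason}")
```

Running a review like this on a schedule addresses both halves of the logging item: the actions are recorded, and the records are actually examined.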

    Dr. Eric Cole, Ph.D., is a security expert with more than 15 years of hands-on experience. Cole has experience in information technology with a focus on perimeter defense, secure network design, vulnerability discovery, penetration testing, and intrusion detection systems. He is the author of several books, including Hackers Beware, Hiding in Plain Sight, Network Security Bible, and Insider Threat. He is the inventor of more than 20 patents, and is a researcher, writer, and speaker. Cole is a member of the Commission on Cyber Security for the 44th President and several executive advisory boards, and is CTO of the Americas for McAfee. Cole is involved with the SANS Technology Institute (STI) and SANS working with students, teaching, and maintaining and developing courseware. He is a SANS fellow, instructor, and course author. Dr. Cole has 20 years of hands-on experience in information technology with a focus on building out dynamic defense solutions that protect organizations from advanced threats. He has a Master's degree in computer science from NYIT and a Doctorate from Pace University, with a ...

