

06:16 PM
Eric Cole

Stopping Insider Attacks

There is no single thing you can do to prevent an attack from the inside. The concept of defense-in-depth applies here as it does to all areas of security. No single solution is going to make you secure. Only by putting many defense measures together will you be secure, and those measures must encompass both preventive and detective measures.

Some of the key things that can be done to prevent or minimize the damage of the insider threat are the following:

  • Security awareness. Employees, contractors, and any other insiders need to be educated on how to protect corporate assets. They need to understand the dangers and methods of social engineering and be careful what information they give out. They also have to be cognizant that insiders could exist at their companies and not only do their part to protect corporate assets (for example, locking their workstations), but they also have to look for indications of insider threats and report them to the correct parties.

  • Separation of duties. Any critical job function or access to critical information should involve two or more people. A single person then cannot carry out an inside attack alone; at least two people would have to collude, which is both harder to arrange and easier to detect.

  • Rotation of duties. All critical jobs should have multiple people who perform the roles, and those people should be rotated through periodically. If a person knows that someone else is going to be performing a given role in two months, then it will be much harder for them to commit fraud or other insider attacks because there is a good chance someone might catch it later.

  • Least privilege. Any additional access that someone has can be used against the company. Although access is needed for people to perform their jobs, this access should be carefully controlled. People should be given only the access they need to do their jobs -- and nothing else.

  • Controlled access. Access is what an attacker, inside or outside, uses to compromise an organization. The more precisely a company knows what access each person actually has, the better it can control it and revoke what is no longer needed.

  • Logging and auditing. Organizations must know what is happening on their networks, and this information must be reviewed on a regular basis. If someone's actions are not logged, then a company will have no idea who did what and will not be able to detect the insider. Even if this information is logged, if it is not reviewed on a regular basis, then an organization will not be able to catch an attacker in a timely manner.

  • Policies. A policy states what a company's stance is on security and what is expected of anyone with inside access. A policy is a mandatory document that is clear and concise and that everyone must follow. If a policy does not exist, then how do insiders know what is expected of them? I once knew an employee who bragged about making copies of software when he left a company. When I questioned him about the legality of this and whether it was theft, he replied simply, "I never signed anything." Policy must be presented to insiders in a way they understand, and it must be made clear that they have to follow it.

  • Defense-in-depth. When it comes to network security, there is no silver bullet. No single solution is going to make you secure. Organizations must deploy a layered security model, with checks and balances across each layer.

  • Look beyond technology. Many inside attacks are not technology-driven. Organizations must realize that nontechnology-based solutions need to be implemented across the company.

  • Archive critical data. Any critical information must be properly archived and protected, so that all of the intellectual property is not in one place should a system get destroyed or compromised.

  • Complete solution. Any solution that is implemented must include all aspects of the company: people, data, technology, procedures, and policies.
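Several of the controls above (separation of duties, least privilege, controlled access, and logging and auditing) only pay off if someone actually reviews the records. The following script is an added example, not code from the article or its author, showing what such a review can look like in practice: it runs over a small constructed audit log and flags a transaction that one person both initiated and approved, an access to a resource the actor's role is not entitled to, and any action that was recorded without an actor at all (the case where logging has failed and nothing can be attributed). The role table, the event fields, the actor names and the log entries are all hypothetical.

```python
"""Audit-log review for insider-threat indicators.

Added example, not from the original article. It checks constructed
audit records against three of the controls discussed above:
  - separation of duties: no single actor may both initiate and approve
    the same critical transaction;
  - least privilege / controlled access: each actor may touch only the
    resources its role is entitled to;
  - logging and auditing: an action with no actor recorded cannot be
    attributed to anyone, so the review counts those separately.
The role table, event fields, names and log lines are hypothetical.
"""
from collections import defaultdict

# Hypothetical role-to-resource entitlements (the least-privilege baseline).
ROLE_ENTITLEMENTS = {
    "payments-clerk": {"payments"},
    "payments-approver": {"payments"},
    "hr-analyst": {"hr-records"},
    "dba": {"payments", "hr-records", "db-admin"},
}

# Constructed audit log, one dict per event. In practice these would be
# parsed from application, database or SIEM records.
SAMPLE_LOG = [
    {"actor": "alice", "role": "payments-clerk", "action": "initiate", "resource": "payments", "txn": "P-1001"},
    {"actor": "bob", "role": "payments-approver", "action": "approve", "resource": "payments", "txn": "P-1001"},
    {"actor": "alice", "role": "payments-clerk", "action": "initiate", "resource": "payments", "txn": "P-1002"},
    {"actor": "alice", "role": "payments-clerk", "action": "approve", "resource": "payments", "txn": "P-1002"},
    {"actor": "carol", "role": "hr-analyst", "action": "read", "resource": "payments", "txn": None},
    {"actor": "dave", "role": "dba", "action": "read", "resource": "hr-records", "txn": None},
    {"actor": None, "role": None, "action": "approve", "resource": "payments", "txn": "P-1003"},
]


def find_sod_violations(events):
    """Return transaction ids where the same actor both initiated and approved.

    A transaction approved by its own initiator defeats the two-person rule.
    """
    by_txn = defaultdict(lambda: defaultdict(set))
    for e in events:
        if e["txn"] and e["actor"]:
            by_txn[e["txn"]][e["action"]].add(e["actor"])
    return sorted(t for t, acts in by_txn.items() if acts["initiate"] & acts["approve"])


def find_privilege_violations(events, entitlements=ROLE_ENTITLEMENTS):
    """Return (actor, resource) pairs where the actor's role is not entitled to the resource."""
    hits = []
    for e in events:
        if e["actor"] is None:
            continue
        allowed = entitlements.get(e["role"], set())
        if e["resource"] not in allowed:
            hits.append((e["actor"], e["resource"]))
    return hits


def count_unattributed(events):
    """Count events with no actor: the action happened but cannot be tied to anyone."""
    return sum(1 for e in events if not e["actor"])


def review(events, entitlements=ROLE_ENTITLEMENTS):
    """Run all three checks and return the findings as a dict."""
    return {
        "sod": find_sod_violations(events),
        "privilege": find_privilege_violations(events, entitlements),
        "unattributed": count_unattributed(events),
    }


if __name__ == "__main__":
    for name, finding in review(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

On the constructed log the review reports transaction P-1002 as a separation-of-duties violation, carol's read of the payments resource as outside her role's entitlements, and one unattributed approval. The third finding is the one practitioners most often miss: it does not point at a suspect, it points at a gap in logging that would let a real insider act without leaving an attributable record.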

Dr. Eric Cole, Ph.D., is a security expert with more than 15 years of hands-on experience. Cole has experience in information technology with a focus on perimeter defense, secure network design, vulnerability discovery, penetration testing, and intrusion detection systems. He is the author of several books, including Hackers Beware, Hiding in Plain Sight, Network Security Bible, and Insider Threat. He is the inventor of more than 20 patents, and is a researcher, writer, and speaker. Cole is a member of the Commission on Cyber Security for the 44th President and several executive advisory boards, and is CTO of the Americas for McAfee. Cole is involved with the SANS Technology Institute (STI) and SANS working with students, teaching, and maintaining and developing courseware. He is a SANS fellow, instructor, and course author. Dr. Cole has 20 years of hands-on experience in information technology with a focus on building out dynamic defense solutions that protect organizations from advanced threats. He has a Master's degree in computer science from NYIT and a Doctorate from Pace University, with a ...
