Dark Reading is part of the Informa Tech Division of Informa PLC
Vulnerabilities / Threats // Insider Threats

4/8/2019 07:30 AM
Bryan Sartin
Commentary
Ignore the Insider Threat at Your Peril

Attacks from insiders often go undiscovered for months or years, so the potential impact can be huge. These 11 countermeasures can mitigate the damage.

The fear of cyber breaches looms heavy for many businesses, large and small. However, many companies are so busy looking for bad actors throughout the world that they ignore the threat from within their own walls.

According to Verizon's Insider Threat Report — which analyzes the insider cases from the 2018 Data Breach Investigations Report (DBIR) — 20% of the cybersecurity incidents and 15% of the data breaches investigated for the 2018 DBIR originated from people within the organization.

What's scarier, these attacks, which exploit internal data and system access privileges, are often discovered only months or years after they take place, making their potential impact on a business significant.

However, many organizations treat insider threats as a taboo subject. Companies are too often hesitant to recognize, report, or take action against employees who have become a threat to the organization, as though an insider incident were a black mark on their management processes and their name.

The Verizon Insider Threat Report aims to change this perception by offering organizations a data-driven view on how to identify pockets of risk within the employee base, real-life case scenarios, and countermeasure strategies to consider when developing a comprehensive insider threat program.

A key first step is to understand the types of insider threats that an organization can face. The Insider Threat Report profiles five distinct insider personalities.

  1. The Careless Worker: Employees or partners who misappropriate resources, break acceptable use policies, mishandle data, install unauthorized applications, and use unapproved workarounds. Their actions are inappropriate rather than malicious, and many fall within the world of "shadow IT" (i.e., outside of IT's knowledge and management).
  2. The Inside Agent: Insiders recruited, solicited, or bribed by external parties to exfiltrate data.
  3. The Disgruntled Employee: Insiders who seek to harm their organization via destruction of data or disruption of business activity.
  4. The Malicious Insider: Employees or partners with access to corporate assets who use existing privileges to access information for personal gain.
  5. The Feckless Third Party: Business partners who compromise security through negligence, misuse, or malicious access to or use of an asset.

So, how do you build countermeasures against inside actors?

There are several practical countermeasures to help organizations deploy a comprehensive insider threat program, which should involve close co-ordination across all departments from IT security, legal, and HR to incident response and digital forensics investigators.

Two factors hold the key to this success: knowing what your assets are and who has access to them.

Ways to Fight Back
These 11 countermeasures can help reduce risks and enhance incident response efforts:

  • Integrate security strategies and policies: Integrating the other 10 countermeasures listed below, or, better yet, having a comprehensive insider threat program with other existing strategies (such as a risk management framework, human resources management, and intellectual property management) can help strengthen efficiency, cohesion, and timeliness in addressing insider threats.
  • Conduct threat-hunting activities: Refine threat-hunting capabilities such as threat intelligence, Dark Web monitoring, behavioral analysis, and endpoint detection and response (EDR) solutions to search, monitor, detect, and investigate suspicious user and user account activities, both inside and outside the enterprise.
  • Perform vulnerability scanning and penetration testing: Leverage vulnerability assessments and penetration tests to identify gaps within a security strategy, including potential ways for insider threats to maneuver within the enterprise environment.
  • Implement personnel security measures: Human resource controls (such as employee exit processes), security access principles, and security awareness training can mitigate the number of cybersecurity incidents associated with unauthorized access to enterprise systems.
  • Employ physical security measures: Physical methods of limiting access, such as identity badges and security doors, should be paired with digital access controls and monitoring such as card swipes, motion detectors, and cameras.
  • Implement network security solutions: Implement network perimeter and segment security solutions, such as firewalls, intrusion detection/prevention systems, gateway devices, and data loss prevention solutions in order to detect, collect, and analyze suspicious traffic potentially associated with insider threat activities. This will help highlight any unusual out-of-hours activity, volumes of outbound activity, and the use of remote connections.
  • Employ endpoint security solutions: Use established endpoint security solutions, such as critical asset inventories, removable media policies, device encryption and file integrity monitoring tools in order to deter, monitor, track, collect, and analyze user-related activity.
  • Apply data security measures: Apply data ownership, classification and protection as well as data disposal measures in order to manage the data life cycle and maintain confidentiality, integrity and availability with insider threats in mind.
  • Employ identity and access management measures: Employ identity, access, and authentication management measures to manage, limit, and protect access into the enterprise environment. This can be taken to the next level by employing a privileged access management solution for privileged accounts.
  • Establish incident management capabilities: Establishing an incident management process to include an insider threat playbook with trained and capable incident handlers will make cybersecurity response activities more efficient and more effective in addressing insider threat activities.
  • Retain digital forensics services: Keep an investigative response resource on retainer that is capable of conducting the full spectrum of deep-dive investigations, from the analysis of logs, files, endpoints, and network traffic, in what are often delicate, human-related (or user-account-related) cybersecurity incidents.
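The network-security countermeasure above names three signals worth surfacing: out-of-hours activity, unusual outbound volume, and remote connections. The following added example (not code from the article or from Verizon) scores constructed egress/VPN log lines for exactly those three signals per user; the log format, the business-hours window, and the 10x-median volume threshold are all assumptions for illustration.

```python
# Added example: per-user scoring of the three insider-threat signals the
# article names, over constructed log lines. Format, hours window and the
# volume threshold are assumptions, not any vendor's actual detection logic.
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample lines: <ISO timestamp> <user> <source type> <bytes out>
SAMPLE_LOG = """\
2019-04-01T09:12:00 alice office 120000
2019-04-01T10:40:00 alice office 95000
2019-04-01T14:05:00 bob office 40000
2019-04-01T15:30:00 alice office 110000
2019-04-02T03:10:00 bob vpn 48000000
2019-04-02T09:00:00 bob office 45000
2019-04-02T11:20:00 alice office 130000
2019-04-02T23:45:00 carol vpn 2000
"""

BUSINESS_HOURS = range(8, 19)   # 08:00 to 18:59 counts as in-hours (assumption)
VOLUME_MULTIPLIER = 10          # flag a session above 10x the user's median bytes out


def parse_log(text):
    """Turn the whitespace-separated sample format into (ts, user, src, bytes) rows."""
    rows = []
    for line in text.splitlines():
        ts, user, src, nbytes = line.split()
        rows.append((datetime.fromisoformat(ts), user, src, int(nbytes)))
    return rows


def find_insider_signals(rows):
    """Return {user: sorted signal names} for users with at least one flagged session."""
    by_user = defaultdict(list)
    for ts, user, src, nbytes in rows:
        by_user[user].append((ts, src, nbytes))
    findings = defaultdict(set)
    for user, sessions in by_user.items():
        # A per-user baseline: the median hides the one outlier session we want to catch.
        baseline = median(n for _, _, n in sessions)
        for ts, src, nbytes in sessions:
            if ts.hour not in BUSINESS_HOURS:
                findings[user].add("out-of-hours")
            if src == "vpn":
                findings[user].add("remote-connection")
            if nbytes > VOLUME_MULTIPLIER * baseline:
                findings[user].add("outbound-volume")
    return {u: sorted(s) for u, s in findings.items()}
```

In the sample, bob trips all three signals on the 03:10 VPN session, carol only the time and remote-connection signals, and alice none; in practice each user's baseline should come from weeks of history, not the same window being scored.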


As head of Verizon Global Security Services, Bryan Sartin keeps pace with the leading and bleeding edges of innovation in the security market, while maintaining the highest quality of service in delivery operations. He manages the proactive and reactive span of Verizon's ...
Comments
REISEN1955, User Rank: Ninja
4/8/2019 | 8:51:22 AM
Bad Practices: Turn good people into your enemy.
THE OUTSOURCED EMPLOYEE: If an employer wants to make a solid employee otherwise free of any intent at all, just outsource and have him or her train a replacement. That breaks all bargains. No loyalty at that point and, when a whole IT department is sent packing, a lot of assets go with them. 140 walked out of one firm a few years ago and I was part of another wholesale ransack JUST to save costs. That is worse than being fired; it is an insult.

WE RESPECT YOU IF YOU LEAVE BUT WE CAN FIRE IN A HEARTBEAT: Equal that with WE want two weeks' notice but we can fire YOU with a phone call this afternoon. Have a nice day. Oh really? I gave one day's notice for that reason to an employer who did terminate staff with just one or two days' notice. Revenge, pure and simple.

WE'RE SORRY WE FIRED YOU: Beware terminating critical personnel too. My daughter lost a real-estate position when the whole firm closed, 320 laid off, and among them was the IT guy who maintained asset inventory. Well, they suddenly wanted him back for a time to track non-returned inventory and ..... well, he told them they could put that offer where the sun did not shine. Result: lost inventory and assets.

One firm I worked for fired a lawyer and it turns out they needed him really bad. A mistake. They invited him back. No hard feelings. He was not offended nor did he turn bad employee BUT HE WAS FIRED so it was time to renegotiate salary!!!!!!