Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Insider Threats

07:30 AM
Bryan Sartin
Bryan Sartin
Connect Directly
E-Mail vvv

Ignore the Insider Threat at Your Peril

Attacks from insiders often go undiscovered for months or years, so the potential impact can be huge. These 11 countermeasures can mitigate the damage.

The fear of cyber breaches looms heavy for many businesses, large and small. However, many companies are so busy looking for bad actors throughout the world that they ignore the threat from within their own walls.

According to Verizon's Insider Threat Report — which analyzes cases involving bad actors from the 2018 Data Breach Investigation Report — 20% of cybersecurity incidents and 15% of the data breaches investigated within the Verizon 2018 DBIR originated from people within the organization.

What's scarier, these attacks, which exploit internal data and system access privileges, are often only found months or years after they take place, making their potential impact on a business significant.

However, many organizations often treat insider threats as a taboo subject. Companies are too often hesitant to recognize, report, or take action against employees who have become a threat to their organization. It's as though the insider threat is a black mark on their management processes and their name.

The Verizon Insider Threat Report aims to change this perception by offering organizations a data-driven view on how to identify pockets of risk within the employee base, real-life case scenarios, and countermeasure strategies to consider when developing a comprehensive insider threat program.

In no small part, the first step is to understand the types of insider threats than an organization can face. The Insider Threat Report profiles five distinct insider personalities.

  1. The Careless Worker: These are employees or partners who misappropriate resources, break acceptable use policies, mishandle data, install unauthorized applications, and use unapproved workarounds. Their actions are inappropriate as opposed to malicious, many of which fall within the world of "shadow IT" (i.e., outside of IT knowledge and management).
  2. The Inside Agent: Insiders recruited, solicited, or bribed by external parties to exfiltrate data.
  3. The Disgruntled Employee: Insiders who seek to harm their organization via destruction of data or disruption of business activity.
  4. The Malicious Insider: Employees or partners with access to corporate assets who use existing privileges to access information for personal gain.
  5. The Feckless Third Party: Business partners who compromise security through negligence, misuse, or malicious access to or use of an asset.

So, how do you build countermeasures against inside actors?

There are several practical countermeasures to help organizations deploy a comprehensive insider threat program, which should involve close co-ordination across all departments from IT security, legal, and HR to incident response and digital forensics investigators.

Two factors hold the key to this success: knowing what your assets are and who has access to them.

Ways to Fight Back
These 11 countermeasures can help reduce risks and enhance incident response efforts:

  • Integrate security strategies and policies: Integrating the other 10 countermeasures listed below, or, better yet, having a comprehensive insider threat program with other existing strategies (such as a risk management framework, human resources management, and intellectual property management) can help strengthen efficiency, cohesion, and timeliness in addressing insider threats.
  • Conduct threat-hunting activities: Refine threat-hunting capabilities such as threat intelligence, Dark Web monitoring, behavioral analysis, and endpoint detection and response (EDR) solutions to search, monitor, detect, and investigate suspicious user and user account activities, both inside and outside the enterprise.
  • Perform vulnerability scanning and penetration scanning: Leverage vulnerability assessments and penetration tests to identify gaps within a security strategy, including potential ways for insider threats to maneuver within the enterprise environment.
  • Implement personnel security measures: Human resource controls (such as employee exit processes), security access principles, and security awareness training can mitigate the number of cybersecurity incidents associated with unauthorized access to enterprise systems.
  • Employ physical security measures: Physical methods to limit access such as identity badges and security doors should coincide with digital access methods such as card swipes, motion detectors, and cameras.
  • Implement network security solutions: Implement network perimeter and segment security solutions, such as firewalls, intrusion detection/prevention systems, gateway devices, and data loss prevention solutions in order to detect, collect, and analyze suspicious traffic potentially associated with insider threat activities. This will help highlight any unusual out-of-hours activity, volumes of outbound activity, and the use of remote connections.
  • Employ endpoint security solutions: Use established endpoint security solutions, such as critical asset inventories, removable media policies, device encryption and file integrity monitoring tools in order to deter, monitor, track, collect, and analyze user-related activity.
  • Apply data security measures: Apply data ownership, classification and protection as well as data disposal measures in order to manage the data life cycle and maintain confidentiality, integrity and availability with insider threats in mind.
  • Employ identity and access management measures: Employ identity, access and authentication management measures to manage limit and protect access into the enterprise environment. This can be taken to the next level by employing a privileged access management solution for privileged access.
  • Establish incident management capabilities: Establishing an incident management process to include an insider threat playbook with trained and capable incident handlers will make cybersecurity response activities more efficient and more effective in addressing insider threat activities.
  • Retain digital forensics services: Have an investigative response retained resource available which is capable of conducting a full spectrum of deep-dive investigations ranging from the analysis of logs, files, endpoint, and network traffic, in often delicate and human-related (or user-account-related) cybersecurity incidents.

Related Content:



Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

As head of Verizon Global Security Services, Bryan Sartin keeps pace with the leading and bleeding edges of innovation in the security market, while maintaining the highest quality of service in delivery operations. He manages the proactive and reactive span of Verizon's ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
User Rank: Ninja
4/8/2019 | 8:51:22 AM
Bad Practices: Turn good people into your enemy.
THE OUTSOURCED EMPLOYEE: If an employer wants to make a solid employee otherwise free of any intent at all, just outsource and have him or her train a replacement.  That breaks all bargains.  No loyalty at that point and, when a whole IT department is sent packing - alot of assets go with them.   140 walked out of one firm a few years ago and I was part of another wholesale ransack JUST to save costs.   That is worse than being fired - it is an insult. 

WE RESPECT YOU IF YOUR LEAVE BUT WE CAN FIRE IN A HEARTBEAT: Equal that with WE want two weeks notice but we can fire YOU with a phone call this afternoon.  Have a nice day.  Oh really?   I gave one day notice for that reason to an employer who did terminate staff with just one or two day notice.   Revenge pure and simple

WE'RE SORRY WE FIRED YOU. Beware terminating critical personnel too.  My daughter lost a real-estate position when the wholel firm closed, 320 laid off and among them was the IT guy who maintained asset inventory.  Well they suddenly wanted him back for a time to track non-returned inventory and ..... well he told them they could put that offer where the sun did not shine.  Result: lost inventory and assets.   

One firm I worked for fired a lawyer and turns out they needed him realy bad.  A mistake.  They invited him back.  No hard feelings.  He was not offended nor did he turn bad employee BUT HE WAS FIRED so it was time to renegotiate salary!!!!!!
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
WannaCry Has IoT in Its Crosshairs
Ed Koehler, Distinguished Principal Security Engineer, Office of CTO, at Extreme Network,  9/25/2020
Safeguarding Schools Against RDP-Based Ransomware
James Lui, Ericom Group CTO, Americas,  9/28/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-27
XSS exists in the MobileFrontend extension for MediaWiki before 1.34.4 because section.line is mishandled during regex section line replacement from PageGateway. Using crafted HTML, an attacker can elicit an XSS attack via jQuery's parseHTML method, which can cause image callbacks to fire even witho...
PUBLISHED: 2020-09-27
An issue was discovered in the FileImporter extension for MediaWiki before 1.34.4. An attacker can import a file even when the target page is protected against "page creation" and the attacker should not be able to create it. This occurs because of a mishandled distinction between an uploa...
PUBLISHED: 2020-09-27
An issue was discovered in MediaWiki 1.34.x before 1.34.4. On Special:Contributions, the NS filter uses unescaped messages as keys in the option key for an HTMLForm specifier. This is vulnerable to a mild XSS if one of those messages is changed to include raw HTML.
PUBLISHED: 2020-09-27
In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, Special:UserRights exposes the existence of hidden users.
PUBLISHED: 2020-09-27
In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, XSS related to jQuery can occur. The attacker creates a message with [javascript:payload xss] and turns it into a jQuery object with mw.message().parse(). The expected result is that the jQuery object does not contain an <a> ...