Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Insider Threats

4/8/2019
07:30 AM
Bryan Sartin
Bryan Sartin
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Ignore the Insider Threat at Your Peril

Attacks from insiders often go undiscovered for months or years, so the potential impact can be huge. These 11 countermeasures can mitigate the damage.

The fear of cyber breaches looms heavy for many businesses, large and small. However, many companies are so busy looking for bad actors throughout the world that they ignore the threat from within their own walls.

According to Verizon's Insider Threat Report — which analyzes cases involving bad actors from the 2018 Data Breach Investigation Report — 20% of cybersecurity incidents and 15% of the data breaches investigated within the Verizon 2018 DBIR originated from people within the organization.

What's scarier, these attacks, which exploit internal data and system access privileges, are often only found months or years after they take place, making their potential impact on a business significant.

However, many organizations often treat insider threats as a taboo subject. Companies are too often hesitant to recognize, report, or take action against employees who have become a threat to their organization. It's as though the insider threat is a black mark on their management processes and their name.

The Verizon Insider Threat Report aims to change this perception by offering organizations a data-driven view on how to identify pockets of risk within the employee base, real-life case scenarios, and countermeasure strategies to consider when developing a comprehensive insider threat program.

In no small part, the first step is to understand the types of insider threats than an organization can face. The Insider Threat Report profiles five distinct insider personalities.

  1. The Careless Worker: These are employees or partners who misappropriate resources, break acceptable use policies, mishandle data, install unauthorized applications, and use unapproved workarounds. Their actions are inappropriate as opposed to malicious, many of which fall within the world of "shadow IT" (i.e., outside of IT knowledge and management).
  2. The Inside Agent: Insiders recruited, solicited, or bribed by external parties to exfiltrate data.
  3. The Disgruntled Employee: Insiders who seek to harm their organization via destruction of data or disruption of business activity.
  4. The Malicious Insider: Employees or partners with access to corporate assets who use existing privileges to access information for personal gain.
  5. The Feckless Third Party: Business partners who compromise security through negligence, misuse, or malicious access to or use of an asset.

So, how do you build countermeasures against inside actors?

There are several practical countermeasures to help organizations deploy a comprehensive insider threat program, which should involve close co-ordination across all departments from IT security, legal, and HR to incident response and digital forensics investigators.

Two factors hold the key to this success: knowing what your assets are and who has access to them.

Ways to Fight Back
These 11 countermeasures can help reduce risks and enhance incident response efforts:

  • Integrate security strategies and policies: Integrating the other 10 countermeasures listed below, or, better yet, having a comprehensive insider threat program with other existing strategies (such as a risk management framework, human resources management, and intellectual property management) can help strengthen efficiency, cohesion, and timeliness in addressing insider threats.
  • Conduct threat-hunting activities: Refine threat-hunting capabilities such as threat intelligence, Dark Web monitoring, behavioral analysis, and endpoint detection and response (EDR) solutions to search, monitor, detect, and investigate suspicious user and user account activities, both inside and outside the enterprise.
  • Perform vulnerability scanning and penetration scanning: Leverage vulnerability assessments and penetration tests to identify gaps within a security strategy, including potential ways for insider threats to maneuver within the enterprise environment.
  • Implement personnel security measures: Human resource controls (such as employee exit processes), security access principles, and security awareness training can mitigate the number of cybersecurity incidents associated with unauthorized access to enterprise systems.
  • Employ physical security measures: Physical methods to limit access such as identity badges and security doors should coincide with digital access methods such as card swipes, motion detectors, and cameras.
  • Implement network security solutions: Implement network perimeter and segment security solutions, such as firewalls, intrusion detection/prevention systems, gateway devices, and data loss prevention solutions in order to detect, collect, and analyze suspicious traffic potentially associated with insider threat activities. This will help highlight any unusual out-of-hours activity, volumes of outbound activity, and the use of remote connections.
  • Employ endpoint security solutions: Use established endpoint security solutions, such as critical asset inventories, removable media policies, device encryption and file integrity monitoring tools in order to deter, monitor, track, collect, and analyze user-related activity.
  • Apply data security measures: Apply data ownership, classification and protection as well as data disposal measures in order to manage the data life cycle and maintain confidentiality, integrity and availability with insider threats in mind.
  • Employ identity and access management measures: Employ identity, access and authentication management measures to manage limit and protect access into the enterprise environment. This can be taken to the next level by employing a privileged access management solution for privileged access.
  • Establish incident management capabilities: Establishing an incident management process to include an insider threat playbook with trained and capable incident handlers will make cybersecurity response activities more efficient and more effective in addressing insider threat activities.
  • Retain digital forensics services: Have an investigative response retained resource available which is capable of conducting a full spectrum of deep-dive investigations ranging from the analysis of logs, files, endpoint, and network traffic, in often delicate and human-related (or user-account-related) cybersecurity incidents.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

As head of Verizon Global Security Services, Bryan Sartin keeps pace with the leading and bleeding edges of innovation in the security market, while maintaining the highest quality of service in delivery operations. He manages the proactive and reactive span of Verizon's ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
4/8/2019 | 8:51:22 AM
Bad Practices: Turn good people into your enemy.
THE OUTSOURCED EMPLOYEE: If an employer wants to make a solid employee otherwise free of any intent at all, just outsource and have him or her train a replacement.  That breaks all bargains.  No loyalty at that point and, when a whole IT department is sent packing - alot of assets go with them.   140 walked out of one firm a few years ago and I was part of another wholesale ransack JUST to save costs.   That is worse than being fired - it is an insult. 

WE RESPECT YOU IF YOUR LEAVE BUT WE CAN FIRE IN A HEARTBEAT: Equal that with WE want two weeks notice but we can fire YOU with a phone call this afternoon.  Have a nice day.  Oh really?   I gave one day notice for that reason to an employer who did terminate staff with just one or two day notice.   Revenge pure and simple

WE'RE SORRY WE FIRED YOU. Beware terminating critical personnel too.  My daughter lost a real-estate position when the wholel firm closed, 320 laid off and among them was the IT guy who maintained asset inventory.  Well they suddenly wanted him back for a time to track non-returned inventory and ..... well he told them they could put that offer where the sun did not shine.  Result: lost inventory and assets.   

One firm I worked for fired a lawyer and turns out they needed him realy bad.  A mistake.  They invited him back.  No hard feelings.  He was not offended nor did he turn bad employee BUT HE WAS FIRED so it was time to renegotiate salary!!!!!!
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
The Flaw in Vulnerability Management: It's Time to Get Real
Jim Souders, Chief Executive Officer at Adaptiva,  8/15/2019
5 Ways to Improve the Patching Process
Kacy Zurkus, Contributing Writer,  8/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5638
PUBLISHED: 2019-08-21
Rapid7 Nexpose versions 6.5.50 and prior suffer from insufficient session expiration when an administrator performs a security relevant edit on an existing, logged on user. For example, if a user's password is changed by an administrator due to an otherwise unrelated credential leak, that user accou...
CVE-2019-6177
PUBLISHED: 2019-08-21
A vulnerability reported in Lenovo Solution Center version 03.12.003, which is no longer supported, could allow log files to be written to non-standard locations, potentially leading to privilege escalation. Lenovo ended support for Lenovo Solution Center and recommended that customers migrate to Le...
CVE-2019-10687
PUBLISHED: 2019-08-21
KBPublisher 6.0.2.1 has SQL Injection via the admin/index.php?module=report entry_id[0] parameter, the admin/index.php?module=log id parameter, or an index.php?View=print&id[]= request.
CVE-2019-11601
PUBLISHED: 2019-08-21
A directory traversal vulnerability in remote access to backup & restore in earlier versions than ProSyst mBS SDK 8.2.6 and Bosch IoT Gateway Software 9.2.0 allows remote attackers to write or delete files at any location.
CVE-2019-11602
PUBLISHED: 2019-08-21
Leakage of stack traces in remote access to backup & restore in earlier versions than ProSyst mBS SDK 8.2.6 and Bosch IoT Gateway Software 9.2.0 allows remote attackers to gather information about the file system structure.