While you’re standing on the ramparts of your enterprise perimeter, scanning for bad guys, there may well be a threat right in your blind spot: Insiders. Maybe it’s someone truly malicious, like a spy. Maybe it’s someone pilfering for profit, the modern equivalent of someone stealing office supplies. Either way, the threat from trusted insiders is real: According to “Insider Threats and the Need for Fast and Directed Response,” a new survey from the SANS Institute, about a third of organizations have confirmed experiencing insider misuse incidents.
Another recent report, the Global State of Information Security Survey 2015 from PwC, found that the highest number of perpetrators of insider crimes were current employees (32%) followed by former employees (30%). Other perpetrators include partners, contractors and customers. While the 2015 Data Breach Investigations Report from Verizon adds that of insider incidents that occur, 37.6% were from ordinary end users, 16.8% were from cashiers, 11.2% from finance staff and 10.4% from executives.
If budgets represent priorities, we’ve definitely got a problem: The PwC survey comments that crimes caused by internal perpetrators are often more costly or damaging than those perpetrated by external groups. The SANS report adds that while more than half (52%) of respondents perceive negligent employees as the cause of significant damage, almost half (44%) are spending 10% or less of their IT budget on this insider threats, “so it’s clear why survey respondents also suffer a significant number of insider breaches.”
So what’s the motivation? According to Verizon, 40% of incidents were about stealing money, plain and simple, “whether they plan to monetize stolen data by selling it to others (such as with financial data) or by directly competing with their former employer.” Interestingly, according to Verizon, the second most common reason is convenience – using an unapproved workaround to speed things up or make it easier for the end user. Yet, even with good intentions, it’s a breach of trust, and a breach of security.
One more important statistic: The Verizon report states that the most prevalent malicious action by insiders was privilege abuse. That might mean using admin privileges on systems where the employee shouldn’t be poking around. Or it might mean using a supervisor’s password or key card, something that’s common in retail settings where the manager violates corporate protocols by delegating supervisory signoff.
Today, nearly all detection and prevention security solutions currently focus on stopping outsiders, not monitoring executives, systems administrators or the green eyeshade crowd. As the PwC report comments “many companies do not have an insider-threat program in place, and are therefore not prepared to prevent, detect, and respond to internal threats.” So unless you catch someone in the act, it’s going to require extensive monitoring to spot anomalies in network usage – like large email attachments being sent to an employee’s personal Gmail account, or a pattern of access failures in system logs. But there are a few proactive, preventive measures you can take to help make your organization more secure from insiders.
An ounce of prevention is worth a pound of cure. Start by ensuring that your organization has a well-organized, well-understood, well-maintained, and well-monitored security policy for both insiders and outsiders. Make sure it isn’t overly broad and permissive. Yes, it may keep your employees happy (users don’t like to have to contact administrators to request access resources because it slows down their productivity), but a permissive security policy won’t keep your corporate resources safe. Also, an out-of-date security policy may not be effective, especially if it allows access to resources that are no longer present, or have moved.
Once you have developed a solid security policy, you’ll want to ensure that it’s applied and managed consistently and correctly across your enterprise network. The best way to do that is through automation. Automated security policy management will not only eliminate mistakes (either accidental or intentional) but also provide the oversight and logs that can detect tampering.
Watch the watcher. In addition to monitoring employees, make sure that anyone with privileged rights to the enterprise infrastructure and the security policy is truly trusted and keep an eye on them. (Here’s a blog post with some practical suggestions.) Also, program your enterprise infrastructure to generate alerts if certain security policies are changed – and ensure that high ups in the food chain get those alerts.
Check what’s going out, not just what’s coming in. While you’re looking at the network policies, verify the outbound access you allow employees to have while on your network. Lock down what’s not needed — for example, if your company doesn’t use Dropbox or Google Drive, lock them out. Here’s a good post on how to filter outbound traffic at the firewall.
With the threat landscape changing every 30 days it would seem that outsider threats are the obvious place to train your biggest security guns. But never forget that you also likely face significant threats from your employees and contractors. A recent AlgoSec report found that 73% of organizations consider insiders to be a top concern. While hackers may be more newsworthy, insider threats are real, dangerous and costly.
This blog post was originally published in Information Security Buzz.
Receive notifications of new posts by email.