To say that insider threat is an ancient problem is an understatement. The poet Virgil, circa 29BC wrote “…they pretend it's a votive offering: this rumor spreads. They secretly hide a picked body of men, chosen by lot there, in the dark body, filling the belly and the huge cavernous insides with armed warriors.” The text describes the original ‘Trojan Horse’ used as a subterfuge by the Greeks to enter the city of Troy and win a long running war.
Modern information security has its own equivalent of “beware Greeks bearing gifts” where a seemingly benign person or even applications inside the perimeter are in fact a malicious actor. According to the latest edition of the highly regarded Verizon Data Breach Investigations Report, a quarter of all breaches (25%) are described as having “involved internal actors”.
This description covers a wide range of insider threats from the gullible member of staff that has unwittingly given access to systems by sharing passwords, through to the disgruntled employee pilfering data before a planned exit – and all the way through to organized criminals that may have bribed, threatened or planted an accomplice within the target. The DBIR also notes that 51% of all breaches involved some type of criminal gang, a figure which has grown consistently over the last few years.
So even though a quarter of all breaches have an insider component, the problem often fails to gain the exposure it potentially warrants. One issue is cultural – we like to believe that we can trust the colleague sitting next to us and corporate etiquette is a complex sea to navigate, especially around IT security.
Another issue is a perceived inability to stop insider threat. According to a 2015 survey of 5,000 information security professionals conducted by The SANS Institute, only 31% of respondents believed that they “…have the ability to prevent/deter an insider incident/attack.”
Although this low figure could be seen as an admission that the problem is too complex, the reality is that absolute prevention or deterrent of an insider threat is futile.
Using the analogy of physically protecting a house against burglary – the locks on the doors, double glazed windows and the state of the art burglar alarm won’t stop a robber with a JCB (tractor) smashing down a wall, grabbing valuables and legging it. It also won’t stop an invited guest, pocketing a small yet valuable ornament without anybody noticing. Yet the protection of the physical perimeter makes the first attack less likely and placing a valuable ornament inside a locked display case deters the second insider threat.
This hardening of the outside and inside approach should also extend to information security and does not require the purchase of every single “magic bullet” software tool or cloud security service to setup the basics.
The reality is that many organizations are still failing to implement some of the fundamental measures that can protect against external and insider threat. For example, giving everybody administrator rights to applications that they have no need to administer is still surprisingly common. Unpatched operating systems are an issue, but they are easier to exploit for vulnerabilities if the attacker is already inside the perimeter on the internal LAN.
Another issue is the lack of a joined up exit policy. If a staff member leaves, moves to another department, subsidiary company, takes maternity leave or sabbatical is there a formal process for passing details on to the IT department for suspending access credentials? Also, is there validation that this process has actually taken place?
Enacting the above examples require no retooling and can be carried out using the built-in systems utilities of every operating system. Yet with the myriad of IT projects, compliance regulations and threat alerts – it is often hard focus on what will have the biggest impact in terms of reducing risk and mitigating damage of any type of attack.
The simplest approach is to firstly audit who has access, to what applications and crucially why? Next, run a vulnerability scan to find out what are the issues across the environment and then fix the ones that are easiest to address first.
Next, setup a workable least privilege environment using either built-in system admin tools or privilege access management (PAM) software. Although by no means the end of the journey, this approach will at least setup a foundation to build on.
A final point regarding insider threat is that, at least in theory, nobody is above the rules when it comes to following sensible security policies. However, it is unwise to upset the IT department as ultimately they often have the skills and access credentials to reap the most damage as a disgruntled employee. As such, having an exit policy designed for very senior IT administrators is something that every HR person may want to consider.
If you’re in the process of building your own privileged access management strategy, download this white paper ‘7 Steps to Complete Privileged Access Management’. And as always, contact us for more information.
Editors note: This article was original posted on InfoSecurity Magazine.
Brian Chappell, Chief Security Strategist
Brian has more than 30 years of IT and cybersecurity experience in a career that has spanned system integrators, PC and Software vendors, and high-tech multi-nationals. He has held senior roles in both the vendor and the enterprise space in companies such as Amstrad plc, BBC Television, GlaxoSmithKline, and BeyondTrust. At BeyondTrust, Brian has led Sales Engineering across EMEA and APAC, Product Management globally for Privileged Password Management, and now focuses on security strategy both internally and externally. Brian can also be found speaking at conferences, authoring articles and blog posts, as well as providing expert commentary for the world press.