In times of workforce uncertainty, such as experienced with company layoffs, broad economic downturns, or industry upheavals (as oil & gas is undergoing right now), employee morale and loyalty may be undermined. Situations like these present opportunities for insiders or terminated employees to inflict damage on their (former) employer, either innocently or maliciously. WikiLeaks and folks like Edward Snowden have upped the ante and stature of insider leaked data—but damaging leaks are happening stealthily at thousands of companies each year, potentially dimming their prospects, undermining their competitiveness, and causing attrition (or stealing) of customers. Whether or not your industry, or company, is experiencing tumult, it’s a good practice to routinely reassess insider risk across your organization.
Insider Risk isn’t Limited to Just Privileged IT Users
While systems hacking or sabotage is more frequently associated with technical personnel—especially those with access to privileged accounts, data loss can be equally associated with sales or customer service. Employees can sneak out valuable company data with them (often to their next company) using USBs, email, or via downloads from the cloud in CRM systems like Salesforce, Microsoft Office 365, GoogleDocs, DropBox, and Box. Information that commonly exits with employees includes client lists, IP, trade secrets, and other data. And, let’s not forget BYOD/BYOA—valued productivity enablers, but problematic when off-boarding employees depart with devices they own and operate filled with company data, and with access to systems, applications/shadow IT, etc.
In the arena of insider threats, traditional perimeter security measures, like firewalls, IPS, AV, and even NGFW’s, are easily circumvented by those individuals with the access, privileges, and know-how. Read on to learn some best practices, policies, and technologies to implement to, if not prevent, at least limit damage from insider threats.
1) Guard and (Rotate) the Keys to the Kingdom
Employees typically rely on dozens of applications to perform their roles. Ideally, the corresponding accounts for these employees should be de-provisioned, or the passwords changed, when they depart from the company. Yet, frequently, accounts fly under the radar, and shadow accounts and IT applications loom on the system. These orphaned IT accounts could potentially be accessed by the ex-employees, or discovered by a roving hacker, providing an inroad to further discovery on the network that could expose data or lead to other damage.
Businesses need to simplify access rights management without bogging down the IT team. Here the best practice would be to document every password and permission granted. The most scalable way to discover, map, and rotate the hundreds of privileged passwords across an organization is by leveraging automated enterprise password solutions.
2) Cut Off the Root
Another best practice, least privilege, goes hand in hand with password management. Hackers frequently look to gain an initial foothold through a low-level exploit, and then stealthily make lateral moves that allow them to escalate their privileges. Removing all root and admin access rights to servers and reducing every user to a standard user dramatically reduces the attack surface, while limiting the moves any insider, or other infiltrator, can make. Establishing an effective privileged access management (PAM) solution that allows users necessary access to privileged accounts through a secure environment that regularly rotates, while never exposing, passwords is a must.
3) Diffuse Slick Social Engineering Tricks
Social engineering ruses are some of the most difficult to obviate because they rely on humans. Terminated workers can leverage their knowledge of the company, and exploit the trust and sympathies of their still-employed former coworkers to pry access to systems or sensitive information.
However, with job insecurity hanging overhead, sometimes it’s just an unsettled employee exercising poor judgment while looking for a better opportunity. Savvy phishers know their best watering holes, and employees at a company publicly dealing with layoffs, or in an economically shaky industry, make for an appealing target. The Verizon Data Breach Digest details a recent incident where a “recruiter” reached out to a chief design engineer. In this case, the recruiter sent a document containing malicious software, which deployed onto the host systems and established a connection to a command and control (C2) server overseas. Whoops.
4) Mind the Endpoint
The proliferation of endpoints offers a multitude of data egresses. Insider threats might materialize in the way of a departing employee transferring sensitive data from a company laptop to a personal one. USB’s are often used for a quick data dump of customer lists, competitive data, or trade secrets—and, as with Stuxnet, they can also serve as an infection vector.
With the exploding diversity of endpoints (desktops, laptops tablets, smartphones, IoT, etc.) and complexity of platforms across any IT environment (Windows, Linux, Mac, etc.), it’s important to implement a unified endpoint management strategy. Also, ensure that endpoint security solutions are installed and updated. When smartphones, BYOD and company-issued, comprise a substantial slice of your corporate environment, enterprise mobility management (EMM) technologies (MDM, MCM, MAM, etc.) should be a strong component of that endpoint approach.
Again, applying a least privilege model, removing administrative rights on end user accounts, and using policy to dictate what applications can run with higher privileges will go a long way toward circumscribing what a hacker can do should they gain entry to your corporate systems.
For another layer of protection, evaluate DLP (data loss prevention) software, which can help thwart sensitive data from leaving the company by applying contextual parameters on content, based on company policies.
5) Monitoring & Behavioral Analytics Can Stop Breaches Early
By monitoring all the data that moves with your employees—on any device and in the cloud—you can rapidly react and remediate any access and misuse of confidential data. Sounds good, right? But, the reality is that IT teams have plenty of data--the problem is lasering in on key bits of information amidst a mountain of log files and other data. If the IT team itself is short-staffed, data management becomes even more untenable—at least without the right tools. A behavioral analysis solution can help correlate these log files to pinpoint high-risk activities, and flag them for investigation.
So, what are some early warning signs or red flags?
- Bulk exports of sensitive data, such as sales lead information
- Accessing parts of the system that they don’t ordinarily visit
- Editing object information, or deleting items
- Performing any of these actions at an unusual time or location—such as from home, or from an unrecognized IP late at night or on the weekend.
A former Zynga employee uploaded 760 Zynga files to a Dropbox account just before he left the company and went to work at a competitor, prompting a lawsuit that was settled out of court in 2013. This is a common data theft scenario that flies under the radar at millions of companies, potentially providing the competition with an (illegal) leg up. With the burgeoning quantity of sensitive data housed in the Cloud via SaaS solutions such as SalesForce or Dropbox, organizations should look to cloud security solutions that tether to APIs and distribute alerts when unusual download activity is occurring. With early detection, IT can block the downloads, or freeze accounts before troves of data escape from the company.
6) Create Strong and Enforceable Policies
Protection starts with policy--which needs to be enforced through the right technologies. Your employee and insider policy should establish:
- Non-disclosure of confidential data
- Appropriate equipment usage
- Data and equipment ownership (including with regards to BYOD)
- Non-compete restrictions
- Classification and documentation of assets that need to be secured
- Liability for data loss or contamination
- Exit policy - mandate completion of all items in the employment termination checklist
The policy should also define the monitoring and oversight of:
- User accounts
- Privileged accounts
- Physical controls
- Vendor/third party facilities or accounts that should be evaluated
7) Foster Sound Information Governance through Education
Security awareness and information governance training should commence at onboarding and include a detailed section on the handling of confidential information, as well as on secure use of company equipment, and BYOD devices. Ideally, training should be reinforced at regular intervals during employment, and supplemented by timely alerts or reminders of potential exploit tactics (phishing, social engineering, etc.), at times of increased risk.
Encourage employees to be proactive in reporting suspicious activity—from a temperamental machine or piece of software to a suspicious looking email in their inbox. Employees should also understand that policy violations will be enforced.
During exit interviews, review with the employee their continued responsibility to protect confidential information and return all company property and information—including company data stored on personal devices.
Sample IT Security Checklist for Exiting Employees
- Termination date/time
- Final work date
- Return company equipment badge, PCs, company credit cards, phone, printers, etc.)
- Disable computer(s)
- Disable network ports
- Disable keycard and door code
- Disable network account
- Disable AD account and migrate to disabled users
- Remove permissions to external and internal networks
- Deactivate email, network, and application accounts
- Remove group memberships and corporate accounts
- Disable phone account and/or forward messages per supervisor’s instructions
- Remove device(s) from endpoint management system
- Delete helpdesk account
- Disable conferencing accounts
- Delete Unix and other applicable accounts
- Change all passwords used by the employee.
- Determine if employee has access to colleagues’ passwords, and if so, change those passwords
- Ensure departing employees’ privileges are revoked, root access passwords changed, etc.
- Delete account / page administrator status for employees with access to company social media
- Remove user from printer address book
- Close travel and expense management account
- Disable CRM account
- Company-owned devices and BYOD? Dispose of or wipe per policy.
Even in the best of times, managing risk in the face of a dynamic threat universe requires ceaseless diligence, adaptability, and evolution by the enterprise. In times of economic malaise, when the people link of 'technology, processes, and people' chain is most tested, you put your organization on much stronger security footing if you have implemented the steps described above.
Thanks for tuning in, and I welcome any comments or thoughts you might have on this subject.
Matt Miller, Senior Content Marketing Manager, BeyondTrust
Matt Miller is a Senior Content Marketing Manager at BeyondTrust. Prior to BeyondTrust, he developed and executed marketing strategies on cyber security and cloud technologies in roles at Accelerite (a business unit of Persistent Systems), WatchGuard Technologies, and Microsoft. Earlier in his career Matt held various roles in IR, marketing, and corporate communications in the biotech / biopharmaceutical industry. His experience and interests traverse cyber security, cloud / virtualization, IoT, economics, information governance, and risk management. He is also an avid homebrewer (working toward his Black Belt in beer) and writer.