Insider threat comments

by Mark Rowe

The training body SANS' 2015 Survey on Insider Threats suggested that most, 74 percent, of the organisations surveyed are concerned about threats from negligent or malicious employees.

SANS says that as breaches continue to cause significant damage to organizations, security consciousness is shifting from traditional perimeter defense to a holistic understanding of what is causing the damage and where organizations are exposed. Although many attacks are from an external source, attacks from within often cause the most damage. Prevention is more a state of mind than a reality, the report authors suggest. And while insider threats are on IT’s radar, their organisations fail to focus on solutions.

Comments

Sagie Dulce, security researcher at Imperva, said: “For me, the biggest takeaway from this report is ‘… you have to approach security with the assumption that an insider threat has already compromised you and focus your energy on detection’. 52% of responders have no idea how much the insider threat can cost, and are concerned about negligent / malicious insiders. At the same time 44% spend 10% or less of their budget on this threat. While organizations realize how big a threat an insider is, they lack the budget, training, technology and incident response plan for when a breach occurs. Obviously, the first thing organizations must do is put some resources into the insider threat.

“The second thing organizations must do is prioritize: ask themselves what are the most important things they are trying to protect? Once they know what they are trying to protect they should consider how:

Is it personal information, emails, code etc.?
Is the data structured, unstructured?
Is it found on databases, file shares?
Who has access to this data and how (from special terminals, via VPN, third party partners etc.)?

“Lastly, organizations need to build a detection & response strategy. Detection does not mean to detect a new virus or SSL attack, it means to detect anomalous behavior when machines / user accounts access data: Was the quantity of the data anomalous? Was the user account anomalous? Was the source (IP or host) that accessed the data anomalous? Is the user who accessed the data facing a hearing? All of these should trigger an event that should be analyzed by a response team. Only a response team that focuses on the insider threat, knows how their organization works and where its soft spots are has a real chance of detecting and mitigating a threat.”
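The four detection questions in the comment above (anomalous volume, unfamiliar account, unfamiliar source host, a user under HR review) turned into a small per-account baseline check. This is an added example, not code from Imperva or the commenter; the access records, the z-score threshold and the HR watch list are constructed for illustration.

```python
"""Flag anomalous data-access events against a per-account behavioural baseline."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline: historical access events as (account, rows read, source host).
BASELINE = [
    ("alice", 120, "ws-alice"), ("alice", 95, "ws-alice"), ("alice", 140, "ws-alice"),
    ("alice", 110, "vpn-gw1"),  ("alice", 130, "ws-alice"),
    ("bob", 20, "ws-bob"), ("bob", 35, "ws-bob"), ("bob", 25, "ws-bob"),
    ("bob", 30, "ws-bob"), ("bob", 28, "ws-bob"),
]

# Constructed HR watch list: accounts whose owner currently faces a disciplinary hearing.
UNDER_REVIEW = {"bob"}


def build_profiles(events):
    """Per account: (mean rows read, population std-dev, set of source hosts seen)."""
    rows = defaultdict(list)
    hosts = defaultdict(set)
    for account, n_rows, host in events:
        rows[account].append(n_rows)
        hosts[account].add(host)
    return {a: (mean(r), pstdev(r), hosts[a]) for a, r in rows.items()}


def score_event(profiles, account, n_rows, host, under_review=UNDER_REVIEW, z_limit=3.0):
    """Return the reasons an access event is anomalous; an empty list means normal."""
    reasons = []
    if account not in profiles:
        reasons.append("unknown account")  # never seen reading this data store before
    else:
        avg, sd, known_hosts = profiles[account]
        # Volume check: more than z_limit standard deviations above the account's mean.
        # max(sd, 1.0) stops a flat baseline from flagging every one-row difference.
        if n_rows > avg + z_limit * max(sd, 1.0):
            reasons.append(f"volume {n_rows} rows vs baseline ~{avg:.0f}")
        if host not in known_hosts:
            reasons.append(f"new source host {host}")
    if account in under_review:
        reasons.append("account under HR review")
    return reasons


if __name__ == "__main__":
    # Constructed new events to triage; anything with reasons goes to the response team.
    profiles = build_profiles(BASELINE)
    for acct, n, h in [("alice", 125, "ws-alice"), ("alice", 5000, "ws-alice"),
                       ("bob", 40, "vpn-gw2"), ("eve", 10, "ws-eve")]:
        print(acct, n, h, "->", score_event(profiles, acct, n, h) or "normal")
```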

And Roy Duckles, EMEA channel director at Lieberman Software Corporation, said: “The primary failings that contribute to insider attacks are due to the lack of visibility, accountability and auditability. There is an assumption that if a person or group have the “keys to the kingdom” with full admin rights across an enterprise, that this is a viable and effective way to apply security policies. Where most businesses fail is that this approach not only reduces security, but it makes it almost impossible to see who is changing what, on which systems, at what time, and the effect and risk that it has on a business. The dilemma that companies have is that in order to provide their users with business as usual capability, they effectively remove the safeguards that prevent insider attacks. Anyone who has full admin rights and no accountability has the opportunity to effect an insider attack with a low risk of being detected. Without privileged admin controls there is no way of controlling this security blind spot. Add to this the fact that many companies fail to enforce a strong password policy, and many passwords are replicated and known throughout an IT team, then it becomes just too easy for a person to find the access they require. By enforcing effective two-factor authentication and privileged access controls, and by making sure that administrators don’t “know” the passwords to get access to systems by changing them when used, and by auditing this activity, an organisation can remove the primary risk for insider attacks.

“The best example of this being exploited was Edward Snowden – he persuaded co-workers in Hawaii to give him their login credentials, allowing him to access classified material. Snowden persuaded between 20 and 25 fellow workers at the NSA regional operations center in Hawaii to give him their log-ins and passwords by telling them they were needed for him to do his job as a computer systems administrator. If they hadn’t known their passwords, they could never have given them to him and this insider breach wouldn’t have happened.”

© 2024 Professional Security Magazine. All rights reserved.