The Threat From Within – A Genuine Horror Story

These days it’s not uncommon for security teams to focus their efforts on protecting a business from outside threats, but if you dig a little deeper the call could actually be coming from inside the house.

Research into threat behavior suggests that a staggering 60 percent of breaches stem from the people within your own organization. Scared? You should be, especially given insider threat can be one of the most damaging to an organization.

Without a detailed focus, there is a real chance that security teams could be overlooking the obvious – a threat much closer to home, possibly even inside your network perimeter, building or even in the office. An individual that might just be the biggest threat to your organization’s security! So what are the motivations of an insider threat? What might lead someone to create havoc from within? Here are my top tips on what to look out for to avoid a fright.

Be aware that not all internal threats are malicious - Breaches often arise from negligence or human error. The CERT Insider Threat Database contains over 1,000 incidents where insiders have either harmed their organization (sabotage); stolen proprietary information (theft of intellectual property); or modified or deleted data for the purpose of personal gain or identity theft (fraud). Of these cases, just 33 were reported to involve a disgruntled employee, as documented by either court documents or witness statements. This shows that insider threat is far greater than an employee gone rogue – 96.7% of reported cases were caused by mistake, by negligence, or by some other vector of insider access!

Whether or not an attacker is seeking to sabotage a business and take personal vengeance, the fact remains that attacks linked to “insiders” via employee credentials can have significant impacts. Among the database’s incidents, some of the top outcomes of attacks are data deletion, blocked system access, and copied data. Securing access to corporate systems and protecting IT resources is clearly imperative in the face of such consequences.

The orphaned account risk - Many organizations don’t effectively decommission privileged users when they move from one role to another or, even worse, when they leave altogether. These so-called orphaned accounts represent a huge issue and leave open a completely unnecessary vulnerability.

A failure to decommission privileged account access gives malicious actors the means to access sensitive systems through privileged credentials, and potentially bounce across the network to any number of assets.

Unfortunately, eliminating lost and forgotten orphan accounts is much easier said than done. With so many systems, identity directories, and applications managed in silos, accounts can easily fall through the cracks. Or maybe decommissioning doesn’t happen because users have accounts IT doesn’t even know about. As employees and external contractors come and go, accounts and permissions evolve in ways that are complicated to follow. These orphan accounts can create major access vulnerabilities into the IT infrastructure.
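The practical way to catch the accounts described above is to reconcile what the identity directory says exists against what HR says is still employed, and against what each role is actually entitled to hold. The script below is an added example, not code from the article or from CERT: it takes a constructed directory export and a constructed HR roster, and flags accounts whose owner has left (orphaned), accounts whose owner changed role but kept old privileged group memberships, accounts with no known owner at all, and accounts nobody has used in 90 days. The group names, role entitlements, and the 90-day threshold are assumptions for the sake of the example.

```python
"""Orphaned and stale account audit (added example; all data below is constructed).

Cross-references an account export against an HR roster and a role-entitlement
policy to find the accounts that decommissioning tends to miss.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple

MAX_IDLE_DAYS = 90                 # assumed policy threshold
AS_OF = date(2024, 3, 1)           # fixed "today" so results are reproducible


@dataclass(frozen=True)
class Account:
    username: str
    owner_id: str                  # person ID recorded on the account
    groups: FrozenSet[str]         # directory group memberships
    last_logon: Optional[date]     # None = never logged on / not recorded
    enabled: bool = True


@dataclass(frozen=True)
class Person:
    person_id: str
    status: str                    # "active" or "terminated"
    role: str                      # current role from HR
    end_date: Optional[date] = None


# Which privileged groups each role may hold (assumed policy, constructed).
ROLE_ENTITLEMENTS = {
    "sysadmin": {"domain-admins", "server-admins"},
    "dba": {"db-admins"},
    "analyst": set(),
}
PRIVILEGED_GROUPS = {"domain-admins", "server-admins", "db-admins"}

Finding = Tuple[str, str, str]     # (username, finding code, detail)


def audit(accounts: List[Account], roster: List[Person],
          as_of: date = AS_OF, max_idle_days: int = MAX_IDLE_DAYS) -> List[Finding]:
    """Return one finding per problem found; an account with no findings is clean."""
    people = {p.person_id: p for p in roster}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue                               # already decommissioned
        person = people.get(acct.owner_id)
        if person is None:
            findings.append((acct.username, "UNKNOWN_OWNER",
                             f"owner {acct.owner_id} is not in the HR roster"))
            continue
        if person.status == "terminated":
            findings.append((acct.username, "ORPHANED",
                             f"owner left on {person.end_date} but account is still enabled"))
            continue
        # Owner is active: check that held privileges match the *current* role.
        excess = (acct.groups & PRIVILEGED_GROUPS) - ROLE_ENTITLEMENTS.get(person.role, set())
        if excess:
            findings.append((acct.username, "EXCESS_PRIVILEGE",
                             f"role '{person.role}' should not hold {sorted(excess)}"))
        # Forgotten accounts: never used, or idle beyond the threshold.
        if acct.last_logon is None or (as_of - acct.last_logon).days > max_idle_days:
            findings.append((acct.username, "STALE",
                             f"last logon {acct.last_logon} exceeds {max_idle_days} days idle"))
    return findings


# Constructed sample data: a directory export and the matching HR roster.
SAMPLE_ACCOUNTS = [
    Account("alice", "E100", frozenset({"domain-admins"}), date(2024, 2, 25)),
    Account("bob", "E200", frozenset({"server-admins"}), date(2023, 10, 10)),
    Account("carol", "E300", frozenset({"db-admins"}), date(2024, 2, 28)),
    Account("svc-backup", "C900", frozenset({"server-admins"}), date(2023, 11, 1)),
    Account("dave", "E400", frozenset(), None),
    Account("erin", "E500", frozenset({"domain-admins"}), date(2023, 6, 1), enabled=False),
]
SAMPLE_ROSTER = [
    Person("E100", "active", "sysadmin"),
    Person("E200", "terminated", "sysadmin", end_date=date(2023, 10, 15)),
    Person("E300", "active", "analyst"),      # moved from dba to analyst, kept db-admins
    Person("E400", "active", "analyst"),
    Person("E500", "terminated", "sysadmin", end_date=date(2023, 6, 15)),
]


if __name__ == "__main__":
    for username, code, detail in audit(SAMPLE_ACCOUNTS, SAMPLE_ROSTER):
        print(f"{username:<12} {code:<17} {detail}")
```

The three inputs deliberately come from different owners (IT for the export, HR for the roster, the security team for the entitlement policy), which is the point: an account that looks fine in any one of those silos shows up as orphaned, over-privileged or unknown only when they are joined. Running it on a schedule and ticketing each finding turns the "much easier said than done" problem into a recurring list that can actually be worked down.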

Lost data & damages - Quite a few of the CERT database incidents involved the deletion of data ranges – from deleting specific records to deleting source code that corrupted a critical system that the company and its customers relied on.

In one case, a former insider who had full access to the company’s network and systems proceeded to remotely attack the organization for four months. The insider deleted crucial files on servers, removed key backup disks, and deleted numerous records from an important database used by other systems. Despite no longer working with the organization for several long months, the insider’s user credentials were still valid allowing him to exact his revenge.

Exploited vulnerabilities - When left unchecked, lingering vulnerabilities in IT security can lead to a breach. The CERT database highlights a number of incidents in which data was copied, stolen, or otherwise maliciously manhandled thanks to the exploitation of known vulnerabilities that were left unresolved.

Insecure passwords are one of the biggest threats to your organization’s security – whether that’s shared, generic, old or just weak passwords, it all means that any outsider can pretty easily become an insider with a little effort. Regularly changing system passwords will prevent access to critical systems, reduce the risk of lost data and save you time and potentially massive recovery costs - including painful non-compliance fines.

The Honest Mistake - Even the most earnest and well-intentioned user can accidentally click on a bad link or file. Unfortunately, phishing attempts have become increasingly sophisticated, able to easily masquerade as a legitimate email from a known source or colleague sharing a link to an invoice or a Word document to download. That link or file may be hiding dangerous ransomware or crypto viruses which can destroy data, freeze systems, or otherwise cause chaos in your IT infrastructure.

These incidents can be prevented with security measures which block malware and stop malicious processes from advancing into the infrastructure, with malicious intent or by mistake.

So who can you trust?

The answer is to adopt a Zero Trust approach to internal policies and security. That’s not to say that loyal employees and longstanding contractors are not trustworthy, but rather that in order to protect systems and data from insider threat of all kinds, an organization must implement certain key measures to control, manage, and monitor both access and identities.

Security doesn’t have to be scary. Take a holistic view of who has access to what resources and applications, how they use their access, and secure your assets. Protection will ensure there’s no need to fear the insider threat.
