The Insider Threat – Is Your Organisation in Control?

Since security became an issue in the world of IT all those years ago, people have always focussed on the threat of external parties. Perhaps a kid trying to show off, maybe a competitor trying to steal information or even a terror organisation trying to cause chaos – they come in all shapes and forms.

What has become more prominent in the last few years is the threat of internal users. That’s not necessarily to say they are malicious, however wherever there is a human element, mistakes are inevitable. Before I continue, let me emphasise my strong belief that technology empowers human activity, it doesn’t replace it. However, mistakes will be made and this risk must be accounted for. I’m going to break this down into 3 sections: Accidental Loss, The Known Threat and The Unknown Threat.

Insider Threat essentially refers to insiders who maliciously, or accidentally do things to put an organisation and it’s data at risk.

Accidental Loss

Have you ever sent an email to a colleague and accidentally selected the wrong email address? I know I have. But now imagine the email had a highly sensitive file attached to it, for example the details of a new product currently being developed… This information in the wrong hands could be disastrous for your business. The first step to dealing with this issue is to understand the value of your data. There are 2 reasons why this is important: 1 – It promotes a cultural awareness of how sensitive information is, thus encouraging users to handle the data with the appropriate level of care. 2 – Various Technologies can pick up on the sensitivity and enforce certain handling rules.

Data classification allows you to apply both visual tags and metadata tags to documents which covers off both these points. From the user perspective, they will be prompted to classify and subsequently handle the information in an appropriate fashion, which helps minimise the number of mistakes made. From a technology point of view, these metadata tags can help control: 1 – Who can access this data, 2 – Whether it needs to be encrypted or not, 3 – How it can be shared, 4 – Where it must be stored & 5 – How long it must be stored for. These 5 points can be enforced. Using the example above, this would have meant that if I had tried to send a ‘sensitive’ email to an external email address, for example, a policy could have prevented me being able to do this. Thus, minimising the risk of accidental loss.

66% of all data breaches are caused by human error.

The Known Threat

Look around your office, I’m sure 99.9% of the people you work with are trustworthy, hardworking and intelligent individuals. However, emotion always causes risk. I want to point out some things to consider: 1 – The guy you fired but forgot to disable his remote access, 2 – Espionage/Financial Gain, 3 – Grudge & 4 – Ideology (Think, Edward Snowden). When you apply strong emotion and any of the points above to ANY individual, a risk has been created. In addition to this, there also needs to be a consideration for stolen user credentials. So, how do you manage this kind of risk?

First of all, CONTROL user access. You must look at what users need to have access to and then centralise their access. I wont go in to the detail on this but the areas which must be covered are: Single Sign-On, Multi Factor Authentication, AD Bridging, AD Auditing, User provisioning & Managing Privileged Accounts. Prevention is better than cure and these elements help to protect your environment from the risk of malicious users. However, it’s widely accepted and feared that despite everything you do to protect yourself from an attack, there are always other ways to be exploited. Therefore, utilisation of tools such as user & entity behaviour analytics can ensure that whenever & wherever an anomaly is detected, you have the ability to respond at the earliest possible point with the information necessary to fully understand and remediate the threat. Constantly MONITOR your users to detect anomalies.

PROTECT-DETECT-RESPOND

The Unknown Threat

Standard identity and access management solutions that control user access typically do not encompass SSH key based access to systems and accounts. This is a serious issue because most large enterprises use Secure Shell (SSH) to provide secure authentication and confidentiality for many business critical functions such as automated backups, day-to-day file transfers and interactive user access for systems administration. However, most organisations leave the process of generating, configuring and deploying the SSH public and private keys that enable these functions in the hands of end users. Over time, this results in uncontrolled proliferation of authentication keys. Security managers lose visibility and control over who has access to what servers and whether previously granted access rights should be revoked. It becomes nearly impossible to map the trust relationships between individual users, system accounts and application IDs with their respective destination servers. I cannot emphasise enough the importance of this – MANAGE your SSH keys.

During a health check of a major UK bank, we found 90% of the access was obsolete.

Similarly, Privileged users need access to critical systems, devices and data to do their jobs. Their activities are secured by protocols such as Secure Shell (SSH), Remote Desktop Protocol (RDP) and Secure Socket Layer (SSL). Shared accounts and encrypted communications make it difficult to know which privileged user is doing what, where and when, especially in today’s virtual office environment and outsourced IT administration set-ups. There has to be accountability and true visibility, while enabling efficient working practices. Every session and command must be traced to an individual and individuals should not have more access than they need to do their jobs. Finally, malicious activity must be stopped in real time. These are not just “nice to have” capabilities. Lack of accountability, control and real-time response expose your organisation to costly data breach, denial of service and compliance failures. So my final point is this, ensure you have tools in place to MONITOR and RECORD encrypted sessions.

Mitigating the risk of Insider threat is different for every organisation. All of the above must take into consideration your individual business’ people, processes and technology to determine the way forward. If you have questions on any of the points raised above, please feel free to get in touch.

Aaron Fox
Information Security Specialist
HANDD Business Solutions

 

To discuss Insider Threat Protection contact us by telephone on +44 (0)845 643 4063, or visit our website: www.handd.co.uk.