Today’s headlines tell the tale. Most organizations are under continuous cyber attack from nation-states or professional criminal hackers. Understandably, one of the main focuses for IT security teams is stopping intruders from gaining access to assets on the corporate network. However, a worrying number of organizations are dropping their guard when it comes to defending against the insider threat.
And malicious insiders are indeed significant threats, since they can be very difficult for IT teams to identify. This is because an insider – whether he’s an employee or a contractor – is already entrusted with authorized access to at least some systems and applications on a corporate network. Without a good insider threat solution it can be challenging for those in IT to decipher whether an employee is just performing his regular job tasks, or carrying out something sinister.
Malicious insiders have been responsible for some interesting breaches or hostage scenarios in recent history. Consider Terry Childs in San Francisco who held the city hostage for two weeks while sitting in a jail cell or the infamous Edward Snowden, formerly of the NSA.
Insider Threats and External Cyber Attacks: An Overview
Companies need to take both external cyber attacks and insider threats extremely seriously. Fortunately, each attack vector can often be defended against using the same cyber security strategies, which I’ll get to in the next section of this post. But first, let’s take a quick look at both types of attack.
One of the main objectives of an external cyber attack is to extract credentials that allow the intruder to move laterally throughout the network. Once the hacker is able to nest within the environment, he can easily steal confidential data at will. Many skilled cybercriminals have an arsenal of advanced tools, like zero-days, which they can continuously launch at organizations. This puts immense pressure on IT teams to fight sophisticated cyber attacks that they’ve never seen before.
While an organization usually faces more external attacks, the reality is that IT teams need to be just as concerned about insider threats. An angry employee who already has access to company files could be secretly leaking documents to competitors, or he could be sabotaging systems or corrupting data because he is miffed at his boss.
Despite these risks, a recent study from Lieberman Software Corporation at Microsoft Ignite 2015 revealed that only 35 percent of IT professionals view insiders as a bigger threat than outsiders. This statistic is concerning, as it seems to indicate a certain level of naivety and unearned trust between IT administrators and their user communities. When people have trust, they’re less likely to verify that trust and put proper controls in place.
The Perimeter is Porous
In recent years, much of the focus of IT has been on hardening the network perimeter against outsiders. The idea is that if you stop the criminals from getting in, then nothing bad happens. However, according to the PwC Global State of Information Security Survey 2015, “insiders—current and former employees, in particular—have become the most-cited culprits of cybercrime.” The fact is, many of the organizations that are so fixated on perimeter security give implicit trust to anyone who walks through their doors.
During my career in cyber security, I’ve seen pervasive administrative access granted to most anyone for anything. This, in turn, gave rise to the Terry Childs and Edward Snowden incidents mentioned earlier.
How Can You Protect Against Both Insider Threats and External Cyber Attacks?
IT must continue to focus on protecting the perimeter but should also air gap internal network segments and, in some cases, business units. After all, there’s no good reason to let developers be on the same network as human resources, or allow accountants to access the web servers.
Organizations should also change privileged credentials on a frequent basis, with unique and complex values for each credential. Continuously rotating privileged credentials blocks the lateral movement on the network that hackers seek.
What else? Take the following six steps to minimize the risks posed by both external cyber attacks and insider threats:
- Account for Job Role Changes. Review role changes and turnover in the IT department. Examine whether any systems that were accessed by former staff still have the same administrator passwords. If so, change these logins immediately.
- Examine Your Web Applications. Check your organization’s websites for the use of embedded credentials in clear text. Also, look for static connection strings with credentials that may still be known to the site’s developers. Change these to unique and complex passwords so that previous access methods are no longer available.
- Stop Sharing Passwords. Determine whether IT staff are sharing passwords or publishing login credentials on a spreadsheet that’s accessible by many people. It’s surprising how many IT admins still practice this risky behavior.
- Stop Reusing Passwords. Catalog all privileged accounts used on critical systems and eliminate any common login credentials.
- Start Changing Passwords. Confirm that IT staff change administrator and root passwords on a regular basis. Also, ensure that the passwords are only accessible to delegated personnel on a time-limited basis.
- Test Your Vulnerabilities. Confirm that critical systems are not subject to compromise by newly discovered or well-worn threats by performing regular penetration testing. Consider using a combination of off-the-shelf pen testing software and security contractors to achieve “belt and suspenders” coverage when it comes to vulnerability testing.
Learn more about how you can better protect your critical systems against both insider threats and external hackers. Download our white paper, Best Practices in Privileged Identity Management.
By Chris Stoneff, Vice President Technical Management, Lieberman Software
Chris Stoneff oversees product management, quality assurance and technical support at Lieberman Software, and is instrumental in guiding the development of the Lieberman Software products portfolio.