I often read yet another article reporting a major security breach attributed to a nefarious “insider threat”. The insider is usually portrayed as a malicious super villain straight out of a 1960s James Bond movie.
The truth of the matter is that the insider threat scenario is more complex than that. Certainly, some insiders are malevolent. But the majority of problems emanating from within an organization are due to the carelessness of people with no malicious intent. Take, for example, the Adobe employee who accidentally posted the company’s private PGP key on the Internet.
Whatever the cause, the insider threat can be controlled. But only if an organization takes the necessary steps to educate its staff and implements appropriate technology to deal with the latest risks.
Unfortunately, most organizations concentrate on external threats. They invest in perimeter security tools that defend against the outside world. But when it comes to the insider threat, these same organizations often drop their guard.
So who exactly are these dangerous insider threats? Potentially, any employee. It could be an IT admin who is lax in setting up password policies or fails to require two-factor authentication on sensitive resources. It could be an accountant who clicks a link in a “funny” email, accepts whatever it offers to install, and turns her machine into a Trojan horse that infects other machines. And yes, it could be the nervous employee, worried about his job security, who seeks “insurance” by snooping through the network and opening files he is not supposed to see.
Can the Insider Threat be Stopped?
Insider threats, whether they’re malicious or not, cannot be completely stopped – but they can be significantly contained. It’s a matter of balancing the cost and complexity of implementing appropriate security technology and policies against the value of assets being protected.
A good way to limit the insider threat is by making the almost paranoid assumption that every machine in your organization is already compromised and every employee is malicious. Under this supposition, you should:
- Invest in software to alert you when unusual activities are detected
- Back up everything that is critical and establish a disaster recovery plan
- Utilize penetration testing
- Implement multi-factor authentication when accessing critical systems
- Scan all machines regularly and remove unauthorized software when found
- Rotate privileged account passwords frequently, ideally after every use; make them long and random rather than merely “complex”
- And don’t give users persistent administrative privileges to their local systems
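The first item on that list, alerting on unusual activity, is where the snooping employee from earlier would show up. As an added example (not code from the original post or from any vendor's product), the detector below learns from a known-good training window which file shares each user normally touches, then flags a user's first access to a share outside that baseline and any burst of accesses within one clock hour. The log format, user names, share names and thresholds are all constructed for this illustration.

```python
"""Baseline-deviation detector for file-share access logs.

Illustrative example only. The 'key=value' record format, the users and
shares, and the burst threshold are constructed for this demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample logs: a normal training period, then one evening in
# which 'bob' (an engineer) reads finance and HR files he never touched before.
TRAINING_LOG = """\
2024-03-04T09:02:11 user=bob share=engineering action=read path=/specs/a.docx
2024-03-04T09:40:51 user=bob share=engineering action=read path=/specs/b.docx
2024-03-05T10:12:03 user=bob share=engineering action=write path=/specs/a.docx
2024-03-04T08:55:00 user=carol share=finance action=read path=/q1/ledger.xlsx
2024-03-05T11:10:00 user=carol share=finance action=read path=/q1/payroll.xlsx
"""

EVAL_LOG = """\
2024-03-11T22:14:02 user=bob share=finance action=read path=/q1/payroll.xlsx
2024-03-11T22:14:40 user=bob share=hr action=read path=/reviews/bob.pdf
2024-03-11T22:15:05 user=bob share=hr action=read path=/reviews/carol.pdf
2024-03-11T09:05:00 user=carol share=finance action=read path=/q1/ledger.xlsx
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) share=(\S+) action=(\S+) path=(\S+)$")


def parse_log(text):
    """Parse the constructed record format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, share, action, path = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "share": share, "action": action, "path": path})
    return events


def build_baseline(events):
    """Per-user set of shares seen during a window you trust to be benign."""
    baseline = defaultdict(set)
    for e in events:
        baseline[e["user"]].add(e["share"])
    return baseline


def detect(events, baseline, burst_threshold=2):
    """Return (timestamp, user, reason) alerts.

    Fires once per (user, share) the first time a user touches a share that is
    not in their baseline (an unknown user therefore trips on every share), and
    once per (user, hour) when accesses in that hour exceed burst_threshold.
    """
    alerts = []
    seen_new = set()
    per_hour = defaultdict(int)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        user, share = e["user"], e["share"]
        if share not in baseline.get(user, set()) and (user, share) not in seen_new:
            seen_new.add((user, share))
            alerts.append((e["ts"], user,
                           f"first access to share '{share}' outside baseline"))
        hour_key = (user, e["ts"].strftime("%Y-%m-%dT%H"))
        per_hour[hour_key] += 1
        if per_hour[hour_key] == burst_threshold + 1:  # fire once, not on every extra hit
            alerts.append((e["ts"], user,
                           f"more than {burst_threshold} accesses within hour {hour_key[1]}"))
    return alerts


if __name__ == "__main__":
    base = build_baseline(parse_log(TRAINING_LOG))
    for ts, user, reason in detect(parse_log(EVAL_LOG), base):
        print(f"{ts.isoformat()} ALERT {user}: {reason}")
```

On the constructed data this raises three alerts, all for `bob`: the first access to `finance`, the first access to `hr`, and a burst in the 22:00 hour; `carol` reading her usual finance share is silent. A real deployment would feed the baseline from an HR or directory source (department, role) rather than only from past behaviour, so that a user who snooped during the training window does not get that share whitelisted.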
Secure Privileged Access
Along the same lines, the IT department should never set up shared privileged account passwords that provide universal access to all or many systems. A single password reused across systems means that compromising one machine, or one administrator, compromises all of them, and the audit trail cannot say which person actually used it.
This is the problem our privileged identity management solution addresses. It gives each system its own unique, complex credential, and makes privileged accounts available only to authorized personnel through time-limited, audited access. That prevents anonymous insiders, whether malicious or merely careless, from wreaking havoc on your network.
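To make the model concrete, here is an added example of the credential-checkout pattern just described. It is illustrative code written for this article, not the product's own implementation or API: every managed system gets its own random password, a user can check a credential out only for systems on their ACL, the checkout carries a fixed time-to-live, the password is rotated on check-in or expiry so the value the user saw is dead afterwards, and every decision lands in an append-only audit trail. System names, user names and the 30-minute window are assumptions for the demonstration.

```python
"""Minimal model of unique-per-system, time-limited, audited privileged access.

Illustrative example only; not any vendor's product. Hosts, users and the
TTL below are constructed for the demonstration.
"""
import secrets
import string
from datetime import datetime, timedelta

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


def generate_password(length=24):
    """Random password from a CSPRNG, never derived from a shared base value."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class CredentialVault:
    """Hypothetical vault: one secret per system, ACL-gated checkout, fixed TTL,
    rotation on check-in or expiry, append-only audit of every decision."""

    def __init__(self, systems, acl, ttl=timedelta(minutes=30)):
        # Unique secret per system: a password lifted from one host opens nothing else.
        self._secrets = {s: generate_password() for s in systems}
        self._acl = acl            # {user: {system, ...}}, explicit and per-system
        self._ttl = ttl
        self._checkouts = {}       # system -> (user, expiry)
        self.audit = []            # (time, user, system, event)

    def _log(self, now, user, system, event):
        self.audit.append((now, user, system, event))

    def checkout(self, user, system, now):
        """Hand the current password to an authorized user until now + ttl."""
        if system not in self._secrets:
            self._log(now, user, system, "DENY unknown system")
            raise KeyError(system)
        if system not in self._acl.get(user, set()):
            self._log(now, user, system, "DENY not authorized")
            raise PermissionError(f"{user} is not authorized for {system}")
        self._expire(now)
        holder = self._checkouts.get(system)
        if holder is not None and holder[0] != user:
            self._log(now, user, system, f"DENY held by {holder[0]}")
            raise RuntimeError(f"{system} is checked out by {holder[0]}")
        expiry = now + self._ttl
        self._checkouts[system] = (user, expiry)
        self._log(now, user, system, f"CHECKOUT until {expiry.isoformat()}")
        return self._secrets[system], expiry

    def checkin(self, user, system, now):
        """Release the credential and rotate it so the disclosed value is dead."""
        holder = self._checkouts.get(system)
        if holder is None or holder[0] != user:
            self._log(now, user, system, "DENY check-in by non-holder")
            raise PermissionError("not the current holder")
        del self._checkouts[system]
        self._rotate(now, user, system, "CHECKIN")

    def _expire(self, now):
        """Rotate every credential whose checkout window has elapsed."""
        for system, (user, expiry) in list(self._checkouts.items()):
            if now >= expiry:
                del self._checkouts[system]
                self._rotate(now, user, system, "EXPIRED")

    def _rotate(self, now, user, system, reason):
        self._secrets[system] = generate_password()
        self._log(now, user, system, f"{reason} rotated")

    def verify(self, system, password, now):
        """Models the managed system checking a presented password after the
        vault has pushed any rotation that was due."""
        self._expire(now)
        return secrets.compare_digest(password, self._secrets[system])


if __name__ == "__main__":
    t0 = datetime(2024, 3, 11, 9, 0)
    vault = CredentialVault(["db01", "web01"], {"alice": {"db01"}, "bob": {"web01"}})
    pw, until = vault.checkout("alice", "db01", t0)
    vault.checkin("alice", "db01", t0 + timedelta(minutes=5))
    print("old password still valid:", vault.verify("db01", pw, t0 + timedelta(minutes=6)))
    for entry in vault.audit:
        print(*entry)
```

Two properties are worth noticing. The audit trail is written before the exception is raised, so a denied request is recorded as the named user's attempt rather than vanishing; and because rotation happens on every check-in and expiry, a password copied into a ticket or chat window stops working as soon as the window closes, which is the "limited time" half of limited-time, audited access.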