Below is a Top 10 List recapping some of the content from the previous posts, but also adding a few additional considerations for staying on top of insider threats within your organisation. Article by Tom Cross, Director of Security Research, Lancope.
First and foremost, it is important that your company conducts thorough background checks before hiring employees, contractors or third-party vendors so you will know exactly who you are working with. While certainly not the end-all-be-all, this critical first step can help curb individuals such as competitors or criminals from infiltrating your organization and network with the sole intent of stealing data.
Once employees are hired and given access to sensitive systems, establishing appropriate checks and balances is key. There should never be just one individual who has administrative access to a system, as this could essentially leave the person free to do whatever they want with the data or device, or even enable him/her to hold your data hostage when they leave the company. Shared usernames/passwords should also be avoided as they do not hold the individual users accountable, and could still be used by people who have since left the organisation.
Speaking of individuals leaving the organisation, it sounds obvious, but thorough measures need to be taken to revoke previous employee and contractor access to your company’s systems. Also pay particular attention to the person’s active sessions at the time they leave, as they may still be logged in somewhere and able to do damage if they wish.
Understand the different types and characteristics of insider threats (negligent, malicious and compromised) so that you can better detect and protect against them. Certain network behaviours can be indicative of an employee device that has been compromised, for example, or a malicious employee who is attempting to hoard or exfiltrate data. Being familiar with some of these behaviours can help ensure that you have the right defenses in place, as some security controls will be effective against certain types of insider threats but not others. While not always effective, access controls can serve as a key deterrent for both negligent and malicious insiders. Making it harder to access sensitive data can keep honest people honest, but also put a wrench in the plans of malicious attackers.
Encryption of data at restis crucial for minimising the impact should a negligent employee lose his/her laptop or other equipment. User education should not be overlooked. It is a lot easier for employees to abide by best practices if they are aware of them, and are educated on the serious impact that their careless, but seemingly benign actions could have on the organization. The collection, analysis and storage of various types of network logs should be a critical component of any insider threat security program. By leveraging network activity logs from various technologies such as firewalls, IPS systems, SIEMs, packet capture and, in particular, NetFlow, organisations can more easily be aware of and subvert insider attack attempts. Knowing that their activities are being monitored can also help deter insiders from “doing bad” on the network.
Some monitoring solutions, such as Lancope’s StealthWatch System, also provide additional security context such as identity, application and device data, which can be invaluable for quickly tracking down the source of insider attacks. Last but not least, it is important to realize that the IT department alone cannot adequately protect a company from its own insiders. Insider threat programs must be cross-organisational efforts that also involve other departments such as Management, HR and Legal. Management and HR can tip the IT team off to any disgruntled employees who may try to harm systems or steal data, and these other departments can also help IT in taking the appropriate actions should insider threat activity be detected.
