Insider threats and how they can be mitigated

Any employee with access to sensitive data is a potential threat, whether they know it or not. Even if they don't have malicious intentions, the inherent nature of their privilege is what makes them so dangerous.

Vormetric recently published its 2013 Insider Threat Report exploring the very nature of these dangers while also tallying the results of a survey it conducted over two weeks in August of this year. The numbers, which were tabulated in September, reflected the responses of 707 IT professionals to questions about insider threats and how they choose to combat them. Needless to say, the pervasive theme of the survey results was that insider threats are a very serious concern to just about everyone.

The respondents were likely fearful, at least in part, due to what they had been hearing about in headline news about data breaches and insider threats, said Vormetric CEO Alan Kessler. He pointed to recent examples in Bradley Manning and Edward Snowden, adding that many businesses are beginning to see these problems themselves.

Vormetric CSO Sol Cates, meanwhile, said that enterprises are concerned about insider threats because they are realizing that beyond an employee going rogue -- as was the case with Manning and Snowden -- there is the problem of privileged users whose identities are being compromised.

"That's becoming another concern," said Cates, "this idea of unchecked privilege that these companies don't have enough controls around."

The report also indicated what specific types of insiders the respondents perceived to be the biggest threats, with non-technical employees with legitimate access to sensitive data accounting for 51 percent of the vote. Though it may not necessarily seem obvious at first, there are scores of employees that fit the description in question, including employees in HR, who often find themselves needing to interact with personally identifiable information (PII).

"The question is, do you have proper control over how they interact with this information?" asked Kessler. "But the technical aspect of controlling this kind of access is very hard, especially if you're trying to retrofit older systems."

Cates added that executives also fit the bill here, as their jobs are not technical in nature, but they often need access to sensitive information in order to do their job.

"That's the whole point of data and information, to make it usable," said Cates. He did, however, have one suggestion for mitigating such a threat.

"Education and empowerment of the business user is a good way to counteract this problem," he said.

With insider threats posing such a significant problem, another obvious solution would be to conduct thorough background checks on potential employees before they are hired to determine whether or not they can be trusted (or whether or not they are a liability). While Cates maintains that this is a common procedure these days, the tricky part is limiting those employees' exposure to sensitive data while still allowing them to do their jobs and administrative functions.

"There are tools that blind operators to sensitive information," said Cates. "Businesses have ways to never expose certain employees to the information in their systems."

Surprisingly, however, the very employees who should be trusted to manage these systems and protect the data within them are the ones that present the most risk. The report indicated that 34 percent of security professionals said that IT administrators were one of the biggest threats to their organizations. That said, it's not always an individual or an actual person that presents the risk, said Cates. The inherent risk is their privilege.

"You can watch what [IT administrators] are doing, but they get to make these decisions," said Cates. "They authenticate, oversee data flow, and determine what apps your company is interacting with."

So from a control perspective, businesses need to determine whether these administrators can, or actually need to, look at sensitive information in order to do their jobs. One possible solution here, said Cates, is to audit what your IT administrators are trying to do.

"It's important to understand what they're doing with your info, because they're the ones protecting it," said Cates. "You need to manage the privilege, not the user."

It would appear that that's what many businesses are trying to do. The survey results indicated that 31 percent of respondents rated "network security tools" as the most important protection against insider attacks. Kessler explained that this could include anything from firewalls to intrusion detection/prevention systems (IDS/IPS) to network-based malware detection solutions. This is, of course, because a lot of the time malware is targeting specific users based on their privileges.

Kessler agreed that the gatekeepers and their privileges need to be monitored, using the postal service as a metaphor. They manage and deliver your mail, but they have no right or need to see what's inside. "Here, it's the same thing," he said. "We're limiting their ability to see data but still allowing them to do their job."

Employees aren't always in the office though, so what about insiders who find themselves frequently working on the road? The use of mobile devices and connecting to company networks from remote locations pose inherent risks, both of which were addressed in the report. To put the concern into perspective, 49 percent of respondents said their organizations' data was most vulnerable on a desktop/laptop, and 41 percent said the same of mobile devices.

Cates went beyond the statistic, however, and clarified what the numbers meant by reading between the lines. Unless companies have enabled special privileges on these devices, he said, they are nothing more than vectors to information. So the real risk isn't localized, but there is still concern about where they could lead.

"The actual amount of data or records being stolen from these devices is fairly minimal," he said. "They're just a way to get into data centers. But there is a lot of risk on those endpoints."

Employees accessing their company's network or files remotely, said the Vormetric report, is a situation in which businesses need to take user context into consideration. A CEO, for example, should have complete access to all data when he or she is connected via the corporate LAN, but not when accessing the files remotely from an internet café. Current, typical measures for remote access are often not sufficient in this sense, said Cates.

"As it stands now, VPN is not strong enough. Things can be spoofed," said Cates. "You need better monitoring of database access and activity. In the future, there's going to be some innovation where you can get more info about whether where you're coming from is safe."

The report also suggested that a viable approach to fighting insider threats is pervasive coverage. While this may raise concerns about whether or not this creates more work for security teams, Cates argues that this isn't the case.

Cates suggested implementing controls so that access is on a "need to know only" basis. Organizations can take privileged access away and use methods like keystroke tracking and heavy auditing to protect their data. By taking a policy approach to data access and reducing total ownership, he said, Vormetric's idea of pervasive coverage doesn't actually take more time or work since it reduces what teams need to focus on.

"You want to make it so the only way to your information is through the front doors," said Cates. "Now I only have to watch the front doors. My time is more focused."
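The three controls the article describes, blinding operators to fields they do not need, shrinking the same user's access when the request comes from outside the corporate LAN (the CEO at an internet café), and auditing every privileged read, can be combined in one policy check. The following is an added example, not code from the article or from Vormetric; the address ranges, roles, sensitivity levels and the sample record are constructed for illustration.

```python
"""Context-aware, need-to-know access to sensitive employee records.

Added example: privilege is managed per field and per request
context rather than per user, and sensitive reads are returned
as audit lines so they can be reviewed.
"""
from __future__ import annotations
import ipaddress

# Constructed address ranges; a real deployment loads these from config.
CORPORATE_LAN = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
VPN_POOL = [ipaddress.ip_network("172.16.0.0/12")]

# Highest sensitivity level each role may read when on the corporate LAN.
# 0 = public, 1 = internal, 2 = confidential, 3 = restricted PII.
# The DBA is "blinded": it administers the system but never sees PII.
ROLE_CLEARANCE = {"ceo": 3, "hr": 3, "staff": 1, "dba": 0}

# Sensitivity level of each field in a record; unknown fields are treated as 3.
FIELD_LEVEL = {"employee_id": 0, "name": 1, "salary": 2, "national_id": 3}
MASK = "***"


def classify_source(ip: str) -> str:
    """Bucket the request origin as lan, vpn or internet."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in CORPORATE_LAN):
        return "lan"
    if any(addr in net for net in VPN_POOL):
        return "vpn"
    return "internet"


def effective_clearance(role: str, source_ip: str) -> int:
    """Role clearance after the request context is taken into account."""
    base = ROLE_CLEARANCE.get(role, 0)
    ctx = classify_source(source_ip)
    if ctx == "lan":
        return base
    if ctx == "vpn":
        return min(base, 1)  # VPN alone is not trusted for confidential data
    return 0                 # unknown network: public fields only


def view_record(role: str, source_ip: str, record: dict) -> tuple[dict, list[str]]:
    """Return the record with over-clearance fields masked, plus audit lines."""
    level = effective_clearance(role, source_ip)
    shown, audit = {}, []
    for field, value in record.items():
        field_level = FIELD_LEVEL.get(field, 3)
        if field_level <= level:
            shown[field] = value
            if field_level >= 2:  # confidential or above: always audited
                audit.append(f"{role}@{source_ip} read {field}")
        else:
            shown[field] = MASK
    return shown, audit
```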

Kessler also talked about de-perimeterization and, more specifically, situational awareness when approaching security. While there are some solutions that are focused and tactical, he said, they are often expensive and require training. Rather, teams should focus on the prevention and reaction aspects of security and try to reduce reaction times when dealing with a threat.

"Yes, there are expensive options, but you can always start off by just collecting information [about threats] for faster response times," said Kessler. "Boil up your data to discoverable problems and actions, and that way folks can get to the bottom of issues quicker.

"Reduce your attack surface with preventative measures, and then solve problems quicker with your reaction."

Stories by Grant Hatchimonji