Insider attacks can damage a company as quickly as an external breach or an attack by an external hacker, but many companies don’t think much about how to detect or prevent an insider attack. In a recent study by Verizon, one of the key attack categories was classified as insider privilege abuse, with over 10,000 instances reported.
Insider privilege abuse is usually defined as any malicious or unapproved use of an organization’s resources. It can also include collusion between an internal employee and an outsider, or an abuse of privilege by a trusted business partner. While financial gain or fraud might be the primary driver of this activity, it isn’t always clear how to identify the personnel you need to monitor more closely, or what tools might help you detect this activity.
What can happen? Ask Citibank what happened when a disgruntled employee issued commands to disable 9 core routers because they received a lower-than-desired performance review. This caused millions of dollars in lost revenue, expensive time spent by the remaining IT team putting the pieces back together, and an immeasurable loss of credibility for their IT department that lasted for years. A smaller company might have gone out of business.
What is a company to do to detect and prevent these types of attacks before they happen? There are technical measures you can take, but there are also standard non-technical actions that reduce this type of risk.
There are non-technical precautions that may help detect and prevent insider privilege abuse:
- Document policies and procedures and enforce controls to monitor and verify strict compliance
- When performing a risk assessment, include the possible threats from insiders including trusted vendors
- Require security awareness training for all employees at least once per year
- Add background checks as a requirement for new hires with elevated access permissions
- Establish communication expectations between human resources and IT management, and don’t hesitate to involve legal if you have any questions or concerns
- Monitor and immediately respond to suspicious employee behavior
- Manage negative workplace issues by anticipating what will cause potential issues and who will react most negatively to changes in business policies or procedures
Until you have a specific issue, you will tend to think of some of these ideas as an overreaction. Ask Citibank if they are doing any of these things today.
There are technical controls that may help detect and prevent insider privilege abuse:
- Immediately deactivate access when employees are terminated or transferred
- Implement strict policies around creating and using network accounts and enforce minimum password requirements
- Review users with elevated privileges at least annually to justify continued access
- Enforce separation of duties, least privilege access, and data classification to identify specific at-risk data elements
- Track the use of privileged accounts, including unusual activity based on time of day or frequency of access
- Implement written system change controls and an approval process that over-communicates change information to the IT Team, including management
- Update access permissions whenever vendor relationships change
- Log, monitor, and audit employee network activities and share the results with an audit team to build confidence that controls are in place and being monitored
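As an added illustration of the time-of-day and frequency tracking recommended above (example code, not from the original article): a small Python detector run over a constructed privileged-action log. The `admin.` account prefix, the 07:00 to 19:00 business window and the threshold of three privileged actions per hour are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not real data): ISO timestamp, account, action, target.
SAMPLE_LOG = """\
2024-03-04T09:12:03 admin.jdoe sudo config-change core-rtr-01
2024-03-04T09:40:51 admin.jdoe sudo config-change core-rtr-02
2024-03-04T23:55:10 admin.jdoe sudo config-change core-rtr-03
2024-03-05T02:01:44 admin.jdoe sudo config-change core-rtr-04
2024-03-05T02:02:10 admin.jdoe sudo config-change core-rtr-05
2024-03-05T02:02:40 admin.jdoe sudo config-change core-rtr-06
2024-03-05T02:03:05 admin.jdoe sudo config-change core-rtr-07
2024-03-04T10:05:00 admin.asmith sudo config-change core-rtr-01
"""

PRIVILEGED_PREFIX = "admin."   # assumption: privileged accounts share this naming prefix
BUSINESS_HOURS = range(7, 19)  # assumption: 07:00-18:59 local time is normal working time
FREQ_THRESHOLD = 3             # assumption: more than 3 privileged actions per hour is unusual

def parse_log(text):
    """Turn raw log lines into (timestamp, account, action) tuples, skipping blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, *rest = line.split()
        events.append((datetime.fromisoformat(ts), account, " ".join(rest)))
    return events

def detect_privileged_anomalies(events):
    """Flag privileged actions outside business hours and bursts of privileged actions."""
    alerts = []
    per_hour = defaultdict(int)  # (account, YYYY-MM-DDTHH) -> number of privileged actions
    for ts, account, action in events:
        if not account.startswith(PRIVILEGED_PREFIX):
            continue  # only privileged accounts are tracked here
        if ts.hour not in BUSINESS_HOURS:
            alerts.append(("off_hours", account, ts.isoformat(), action))
        per_hour[(account, ts.strftime("%Y-%m-%dT%H"))] += 1
    for (account, hour), count in sorted(per_hour.items()):
        if count > FREQ_THRESHOLD:
            alerts.append(("high_frequency", account, hour, f"{count} privileged actions in one hour"))
    return alerts

if __name__ == "__main__":
    for alert in detect_privileged_anomalies(parse_log(SAMPLE_LOG)):
        print(alert)
```

The sample log produces five off-hours alerts and one high-frequency alert, all for the same account, which is the pattern a reviewer would want surfaced to the audit team rather than buried in raw logs.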
So what causes an employee to become a risk for insider privilege abuse?
- Termination – An employee who is already leaving the company may feel they have nothing to lose if they perform an act of revenge on the way out the door, or maybe they just want to collect some confidential data on their way to your competitor.
- Cash – Basically there is money involved, either from an outsider who has offered some type of financial incentive to provide specific information, or from a competitor offering employment if the employee can provide a specific piece of information.
- Life Event – You don’t always know what is happening in someone’s personal life, and serious events can lead to poor decisions. If someone thinks they have nothing to lose, they can turn rogue and do some serious damage.
- Boredom/Stupidity – An employee who is bored and looking for some excitement, or a recently disciplined superuser looking for revenge. This type of individual may feel they aren’t being watched, or that no one cares what they are doing, so they escalate gradually into a malicious insider and over time commit a serious level of damage.