
Three Insiders Who Could Be Stealing Your Data Right Now

By ISBuzz Team. February 12, 2014. Updated: July 5, 2024. 5 Mins Read

In many instances, the most damaging data breaches an organization will face are from an internal source, be it an employee, contractor or temp worker who has access to the network for their day-to-day job function. As data breaches are making major headlines, from massive consumer brands like Target and Coca-Cola to financial institutions and local government, organizations are scrambling to understand how these breaches occurred and most importantly who was behind each attack.

According to a report by Vormetric and Enterprise Strategy Group, more than 50 percent of IT decision makers claim it’s harder to catch insider threats today than it was in 2011. This may be attributed to the expanding complexity of corporate environments, including the expansion of contractors and remote workers and the infrastructure to support them. Continued growth of cloud services also adds security challenges by moving data out of the corporate IT security department, making user access much harder to control across disparate applications and systems.

There are several ways to add structural controls to limit network risk, but the first step is to examine the profiles of potential insider threats and the motivations behind their actions.

The ex-employee

Not all employment relationships end on a sweet note. The trouble is knowing exactly how upset an employee is when he or she walks out the door. A former employee has tons of knowledge about how systems are configured, default passwords that may be in use, and security policies that can be exploited. It doesn’t take long to learn this kind of information; it’s probably covered in “Training 101” to make sure an employee has the knowledge to do their daily job. A disgruntled former employee armed with the knowledge of a few default passwords and how to externally access your systems can quickly cause havoc.

The consultant

How many outside consultants or inside supplemental workforce consultants does your company employ? These workers may not have full access to your network, but still have access to sensitive information. Consultants represent risk for several reasons. Because they often work remotely, a company may have to open up an external network link to sensitive systems. This could be through a jump host, VPN, or other proxy system. However it’s done, it creates an external route that can be exploited. Secondly, turnover can be a big issue. Because consultants are often hired for short-term projects, an IT department can struggle with the load required to revoke access or change passwords every time a contractor or consultant ends their tenure.

The current employee

No one wants to think of their employees, colleagues and work friends as a threat, but existing employees can be seriously malicious users. This is especially true for employees who either know they are about to be let go, or who are planning to quit, and decide to take passwords with them. Current employees can also accidentally or intentionally provide access to those who shouldn’t have it. Perhaps they agreed to give access to a colleague who then does not follow the company’s security policy, or they accidentally open the network to external threats through phishing attacks. Employees can also inadvertently enable external attacks by losing a laptop or smartphone containing sensitive information that is not properly protected.

Once you have identified internal threat sources and what motivates them, the next step is to implement policies that give more control and visibility over their behavior on the enterprise network. Don’t overlook the proper management of network access and control of user privileges. Just as all employees have different job descriptions and levels of decision making power, they should also have a customized level of access on the network. Following the principle of least privilege, if a person does not have access to an area of the network, it will be much more difficult for them to exploit the network, both now and after employment.

Make sure regular auditing capabilities are in place within IT teams. If you cannot tell who is doing what on the company network, you cannot know how extensive a breach really is. Having a full audit trail also protects organizations from failed audits and costly penalties for not meeting compliance mandates like HIPAA, PCI and Sarbanes-Oxley.

If you’re using outside consultants, greatly limit their access to sensitive accounts and keep their level of privilege on the network as low as possible. Require that every time they use access credentials, they must also use multi-factor authentication.

Keep a keen eye on your environments and understand that some of the biggest data security threats you face may be from folks you’ve shared jokes with at the water cooler.

By Ben Yoder, Product Manager, Thycotic Software

Ben Yoder is a software engineer turned product manager and a lover of all things IT. He’s an expert on technology integrations and database systems, manages Thycotic Software’s market-leading Privileged Account Management solution, and keeps a keen eye on product trends in the IT security space. Ben currently leads the product team at Thycotic Software and spends his spare time indulging in craft beers with friends.

 


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
