According to the 2015 CERT and ACSC Cyber Security Survey, 60% of respondents believed that the insider threat is one of the most prominent threats to their organisation. In reality, however, insiders accounted for only 14% of reported attacks. The threat is there nevertheless, and the fear of a trusted insider skirting your organisation's defences (maliciously or inadvertently) is very real. Here are some key recommendations to consider when creating a plan to safeguard your organisation from the insider threat:
1) Train the Human Element – Malicious insiders most often take advantage of their trusted position to extract or leak information. According to the 2013 CPNI UK report, financial gain was the most common motive behind an attack. However, attacks can also occur for ideological reasons, divided loyalties, revenge, or simply the thrill of taking on an organisation.
Organisations should strive to develop a “security culture” within their workplace. Ideally this encourages employees to be alert to suspicious behaviour in the first place and to feel comfortable reporting it to their superiors. Additional training programs that teach employees how to recognise potential signs of malicious behaviour, together with clear guidelines on what is acceptable and expected, further strengthen this culture. A shared understanding of, and willingness to protect, the organisation is necessary for an effective “security culture”.
2) Limit Access to Resources – Granting staff only the level of access to information and systems that they require for day-to-day operations helps prevent unnecessary privileged access from being exploited by trusted insiders. Where further access is required for a specific task, it should be removed from the user once that task is completed.
Further preventative measures can also be implemented. Restricting physical access to sensitive areas (via swipe cards, for example) is an obvious precaution, as is preventing visitors from roaming the site unescorted. Electronic documents that contain sensitive information should likewise be protected with some form of encryption.
Another common precaution is limiting the use of USB sticks, as they are a common method for deploying malware. This can be done by blocking USB ports, or removing them entirely, on workstations that should not require them.
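One way to apply the USB-storage restriction described above on a Windows workstation, as an added example that is not part of the original article: the script audits and, when required, disables the USB mass-storage driver by setting the `Start` value of the `USBSTOR` service key. It assumes an elevated PowerShell session and that the driver key is the chosen control point (Group Policy would be the usual vehicle for a domain-wide rollout).

```powershell
# Added example: audit and enforce the USB mass-storage driver state on a Windows workstation.
# Assumption: the USBSTOR service key is the control point. Start = 3 loads the driver on
# demand (USB storage allowed); Start = 4 disables it (USB storage blocked).
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-UsbStorageState {
    # Report whether USB mass storage is currently allowed or blocked on this host.
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
    if ($start -eq 4) { 'Blocked' } else { 'Allowed' }
}

function Disable-UsbStorage {
    # Requires an elevated session. Prevents the driver from loading for newly attached devices.
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
}

function Enable-UsbStorage {
    # Restore on-demand loading for workstations that legitimately need removable storage.
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value 3 -Type DWord
}

# Audit first, then enforce only where the workstation is still open.
$before = Get-UsbStorageState
if ($before -eq 'Allowed') {
    Disable-UsbStorage
}
Write-Output "USB mass storage on $env:COMPUTERNAME: $before -> $(Get-UsbStorageState)"
```

Run `Get-UsbStorageState` across a fleet (for example via `Invoke-Command`) to find workstations where the control has drifted back to `Allowed`.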
3) Be Alert to Social Engineering Techniques – Although it is relatively well known that phishing attacks (via email) are a serious threat to organisations, attackers are becoming increasingly advanced in the methods they use to trick employees with privileged access into inadvertently compromising their organisation's systems. The only way to combat this threat is to stay constantly alert to unexpected or suspicious communications. Always checking the source of an email that asks you to click through a link is a great habit for all email users to get into (in both private and work life), as often this will be the only indicator that an email is not genuine.
Limiting, where possible, the public exposure of information about the movements of staff who have privileged access is also an important defence against social engineering. It is much more difficult for an attacker to impersonate a trusted user if they cannot reference that user's schedule and other personal details.
4) Be Aware During Recruitment and the Onboarding of Third Parties – Both Australian and foreign-based adversaries target private and public systems in order to gain access to sensitive information or to cause harm to a system. This includes the targeting of critical infrastructure, which may have detrimental effects on the economy and the nation as a whole. Although an organisation's external perimeter defences may be enough to prevent most unauthorised access, it is highly possible that a malicious party will attempt to gain access as an insider, avoiding those well-implemented defences entirely.
Taking special care to ensure that recruitment screening (including background checking) is properly implemented, so that outside parties cannot gain a foothold as a trusted insider, is a crucial part of protecting sensitive assets. Contractors should come under the same level of scrutiny, if not more, and, as mentioned previously, their access should be restricted to the task at hand and no more.
It is difficult to protect against an insider. By their nature, insiders are trusted and have access to information and systems that could be extremely damaging to an organisation should that trust be abused. Following the guidelines in this article (although they are not exhaustive) will help to minimise the damage that a malicious party could potentially do, as well as the damage that may be caused inadvertently by a non-malicious staff member.
For further information on implementing defences against insiders, as well as many of the other threats Australian organisations face today, do not hesitate to contact Agilient.
The Agilient Team