Training to Tackle Insider Threats
By Pete Burke, technical consultant at Force 3
Much like the age-old horror movie trope, when it comes to cybersecurity, the calls are coming from inside the house.
What does that mean? Almost three quarters (74 percent) of breaches originate from within an organization, and two in five of those threats come from employees.
One of the biggest misconceptions about insider threats is that they are universally marked by willful and malicious intent, like the high-profile cases of Chelsea Manning and Edward Snowden. But such attacks actually only comprise a fraction of the problem.
Realistically, insider threats only mean that the problem originates from within your organization—regardless of intent, motive or lack thereof. It could be an employee unwittingly downloading a malicious piece of software or virus from a certain website. A majority of the time, when a company is hacked, it’s by someone appearing to use valid credentials. That’s because they’ve somehow phished and stolen credentials from an authorized employee using a keylogger or some other device. On the surface, it looks like legitimate traffic, but it’s not actually the employee on the other side.
With so much awareness of this issue and so much technology already in place to defend against it, what remains missing? There are several ways we can do better to protect against insider threats, from both the human and the IT sides.
Start with Recruitment
Many organizations mistakenly think that preventing insider threats begins with employee training. But waiting until employees are already inside your organization is too late: Companies need to be on top of this starting with the hiring process.
You can vet for potential insider threat activity if you know what you’re looking for. Hiring managers should conduct thorough background investigations that screen potential employees for financial and criminal histories and flag anything that could lead to an insider threat. Factors like substantial outstanding debt or criminal activity, for instance, leave an employee vulnerable to potential blackmail.
Training for Awareness
Once hired, people should be educated about how to spot and report suspicious activity. Some of this is simply common sense: If an employee sees someone doing something blatant, like transferring files to a personal hard drive or thumb drive, that should raise flags and prompt immediate action.
Managers should work with employees to watch for red flags: for instance, an employee whose behavior suddenly and rapidly changes for no obvious reason. Mannerisms to look out for include nervousness, erratic behavior or evasiveness about what they’re working on or to whom they’re talking.
Employees should also be trained to watch for and report suspicious devices, like thumb drives or recorders. In one instance I know of, an employee was looking for an outlet under a table and, much to their surprise, found a hidden listening device. If it looks out of the ordinary, be diligent. Report it to someone who’d know what to do.
Hiring Quality Contractors
One lesser-known source of vulnerability is the contractor. Typically, when you’re hiring contractors, the contracts are created generically and the candidates who are actually going to do the work may not be specifically identified. There might be a changing cast of characters rotating in and out of your offices as contracts end and are picked up by new players. You need to make sure that when you choose a contracting partner, their employees are vetted to the same level as your own.
There’s also still much that can be done from the IT side. One of the most overlooked protections against insider threats is also one of the most obvious: visibility into the traffic on your network. You’d be surprised how many organizations don’t have a clue what’s going on in their network. They don’t know all the applications running on it or all the personal devices people are trying to connect to it.
Before thinking about how to protect yourself, and before you decide which gateways or firewalls to put in place, you have to assess what’s happening on your network. I recall one situation with a client who had no idea that an employee was using an application to phone home to China. The employee was told it wasn’t an approved use and to stop. Two days later, that application showed up again, and again two days after that. It kept happening until the employee ultimately was let go.
It’s crucial that you analyze typical network traffic and behaviors to identify abnormalities. Every company needs a baseline that tells you, for instance, that John in accounting typically uses the accounting systems, maybe a few different file shares, websites or other applications. Armed with this same level of visibility, you’ll also know when John in accounting suddenly tries to access HR files, or if there is any other notable deviation from the norm—behavior you’ll certainly want to monitor and potentially act upon.
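As an added illustration of the baseline-and-deviation idea (this is not code from the article or from Force 3), the script below builds a per-user baseline of accessed resources from a constructed access log, then flags later events that fall outside that baseline. The log format, the user names and the resource names are all assumptions made for the example. It also counts how many distinct days a given deviation recurs, which is the pattern in the phone-home story above, where the same unapproved activity kept reappearing after the first warning.

```python
"""Per-user access baseline with deviation and recurrence flagging.

Added example; the log format and all sample lines are constructed and do not
come from the article or from any real tool.
"""
from collections import defaultdict
import re

# Constructed log format: "<YYYY-MM-DD> user=<name> resource=<system>"
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) user=(?P<user>\S+) resource=(?P<resource>\S+)$"
)

# A deviation seen on this many distinct days is escalated as recurring.
RECURRING_DAYS = 2

# Constructed baseline window: John works in accounting, Maria in HR.
BASELINE_LOG = """\
2024-01-02 user=john resource=accounting-erp
2024-01-02 user=john resource=finance-share
2024-01-03 user=john resource=accounting-erp
2024-01-03 user=john resource=expense-portal
2024-01-02 user=maria resource=hr-share
2024-01-03 user=maria resource=hr-share
2024-01-03 user=maria resource=payroll
"""

# Constructed later window: John touches an HR share twice, a never-seen
# account appears, and one line is malformed and must be skipped.
NEW_LOG = """\
2024-01-10 user=john resource=accounting-erp
2024-01-10 user=john resource=hr-share
2024-01-10 user=maria resource=payroll
2024-01-10 user=dave resource=finance-share
this line is not a valid event
2024-01-12 user=john resource=hr-share
"""


def parse_events(log_text):
    """Return a list of (date, user, resource) tuples; malformed lines are dropped."""
    events = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            events.append((match["date"], match["user"], match["resource"]))
    return events


def build_baseline(events):
    """Map each user to the set of resources they touched in the baseline window."""
    baseline = defaultdict(set)
    for _date, user, resource in events:
        baseline[user].add(resource)
    return dict(baseline)


def find_deviations(baseline, events):
    """Flag events outside the baseline and note on how many distinct days each recurs.

    Returns a list of dicts sorted by (user, resource), each with a 'reason' of
    'unknown-user' (no baseline at all) or 'new-resource' (resource not in the
    user's baseline), the 'dates' it was seen, and a 'recurring' flag.
    """
    deviation_dates = defaultdict(set)
    reasons = {}
    for date, user, resource in events:
        if user not in baseline:
            reason = "unknown-user"
        elif resource not in baseline[user]:
            reason = "new-resource"
        else:
            continue  # matches normal behaviour for this user
        deviation_dates[(user, resource)].add(date)
        reasons[(user, resource)] = reason

    report = []
    for (user, resource), dates in sorted(deviation_dates.items()):
        report.append({
            "user": user,
            "resource": resource,
            "reason": reasons[(user, resource)],
            "dates": sorted(dates),
            "recurring": len(dates) >= RECURRING_DAYS,
        })
    return report


if __name__ == "__main__":
    baseline = build_baseline(parse_events(BASELINE_LOG))
    for item in find_deviations(baseline, parse_events(NEW_LOG)):
        flag = "RECURRING" if item["recurring"] else "once"
        print(f"{item['user']:6} {item['resource']:15} {item['reason']:13} "
              f"{','.join(item['dates'])} [{flag}]")
```

In a real deployment the baseline would come from weeks of authentication or proxy logs rather than a handful of lines, and "new resource" should be weighed against the user's department and role, but the mechanics are the same: record what normal looks like per person, then review anything outside it, escalating when the same deviation keeps coming back.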
There’s a plethora of tools out there (and even more on the horizon) to help companies prevent insider threats. Even something as basic as a network switch now has technology built in to add additional layers of security. It’s no longer enough to ensure devices hit the mark for speed and reliability. They must also be secure before any traffic is allowed to flow through them.
Another promising shift is the increasing use of automation and AI to detect abnormalities. While people still set the strategy and make recommendations, there’s a real opportunity to use technology to detect, respond to, analyze and mitigate these threats. No matter how many engineers you put in a room, you’ll never match the breadth of data that can be analyzed through automation.
The immediate reaction to an insider threat is to buy new technologies and tell employees to be more secure. Let’s take a step back and approach insider threats from a proactive, training-focused mindset. Get an understanding of your people, set a baseline for online and offline behaviors, and start tracking for anomalies.
About the Author
Pete Burke is a security and borderless networks technical consultant at Force 3.
He advises federal technology buyers on the solutions that best fit their needs. Pete has previously worked at Gemalto and Philips Healthcare.
The opinions expressed in this blog are those of Pete Burke and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
Pete can be reached online at https://www.linkedin.com/in/pete-burke-cissp-35133b2b/ and at our company website www.force3.com.