When Insider Threats Come From The Outside

Insider threats don’t always come from your office. Are you prepared to manage those that don’t?We all understand the classic insider threat: a malicious employee, perhaps disgruntled at being passed over for a promotion, may steal valuable data to sell on the open market or take to a competitor. An unhappy sysadmin may plant a backdoor in the system to give themselves an advantage over an employer who they now consider an adversary.

These threats are particularly worrying because insiders generally have easy access to sensitive company resources. These days, though, employees passing through the doors of your company each day may not be the only ones with this privileged access.

“Historically, ‘insiders’ were often referred to as disgruntled or negligent employees that inflicted harm to company assets. But today, there are many different classifications,” warned Sandy Bird, IBM fellow and CTO of security systems at IBM Canada.

In addition to classic malicious insiders determined to embezzle money or steal secrets from a company, IBM has identified several types of insider threat.

Some employees have left the company but may continue to use expired privileges, or backdoors created before they left. Another, which the company calls the ‘quality insider’, is particularly interesting.

“These are considered to be trusted third-party workers, such as electricians, construction workers and repair personnel who have access to the building and/or networks before, during or after office hours,” Bird said.

It’s important to realize that these semi-insiders do not just represent a purely physical risk. Network access is key. Giving account privileges to freelance contractors or suppliers can leave you open to risk.

Take Target, for example, which most recently agreed to a $39 million settlement with US banks over its 2013 data breach. The thieves, who compromised around 40 million credit card details was said to have broken in using network credentials stolen from a subcontractor that provided refrigeration services. Large retailers often have teams that consistently monitor energy consumption.

These quasi-insiders represent a significant risk, according to data security firm Vormetric, which sells data protection and encryption products. Its 2015 Vormetric Insider Threat Report identified contractor and service provider employees as the second biggest threat. 44% of companies pointed to them as an issue.

Protection

How can companies protect themselves against quasi-insider threats? Effective employee lifecycle management is one way. Disgruntled employees can only use their old accounts if they remain active. Combining an effective single sign-on and identity management layer with repeatable, consistent processes that delete employee accounts when they leave can go a long way towards preventing this.

An IT services management program can help to formalize these kinds of processes, making it easier for human resources to request an employee termination service that seals off everything upon departure.

At the organizational level, a comprehensive policy outlining exactly what is and isn’t acceptable when accessing company computing resources and data can help to lock down all insiders, regardless of where they work. This can be made to apply equally to third-party contractors who must abide by those rules.

Still, a contractor’s account may still be breached by someone else. This is why all users should be given least-privilege access to systems, limiting the amount of damage that they can do.

“Multi-factor authentication is another great way to ensure that only those who need access are actually getting to the data,” said Sol Cates, CSO at Vormetric. This makes it harder for attackers to breach someone’s account.

There is another line of defence, should all of these fail, he adds. Companies can watch for unusual patterns of behaviour to spot suspicious activity from insiders, whether or not they work inside your building.

“Watch the data access patterns of those who need access for their work for anomalous access patterns,” he said. “These can identify when a user is acting in a way that may indicate a threat.”

User activity monitoring (UAM) tools are available to help do this, and typically integrate with identity and access management systems.

Insider threats are a fact of life, even when those insiders aren’t always sitting at one of your own desks. The trick is to stop the threats becoming actual attacks. As with all cybersecurity discussions, 100% protection is never guaranteed. But a little forethought and preparation can help to drastically reduce the probability of being hit.