Contrary to popular belief, insider attacks are not just caused by employees. An ‘insider’ is anybody given access to either data or infrastructure within an organisation.
This could be a disgruntled current or former employee, or a contractor, third party or partner organisation. For many large organisations, there is a long line of people who have the access to commit an insider attack.
Once they’ve got access to parts of the internal infrastructure, the in-place perimeter security is effectively useless.
Internal segmentation of networks is typically poorly deployed across organisations as it’s classed as a lower priority.
‘Many firms have historically focused on perimeter security, meaning their network has a hard exterior but soft underbelly,’ says Steve Mulhearn, head of enhanced technologies for the UK and Ireland at Fortinet.
A major driver for insider threats is linked to the motive and intent of an employee to perform a malicious activity, for either financial gain or personal satisfaction.
Intent and capability arising from misaligned user access is a toxic combination, and employees often hold the organisation responsible in the event of a breach – as seen in the recent Morrisons data breach, which led to employees taking legal action against the supermarket giant.
In a recent study by ISACA and the RSA Conference, four in ten organisations had experienced insider damage at least quarterly in 2015.
‘These insiders are increasingly becoming a major risk to information security through account misuse, data loss and fraudulent activities,’ says Ramsés Gallego, president of ISACA’s Barcelona chapter. ‘The type of attack can range from the introduction of viruses to the theft of information, money or corporate secrets.’
Studies show that, on average, an insider crime takes up to 42 days longer to resolve than an external cyber attack, with the cost of repair to the enterprise coming in at over £12,000 per day.
The tangible recovery costs are often the simplest items to calculate. The additional support costs from vendors, consultancy partners and internal business units that are required to help resolve, secure and document insider-related data breaches are considerable.
Cost analysis should focus beyond the monetary, considering, for example, the time and effort of all involved, including senior management.
Data breaches of any kind – internal or external – can also create great damage for an enterprise’s public brand.
‘With the rise of social media and news proliferation,’ says Gallego, ‘an insider breach can instantly devalue an enterprise’s image as a well-managed and secure business in control of its information assets and customer-related data.’
Realistically, privileged users have always been a high-risk group. The catastrophic damage this type of technical user can cause – not just for the business but for customers as well – has been demonstrated on a number of occasions.
Earlier this year, Ofcom became the latest high-profile organisation to fall victim to the insider threat. The incident was a perfect example of how firms struggle to protect their data resources from those already legitimately ‘inside the fence’.
Every organisation will have employees or contractors who have far-reaching, privileged computer network access rights – and it is how these users are controlled and secured that is often a weak link in the data security framework.
According to a survey conducted by Ovum last year, only 13% of European respondents felt confident that their organisations were safe from insider threats.
‘It is often a case of ineffective management of privileged users on corporate networks that causes this type of data breach incident,’ says Louise Bulman, VP and GM EMEA at Vormetric. ‘Until organisations adopt an encrypt-everything strategy with appropriate access control, the insider threat will remain a serious problem for organisations today.’
When dealing with insider threats, however, organisations must consider that the person whose access is being used is not necessarily aware.
One of the biggest security issues facing companies is advanced malware, which opens up information or infrastructure to external bodies. Attribution is a grey area here, as it is difficult to classify such an incident as either an external or an internal attack.
Users have frequently been infected by the malware inadvertently, and organisations often struggle to differentiate between inadvertent incidents and malicious internal attacks.
‘When it comes to statistics on how prevalent insider attacks are, these figures can often be inaccurate as there isn’t a coherent, agreed definition of exactly what constitutes an insider attack,’ says Mulhearn.
Out of sight
Another problem is that many enterprise defences and security processes are not designed to deal with an insider threat.
If a user has valid access to the network then threat detection solutions may not see anything, and if they do it will most likely be a set of low-priority events that are lost in the noise of everything else the security team has to deal with.
Dealing with these kinds of threats, and external threat actors who use stolen credentials and other weak entry points to gain access to infrastructure, requires companies to evolve their approach.
‘We need better visibility of network and threat activity across our user base, ideally together so that we can establish cause and effect, and we need tools that allow our analysts to more readily establish shifts in patterns of threat activity or traffic,’ says Darren Anstee, chief security technologist at Arbor Networks.
‘Many organisations are now adopting a more forward-leaning security posture for exactly these reasons.’
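The visibility Anstee describes comes down to comparing a user's current activity with that user's own recent pattern, so that valid-credential access is not buried among low-priority events. The following script is an added example, not code from the article or from any vendor quoted in it. It builds a per-user daily baseline from constructed access-log lines (format and data are assumed for illustration), then flags users whose daily volume or working hours shift sharply on a given observation day.

```python
"""Baseline-and-deviation check over constructed access-log lines.

Added example: flags users whose daily file-access volume, or use of
off-hours access, departs sharply from their own recent baseline.
Log format is assumed: '<ISO timestamp> <user> <action> <object>'.
"""
from collections import defaultdict
from datetime import date, datetime, timedelta
from statistics import mean, pstdev

BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 treated as normal working time


def constructed_log():
    """Build constructed sample lines (not real data): five quiet baseline
    days for 'alice' and 'bob', then an observation day on which alice pulls
    20 files at 02:00 while bob behaves as usual."""
    lines = []
    start = datetime(2016, 5, 2, 9, 0)  # a Monday
    for day in range(5):
        base = start + timedelta(days=day)
        for i in range(3):  # alice: 3 reads a day, business hours
            lines.append(f"{(base + timedelta(hours=i)).isoformat()} alice READ /finance/report{i}.xlsx")
        for i in range(6):  # bob: 6 reads a day, business hours
            lines.append(f"{(base + timedelta(hours=i)).isoformat()} bob READ /eng/spec{i}.pdf")
    obs = datetime(2016, 5, 9, 2, 0)
    for i in range(20):  # alice: bulk off-hours pull
        lines.append(f"{(obs + timedelta(minutes=i)).isoformat()} alice READ /finance/customer{i}.csv")
    for i in range(6):  # bob: unchanged pattern
        lines.append(f"{(obs.replace(hour=9) + timedelta(hours=i)).isoformat()} bob READ /eng/spec{i}.pdf")
    return lines


def parse(lines):
    """Split each line into (timestamp, user, action, object)."""
    events = []
    for line in lines:
        ts, user, action, obj = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), user, action, obj))
    return events


def daily_counts(events):
    """Return {user: {date: [total_accesses, off_hours_accesses]}}."""
    counts = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for ts, user, _action, _obj in events:
        bucket = counts[user][ts.date()]
        bucket[0] += 1
        if ts.hour not in BUSINESS_HOURS:
            bucket[1] += 1
    return counts


def find_deviations(lines, observation_day, z=3.0):
    """Compare each user's activity on observation_day (ISO date string)
    with that user's earlier days. Returns {user: [reasons]} for users whose
    volume exceeds mean + z*stdev, or who show off-hours access where the
    baseline had none."""
    obs_day = date.fromisoformat(observation_day)
    counts = daily_counts(parse(lines))
    findings = {}
    for user, per_day in counts.items():
        baseline = [v[0] for d, v in per_day.items() if d < obs_day]
        baseline_off = sum(v[1] for d, v in per_day.items() if d < obs_day)
        today_total, today_off = per_day.get(obs_day, [0, 0])
        if not baseline:
            continue  # no history to compare against
        mu, sigma = mean(baseline), pstdev(baseline)
        # Floor sigma at 1 so a perfectly flat baseline still has some tolerance.
        threshold = mu + z * max(sigma, 1.0)
        reasons = []
        if today_total > threshold:
            reasons.append(f"volume {today_total} vs baseline mean {mu:.1f}")
        if today_off and baseline_off == 0:
            reasons.append(f"{today_off} off-hours accesses, none in baseline")
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in find_deviations(constructed_log(), "2016-05-09").items():
        print(user, "->", "; ".join(reasons))
```

With the constructed data, alice is reported for both volume and off-hours access while bob is not, even though every line represents a valid login. In practice the same per-user comparison would run over directory or file-server audit logs, and the threshold and business-hours window would be tuned per role rather than fixed as here.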
Part of an evolving approach to security is not seeing the malicious insider attack as an IT problem. Overcoming the issue requires organisations to look at it as a business and HR problem.
When an organisation is victimised by an insider attack, the organisation should look within and not place the responsibility for the actions of one individual upon the shoulders of a single department – unless the employee was an IT staff member.
It is the line manager’s responsibility, and insider attacks should always be seen as an organisational failure. Just as the safety officer is not responsible for an employee who sets fire to the physical building, IT should not be responsible for the equivalent data destruction by an insider attack.
However, just as the safety officer needs to ensure that the fire suppression system is working, IT needs to be prepared.
‘The best defence against an insider attack, other than robust backups of data, is active engagement by supervisors and managers,’ says Ian Trump, security lead at LOGICnow. ‘In the vast majority of cases of insider attacks, there are usually warning signs.
‘The key to mitigating the risk is not to hire and forget. Active engagement, listening, reviews, check-ins, training and a council are all better things to do than an impromptu disaster recovery exercise.’
That’s not to say, however, that the CIO and CISO shouldn’t take a leading role in looking at how insider attacks can cause damage to IT systems, and designing out as many weaknesses as possible. For example, organisations that don’t want employees to download material onto thumb drives should disable their USB ports. And data loss prevention tools should be set to ‘prevent’, not just ‘monitor’.
‘The organisation should also look at insecure but honest workarounds, and ask themselves why staff do not follow the correct procedure,’ says Mark Stollery, managing consultant in enterprise and cyber security, UK & Ireland, at Fujitsu. ‘It is probably because the correct procedure is cumbersome and ineffective. Make the right way the easy way and people will follow it.’
General awareness training has been shown to be of negligible use except to demonstrate compliance to auditors.
Training must focus on changing specific behaviours, and must be simple and clearly articulated to employees, such as, ‘Do not send material marked confidential by email.’
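The rule ‘Do not send material marked confidential by email’ is also exactly the kind of behaviour a data loss prevention tool can enforce, and the article's earlier point about setting such tools to ‘prevent’ rather than ‘monitor’ is easy to show in code. This is an added example, not code from the article or from any DLP product; the internal mail domain, the message structure and the sample messages are assumed for illustration.

```python
"""Minimal outbound-mail policy check in 'monitor' and 'prevent' modes.

Added example. The rule: mail that leaves the organisation and carries a
'confidential' marking in its subject, body or attachments is a violation.
In 'monitor' mode the violation is only logged and the mail still leaves;
in 'prevent' mode it is blocked.
"""
import re
from dataclasses import dataclass, field

CONFIDENTIAL_MARK = re.compile(r"\bconfidential\b", re.IGNORECASE)
INTERNAL_DOMAINS = {"example.com"}  # assumed internal mail domain (placeholder)


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: dict = field(default_factory=dict)  # filename -> text content


def leaves_organisation(msg):
    """True if any recipient is outside the internal mail domains."""
    return any(r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS
               for r in msg.recipients)


def is_marked_confidential(msg):
    """True if the marking appears in subject, body or any attachment."""
    texts = [msg.subject, msg.body, *msg.attachments.values()]
    return any(CONFIDENTIAL_MARK.search(t) for t in texts)


def evaluate(msg, mode):
    """Return (delivered, log_entry). mode is 'monitor' or 'prevent'."""
    if mode not in ("monitor", "prevent"):
        raise ValueError(f"unknown mode: {mode}")
    if not (leaves_organisation(msg) and is_marked_confidential(msg)):
        return True, None
    entry = (f"policy=confidential-outbound sender={msg.sender} "
             f"to={','.join(msg.recipients)} mode={mode}")
    if mode == "monitor":
        return True, entry + " action=logged"   # data still leaves
    return False, entry + " action=blocked"


def sample_external():
    """Constructed message: confidential attachment to an external partner."""
    return Message("alice@example.com", ["partner@other.example"], "Q1 numbers",
                   "See attached", {"q1.xlsx": "CONFIDENTIAL - internal only"})


def sample_internal():
    """Constructed message: same marking, but the recipient is internal."""
    return Message("alice@example.com", ["bob@example.com"], "Q1 numbers",
                   "Confidential, see attached")


if __name__ == "__main__":
    for mode in ("monitor", "prevent"):
        delivered, log = evaluate(sample_external(), mode)
        print(mode, "delivered" if delivered else "blocked", log)
```

The monitor setting produces a log line that the security team may or may not get to, while the data has already left; the prevent setting is what actually stops the behaviour the training rule describes. A real deployment would match on classification labels or document metadata rather than a bare keyword, which this example uses only to keep the policy logic visible.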
Security behaviours must also be supported and actively demonstrated by the senior leadership.
‘An organisation whose leaders do not follow the rules should not be surprised when other staff don’t follow them either,’ says Stollery. ‘A culture of paying attention to security is also a deterrent to insiders who might be tempted to do the wrong thing.’
Gone are the days when it was believed that the network could be secured at the gateway – there is no longer a network perimeter.
We live in an age of data portability, the mobile workforce and the wide-scale use of BYOD. And security problems are only going to get worse because of the increasing number of possible attack vectors.
Organisations need to take the time to understand the data they wish to protect. Only when this is understood and categorised should decisions be made on the administrative and technology requirements.
‘User education is critical and employee buy-in is essential,’ says David Kennerley, senior manager for threat research at Webroot. ‘It’s also about a change in mindset, turning the employee problem into part of the solution.’
Cybercriminals only need to find one hole in the defence, whereas security professionals have to secure them all. It is never going to be an easy task, but sound user education and relevant processes, combined with the relevant technologies, are now more important than ever and should never be underestimated.