Trust and negligence often go together, and in most cases they are the prime reasons for data breaches arising out of insider jobs. For a business to run, a certain level of trust is required among colleagues and between bosses and employees, but what matters is that security policies are enforced without exception in the first place, and that they are not compromised in the name of trust and “personal relations”.
For the most part, cyber security is assumed to be a contest between cyber security technologies, coupled with the experience and skills of IT managers defending their enterprise territory, and highly motivated attackers looking to exploit any weakness in the network boundary with the intention of gaining access to precious and saleable information. But if you look at the recent indicators in the public domain, you will find that in a significantly large number of cases the breach was instigated from inside by someone known, perhaps someone who used to chat with the IT managers. Because this problem starts from inside, solutions must not be focused only on the outside.
“Insider abuse featured in 20.6% of all reported security incidents and 10.6% of confirmed data breaches” - Verizon data breach report, 2015.
If this was upsetting, what can unnerve you further as the person in charge of security is the report that “time of compromise” and “time to discover the compromise” have been diverging over the last decade, signifying a widening gap between when events happen and when they are detected.
What exactly is an insider threat?
Understanding the problem is a step closer towards the solution. The Computer Emergency Response Team (CERT) at Carnegie-Mellon University defines insider threat as “a malicious insider threat to an organization is a current or former employee, contractor, or other business partner who has or had authorized access to an organization’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.”
However, as the nature of doing business has evolved over time, so has the nature of the insider threat. Work-from-home, BYOD, the distributed nature of the workforce, etc. have further complicated the problem, making it even more severe than before.
Aspects that make Active Directory a natural breeding ground for insider threats are:
Treating privileged credentials carelessly: We all have privileged users in our organization who have elevated access to almost all systems, applications and data, and frequently they are required to share that privilege with others to “get the work done” without considering the consequences of their actions.
Configuring inappropriate roles: User roles can be confusing at times, particularly when it comes to implementing them in Active Directory. We usually have overlapping roles and designations which, when implemented in AD, lead to multiple owners of systems and applications – a situation that can lead to unmarked territorial rights within the network.
Languid privilege de-provisioning: “Assigned the rights but didn’t care to remove them immediately after the task was over” – a common story behind data breaches originating from a lack of automation in de-provisioning of rights.
Gaps in policy enforcement: Knowing where the sensitive data lies and who can access it helps in designing robust security policy enforcement, which, unfortunately, many small enterprises lack.
Ineffectual auditing and response time: Auditing and compliance are there for a purpose. If followed to their core, regulatory guidelines will keep you protected from most threats.
Un-automated AD management: Access controls and AD access rights should be regularly evaluated, changed or deleted as and when required. Lack of automation is the primary obstacle to carrying out such activities; without it there is no reliable way to detect and clean stale AD accounts.
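The privileged-credential, de-provisioning and stale-account points above can be checked with a scheduled audit. The script below is an added example, not part of the article; it assumes the RSAT ActiveDirectory module, a read-only account that can query the domain, and that it runs in the forest root domain (where Enterprise Admins and Schema Admins exist). The 90-day staleness window and the output file name are assumed values.

```powershell
# Added example: audit privileged group membership and stale accounts in Active Directory.
# Assumes the RSAT ActiveDirectory module and a read-only domain account; run from the forest root domain.
Import-Module ActiveDirectory

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$StaleDays = 90   # assumed policy value
$Cutoff    = (Get-Date).AddDays(-$StaleDays)

# 1. Who holds elevated rights, and is each holder still active?
#    LastLogonDate comes from the replicated lastLogonTimestamp attribute, which is only
#    accurate to roughly 14 days, so treat it as a coarse indicator, not an exact timestamp.
$PrivReport = foreach ($Group in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires, Enabled |
        ForEach-Object {
            $finding = ''
            if (-not $_.LastLogonDate -or $_.LastLogonDate -lt $Cutoff) {
                $finding = 'Stale privileged account'      # rights never de-provisioned
            } elseif ($_.PasswordNeverExpires) {
                $finding = 'Password never expires'        # shared/"service" style admin account
            }
            [pscustomobject]@{
                Group                = $Group
                SamAccountName       = $_.SamAccountName
                Enabled              = $_.Enabled
                LastLogonDate        = $_.LastLogonDate
                PasswordLastSet      = $_.PasswordLastSet
                PasswordNeverExpires = $_.PasswordNeverExpires
                Finding              = $finding
            }
        }
}
$PrivReport | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# 2. Stale user accounts domain-wide: still enabled, but no logon within the window.
$Stale = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($StaleDays)) -UsersOnly |
    Where-Object { $_.Enabled }
$Stale | Select-Object SamAccountName, LastLogonDate, DistinguishedName |
    Export-Csv -NoTypeInformation -Path .\stale-accounts.csv   # assumed output path

# 3. Remediation, only after a human reviews the CSV: disable rather than delete,
#    so a wrongly flagged account can be restored. Remove -WhatIf to apply.
$Stale | Disable-ADAccount -WhatIf
```

Run it on a schedule and diff the two reports against the previous run; new members of a privileged group or an account that reappears after being disabled is exactly the kind of change the article says goes unnoticed without automation.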
Threats can arise from an employee with malicious intent, someone who feels exploited and dissatisfied, or even a careless insider. You need to take a multi-faceted approach to deal with vulnerabilities coming from any of these types of users. At a high level you need to:
Establish ownership and indicators: Know what systems and applications are being used in your enterprise, and who has what level of access to those systems and applications. Put together a team of professionals with mastery over a set of procedures to prevent, detect and respond to insider threats.
Assess the vulnerabilities: Is your enterprise network’s threat register a blank slate? Walk through the business processes to look for gaps and vulnerabilities, and note down all threats and exposures in the threat register.
Input human behavior into simulating insider threats: User behavior can be an important input when simulating a cyber security breach originating from an insider threat. It can significantly narrow down the problem to pinpoint suspected users.
Do mock drills and practice how to respond to insider threats: Create a team of individuals who have expertise in staging insider attacks in your network. Simulate known modus operandi to test whether your network can thwart such attacks, and then try to improve the response time and mechanism.
Following are the best practices for securing Active Directory against insider threats:
The insider threat is taking its toll globally; tomorrow it can be your organization. What has been written in this article is at a macro level; it is important for you to get your act together and come up with a robust, comprehensive and finely woven insider threat mitigation program that can ensure the security of the enterprise network. The most important thing to understand here is that the insider threat is a socio-technical problem which for the most part originates from human factors, and therefore any solution must be devised taking this factor into account. When it comes to enterprise networks, Active Directory is all-pervasive, so focusing on tightening AD security is a good start in the direction of devising a mechanism for dealing with insider threats.