X

Insider threats: Trust and negligence can be recipe for disaster

Introduction

Trust and Negligence. They often go together and in most cases are the prime reasons for data breaches arising out of insider job. For businesses to run, certain level of trust is required amongst colleagues and between bosses and employees, but then what is important is to ensure that security policies are irrefrangible at first place and also that they are not compromised in name of trust and “personal relations”.

For the most part, cyber security is assumed to be a contest between cyber security technologies coupled with experience and skills of IT managers seeking to defend their enterprise territory, and highly motivated attackers who are looking to exploit any weakness in network boundary with the intention of gaining access to precious and vendible information. But then if you look at the recent indicators in public domain, you will find that in a significantly large number of cases it was instigated from inside by someone known, perhaps who use to had tete-a-tete with IT managers. Because this problem starts from inside, solutions too must not be focused alfresco.

How big a threat is insider threat?

“Insider abuse featured in 20.6 % of all reported security incidents and 10.6% of confirmed data breaches” - Verizon data breach report, 2015.

If this was upsetting, what can unnerve you further as a security in charge is the report that “time of compromise” and “time to discover the compromise” are swerving over the last decade signifying a widening gap between when events happen and when they are detected.

What exactly is an insider threat?

Understanding the problem is a step closer towards the solution. The Computer Emergency Response Team (CERT) at Carnegie-Mellon University defines insider threat as “a malicious insider threat to an organization is a current or former employee, contractor, or other business partner who has or had authorized access to an organization’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.

However, as the nature of doing business has evolved over time, so has the nature of the insider threat. Work-from-home, BYOD, distributive nature of workforce etc. have further complicated the problem making it even more severe than before.

What makes organizations vulnerable to insider threat?

Aspects that create Active Directory as a natural breeding ground of insider threats are:

Treating privileged credentials insouciantly: We all have privileged users in our organization who have elevated access to almost all systems, applications and data and frequently they are required to share that privilege with others to “get the work done” without apprehending the consequences of their actions.

Configuring inappropriate roles: User roles can be confusing at times particularly when it comes to implementing it in the Active Directory. We usually have overlapping roles and designations which when implemented in AD leads to multiple systems and applications’ owners – a situation that can lead to unmarked territorial rights within network.

Languid privilege de-provisioning: “Assigned the rights but didn’t care to remove it immediately after the task was over” – a common story behind data breaches originating from lack in automation in de-provisioning of rights.

Gaps in policy enforcement: Knowing where the sensitive data lies and who all can access it helps in designing a robust security policy enforcement which, unfortunately, many small enterprises lack.

Ineffectual auditing and response time: Auditing and compliance is there for a purpose.If followed to their core regulatory guidelines will keep you protected from most threats.

Un-automated AD management: Access controls and AD access rights should be regularly evaluated, changed or deleted as and when required. Lack of automation is the primary reason in effecting such activities, there is no automated way to detect and clean stale AD accounts.

Dealing with insider threats

Threats can arise from an employee with malicious intent, someone who feels exploited and unsatisfied or even a careless insider. You need to take a multi-faceted approach to deal with vulnerabilities coming from any of these types of users. At high-level you need to:

Devise ascendancies and pointers: Know what systems and applications are being used in your enterprise and all who have how much access to those systems and applications. Put together a team of professionals with mastery over set of procedures to prevent, detect and respond to insider threats.

Assess the vulnerabilities: Is your enterprise network’s threat register a tabula rasa?Walk through the business processes to look for gaps and vulnerabilities, note down all threats and exposures in threat register.

Input human behavior in simulating insider threats: User behavior can be an important input in simulating cyber security breach originating from insider threat. It can significantly narrow down the problem to pin point suspected users.

Do ersatz drills and practice how to respond to insider threats: Create a team of individuals who have expertise in staging insider attacks in your network. Simulate known modus operandi to test if your network can thwart such attacks and then try to improve the response time and mechanism.

Securing Active Directory against insider threats

Following are the best practices for securing Active Directory against insider threats:

  • Continuously monitor sensitive Active Directory objects for change attempts and event logs for any suspected access attempts. This process can be streamlined using avant-garde third-party AD auditing software like LepideAuditor Suite.
  • Monitor and protect “VIP Accounts” to ensure security of privilege accounts.
  • When assigning membership to sensitive groups do time-limited assignments with a definite and appropriate end-date rather than permanent assignments.
  • Create a list of accounts which can perform important tasks such as account creation and watch them so that any unauthorized action is immediately noticed.
  • Implement least-privilege administrative models so that users have rights to do only those actions that they are entitled to do and avoid “all or none” privilege assigning practice that many IT administrators do.
  • Implement secure administrative hosts to act as a secure platform from which privileged accounts can do administrative tasks in active directory.
  • Isolate and slowly decommission legacy systems and applications.
  • Migrate absolutely vital systems, if possible, to an altogether new forest with air-tight security policies.

Conclusion

The insider threat is taking its toll globally, tomorrow it can be your organization. What has been written in this article is at macro level, it is important for you to get your acts together and come up with a robust, comprehensive and finely woven insider threat mitigation program that can ensure security of enterprise network. Most important thing to understand here is the fact that insider threat is a socio-technical problem which for the most part originates from human factors and therefore any solution must be devised taking this factor into account. When it comes to enterprises’ networks, Active Directory is all pervasive, so focusing on tightening AD security will be a good start in the direction of devising a mechanism for dealing with insider threats.