Insider Threats: How to Stop the Most Common and Damaging Security Risk You Face

Insider Threats: How to Stop the Most Common and Damaging Security Risk You Face

Since each insider threat is very different, preventing them is challenging.

  • By Tim Matthews
  • Mar 19, 2019
Insider threats continue to make news. In the fall of 2018, a senior scientist from Genentech was indicted for stealing trade secrets to give to a rival firm in Taiwan and later that year, Legacy Health announced it had suffered a data breach exposing the medical records of 38,000 patients were taken via a phishing attack against one of its employees.

While we may be distracted by ransomware or cryptojacking, insider threats are a much bigger issue. And while they have gone on for years, there are ways to mitigate risk and respond.

What is an insider threat?

An insider threat is malicious activity against an organization that comes from people within. The usual suspects are employees or contractors with access to an organization’s network, applications or databases.

Are insider threats always theft?

Actions that could negatively impact an organization falls into the insider threat category. These include sabotage, fraud, and espionage. Typically, insiders carry out their plans via abuse of access rights – both physical and online.

The types of insiders who are threats

Organizations that are looking to stop insider threats need to understand the three different types of insiders and their motives. Since they are each very different, preventing them is also different.

Malicious Insider –an employee or contractor who knowingly looks to steal information or disrupt operations.

This type of individual typically has two motives: stealing information to sell or advancing their career. These attacks may involve theft of intellectual property, where they would give it to a competing organization to hurt their own. Or they are looking for a way to punish or embarrass their employer.

Negligent Insider – an employee who does not follow proper IT procedures is considered a negligent insider.

This may be as simple as someone who leaves their computer without logging out or anyone who does not change default passwords.

Compromised Insider – an employee whose computer has been infected with malware is the most common example.

These employees are typically infected via phishing scams or by clicking on links that cause surreptitious malware downloads. Compromised devices can be used as a “home base” for cybercriminals. From there they can scan file shares, escalate privileges and more.

How are employees compromised

Here’s how an employee can become a compromised insider:

Phishing – a cybercrime in which a target individual is contacted via email or text message by someone posing as a legitimate institution in order to lure the individual into providing sensitive data.

Malware infection – a cybercrime when a machine is infected with malicious software – malware – infiltrates your computer. The goal of the malware in the case of a compromised insider is to steal sensitive information or user credentials.

Credential theft – a cybercrime aimed at stealing the username and password – the credentials – of a targeted individual. Credential theft can be done in a variety of ways. Phishing and malware infection, mentioned above, are common.

Pass-the-hash – a more advanced form of credential theft where the hashed – encrypted or digested – authentication credential is intercepted from one computer and used to gain access to other computers on the network.

Detecting insider threats

Being proactive and observing user behavior may allow organizations to catch potential malicious insiders before they disrupt operations.

Risk signs include

  • Employee’s interest in matters outside their duties
  • Working odd hours without authorization
  • Excessive negative commentary about the organization
  • Individuals who exhibit signs of drug or alcohol abuse, financial difficulties, gambling, and poor mental health

HR and IT security teams should be vigilant in the wake of significant organizational events, such as a layoff or if an employee believes they are going to receive a promotion and do not. Most important is coordination between HR and IT security around these events.

IT security should observe how users are behaving online in any of the above scenarios. Employees and contractors may exhibit online behaviors that tip off the security team. In the case of compromised users, there will likely be unusual access patterns that can be spotted.

How to prepare for insider threats

There are many things an organization can do to combat insider threats including:

Train Your Employees. Conduct regular anti-phishing training. The most effective technique is for the organization to send phishing emails to its users and focus training on those users who do not recognize the email as a phishing attempt. Organizations should also train employees to spot risky behavior among their peers and report it to HR or IT security.

Coordinate IT Security and HR. There is no shortage of stories about IT security teams that were blindsided by layoffs. Coordination between the CISO and head of HR can help prepare IT security. HR can advise IT security about certain employees that were passed over for promotion or not given a raise and put them on a watch list.

Build a Threat Hunting Team. Rather than reacting to incidents after they are discovered, threat hunting takes a proactive approach. Dedicated individuals on the IT security team look for telltale signs, such as those listed above, to head off disruption before it occurs.

Employ User Behavioral Analytics. User Behavior Analytics (UBA), also known as User and Entity Behavior Analytics (UEBA), is the tracking, collecting, and analyzing of user and machine data. Using various analytical techniques, UBA determines normal from anomalous behaviors. This is typically done by collecting data over a period of time to understand what normal user behavior looks like, then flagging behavior that does not fit that pattern. UBA can often spot unusual online behaviors – credential abuse, unusual access patterns, large data uploads – that are telltale signs of insider threats. UBA can spot these unusual behaviors among compromised insiders long before criminals have gained access to critical systems.

By better understanding the different types of insiders and the behaviors they exhibit, organizations can be better prepared to fight these threats. A combination of training, organizational alignment, and technology is the right approach.

Featured

  • Allegion, Comfort Technologies Implement Mobile Credentials at the Artisan Apartment Homes in Florida

    Artisan Apartment Homes, a luxury apartment complex in Dunedin, Florida, recently transitioned from mechanical keys to electronic locks and centralized system software with support from Allegion US, a leading provider of security solutions, technology and services, and Florida-based Comfort Technologies, which specializes in deploying multifamily access control, IoT devices and software management solutions. Read Now

  • Mall of America Deploys AI-Powered Analytics to Enhance Parking Intelligence

    Mall of America®, the largest shopping and entertainment complex in North America, announced an expansion of its ongoing partnership with Axis Communications to deploy cutting-edge car-counting video analytics across more than a dozen locations. With this expansion, Mall of America (MOA) has boosted operational efficiency, improved safety and security, and enabled more informed decision-making around employee scheduling and streamlining transportation for large events. Read Now

  • Security Industry Association Launches New “askSIA” AI Tool

    The Security Industry Association (SIA) has unveiled a brand-new SIA member benefit – askSIA, a conversational AI agent designed to help users get the most out of their SIA membership, easily access SIA resources and find the latest information on SIA’s training and courses, reports and publications, events, certification offerings and more. SIA members can easily find askSIA by visiting the SIA homepage or looking for the askSIA icon in the top left of webpages. Read Now

    • Industry Events

  • Industry Embraces Mobile Access, Biometrics and AI

    A combination of evolving workplace dynamics, technology innovation and new user expectations is changing how people enter and interact with physical spaces. Access control is at the heart of these changes. Combined with biometrics and AI, mobile access control has become increasingly crucial for deploying entry solutions that are seamless, secure and adaptive to user needs. Read Now

  • Sustainable Video Solution Delivered for Landmark City of London Office Development

    An advanced, end-to-end video solution from IDIS, with a focus on reducing waste and costs, has helped a major office development in the City of London align its security with sustainability objectives. Read Now

Most   Popular

New Products

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings.

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.”

  • Automatic Systems V07

    Automatic Systems V07

    Automatic Systems, an industry-leading manufacturer of pedestrian and vehicle secure entrance control access systems, is pleased to announce the release of its groundbreaking V07 software. The V07 software update is designed specifically to address cybersecurity concerns and will ensure the integrity and confidentiality of Automatic Systems applications. With the new V07 software, updates will be delivered by means of an encrypted file.