Monsters Are Real, Insider Ghosts Are Too

Don’t believe that the call is coming from inside the house? Insider threats are very real.

Hackers are perceived as being faceless, hood-wearing bad guys typing feverishly to “hack into the mainframe” but the threats facing your organization may be far more subtle. The insider, the most unpredictable cyber-threat, is your colleague, your friend, a member of your team. And somewhere in between the Hollywood hacker and your office-mate lies the various third-party providers and contractors on whom most organizations rely. 81% of companies outsource part of their operations to an external service provider (according to PwC). And why wouldn’t they, when there are benefits to be gained in cost, agility, and productivity?

Not all cyber-crime is faceless…

Often, security folks believe that the biggest threat to an organization comes from organized teams of highly skilled cyber-attackers, overlooking the obvious. But what if the threat is closer to home, inside your network perimeter, inside your building or even in your office?

A known insider might just be the biggest threat to your organization’s security. In fact, IBM reports that insider threats are the cause of 60% of cyber attacks! But what are the motivations of an insider threat? What might lead someone to create havoc from within?

First and foremost, it’s important to acknowledge that not all insider threat comes from malicious actors looking to abuse the privileges entrusted to them. While it certainly can be, insider threat can also arise from negligence or human error.

Any staff member can pose a significant risk to any organization, as they may have elevated privileges and administrative access to systems that are key to the daily operation of a business. This insider risk can take many different shapes and forms, however, so there are no hard and fast rules for spotting a rogue. The law of averages means there is always a possibility that an otherwise talented and hardworking employee might be the catalyst for a major security incident.

So what’s the reality and why care…

The CERT Insider Threat Database contains over 1,000 incidents where insiders have either harmed their organization (sabotage); stolen proprietary information (theft of intellectual property); or modified, or deleted data for the purpose of personal gain or identity theft (fraud). Of these cases, 33 were reported to involve a disgruntled employee, as documented by either court documents or witness statements. This shows that insider threat is far greater than an employee gone rogue – 96.7% of reported cases were caused by mistake, by negligence, or some other vector of insider access!

Whether or not an attacker is seeking to sabotage a business and take personal vengeance, the fact remains that attacks linked to “insiders” via employee credentials can have significant impacts. Among the database’s incidents, some of the top outcomes of attacks are data deletion, blocked system access, and copied data.

Securing access to corporate systems and protecting IT resources is clearly imperative in the face of such consequences.

The Orphan Account Risk

Many organizations don’t effectively decommission privileged users when they move from one role to another or, even worse, when they leave altogether. Known as orphaned accounts, this obviously represents a huge issue and leaves open a completely unnecessary vulnerability. A failure to decommission privileged account access gives malicious actors the means to access sensitive systems through privileged credentials, and potentially bounce across the network to any number of assets.

Unfortunately, eliminating lost and forgotten orphan accounts is much easier said than done. With so many systems, identity directories, and applications managed in silos, accounts can easily fall between the cracks. Or maybe decommissioning doesn’t happen because users have accounts IT doesn’t even know about — also known as shadow IT. As employees and external contractors come and go, accounts and permissions evolve in ways that are complicated to follow. These orphan accounts create major access vulnerabilities into the IT infrastructure.

The Lost Data & Damages

Quite a few of the CERT database incidents involved the deletion of data ranges – from deleting specific records to deleting source code that corrupted a critical system that the company and its customers relied on. In one case, a former insider who had full access to the company’s network and systems proceeded to remotely attack the organization for four months. The insider deleted crucial files on servers, removed key backup disks, and deleted numerous records from an important database used by other systems. Despite no longer working with the organization for several long months, the insider’s user credentials were still valid allowing him to exact his revenge.

In a separate incident, an insider remotely blocked access to a system with lingering user credentials. Having a user account with elevated privileges gave him remote authorized access to the firewall, which was then used to disable the CEO’s account from accessing the internet and modified files to disable the system.

What’s worse is that for IT administration, systems often use a generic password, or a shared password that is rarely changed. These passwords can be used days, months, or potentially even years later to access critical systems and wreak havoc.

Employees and contractors may seem perfectly trustworthy when assigning user access and elevated privileges to administrate systems or access customer or financial data. However if their credentials are lost or stolen, or the person decides to take advantage of their access during or after their employment, an organization can be faced with lost data, frozen operations, massive recovery costs, and even painful non-compliance fines.

The Vulnerabilities Exploited

When left unchecked, lingering vulnerabilities in IT security can lead to a breach. Securing access and securing data is paramount in order to prevent an unrecoverable security incident. The CERT database highlights a number of incidents in which data was copied, stolen, or otherwise maliciously manhandled thanks to the exploitation of known vulnerabilities that were left unresolved.

Unsecure passwords are one of the biggest threats to your organization’s security. Shared passwords, generic passwords, old passwords … the lack of strict strength requirements and enforced rotation means any outsider can pretty easily become an insider with a little effort.

Two specific incidents involved insiders copying data after clearly flagging security issues and their concerns being dismissed. In both cases, the insider complained and made suggestions to correct security vulnerabilities and improve the companies’ policies. In both cases, the security concerns were ignored despite their severity, and the insiders were able to crack dozens of user passwords. One “insider” reported his results to prove his point. The other decided to use the passwords to gain access to other systems.

The Honest Mistake

Even the most earnest and well-intentioned user can accidentally click on a bad link or file. Unfortunately, phishing attempts have become increasingly sophisticated, able to easily masquerade as a legitimate email from a known source or colleague sharing a link to an invoice or a Word document to download. But that link or file may be hiding dangerous ransomware or cryptoviruses which can destroy data, freeze systems, or otherwise cause chaos in your IT infrastructure. These incidents can be prevented with security measures which block malware and stop malicious processes from advancing into the infrastructure, with malicious intent or by mistake.

To err is human, but to secure the IT infrastructure is imperative.

So who can you trust?

The technology being used in today’s businesses is more powerful than ever. Remote work, cloud-base solutions, connected OT… tools and systems are helping to increase productivity and drive digital transformation. But this increased visibility of IT and its key role in business operations now sees it under greater scrutiny, especially when it comes to trusting those with access to this now critical infrastructure.

A so-called Zero Trust approach to internal policies and security is key. That’s not to say that loyal employees and longstanding contractors are not trustworthy, but rather that in order to protect systems and data from insider threat of all kinds, an organization must implement certain key measures to control, manage, and monitor both access and identities.

Establish a holistic view of who has access to what resources and applications, how they use their access, and secure your assets from insider threat with comprehensive identity and access management:

  • Privileged Access Management – Secure your most sensitive IT assets first, with comprehensive oversight and control over elevated user privileges on critical resources
  • Identity-as-a-Service – Centralize and simplify identity management across all corporate applications, for all users, via SSO and MFA.
  • Endpoint Privilege Management – Protect vulnerable company endpoints inside or outside the corporate perimeter by eliminating local admin privileges, without hampering productivity.

Security doesn’t have to be scary. The ghosts of insiders past no longer need to lurk in your IT infrastructure, creating vulnerabilities for your organization. With simplified, robust cybersecurity solutions in place, there’s no need to fear the insider threat.