The Rise of the Insider Threat
How do you protect your IT infrastructure and data when the problem is inside your walls?
With all the talk of defending against hackers, cyber criminals, malware infection and other external threats, we often overlook a key fact – a huge portion of data breaches and system compromises come from the inside, not the outside. Figures from a recent report from McAfee entitled ‘Grand Theft Data’ say that internal actors are responsible for 43% of data loss. Half of the damage was intentional; the other half was accidental. So, how do you protect your IT infrastructure and assets when the problem is already inside your walls?
The starting point is to understand the nature of the problem. However, there is an imbalance in the type of information available. We know a lot about infiltration or how attackers get into a network. We know less about exfiltration or how data is moved out of a network. The McAfee report gives the following statistics concerning data exfiltration:
- Removal of physical media containing data occurs in 40% of exfiltration incidents.
- File transfer or tunnelling protocols like File Transfer Protocol (FTP) or Secure Copy Protocol (SCP) were used in 25% of data exfiltration cases.
- Encryption was applied to 32% of data being exfiltrated.
64% of security professionals interviewed thought that data loss prevention (DLP) technology could have protected against exfiltration. However, some flavours of DLP may not solve all the problems. Information leaving an office on a thumb drive is one example, and encryption of data is another. If tell-tale strings (credit card numbers, for example) cannot be identified, a DLP solution may fail to spot sensitive data being moved.
Unsurprisingly, the organisations that continuously monitored their network for anomalous or suspect behaviour had a greater chance of detecting data compromise from internal resources and less chance of suffering exfiltration.
Identifying Risky Insiders
Enterprises can get a step ahead by identifying not just insider actions that put corporate information at risk, but also people likely to perform those actions. Essentially, there are two types of insider who represent a cyber risk:
Type A – malicious
These individuals put an enterprise at risk for their personal gain, for revenge, or both. Misdeeds include theft of valuable data and Intellectual Property (IP), exposing data to the public, and hijacking or sabotaging databases and servers. Customer and employee information, including personally identifiable information (PII) and personal health information (PHI) are favourites. Intellectual property (IP) and then payment card information are the next most popular types of data to steal. Malicious insiders often develop over time, rather than suddenly turning malicious or joining an organisation with malicious intent from the outset. Possible causes of malicious behaviour include personal financial issues, lack of promotion, and poor management.
Malicious exfiltration of data can also be disguised in several ways. They include compression, encryption, obfuscation, and steganography (such as data embedded in images). However, abnormal data flows may be harder to disguise. They may be in direct conflict with an enterprise security policy, happen at a strange time or from a strange access point, or show movement to an unusual network address.
Type B – negligent
Unaware of basic precautions for handling sensitive information, error-prone, or careless, these individuals do not intend to harm. Unfortunately, their accidental mistakes can be as costly as the deliberate attacks of others. They may lose mobile devices, thumb drives, or other media containing enterprise data. They may be too free with business information when chatting on social networks. Hackers and criminals can then leverage indiscretions to produce targeted phishing and whaling emails. IT workers may misconfigure system security or fail to apply the latest security updates. And the scourge of the note with account access details stuck on a PC screen is widespread.
How ZoneFox Can Help
Organisations need complete visibility of their data flow. They need to know who is accessing what data, where and when. This information is already important for compliance, and doubly important for security. User behaviour and data movement should be monitored on and off the network. Abnormal incidents need to be flagged intelligently and immediately to security personnel. Priority alerts must be seen right away without swamping teams with a deluge of low-level information.
ZoneFox does this in two ways. Firstly, it provides the option of a rule-driven approach – for example, to compare activities and flows with enterprise security policies. Secondly, it offers an advanced machine learning capability to spot suspect and risky behaviour. Threat hunting and threat discovery are facilitated by full records of network activities.
ZoneFox is available as a full cloud-based solution with the associated advantages of ZoneFox expert support, platform monitoring, automated backups, and installation security. The solution also scales as enterprise IT infrastructures grow. In addition to handling the challenges described above, ZoneFox helps enterprises combat insider threats originating from:
Unauthorised use of IT resources and applications
- Detection of employees using personal clouds for corporate information
- Rogue use of shadow IT and exposure of sensitive information to risk
- Non-compliance with regulations, including sharing or distribution of PII
- Installation of unapproved and unlicensed software
- Unauthorised use of restricted applications like network sniffing tools and remote desktop tools
Unauthorised access to or transfer of data
- Use of removable media to store, move, steal or leak data
- Unauthorised access and copying of business-critical data
- File transfers to / from unusual destinations
- File exfiltration via instant messenger and social media applications
Monitoring high-risk user employee groups and profiles
- Identifying potential leavers (‘flight risk’ and possible data theft) via user behaviour analysis
- Monitoring high-risk user groups, e.g. those in conflict with management or facing redundancy
Misuse, abuse, and malicious behaviour
- Misuse of file system admin rights
- User disablement or override of endpoint security products
- Use of password stealing tools and the dark web
- Inappropriate content access – from prohibited apps to music / movie piracy and pornography
For example, ZoneFox has already demonstrated its capabilities in detecting unauthorised employee data uploads to Microsoft OneDrive, policy violation through unapproved installation of sports viewing applications, tunnelling of data through the Dark Web (by users hoping to avoid detection) and ransomware infection almost triggered by a careless employee but stopped before damage could occur.
Practising Prevention as Well as Cure
IT security professionals now understand that cyber-attacks are no longer a matter of ‘if’, but ‘when’. ZoneFox helps security staff to spot attacks earlier, allowing them to contain, mitigate, and eliminate threats more effectively and more rapidly. ZoneFox also alerts security staff to suspicious or abnormal behaviour before attacks start. Segmentation of security monitoring using ZoneFox means that higher risk groups can be more closely tracked, making better use of a security team’s limited resources.
Prevention of problems can also be taken a step further by creating workplace conditions that encourage good employee behaviour. Measuring and responding to levels of employee satisfaction is a key part of preventing insider security risks. Surveys can help to gauge sentiment. HR records and analytics can help identify trends and triggers. For example, employees may seek to leave an organisation (possibly trying to take confidential information at the same time) when salary levels, career prospects or other aspects of their job are below certain measurable levels of satisfaction. Information security awareness programs can reduce careless behaviour. Awareness training can be tailored to specific groups and needs using information from ZoneFox reports.
There are two further points to be made. Firstly, your security operations should respect employee privacy as appropriate. Secondly, older technology such as fax machines and other physical media such as printouts and CDs are still used in many organisations. They must be included in awareness training and security plans and policies, even if they are now gradually being replaced by entirely digital media.
For more information, please visit https://www.zonefox.com/