Insider Threats or External Cyber Attacks – Is One a Bigger Risk?
by Chris Stoneff|
Today’s headlines tell the tale. Most organizations are under continuous cyberattack from nation-states or professional criminal hackers. It’s understandable that one of the main focuses for IT security teams is stopping intruders from gaining access to assets on the corporate network. However, a worrying number of organizations are dropping their guard when it comes to defending against the insider threat.
And malicious insiders are indeed significant threats, since they can be very difficult to identify. This is because an insider – whether he’s an employee or a contractor – is already entrusted with authorized access to at least some systems and applications on a corporate network. Without a good insider threat solution, it can be challenging for those in IT to decipher whether an employee is performing his regular job tasks, or carrying out something sinister.
Malicious insiders have been responsible for some interesting breach scenarios in recent history. Consider Terry Childs in San Francisco who held the city hostage for two weeks while sitting in a jail cell. Or the infamous Edward Snowden, formerly of the NSA.
Insider Threats and External Cyber Attacks: An Overview
Companies need to take both external cyberattacks and insider threats seriously. Fortunately, each attack vector can often be defended using the same cyber security strategies, which I’ll get to in the next section of this post. But first, let’s take a quick look at both types of attack.
One of the main objectives of a cyberattack is to extract credentials that allow the intruder to move laterally throughout the network. Once the hacker can nest within the environment, he can easily steal confidential data at will. Many skilled cybercriminals have an arsenal of advanced tools, like zero-days, which they can continuously launch at an organization. This puts immense pressure on security teams to fight sophisticated cyberattacks that they’ve never seen before.
While an organization usually faces more external attacks, IT needs to be just as concerned about insider threats. An angry employee who already has access to company files could be secretly leaking documents to competitors, or he could be sabotaging systems or corrupting data because he is miffed at his boss.
Despite these risks, a study from Lieberman Software Corporation (which was recently acquired by Bomgar), revealed that only 35 percent of IT professionals view insiders as a bigger threat than outsiders. This statistic is concerning. It seems to indicate a certain level of naivety and unearned trust between the IT group and their user communities. When people have trust, they’re less likely to verify that trust and put proper controls in place.
The Perimeter is Porous
In recent years, much of the focus of IT has been on hardening the network perimeter against outsiders. The idea is that if you stop the criminals from getting in, then nothing bad happens. The problem is, many of the organizations that are fixated on perimeter security give implicit trust to anyone who walks through their doors.
During my career in cyber security, I’ve seen pervasive administrative access granted to most anyone for anything. This, in turn, gave rise to the Terry Childs and Edward Snowden incidents mentioned earlier.
How Can You Protect Against Both Insider Threats and External Cyber Attacks?
IT must continue to focus on protecting the perimeter but should also air gap internal network segments and, in some cases, business units. After all, there’s no good reason to let developers be on the same network as human resources, or allow accountants to access the web servers.
Organizations should also change privileged credentials on a frequent basis, with unique and complex values for each credential. Continuously rotating privileged credentials blocks the lateral movement on the network that hackers seek.
What else? Follow the following steps to minimize the risks posed by both external cyberattacks and insider threats:
Account for Job Role Changes
Review role changes and turnover in the IT department. Examine whether any systems that were accessed by former staff still have the same administrator passwords. If so, change these logins immediately.
Examine Your Web Applications
Check your organization’s websites for the use of embedded credentials in clear text. Also, look for static connection strings with credentials that may still be known to the site’s developers. Change these to unique and complex passwords so that previous access methods are no longer available.
Stop Sharing Passwords
Determine if IT staff are sharing passwords or publishing login credentials on a spreadsheet that’s accessible by many people. It’s surprising how many IT admins still practice this risky behavior.
Stop Reusing Passwords
Catalog all privileged accounts on critical systems and eliminate any common login credentials.
Start Changing Passwords
Confirm that IT staff change administrator and root passwords on a regular basis. Also, ensure that the passwords are only accessible to delegated personnel on a time-limited basis.
Test Your Vulnerabilities
Confirm that critical systems are not subject to compromise by newly-discovered or well-worn cyber threats, by performing regular penetration testing. Consider using a combination of off-the-shelf pen testing software and security contractors to achieve “belt and suspenders” coverage when it comes to vulnerability testing.