PASANITY


Information Security RESOURCES

Insider threat

8/21/2019

10 Comments

 
 
Some of the high-stakes data breaches that happened recently in the US were committed by current or former employees of organizations large and small. While some were accidental or unintentional, others were committed with malicious intent. There is no question that internal threats need the same level of focus as external threats. The recent Insider Threat Report from CA (https://www.ca.com/content/dam/ca/us/files/ebook/insider-threat-report.pdf) shows that 90% of organizations feel vulnerable to insider threats, and more than half of the surveyed organizations confirmed insider attacks against their organizations in the previous months.
 
A malicious insider threat ranges from stealing PII (Personally Identifiable Information), PHI (Protected Health Information) and credit card information for monetary gain, while an unintentional insider threat ranges from using unsecured email or data exchange, or not following security policies, to using unapproved processes or tools, any of which can result in exposing private information.
 
Here are some of the potential root causes of internal threats:
  • Lack of access controls or user access reviews for critical infrastructure such as cloud infrastructure, network infrastructure, wireless networks, endpoints, data repositories such as Active Directory, production databases and corporate file servers, business applications, and cloud applications such as Slack, Salesforce, Google G Suite, Dropbox and ShareFile
  • Known vulnerabilities left unaddressed without proper patching
  • Lack of sufficient information on employees’ activities and lack of tools to monitor those activities
  • No formal process to provision or de-provision employees’ access during hiring, termination, or transfer
  • Lack of background checks on employees
  • Employees lack training in security policies, security responsibilities, and data ownership
 
 
Measures you can take to reduce insider threats

 
User Access 
  • Enforce an employee provisioning and de-provisioning process; where possible, enforce it with tools and automation for internal and cloud applications such as Slack, Dropbox, Salesforce, Google G Suite and SharePoint
  • Enforce user access reviews for business applications as well as cloud applications
  • Use a least-privilege policy
  • Implement an approval process for all access, especially administrative access
  • Enforce regular employee access reviews, specifically of administrative users and of access to PII, PHI and other business-critical data
  • Enforce password policies and password changes
  • Implement role-based security in business and cloud applications
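The access review, least-privilege and de-provisioning points above reduce to one recurring check: reconcile every account an application reports against the HR roster and the approval records. The script below is an added example, not part of the original post; the roster, account exports, approval set and the 90-day staleness threshold are constructed assumptions, and in practice each application's user export and the HR feed would be pulled from their APIs.

```python
"""Access review reconciliation: HR roster vs. application account exports.

Flags accounts whose owner is not an active employee (de-provision),
administrative access with no approval record, and accounts unused for
longer than the staleness threshold.
"""
from datetime import date, timedelta

# Constructed sample data (hypothetical users, apps and dates).
HR_ROSTER = {
    "alice": {"status": "active", "role": "finance"},
    "bob":   {"status": "terminated", "role": "engineering"},
    "carol": {"status": "active", "role": "it-admin"},
}

# One row per account as exported from each application.
APP_ACCOUNTS = [
    {"app": "salesforce", "user": "alice", "admin": False, "last_login": "2019-08-15"},
    {"app": "salesforce", "user": "bob",   "admin": False, "last_login": "2019-07-30"},
    {"app": "prod-db",    "user": "carol", "admin": True,  "last_login": "2019-08-20"},
    {"app": "prod-db",    "user": "alice", "admin": True,  "last_login": "2019-02-01"},
    {"app": "slack",      "user": "dave",  "admin": False, "last_login": "2019-08-01"},
]

# (app, user) pairs whose administrative access went through the approval process.
APPROVED_ADMIN = {("prod-db", "carol")}


def review_access(roster, accounts, approved_admin, today=None, stale_days=90):
    """Return (finding, app, user) tuples for every account that needs action."""
    today = today or date.today()
    cutoff = today - timedelta(days=stale_days)
    findings = []
    for acct in accounts:
        key = (acct["app"], acct["user"])
        person = roster.get(acct["user"])
        # Unknown or terminated owner: the account should already be gone.
        if person is None or person["status"] != "active":
            findings.append(("orphaned", *key))
            continue
        # Admin rights that never went through approval violate least privilege.
        if acct["admin"] and key not in approved_admin:
            findings.append(("unapproved_admin", *key))
        # Long-unused accounts are candidates for removal at the next review.
        if date.fromisoformat(acct["last_login"]) < cutoff:
            findings.append(("stale", *key))
    return findings


if __name__ == "__main__":
    for finding in review_access(HR_ROSTER, APP_ACCOUNTS, APPROVED_ADMIN,
                                 today=date(2019, 8, 21)):
        print(finding)
```

Run on a schedule, the "orphaned" findings become de-provisioning tickets and the "unapproved_admin" findings feed the administrative access approval process; nothing is removed automatically, since a reviewer still has to confirm each one.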
 
Controls and Tools 
  • Set up single sign-on (SSO) capabilities or tools so an employee can be de-provisioned with one click
  • Implement Active Directory Federation Services (ADFS) for cloud applications if possible
  • Require 2FA for critical and cloud applications
  • Enforce VPN access for production infrastructure
  • With many companies using cloud applications for corporate operations, use ADFS functionality or other automation to review users’ access in cloud applications
  • Install a password vault to manage administrative passwords so that root passwords are protected
  • Protect the backups with proper access controls and monitor backup usage
  • Install physical controls such as video monitoring, biometric access and badge access
  • Install Data Loss Prevention (DLP) tools to monitor endpoint activity
  • Use Mobile Device Management (MDM) such as AirWatch to control what laptops and desktops can do
  • Centralize business applications’ user profiles and access using SSO and centralized access management
  • Keep all machines and infrastructure up to date with patching. Automate patching wherever possible
 
Insider Threat Activities Monitoring
  • Create dashboards for all employee activities and review them regularly; investigate and handle any unusual events promptly
  • Install IDS/IPS and monitor log files
  • Monitor Data Loss Prevention (DLP) alerts
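What "unusual events" on such a dashboard look like is easier to see in code. The script below is an added example, not part of the original post: it runs three rules over a constructed file-server/DLP audit log (activity by a de-provisioned user, off-hours access to PHI/HR repositories, and a burst of downloads from those repositories). The log format, user names, repository paths and thresholds are all assumptions.

```python
"""Insider-activity monitoring rules over a constructed audit log.

Each rule yields an alert tuple whose first element names the rule.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (hypothetical events), one per line:
# timestamp user action resource bytes
AUDIT_LOG = """\
2019-08-20T09:15:00 alice download /finance/q2-report.xlsx 204800
2019-08-20T09:16:00 alice download /finance/q2-budget.xlsx 102400
2019-08-20T23:40:00 bob login vpn 0
2019-08-20T23:41:00 bob download /phi/patient-export.csv 52428800
2019-08-21T02:05:00 carol download /hr/payroll-2019.csv 10485760
2019-08-21T02:06:00 carol download /hr/benefits.csv 2097152
2019-08-21T02:07:00 carol download /hr/ssn-list.csv 1048576
2019-08-21T02:08:00 carol download /hr/addresses.csv 1048576
2019-08-21T10:00:00 alice download /finance/q2-notes.docx 51200
"""

DEPROVISIONED = {"bob"}                 # fed by the de-provisioning process
SENSITIVE_PREFIXES = ("/phi/", "/hr/")  # repositories holding PHI / PII
BUSINESS_HOURS = range(7, 20)           # 07:00-19:59 local time
BULK_WINDOW = timedelta(minutes=10)
BULK_COUNT = 3                          # files per window, or ...
BULK_BYTES = 50 * 1024 * 1024           # ... 50 MiB per window


def parse_log(text):
    """Turn the space-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, action, resource, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "resource": resource,
                       "bytes": int(nbytes)})
    return events


def detect(events):
    """Return alert tuples; off-hours alerts are raised once per user."""
    alerts = []
    off_hours_seen = set()
    sensitive_downloads = defaultdict(list)   # user -> [(ts, bytes)]
    for ev in events:
        # Any activity by a de-provisioned account means de-provisioning failed.
        if ev["user"] in DEPROVISIONED:
            alerts.append(("deprovisioned_user_activity", ev["user"], ev["resource"]))
        if ev["action"] == "download" and ev["resource"].startswith(SENSITIVE_PREFIXES):
            if ev["ts"].hour not in BUSINESS_HOURS and ev["user"] not in off_hours_seen:
                off_hours_seen.add(ev["user"])
                alerts.append(("off_hours_sensitive_access", ev["user"], ev["resource"]))
            sensitive_downloads[ev["user"]].append((ev["ts"], ev["bytes"]))

    # Sliding-window bulk rule: largest burst per user over sensitive repositories.
    for user, items in sensitive_downloads.items():
        items.sort()
        max_count, max_bytes, start = 0, 0, 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > BULK_WINDOW:
                start += 1
            max_count = max(max_count, end - start + 1)
            max_bytes = max(max_bytes, sum(b for _, b in items[start:end + 1]))
        if max_count >= BULK_COUNT or max_bytes >= BULK_BYTES:
            alerts.append(("bulk_sensitive_download", user, max_count, max_bytes))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(AUDIT_LOG)):
        print(alert)
```

The same three rules map directly onto the controls listed earlier: the de-provisioning rule checks that the provisioning process worked, and the off-hours and bulk rules are the kind of signal a DLP product raises on endpoint and file-server activity.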
 
Data-store and Data Exchange
  • Encrypt PII, PHI and sensitive business-critical data at rest and in transit
  • Use SFTP and secured API services over TLS 1.2
  • Use a secure email infrastructure for sensitive data exchange
  • Use email filtering solutions to track PHI, PII and PCI data movements
 
Security Training and Awareness 
  • Educate employees on security policies, roles and responsibilities, and data ownership
 
As the insider threat survey and recent data breaches show us, internal threats are trending upward. Implementing proper security controls and the recommendations of security professionals will help minimize insider threats.
