The Growing Menace of Internal Threats

The Growing Menace of Internal Threats

While the internal threat has long been known, organizations have, for far too long, focused on guarding against the external threats that they face. Threats attributed to insiders are fewer in volume, but they can cause considerably greater damage. According to the Open Security Foundation, insiders are responsible for just 19.5 percent of all security incidents, but for an enormous two-thirds of all records that are exposed. This shows just how damaging internal threats are to organizations, since such data leaks dramatically increase the risk of financial and reputational damage from noncompliance with mandates that require high levels of protection for sensitive information. Recent data from Forrester Research shows that 25 percent of organizations state that a malicious insider was the most common way a security breach occurred.

Among the reasons that internal threats are more damaging is that many insiders are provisioned with too much access to privileged accounts, where they can access sensitive information. Such privileged users include network and database administrators. What makes them so potentially dangerous is that they generally operate at a higher level on the network, with greater access to confidential information, and they have greater knowledge of how systems work, enabling them to move around systems and routinely defeat technical controls that are in place. In many cases, access rights are assigned to tasks or projects, with common passwords shared among those working on the projects, leaving little accountability regarding who has done what.

Publicity surrounding the menace of insider threats has grown recently, as major leaks of sensitive documents gained worldwide press coverage. But not all of these threats originate on the inside. The vast majority of advanced attacks involve an external attacker targeting an insider in an organization. Once the attacker has gained a foothold in the organization, in many cases using phishing attacks against a particular employee, he then looks to move laterally through the networks, looking to elevate his privileges via those with more credentials in order to target the most sensitive and valuable information. According to incident response consultants CyberSheath, the exploitation of privileged accounts is seen in 100 percent of advanced threat incidents that they respond to.

Insider attacks can also occur when an insider is coerced into criminal acts. In December 2013, SC Magazine reported that an employee of a global energy company based in the United States was coerced by a foreign entity to use his privileged access to steal valuable information that included source code and other trade secrets from the energy company. His actions caused the company to lose three-quarters of its revenue and half of its workforce and knocked $1 billion off the organization’s market value.

While many internal threats can be attributed to deliberate acts, inadvertent mistakes, or coercion, the blame cannot be laid entirely on individuals, since it is practices taken by the organizations themselves that could leave them wide open to abuse. Many organizations fail to block privileged access to sensitive data, over-assign privileges, fail to properly vet users through stringent background checks, and fail to ensure that users do not carry over their access rights once they leave an organization, which could allow information to fall into the hands easily.

In order to keep internal threats in check, organizations should ensure that they follow a number of basic principles: According to the principle of least privilege, individuals should be provided with access to information and resources that are necessary for their legitimate needs only. Organizations should also ensure that they have a handle on shared accounts and passwords and establish effective separation of duties so that accountability for actions can be attributed to individual users. Organizations need to ensure that they have a complete record of events and user account activity for internal governance and regulatory compliance purposes.

Controlling what insiders can do is a must for all organizations. Organizations that implement the proper controls will find themselves much better insulated from the damage that insiders can cause than their competitors who fail to do so.

Fran Howarth

Fran is an industry analyst specializing in security. She has worked within the security technology sector for more than 25 years in an advisory capacity as an analyst, consultant, and writer. Fran focuses on the business needs for security technologies, with a focus on emerging technology sectors. Her current areas of focus include cloud security, data security, identity, and access management, network and endpoint security, security intelligence and analytics, and security governance and regulations.