Today, many organizations are under continuous attack from nation-states or professional cyber criminals. One of the main focuses for IT security teams is stopping intruders from gaining access to assets on the corporate network. However, this strain on IT teams means that when it comes to malicious insiders, a worrying number of organizations almost entirely drop their guard.
An insider attack is one of the biggest threats faced by organizations since these types of hacks can be very difficult for IT teams to identify. This is because an insider – whether he’s an employee or a contractor – is already entrusted with authorized access to at least some systems and applications on a corporate network. It can be very hard for those in IT to decipher whether he’s just performing his regular job tasks, or carrying out something sinister.
Insiders have been responsible for some interesting breaches or hostage scenarios in recent history, whether intentional or not. Consider Terry Childs in San Francisco who held the city hostage for two weeks while sitting in a jail cell or Edward Snowden, formerly of the NSA.
So, which is a bigger threat – an external hacker or a disgruntled employee?
An overview of the threats
One of the main objectives for an external cyber attacker is to extract credentials that allow the intruder to move laterally throughout the environment. Once the intruder achieves full access to a network, he can easily steal confidential data. Many skilled cybercriminals have an arsenal of advanced tools, like zero-days, which they can continuously launch at organizations. This puts immense pressure on IT teams, as they are often fighting sophisticated cyber attacks that they’ve never seen before.
While an organization usually faces more external threats, the reality is that IT teams need to be just as concerned about the insider threat. An angry employee who already has access to company files could be secretly leaking documents to competitors, or he could be sabotaging systems or corrupting data because he is miffed at his employer. The same could be said about former employees, who often retain access to the network even long after leaving the organization.
Despite these risks, a recent study from Lieberman Software Corporation, carried out at Microsoft Ignite, revealed that only 35 percent of IT professionals view insiders as a bigger threat than outsiders. This statistic is concerning as it seems to indicate a certain level of naivety and unearned trust between IT administrators and their user community. It also might indicate that we can anticipate more news surrounding internal breaches in the near future. Where people have trust, they are less likely to verify that trust and put controls in place.
So much of IT in recent years has been focused on protecting the network perimeter from outsiders. The idea is that if you stop the criminals from getting in, then nothing bad happens. However, according to the PwC Global State of Information Security Survey 2015, “insiders—current and former employees, in particular—have become the most-cited culprits of cybercrime.” The fact is, many of the organizations that are so focused on perimeter security are giving implicit trust to anyone who walks through their doors.
During my career in the cyber security industry, I’ve seen this manifest with pervasive administrative access being granted to almost anyone for anything, along with passwords that never change and little to no segregation of duties. This in turn gave rise to the Terry Childs and Edward Snowden incidents mentioned earlier.
The reality is that companies need to take both external cyber attacks and malicious insiders seriously, because they can each have disastrous consequences.
Protecting against insiders and outsiders
IT teams must continue to focus on protecting the perimeter, but should also air gap internal network segments and, in some cases, business units. There’s no good reason to let developers be on the same network as human resources or allow sales to access the web servers.
IT should also bite the bullet and begin changing privileged credentials on a frequent basis, with unique and complex values for each credential. Continuously rotating privileged credentials blocks the lateral movement on the network that hackers seek. Remove permanent administrative access and allow delegated personnel to be escalated when they need it, as opposed to maintaining persistent access.
To expand on this strategy, organizations that take the following six steps can significantly minimize the risks posed by both external cyber attacks and insider threats:
1. Account for job role changes – Review employee work role changes and turnover in the IT department and examine whether any systems that were accessed by former staff still have the same administrator passwords. If so, change these logins immediately.
2. Examine your web applications – Check your organization’s websites for the use of embedded credentials in clear text, and for any static connection strings with credentials that may still be known to the site’s developers. Change these to unique and complex passwords so that previous access methods are no longer available.
3. Stop sharing passwords – Determine if IT staff are sharing passwords or publishing login credentials on a spreadsheet that’s visible to too many people. It’s surprising how many individuals within IT still practice this risky behavior.
4. Stop reusing passwords – Catalog all privileged accounts used on critical systems and eliminate any common login credentials that don’t need to be reused.
5. Start changing passwords – Confirm that IT staff are changing administrator and root passwords on a regular basis and ensure that the current passwords are only accessible to delegated personnel on a time-limited basis.
6. Keep testing – Perform regular penetration testing of external and internal systems to confirm that critical systems are not subject to compromise, either by newly discovered or well-worn threats. Many organizations use a combination of off-the-shelf pen testing software and outside contractors to achieve “belt and suspenders” coverage when it comes to vulnerability testing.
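As an added, illustrative example (not from the article or its author), the following Python audit applies steps 2, 4 and 5 above to a constructed privileged-account inventory and configuration fragment: it flags secrets shared across accounts, secrets past a rotation age, and connection strings with embedded clear-text passwords, reporting locations rather than the secret values. The field names, the 90-day threshold and all sample data are assumptions.

```python
import re
from datetime import date

# Constructed sample: a privileged-account inventory as a vault export might
# provide it (hypothetical field names, not from the article).
INVENTORY = [
    {"system": "web01",  "account": "Administrator", "secret": "Summer2015!",    "rotated": date(2015, 1, 10)},
    {"system": "web02",  "account": "Administrator", "secret": "Summer2015!",    "rotated": date(2015, 1, 10)},
    {"system": "db01",   "account": "sa",            "secret": "Xk9#vL2q$mR7wP", "rotated": date(2015, 5, 30)},
    {"system": "fw01",   "account": "root",          "secret": "Xk9#vL2q$mR7wP", "rotated": date(2014, 3, 2)},
    {"system": "hr-app", "account": "svc_hr",        "secret": "u3%Hd8pZ!qW1nT", "rotated": date(2015, 6, 1)},
]
AUDIT_DATE = date(2015, 6, 15)  # constructed "today" so results are reproducible

# Constructed web.config fragment with one embedded clear-text password.
SAMPLE_CONFIG = (
    '<connectionStrings>\n'
    '  <add name="Orders" connectionString="Server=db01;User Id=sa;Password=Xk9#vL2q$mR7wP;" />\n'
    '  <add name="Hr" connectionString="Server=hr-db;Integrated Security=SSPI;" />\n'
    '</connectionStrings>\n'
)
# Matches Password=... or Pwd=... up to the next delimiter; the value itself is never reported.
EMBEDDED_RE = re.compile(r"(?i)\b(password|pwd)\s*=\s*[^;\"'\s]+")

def find_reused(inventory):
    """Step 4: secrets shared by more than one privileged account -> list of (system, account)."""
    by_secret = {}
    for row in inventory:
        by_secret.setdefault(row["secret"], []).append((row["system"], row["account"]))
    return {s: pairs for s, pairs in by_secret.items() if len(pairs) > 1}

def find_stale(inventory, today, max_age_days=90):
    """Step 5: accounts whose secret has not been rotated within max_age_days."""
    return [(r["system"], r["account"]) for r in inventory
            if (today - r["rotated"]).days > max_age_days]

def find_embedded_credentials(config_text):
    """Step 2: (line number, key name) for each clear-text credential found in a config file."""
    return [(n, m.group(1)) for n, line in enumerate(config_text.splitlines(), 1)
            if (m := EMBEDDED_RE.search(line))]

def run_audit(inventory=INVENTORY, config_text=SAMPLE_CONFIG, today=AUDIT_DATE):
    """Findings only; the secrets themselves stay out of the report."""
    return {
        "reused": sorted(find_reused(inventory).values()),
        "stale": find_stale(inventory, today),
        "embedded": find_embedded_credentials(config_text),
    }
```

Calling `run_audit()` on the constructed data reports two shared secrets, three accounts overdue for rotation, and one clear-text password on line 2 of the configuration fragment.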