Most organizations worry about data breaches caused by cybercriminals. However, internal malicious actors, malicious actors disguising themselves as insiders, and accidental insider threats are often overlooked. In fact, according to Palo Alto’s 2020 “The State of Cloud-Native Security” report, 9.7% of survey respondents said insider threats were the primary threat to cloud security. To promote a more robust cloud security posture, understanding what insider threats are and how you can mitigate them is more important than ever.
What are insider threats?
An insider threat is a security risk that comes from within an organization: people such as current or former employees, officers, consultants, business partners, or members of the Board of Directors. Equally important, credential theft attacks can also fall under the insider threat umbrella, because malicious external actors use the same login credentials as legitimate internal users.
Unlike traditional on-premises IT infrastructures that sit behind a company’s network firewall, cloud-based services rely on user logins and credentials to grant access. The same qualities that make the cloud useful for a remote or hybrid workforce increase the attack surface. According to the 2020 Black Hat USA Attendee Survey, 11% of security leaders said that data theft or sabotage by malicious insiders was one of their most significant concerns at the time, and 10% saw it as one of their greatest threats for the future. As Boards of Directors move their data to the cloud, Identity and Access Management (IAM), also called the “Identity Perimeter,” becomes more critical. IAM is the process of ensuring that the right person has the right access to the right resources at the right time for the right reason.
What are the types of insider threats?
Not all insider threats are created equal. Some are purposeful, while others are accidents. Understanding them is one way to start mitigating risk. In its 2020 Market Guide for Insider Risk Management Solutions, the analyst firm Gartner outlines three primary insider threats:
A malicious user sets out with a specific mission to sabotage the organization or steal data for either personal reasons or financial gain. This type of user could be someone who takes client information and tries to start a competing business.
Careless users don’t intend to cause the company harm, but they have access to sensitive or proprietary data that they accidentally expose. This type of careless user might misconfigure a cloud resource leaving information exposed to the public internet. Another example would be a nurse who reads the patient’s record of someone he knows and shares a diagnosis with friends.
Compromised credentials are when someone’s login and password become known to someone outside the organization, who exploits this knowledge to steal data and/or sabotage the company. Often, this occurs because someone uses a weak password that cybercriminals can combine with that person’s email address to gain access to your systems, networks, and applications.
Why are insider threats a problem?
Insider threats are a problem first because they’re difficult to detect, but they also pose several other risks to your business.
Inability to detect
Problematically, insider threats are notoriously difficult to detect. Insiders don’t trigger traditional security alerts because they already have access. Your security tools that monitor for suspicious traffic won’t notice anything abnormal.
Gartner defines data theft as the exfiltration or unauthorized viewing of data. As a threat activity, it can be broken down into two different types.
While cybersecurity often focuses on external threats to an organization’s digital resources, privacy incorporates internal user access to sensitive data. Having too much access to information, or having excess privileges, is a potential privacy violation even though everyone is a member of the same organization.
One of the first General Data Protection Regulation (GDPR) fines in 2019 was levied against a Portuguese Hospital. One of the cited violations was allowing “indiscriminate access to an excessive number of users.” For example, a doctor and a person taking a blood sample need different information to help a patient. The doctor needs to know everything about the patient including medical history, medications, and personal habits, like smoking. The lab technician taking the blood sample doesn’t need to know all of this. If the lab technician has too much access to electronic Protected Health Information (ePHI), a privacy violation could exist.
Insider fraud is when someone with authorized access to an organization’s systems, networks, and applications purposefully misuses the access to steal data or money. An excellent example of this would be someone who can both create vendor accounts and pay their bills in your Enterprise Resource Planning (ERP) application. The person could create a fake vendor, assign payments to an account they own, and pay the invoice to themselves.
According to Gartner, system sabotage covers activities that affect data integrity and availability, such as malware, ransomware, account lockouts, and data deletion. Often, these issues arise from careless users who either click on a link in a phishing email or visit a malicious website.
Ways to detect and mitigate insider threats
Detecting insider threats is a challenge because most of the time, the individual is allowed to access your systems and networks. However, organizations can put some controls in place to detect and mitigate risk.
Create a strong password policy
The first step to mitigating the insider threat of stolen credentials is to set a strong password policy. Since cybercriminals know how to access databases containing lists of weak passwords, making sure that your employees don’t use those is important. Every password should be unique, contain upper and lower case letters, have numbers, and include special characters.
Additionally, if you want to make sure that your employees use a unique password for every login they create, you should consider providing a password management tool.
Require multi-factor authentication
Multi-factor authentication means that when users log into your systems, networks, and applications, they need to use two or more of the following:
- Something they know (a password)
- Something they have (a token or smartphone)
- Something they are (biometrics like a fingerprint or facial identification)
The more authentication requirements you have, the more secure your organization is. Cybercriminals might be able to guess a weak password. They might even be able to intercept a text message used for multi-factor authentication. However, they won’t easily be able to manage all three at the same time.
Limit user access according to the principle of least privilege
The principle of least privilege means limiting users’ access as precisely as possible while still fulfilling their job functions. Often, IAM is difficult in hybrid and multi-cloud ecosystems because organizations onboard so many applications that they lose track of who has what access. Establishing and enforcing controls that limit user access to resources and within applications can mitigate excess access misuse.
Establish and enforce segregation of duties (SoD)
Segregation of duties is when you have multiple people performing different parts of a larger task to prevent a conflict of interest. For example, to avoid someone creating a fraudulent vendor linked to a bank account they own and paying bills to that account, you separate the vendor account creation and payment job functions. Applying the principle of least privilege, you limit each of those individuals to the capabilities in the Enterprise Resource Planning (ERP) application that they need to complete their job functions, without access to the conflicting areas.
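The vendor-creation/invoice-payment conflict described above, and the least-privilege check from the previous section, turned into an access review script. This is an added example, not code from the original article; the ERP permission names, role baselines, and the entitlement export are constructed for illustration.

```python
# Added example (not from the original article): a segregation-of-duties and
# least-privilege review over a constructed ERP entitlement export.

# Toxic combinations: no single person should hold both sides of a conflict.
SOD_RULES = [
    ({"vendor.create", "invoice.pay"}, "create a vendor and pay its invoices"),
    ({"user.create", "role.assign"}, "create an account and grant it roles"),
]

# Role baselines for the least-privilege check (constructed, hypothetical roles).
ROLE_BASELINE = {
    "ap_clerk": {"invoice.view", "invoice.pay"},
    "procurement": {"vendor.create", "vendor.view"},
}

# Constructed entitlement export: user, assigned role, permissions actually granted.
USERS = [
    {"user": "alice", "role": "ap_clerk", "perms": {"invoice.view", "invoice.pay"}},
    {"user": "bob", "role": "procurement",
     "perms": {"vendor.create", "vendor.view", "invoice.pay"}},
    {"user": "carol", "role": "ap_clerk",
     "perms": {"invoice.view", "invoice.pay", "role.assign", "user.create"}},
]

def sod_violations(users, rules=SOD_RULES):
    """Return (user, description) for every toxic combination a user holds."""
    findings = []
    for u in users:
        for conflict, desc in rules:
            if conflict <= u["perms"]:  # user holds every permission in the conflict set
                findings.append((u["user"], desc))
    return findings

def excess_privileges(users, baseline=ROLE_BASELINE):
    """Return {user: permissions} for grants beyond what the user's role needs."""
    excess = {}
    for u in users:
        extra = u["perms"] - baseline.get(u["role"], set())
        if extra:
            excess[u["user"]] = extra
    return excess

if __name__ == "__main__":
    for user, desc in sod_violations(USERS):
        print(f"SoD conflict: {user} can {desc}")
    for user, extra in excess_privileges(USERS).items():
        print(f"Excess privilege: {user} holds {sorted(extra)} beyond role baseline")
```

Run against a real export, the two reports give the access review team the list of accounts to split across people and the grants to revoke.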
Create a robust privileged access management program
Privileged access is the riskiest type of access because it gives users the ability to change data and configurations beyond what a standard user can. This access can be either human or machine, including network administrators and service accounts. Because these accounts have so much access, cybercriminals look to gain control of them through credential theft or weak passwords. Many administrative accounts for devices and software have default passwords that are easy to guess, so make sure to change these passwords and monitor privileged users for abnormal behavior.
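One way to monitor privileged users for abnormal behavior is to baseline where and when each privileged account normally signs in, then flag successful logins that break that baseline. This is an added example, not code from the original article; the account names, log format, and log lines are constructed.

```python
# Added example (not from the original article): flag abnormal logins by privileged accounts.
from collections import defaultdict
from datetime import datetime
PRIVILEGED = {"netadmin", "svc-backup"}  # constructed: accounts in scope
# Constructed log lines: "<ISO timestamp> user=<name> src=<ip> result=<ok|fail>"
BASELINE_LOGS = """\
2024-03-04T09:12:00 user=netadmin src=10.0.5.20 result=ok
2024-03-05T10:30:00 user=netadmin src=10.0.5.20 result=ok
2024-03-06T08:45:00 user=netadmin src=10.0.5.21 result=ok
2024-03-04T02:00:00 user=svc-backup src=10.0.9.7 result=ok
2024-03-05T02:00:00 user=svc-backup src=10.0.9.7 result=ok
""".splitlines()
NEW_LOGS = """\
2024-03-07T09:05:00 user=netadmin src=10.0.5.20 result=ok
2024-03-07T23:40:00 user=netadmin src=203.0.113.9 result=ok
2024-03-07T02:00:00 user=svc-backup src=10.0.9.7 result=ok
2024-03-07T14:10:00 user=svc-backup src=10.0.5.20 result=ok
2024-03-07T14:12:00 user=jdoe src=198.51.100.4 result=ok
""".splitlines()

def parse(line):
    ts, user, src, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user[5:],
            "src": src[4:], "ok": result == "result=ok"}

def build_baseline(lines):
    """Per privileged account: source IPs and login hours seen historically."""
    base = defaultdict(lambda: {"srcs": set(), "hours": set()})
    for e in map(parse, lines):
        if e["user"] in PRIVILEGED and e["ok"]:
            base[e["user"]]["srcs"].add(e["src"])
            base[e["user"]]["hours"].add(e["ts"].hour)
    return base

def find_anomalies(lines, base):
    """Successful privileged logins from an unseen source or at an unseen hour."""
    alerts = []
    for e in map(parse, lines):
        if e["user"] not in PRIVILEGED or not e["ok"]:
            continue
        b = base[e["user"]]  # unknown privileged account -> empty baseline, flagged
        reasons = []
        if e["src"] not in b["srcs"]:
            reasons.append("new source " + e["src"])
        if e["ts"].hour not in b["hours"]:
            reasons.append(f"unusual hour {e['ts'].hour:02d}:00")
        if reasons:
            alerts.append((e["user"], e["ts"].isoformat(), "; ".join(reasons)))
    return alerts
```

Non-privileged accounts are ignored here on purpose; in practice the same logic is worth extending to failed logins, which is where guessed default passwords show up first.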
Although IAM controls act as a primary control, you can also use logical network segmentation to prevent people from accessing sensitive data. For example, as part of segmenting your network, you can consolidate similar information types on one network segment and control who accesses that segment on a need-to-use basis. Not only does this mitigate malicious insiders, but it can also prevent malicious external actors who are leveraging stolen credentials from moving laterally within your network if they gain access.
SecurityScorecard: continuous visibility
SecurityScorecard’s security rating platform monitors across ten categories of risk, including information leaks and social engineering risk, to help mitigate potential credential theft risks. Our platform provides an easy-to-read A-F rating scale giving you at-a-glance visibility into your security posture.