Published on January 24th, 2023
Every day, companies battle a data paradox. In order to foster innovation and empower teams to push boundaries, data needs to flow freely between all relevant parties. However, the line between open coordination and glaring vulnerability is an incredibly narrow tightrope to walk.
A major area of oversight is when employees leave: the human brain doesn’t forget company secrets the moment a notice is handed in. Insider threat prevention is critical in today’s hyper-flexible, jobseeker-driven marketplace.
The Inside Threat
Not all insider threats are deliberately malicious. Accidents do happen, and have single-handedly caused major security events over the past decade. An insider threat can be any employee, whether on-site or not. For instance, anyone who knows the organization’s business goals and strategies is able to leak and share that information.
Those employees given access to sensitive information, with almost every department handling its own chunk of sensitive data, represent not just hard-working colleagues but also areas of significant breach potential. Most glaringly obvious of all insider threats are those who hold authorized access to the organization’s key systems.
This doesn’t just cover employees, but also those who have continuous or periodic access to network components, contractors for example. Vendors, repair technicians, and visitors all pop in and out of the network at various times, broadening the attack surface even further.
While the breadth of information held by every single employee and contractor is substantial, the threats don’t stop there. By dissecting the potential insider threat vertically, the users with the highest privilege become the greatest concern.
These users fundamentally hold the keys to the most sensitive information being handled by your organization. This info is coveted by external hackers and competitors alike. In order to keep this data solidly within the confines of your own organization, an in-depth overview of security practices is necessary.
Firstly, some groundwork rules can help build a solid foundation against insider threats. ‘All powerful’ accounts need to be the first to go. These accounts are often created during a product or company’s minimum viable product (MVP) stage, and, though sensible at the time, represent a major concern to a stable organization. Instead of this scattershot approach to user privilege, data access should be scaled precisely to the requirements of each end-user, backed by an individual username and password that identifies them.
From an external attacker’s point of view, insiders already hold all of the authorized access that an attacker could hope to gain by any other way in. The attacker’s options therefore boil down to finding an external attack vector, such as a software vulnerability, or simply hijacking an insider’s account with all of its built-in access.
Privilege escalation from an existing user account is miles easier than engineering complex vulnerability exploitation. Hijacking an employee, or their account, can be as simple as a social engineering attack that imitates an interested client or partner.
Fundamentally, companies are battling the visibility surrounding their own mission-critical data. Nowhere is this more evident than in the cases of employee security breaches.
When The Inside Exits
In July 2020, details emerged of a particularly long-running insider job at General Electric. Jean Patrice Delia was an employee for eight years, managing large swathes of proprietary data and information. He further persuaded the IT team to grant him access to even more files and commercially sensitive calculations.
One critical question that went unasked for 8 years was ‘why?’. Delia was planning to exfiltrate critical trade data in order to start his own rival company. After recruiting a co-conspirator, he sent them over 8,000 sensitive files throughout his time at GE. Eventually, GE noticed the data exfiltration and began asking questions. Having pleaded guilty to trade secret theft, Delia was recently given up to 87 months in jail.
Insiders remain a threat even after they’ve left the organization. In 2018, Coca-Cola was forced to send alerts to thousands of employees after a worker made off with a hard drive that stored swathes of human rights records. Given that the employee had recently left their position, it’s assumed that they were going to sell or otherwise abuse the data.
The ease with which insider attacks can occur is a growing threat across industries. A recent report by Teleport shows precisely that: when asked how confident they were that former employees could no longer access company infrastructure, less than a quarter of companies claimed that access had been completely revoked.
In fact, nearly half of the tech leaders questioned were less than 50% confident that former employees’ access had been removed. Not only is this lack of confidence concerning, it is also falling. Potentially as a result of today’s fragmented work-from-home environments, the number of companies reporting less than 50% confidence has actually increased by half compared to last year.
The report also revealed a further divide between security and employees: 57% of respondents claimed that – despite the fact their organizations had brought in new security methods over the past year – these had not been followed by employees.
Protecting Against Current And Past Insider Threats
Database blindness is exposing employee and customer data alike to nefarious actors. An insider threat prevention solution is built from a few core concepts, chief of which is database visibility. You need to know not only where data is, but also who’s accessing what, and where it’s being sent. With a user-focused approach, database activity monitoring can establish a baseline of genuine user behavior. Once this baseline is clear, it becomes possible to detect potentially malicious commands and access behaviors.
Next-generation insider threat prevention analyzes each suspicious action within a broader context. This helps eradicate false positives, which is vitally important in today’s security landscape.
Security staff are constantly battling an overwhelming number of alerts – even small improvements in accuracy make for dramatic downstream load reduction. By automatically prioritizing high-risk incidents, security teams are able to cut through the noise.
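One way to turn the baseline-and-context idea of the last three paragraphs into code, as an added example that is not from the article or from any vendor's product: it builds a per-user baseline from constructed database audit-log lines, scores new events (including access by a deprovisioned user, the gap the Teleport figures above describe), and orders them for triage so the highest-risk incidents surface first. The log format, user names, tables and working hours are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample audit log (assumed format): timestamp|user|action|table|rows
BASELINE_LOG = """\
2023-01-02T09:15:00|alice|SELECT|orders|120
2023-01-02T10:02:00|alice|SELECT|orders|90
2023-01-03T11:40:00|alice|UPDATE|orders|3
2023-01-03T14:05:00|bob|SELECT|customers|40
2023-01-04T09:30:00|bob|SELECT|customers|55
""".splitlines()
NEW_LOG = """\
2023-01-10T09:20:00|alice|SELECT|orders|110
2023-01-10T23:45:00|alice|SELECT|trade_secrets|8000
2023-01-11T10:00:00|carol|SELECT|customers|30
""".splitlines()
FORMER_EMPLOYEES = {"carol"}  # constructed: carol has left; her access should be gone
BULK_FACTOR = 10              # flag reads larger than 10x the user's usual maximum

def parse(line):
    ts, user, action, table, rows = line.split("|")
    return {"ts": ts, "user": user, "action": action, "table": table, "rows": int(rows)}

def build_baseline(lines):
    """Per-user baseline: the (action, table) pairs seen and the largest row count."""
    base = defaultdict(lambda: {"pairs": set(), "max_rows": 0})
    for ev in map(parse, lines):
        b = base[ev["user"]]
        b["pairs"].add((ev["action"], ev["table"]))
        b["max_rows"] = max(b["max_rows"], ev["rows"])
    return base

def score_event(ev, baseline, former):
    """Reasons an event deviates from normal; more reasons means higher triage priority."""
    reasons = []
    if ev["user"] in former:
        reasons.append("former-employee-access")
    b = baseline.get(ev["user"])  # .get() does not create a baseline for unknown users
    if b is None or (ev["action"], ev["table"]) not in b["pairs"]:
        reasons.append("outside-baseline")
    if b and ev["rows"] > BULK_FACTOR * b["max_rows"]:
        reasons.append("bulk-read")
    if not ("07" <= ev["ts"][11:13] < "20"):  # assumed working hours 07:00-19:59
        reasons.append("off-hours")
    return reasons

def triage(lines, baseline, former):
    """Events with at least one reason, most reasons first, so analysts see the worst first."""
    hits = [(ev, score_event(ev, baseline, former)) for ev in map(parse, lines)]
    return sorted([h for h in hits if h[1]], key=lambda h: len(h[1]), reverse=True)
```

In a real deployment the baseline would come from weeks of audit history and the former-employee set from the HR or identity system, which is exactly the join that the "database visibility" concept above calls for.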