IT security risks involve more than just shadowy overseas hackers looking for millions or malware running amok on production or end-user systems. Employees themselves can pose a significant threat to the business if they possess inappropriate access, their activities are left unchecked, or they fall prey to external compromise or manipulation. Rogue system administrators who circumvent established security regulations and policies can be especially dangerous, even if their intentions are benevolent.
I spoke with Nir Polak, CEO of the security company Exabeam, regarding insider security risks and how best to mitigate or reduce them.
TechRepublic: What do you consider to be the most formidable insider threats?
Nir Polak: "There are actually two types of insider threats. One fits the common definition, i.e. a malicious insider who is purposely stealing data. The other type is the compromised insider, i.e. the insider whose credentials have been stolen and now a hacker is impersonating that insider on the network. Both types of insider threats can cause harm. In either case, one of the most formidable threats often comes from administrators with privileged credentials. This person's job often requires access to sensitive systems, so it can be difficult to distinguish between normal sensitive access and risky sensitive access."
TR: What recommendations do you have to remediate these threats?
NP: "To secure sensitive data, organizations need to start by asking a series of questions internally to clearly define policies and best practices: what are the policies we need? Who should be able to access which data? What access controls should be in place around information or systems?
Policies can be as straightforward as 'employees shouldn't have more access to confidential data than their current job requires' and then implementing a program to review access on a regular basis. Too often employees accumulate access rights that aren't revoked when they move to new projects.
Firms often roll out a 'privileged account management' tool to control what their IT admins do, and then ignore the far-reaching risks associated with non-privileged employees: the call center reps accessing customer records, contractors accessing finance records, partners accessing design docs, etc. Strong security policies will follow the 'Mini-Max' rule - minimize access where possible, maximize monitoring of that same access, for unusual patterns."
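One way to run the regular access review Polak describes, as an added example written for this article rather than code from Exabeam or the interview: compare each user's current entitlements with what their present role justifies, and surface the leftovers (typically rights kept from earlier projects) so a reviewer can revoke or document them. The role model, user snapshot and sensitivity labels are all constructed for the example.

```python
"""Periodic access review: find entitlements a user holds beyond what
their current role justifies (accumulated rights from past projects)."""

# Constructed role model: the data sets each job role legitimately needs.
ROLE_ENTITLEMENTS = {
    "hr-analyst": {"hr-records"},
    "call-center": {"customer-records"},
    "finance-contractor": {"finance-ledger"},
    "sysadmin": {"prod-servers", "backup-vault"},
}

# Constructed directory snapshot: each user's current role and the access
# groups they actually hold, including groups kept from earlier projects.
USERS = {
    "alice": {"role": "hr-analyst", "groups": {"hr-records", "customer-records"}},
    "bob": {"role": "call-center", "groups": {"customer-records"}},
    "carol": {"role": "finance-contractor", "groups": {"finance-ledger", "prod-servers"}},
    "dave": {"role": "sysadmin", "groups": {"prod-servers", "backup-vault"}},
}

# Constructed sensitivity labels used to order the review queue.
SENSITIVE = {"finance-ledger", "prod-servers", "backup-vault", "hr-records"}


def excess_entitlements(user, role_model=ROLE_ENTITLEMENTS):
    """Groups the user holds that their current role does not justify.
    A role missing from the model justifies nothing, so all groups are flagged."""
    allowed = role_model.get(user["role"], set())
    return user["groups"] - allowed


def review_access(users=USERS, role_model=ROLE_ENTITLEMENTS):
    """Return {user: sorted excess groups} for users with unjustified access."""
    findings = {}
    for name, user in users.items():
        excess = excess_entitlements(user, role_model)
        if excess:
            findings[name] = sorted(excess)
    return findings


def prioritise(findings, sensitive=SENSITIVE):
    """Order findings so excess access to sensitive data is handled first;
    ties fall back to the user name for a stable report."""
    return sorted(findings.items(),
                  key=lambda kv: (-len(set(kv[1]) & sensitive), kv[0]))


if __name__ == "__main__":
    for name, groups in prioritise(review_access()):
        print(f"{name}: revoke or justify {', '.join(groups)}")
```

In a real review the role model comes from the HR or identity system and the snapshot from the directory; the set difference is the same, and the prioritisation is what keeps the reviewer focused on the "minimize access" half of the Mini-Max rule.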
TR: Any specific recommendations involving system administrators, who usually hold the proverbial keys to the kingdom?
NP: "It's essential to regularly review and assess who has administrative system rights and whether those are needed. A best practice for system administrators is that no one can use the same account they use to manage data or apps to also check email or the Web. Allowing both activities from the same account increases the connection between internet-borne malware and privileged credentials. While these policies may seem straightforward, they can be hard to enforce sans analytics. Successful implementation will drastically decrease the threat surface for the future."
TR: What types of devices and systems cause the biggest headaches?
NP: "The increase in IoT adoption causes serious security headaches. One of the pain points is that IoT devices often have embedded credentials, i.e. access rights to sensitive data, and these aren't monitored with the same scrutiny that human users are monitored. So, gaining control of devices with privileged credentials means that you get all the privileges with less or none of the scrutiny. Combine this with a growing volume of connected devices and you have even more noise and detection difficulty.
These can be addressed by applying behavioral analytics to every person - and device - on the network. If one of those devices starts acting in an unusual and risky manner, you want to know about it before a breach and before a hacker uses that device to hop to others. Early warning of risky behavior cuts the risk and solutions need to be intelligent and adaptive."
TR: Are there any monitoring/alerting methods or solutions you recommend?
NP: "Companies should prepare for attacks by implementing technologies that detect attacks much earlier in the cycle and are better able to handle shades of grey. These include behavioral analytics solutions that perform activity baselining for every employee and contractor, with a goal of pinpointing an employee who suddenly begins acting in unusual and risky ways. For example, an HR employee who suddenly starts accessing customer databases for the first time and also creates new admin-level accounts has likely been hacked. This is a perfect scenario for behavioral analytics, where the system baselines normal behavior of users on the network, even with limited knowledge of who those users actually are. The goal is to find problems early enough to take action."
TR: Are background checks useful in thwarting threats, or do they merely weed out the people who weren't smart enough to avoid detection?
NP: "Background checks are table stakes for good hiring hygiene, but are unlikely to prevent most insider threats. For a compromised insider, the check is likely pointless since credentials are usually stolen via malware that is inadvertently activated - you can't background-check for an inability to spot hidden malware. Checks are likely more useful for malicious insiders, assuming they repeat their data theft at multiple companies."
TR: What punitive/disciplinary methods do you recommend?
NP: "For the malicious insider, obviously termination and, depending on corporate policies, litigation. For the compromised insider, there is usually little to no disciplinary action taken."
The five big takeaways for TechRepublic readers:
- Assess access needs and build policies to determine what rights users and administrators should have, and adjust according to changes or new circumstances.
- IoT devices can place the organization at exceptional risk via embedded credentials. Use analytics on these to determine normal behavior and detect anomalies.
- Use logging/alerting mechanisms to notify personnel about suspected attacks as early as possible to reduce risk.
- Use separate accounts for administrators to perform routine tasks versus privileged operations.
- Background checks may provide some protection from malicious insiders (provided they have been caught in the past), but should not be seen as the end-all solution. Individuals with clean records can still be victimized via compromised accounts.
Scott Matteson is a senior systems administrator and freelance technical writer who also performs consulting work for small organizations. He resides in the Greater Boston area with his wife and three children.