Why would we start an article about a complex information security topic like insider threats with a story about a castle built in the 11th century? It’s simply because history can be an incredible teacher, as you’re about to see.
We only need to look at Corfe Castle in the English county of Dorset, a shining example of “cutting-edge defensive technology” during its time. Many historians still consider Corfe Castle one of the best designed fortifications in history.
Corfe was among the first castles built in England using stone rather than earth and timber. This change of building material made its thick walls strong and resistant to heavy barrages. The castle was built on a high elevation and surrounded by several moats and earthwork barriers. Attackers would need to penetrate not one but five gates to reach the inner keep.
There’s hardly a better example in history for the idea of perimeter defense. Because Corfe Castle was protected by numerous overlapping layers of the most advanced tech available, it was considered — in cybersecurity terms — unbreachable.
This was proven during a Parliamentarian-led siege. In 1645 when the resident Lady of the castle, Mary Banks, held off an army of over 600 soldiers with only five defenders. But humans are nothing if not clever. And it seems like someone can always find a way through even the tightest security.
Corfe Castle eventually fell shortly after the Parliamentarian army was turned away from the walls. There was no gap in the outer defenses to exploit, and the castle was certainly not overwhelmed with force.
Corfe Castle was taken because Lady Banks unknowingly had enemies within her own walls. There were actually Parliamentarians hidden amongst the castle’s residents who simply unlocked the sally port — the back entrance — of the castle and allowed the attackers to walk right in.
This is the very definition of an insider threat.
No amount of protection, regardless of how advanced it may be, can defend from threats that are already inside. Just as Corfe Castle was brought down by Parliamentarian infiltrators, many networks are compromised by legitimate users with malicious intent.
These users may be disgruntled employees, corporate spies, sympathizers, foreign agents, or simply an opportunist who wants to steal intellectual property. Though, in some recent cases, a person in the organization’s IT team was actually responsible for the breach. In other attacks, a hapless employee was exploited by social engineering and turned into an “inside agent” without their knowledge.
While threats like ransomware are far more common in discussion, insider threats pose more danger to a secure network than nearly any other method of attack. This is simply because potential insider threats are already inside. They’re trusted.
This is why no discussion about complete cyber defense should ignore inside threats.
What Are Insider Threats in Cybersecurity?
The cybersecurity arm of the Department of Homeland Security defines insider threats to include sabotage, theft, espionage, and fraud that are carried out through abusing access rights and exploiting legitimate privileges. These threats can also result from carelessness or security control violations that inadvertently allow system access to malicious outsiders. Although insider threats typically persist over time they affect all types of organizations from private companies to government entities.
What Are Types of Insider Threat?
It’s important to note that insider threats can be either unintentional or intentional. A poorly-trained employee with admin rights can be just as dangerous as a deliberately-placed infiltrator. Let’s explore these different types of inside cyber threat in more detail:
Negligence exposes an organization to cyberattack through careless behavior. By definition, a negligent insider knows the security policies but chooses to ignore them. They often make this decision based on convenience, choosing to ignore system updates or protocols simply because they interrupt their own workflow. This creates the most risk when the user has legitimate access at an admin level.
Accidental insiders create unintended risk sheerly through mistake. The most well-known example of this is the employee who clicks on a phishing email. By clicking on the malicious link in an email they inadvertently expose the network to malware. These days, such social engineering attacks tend to fall more under the category of negligence, but insufficient training and cybersecurity awareness certainly leaves room for mistakes.
Intentional threats are actions taken with deliberate desire to harm the organization or for personal gain. Common goals include leaking information, harassing stakeholders, and sabotaging equipment. Those who seek monetary gain will typically hold data for ransom or steal valuable information in hopes of reselling it.
Collusive threats involve one or more insiders with administrative privileges collaborating with an external threat actor. In many cases an insider or several insiders are recruited by an outside malicious actor to gain access.
Third-Party threats are typically contractors or vendors who have been granted some level of access to facilities, systems, networks, or people. A common example is the managed service provider (MSP) who is a privileged user in a client’s network and is used as an intermediary for breaching that network.
How to Evaluate Risk of Insider Threats
Insider threats can be hard to identify until they take action, but an organization can minimize their risk of insider threats nonetheless. The best method is to seek out and address aspects that have been known to lead to an increased risk:
- Employees are not trained in basic cyber security skills including awareness and risk avoidance. They do not know how to secure devices they use for work and avoid social engineering.
- Employees are not versed in regulatory requirements related to their specific industry.
- The IT team has not restricted admin privileges following security best practices.
- Confidential data is allowed to travel to or through unsecured locations, exposing the organization to risk. This includes work-from-home situations which are not controlled by a security policy.
- Employees place convenience above policy and take shortcuts which violate security best practices.
- Employees/IT staff do not adhere to a patch management policy which ensures that all hardware and software is kept up to date.
Defending Against Insider Threats
Risk mitigation (largely through cybersecurity training) is only part of the equation. An organization must take active steps to prevent insider threats from compromising their security.
Build a Culture of Security
Every organization should begin by cultivating a culture of information security. Such cultures must begin at the top, especially with the company leadership, and permeate all the way down to every stakeholder.
Empowerment and accountability are key. Generally, staff must be made aware of their roles and responsibilities as well as how their work affects security as a whole. Security is everyone’s responsibility.
Cyber Education and Training
To avoid unintentional insider threats, employees must be educated on how to spot, avoid, and report attempted social engineering attacks. Every employee should know basic cybersecurity terms, common forms of attack, and especially how to adhere to best-practices like password hygiene and software patching.
Even if a network is monitored by a skilled IT team, employees can be the weakest link in the overall defense.
Privileged Access and User Permissions
Hackers often gain access to the network through the system administrator account or a user account that has admin access. These attacks often begin with social engineering. If authorized access is given to users who don’t need it, the bad actor need only compromise a low-level employee’s device to gain access to the entire organization.
Access to systems should be limited to what is required for the user’s job function, and the principle of least privilege should always be followed. Tools like AutoElevate make access control easy for IT teams and MSPs. AutoElevate uses easy-to-install agents to quickly inventory an entire network’s privileges, augment threat detection, make necessary changes, and monitor user behavior.
Insider threats represent one of the greatest threats to cybersecurity today. In a world where perimeter defenses are as strong as medieval castles, hackers often turn to infiltration tactics which leverage trusted users already inside the network. Worse yet, organizations can be at risk from malicious actors embedded right within their ranks.
One of the most important steps to take against insider threats is to lock down privileges and remove admin rights from unnecessary users. While this can be a sizable task for a large organization, tools like AutoElevate are purpose-built to address this particular cyberthreat vector.
AutoElevate gives IT providers a Privileged Access Management tool to manage and secure admin rights, control applications on endpoints, gain insight into install requests, and monitor and analyze privilege requests in real time.
Follow the rule of least privilege security to reduce insider threats
- Meet Security & Compliance goal in minutes
- Not Active Directory Dependent
- Fully Customize Windows Privileges
- Remove Local Admin Privileges – Without Frustrating Users
All with AutoElevate. For more information and to start your free 2 week trial of AutoElevate today.