How to Deal with Insider Threats: A Common Sense Approach

Beware the threat from within: How to deal with insider threats

IT security professionals and executives are well aware of the threat from hackers. Cyberattacks have been all over the news recently, and major breaches have resulted in millions of records being stolen. Patient health records were targeted in the cyberattack on Anthem Inc., the largest healthcare data breach recorded to date. That attack, disclosed in February 2015, involved the theft of 78.8 million health insurance subscriber records.

Target was attacked in late 2013, and the hackers obtained payment card data for around 40 million customers along with the personal details of up to 70 million more, roughly 110 million people in total. The finance industry was also hit hard in 2014, when data on 76 million households and 7 million small businesses, about 83 million J.P. Morgan Chase accounts, was compromised by hackers.

Cybersecurity defenses naturally need to be put in place, monitored, and bolstered to deal with the ever changing threat landscape. However, it is important not to forget the threat from within. Malicious insiders can be just as dangerous, and often more so than hackers. Just ask the NSA. They know all too well how dangerous insiders can be. Edward Snowden managed to steal and release data that has caused considerable embarrassment. In his case, he wanted the world to know what the NSA was up to. The NSA had gone to great lengths to make sure that what occurred behind its walls stayed secret.

Malicious insiders are individuals who have legitimately been given access to patient and customer records, intellectual property, company secrets, product development information and employee databases. An insider with broad access can potentially take all of it, so the harm a malicious insider can cause is considerable.

It is not just theft of data that is a problem. Insiders may use their access to computer systems to defraud their employers, destroy data, or install malware and ransomware. Unfortunately, tackling the threat from within is a much more difficult task than preventing external attacks.

Bear in mind that insiders are not necessarily employees. They can include business partners and associates, contractors and past employees.

Which insiders pose the biggest threat

Unfortunately, any employee can steal corporate secrets and data, but the potential for damage increases with privilege level. In a hospital, a physician may only have access to his or her own caseload of patients. It may still be possible for that physician to open the records of other patients at the facility, but not without leaving a trace: the access should be logged and flagged, so that anyone reviewing the audit logs can see that something inappropriate may have happened. Those alarms will not be klaxons, but the flag has to be raised, and someone has to be looking at the logs for it to matter.

A member of the IT department may have the highest level of privileges, and could potentially access huge quantities of data. One member of the IT department may not have access to everything, but in theory – and sometimes in practice – they could elevate their privileges for long enough to gain access to the data they require.

Research from the CERT Insider Threat Center at Carnegie Mellon University's Software Engineering Institute (not to be confused with the government's US-CERT) shows that half of insider incidents are carried out by individuals using access they were legitimately granted. These individuals already have the authority to use the systems that hold valuable data, so perimeter defenses do nothing to stop them. If you do not deal with insider threats, it is only a matter of time before a breach is suffered.

It can be difficult to identify insider threats. Some say “it’s always the quiet ones,” but in reality, there is no way of being 100% certain which employees will steal data or sabotage systems. There are many potential reasons why an individual may decide to steal or delete data. Employers must therefore be aware of the risk and take action to mitigate that risk as far as is possible.

CERT research is useful in this regard. The studies show that data theft and sabotage are most likely to occur in the period leading up to an employee's departure and shortly after it, typically within a month either side of leaving the company.

As soon as an employee hands in his or her notice, place alerts on their accounts and audit their recent activity. If a worker is disgruntled or unhappy at work, that may be a sign they are looking for employment elsewhere, and it would be wise to keep a closer check on their data access. It is a sensible precaution to lower account privileges shortly before an employee leaves and to ensure that all access is revoked as soon as they do: not just the domain account, but VPN, email, cloud and SaaS logins, and any shared or service credentials they knew. Many companies are lax about closing accounts and may not block access immediately, and a login that still works after the leaving date is exactly the gap a departing insider will use.

Fortunately, risk can be managed. Adopt the following best practices to help you deal with insider threats and you will limit the opportunity for an insider to steal or delete data. You will also limit the damage that can be caused.

Best practices to deal with insider threats

  • Minimum necessary information – Grant access only to the data an individual needs to perform regular work duties, and review entitlements periodically: access accumulates as people change roles and is rarely taken away
  • Provide temporary access as appropriate – If atypical duties require it, temporarily escalate privileges for the duration of the task and lower them again as soon as it is complete; the escalation itself should be logged
  • Monitor access to resources – Log access to sensitive data and review the logs routinely; a log nobody reads is not a control. Flag access outside a user's normal scope, unusual volumes, and any activity on the accounts of staff who are leaving
  • Control access to physical resources – Restrict access to confidential files, stored backups, old computer equipment, and servers. Keep them under lock and key.
  • Separation of duties – Restrict access as far as is possible: do not give one individual full access to a system; split it so that no single employee can complete a sensitive operation alone. Use Privileged Access Management (PAM) so that administrative credentials are checked out, time-limited and recorded. This limits the damage any one account can cause.
  • Implement policies and controls – Make sure these are communicated to all staff members, and that staff know access is monitored.
  • Restrict file transfers – As far as is possible, put controls in place to prevent data from being copied or exfiltrated. Prevent certain file types from being emailed outside the company, block peer-to-peer file sharing sites and uploads to personal cloud storage, and control removable media. These controls raise the cost of exfiltration rather than eliminate it, which is why they must be paired with monitoring.
  • Encryption – Encrypt all stored data and control who holds the keys needed to decrypt it. Always protect data at its source. Encryption defends against a stolen disk or backup tape, not against an insider who is authorized to decrypt, so the access controls above still govern what such an insider can read.
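As an added example, not from the original article, the following Python script applies several of the practices above to audit-log lines: it flags access to records outside a user's assigned caseload (the physician case described earlier), activity on the account of anyone within the thirty-day window either side of leaving, any access after the leaving date (an account that should already have been disabled), and bulk access to many distinct records in a short time. The log format, the roster, the thresholds and every user and record identifier are assumptions constructed for illustration.

```python
"""Added example (not from the original article): scan audit-log lines
for the insider-threat indicators the article describes.

Assumptions (hypothetical, for illustration): a log format of
    <ISO timestamp> user=<id> action=<verb> record=<record id>
an HR roster giving each user's assigned caseload (None = unrestricted,
e.g. an administrator) and the dates they gave notice and left, and a
departure window of 30 days either side of leaving, per the CERT finding.
"""
from collections import defaultdict
from datetime import date, datetime, timedelta

DEPARTURE_WINDOW = timedelta(days=30)   # risk peaks a month either side of leaving
BULK_WINDOW = timedelta(hours=1)        # assumed: review anyone touching more
BULK_THRESHOLD = 5                      # than this many distinct records in an hour

# Constructed roster; notice/left are None for staff who are not leaving.
ROSTER = {
    "dr_smith":   {"caseload": {"P100", "P101", "P102"}, "notice": None, "left": None},
    "dr_jones":   {"caseload": {"P200", "P201"},
                   "notice": date(2015, 3, 2), "left": date(2015, 3, 16)},
    "contractor": {"caseload": {"P300"},
                   "notice": date(2015, 2, 1), "left": date(2015, 2, 14)},
    "it_admin":   {"caseload": None, "notice": None, "left": None},
}

# Constructed log lines.
LOG = """\
2015-03-02T09:15:00 user=dr_smith action=view record=P101
2015-03-02T09:20:00 user=dr_smith action=view record=P250
2015-03-03T14:00:00 user=dr_jones action=view record=P200
2015-03-03T14:01:00 user=dr_jones action=export record=P201
2015-03-03T14:02:00 user=dr_jones action=export record=P100
2015-03-03T14:03:00 user=dr_jones action=export record=P101
2015-03-03T14:04:00 user=dr_jones action=export record=P102
2015-03-03T14:05:00 user=dr_jones action=export record=P250
2015-03-20T08:00:00 user=contractor action=view record=P300
2015-03-10T11:00:00 user=it_admin action=view record=P300
"""


def parse_line(line):
    """Turn one log line into a dict with a datetime under 'ts'."""
    ts_text, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%S")
    return event


def in_departure_window(day, person):
    """True if `day` lies within 30 days of the notice or leaving date."""
    if person["notice"] is None:
        return False
    end = (person["left"] or person["notice"]) + DEPARTURE_WINDOW
    return person["notice"] - DEPARTURE_WINDOW <= day <= end


def analyze(log_text, roster=ROSTER):
    """Return a list of (user, indicator, detail) findings for review."""
    findings = []
    per_user = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        event = parse_line(raw)
        user, record, day = event["user"], event["record"], event["ts"].date()
        person = roster.get(user)
        if person is None:                      # account not on the roster at all
            findings.append((user, "unknown_account", record))
            continue
        per_user[user].append(event)
        if person["caseload"] is not None and record not in person["caseload"]:
            findings.append((user, "outside_caseload", record))
        if person["left"] and day > person["left"]:
            findings.append((user, "post_termination", record))   # should be disabled
        elif in_departure_window(day, person):
            findings.append((user, "departure_window", record))
    # Bulk access: sliding one-hour window over each user's events.
    for user, events in per_user.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > BULK_WINDOW:
                start += 1
            distinct = {e["record"] for e in events[start:end + 1]}
            if len(distinct) > BULK_THRESHOLD:
                findings.append((user, "bulk_access",
                                 f"{len(distinct)} distinct records within {BULK_WINDOW}"))
                break                           # one finding per user is enough
    return findings


if __name__ == "__main__":
    for user, indicator, detail in analyze(LOG):
        print(f"{indicator:18} {user:12} {detail}")
```

On the constructed data the script reports the physician who opened a record outside the caseload, the six exports made by an employee who had just handed in notice (four of them outside that employee's caseload, and enough in five minutes to trip the bulk rule), and a contractor login five weeks after the leaving date. The administrator with an unrestricted caseload produces no finding, which is the point of the separation-of-duties and PAM items above: for such accounts the log is the only control, so its review has to be deliberate.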

Habits Developed by the Best System Administrators

Not all habits are bad. Sure you should ease up on the alcohol, give up smoking, and stop biting your nails, but make sure you take some time to develop some good habits. Take a look at the best practices below, ensure you perform them regularly, and before long they will become second nature. You will then be able to legitimately rank yourself alongside the best system administrators. Even better, you should find you have far fewer bad days and even some when everything runs smoothly without a hitch.

Develop a ticket system and keep on top of requests

You are likely to receive more requests for assistance than you can deal with in a single day. If you are regularly flooded with requests, some will invariably be forgotten. Sometimes you will deal with an issue only for a user to complain that you have not. It is useful to be able to prove that you have dealt with a problem in a timely manner. A ticketing system will allow you to do this, as well as help you prioritize tasks and never forget a single reported system or computer issue.

Your system need not be expensive or complicated. If you work on your own in a small business, you can set up a very simple MS Access database to log all requests. Even a spreadsheet may suffice. A word document would also work. The important thing is that all requests are logged.

If there is more than one system administrator employed in your company, it is probable that you may need to have a more complex system. Helpdesk software is likely to be required if you are having to deal with hundreds of requests. They will need to be allocated to staff members, and follow-ups will be required. Making sure all queries have been answered and all reported problems resolved will be a nightmare without such a system in place.

Keep a log of your activity

If you ever have to justify what you have spent all your time doing, your ticketing system is your friend. You can show the volume of requests you have received/resolved on a daily basis, and use that information to show that your time has been well spent.

One clever way of reducing the requests you get is to log the requests and send the user (and his or her line manager) an email detailing the request received and the likely timescale for resolution. If a manager is involved, you may find the number of requests you are given will decrease. A formal request process and confirmation procedure is a wonderful way of cutting back on many of the requests for support that are usually sent to the desk of a Sys Admin.

Be proactive and avoid power/cooling issues

Overheating servers and power fluctuations cause many headaches and waste a lot of a Sys Admin’s time. It sounds obvious, and it is, but managing power and ensuring server rooms are effectively cooled are well worth the effort. Being proactive in this regard will save a great deal of time in the long run.

Power issues can be largely solved by installing an Uninterruptible Power Supply (UPS) for each of your servers. When purchasing a UPS, make sure it has enough runtime for the server to shut down cleanly (an hour is a comfortable margin), and connect its monitoring cable or network card so that the operating system is told to shut down properly rather than simply losing power when the battery is exhausted. That controlled shutdown is what prevents corrupted files and unplanned reboots.

Are your routers, switches and servers locked away in a closet without any cooling? If you work in a small organization, this may well be the case. If your equipment frequently overheats, consider investing in a small air conditioning unit. Does your server overheat at the weekend yet run fine during the week? Oftentimes, building air conditioning is shut down at the weekend when there is no one in the office. A separate unit will solve this problem; just make sure its exhaust heat is vented out of the room (into the ceiling plenum or outside), otherwise it only moves the heat around.

Monitor your network and devices connected to it

It is vital to monitor your network and systems. This will allow you to take action before they crash and services are lost. Install a system to monitor everything, and then install a system to monitor your monitoring system. Get the system to send you alerts, and you can prevent a lot of problems from occurring and avoid time consuming (and expensive) system outages.

If your Monday mornings are usually spent dealing with system crashes that have accumulated over the weekend, you can make the start of the week a lot easier if you put a monitoring system in place. Do you have a service level agreement in place with your ISP? If so, you may be able to add in a monitoring function on your switches and router as part of your service level agreement. This may not be possible though if you have a highly complex system or atypical network configuration. Fortunately, in most cases, monitoring systems are inexpensive, yet can save a lot of time, money, and hair loss from stress.
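As an added example, not from the original article, the following Python code shows the "monitor your monitoring system" idea in working form: a small check runner that records a heartbeat after every cycle, escalates only when the same check has failed several cycles in a row (so a single blip does not page anyone but a persistent fault does), and a separate watchdog that alerts when the heartbeat goes stale. The check interface, the thresholds and the disk-space check are assumptions for illustration; in practice the watchdog would be scheduled independently, ideally on another host, so that a dead monitor cannot silently take its own alarm with it.

```python
"""Added example (not from the original article): a check runner whose
own liveness is verified by a separate watchdog.

Assumptions (hypothetical, for illustration): each check is a callable
returning (ok, detail); the runner records a heartbeat after every cycle;
a watchdog scheduled elsewhere alerts if that heartbeat is older than
MAX_SILENCE; a failing check is escalated only after ESCALATE_AFTER
consecutive failed cycles.
"""
import shutil
from datetime import datetime, timedelta

MAX_SILENCE = timedelta(minutes=10)   # runner must report at least this often
ESCALATE_AFTER = 3                    # consecutive failures before paging


def disk_free_check(path="/", min_free_fraction=0.10):
    """Sample check: fail when free space on `path` drops below the fraction."""
    usage = shutil.disk_usage(path)
    free = usage.free / usage.total
    return free >= min_free_fraction, f"{free:.1%} free on {path}"


class Monitor:
    def __init__(self, checks):
        self.checks = checks                       # name -> callable returning (ok, detail)
        self.failures = {name: 0 for name in checks}
        self.last_heartbeat = None

    def run_cycle(self, now):
        """Run every check once; return the alerts that should be escalated."""
        escalate = []
        for name, check in self.checks.items():
            try:
                ok, detail = check()
            except Exception as exc:               # a crashing check is a failure, not a skip
                ok, detail = False, f"check raised {exc!r}"
            if ok:
                self.failures[name] = 0            # recovery resets the streak
                continue
            self.failures[name] += 1
            if self.failures[name] >= ESCALATE_AFTER:
                escalate.append(f"{name}: {detail} (failed {self.failures[name]} cycles)")
        self.last_heartbeat = now                  # set last, so a hung check stalls it
        return escalate


def watchdog(last_heartbeat, now, max_silence=MAX_SILENCE):
    """Monitor the monitor: return an alert string if the runner has gone quiet."""
    if last_heartbeat is None:
        return "monitor has never reported"
    silence = now - last_heartbeat
    if silence > max_silence:
        return f"monitor silent for {silence}"
    return None


if __name__ == "__main__":
    monitor = Monitor({"disk": disk_free_check})
    print("escalations:", monitor.run_cycle(datetime.now()))
    print("watchdog:", watchdog(monitor.last_heartbeat, datetime.now()))
```

The heartbeat is written only after all checks complete, so a check that hangs (a stuck network probe, say) stops the heartbeat and the watchdog reports it, which a simple "is the process alive" test would miss.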

Cut back on time consuming manual chores

Repeating the same tasks over and over again wastes an extraordinary amount of time, and each time a task is performed by hand there is the possibility of a mistake. Use the automation and scripting facilities on your servers and other devices so that updates and installations are performed automatically and identically every time.

If you use PowerShell, for instance, supporting Windows Server 2012 becomes far more streamlined. It may take a little time to set up, but it will save hours in the long run. If you cannot automate a task, create a detailed checklist of all the settings for each application to reduce the chance of errors being made.

Don’t let users waste your time

OK, this is much easier said than done, but there are ways to reduce the time spent dealing with user issues. For instance, create a website page that lists the correct contact numbers and persons responsible for dealing with particular IT problems. Remember that users are non-technical individuals, so the language used must also be non-technical. “Server problems” rather than “Windows NT problems” for example.

Instruct all users to visit the webpage before contacting you. You can then post updates there that answer many of their questions. Also include a self-help section (have you tried turning your computer off and on again?).

Include sections for changing passwords and the common problems you are asked to deal with that can easily be resolved by following a simple set of instructions. You will find the volume of helpdesk calls will reduce considerably. Also create a login banner to advise of maintenance schedules etc., to avoid being bombarded with calls when a planned outage takes place.

Get involved in the business

It is your job to deal with technical aspects of the business, yet you will need to be aware of how the business operates. In order to get authorization for IT upgrades or new equipment, it helps if you can explain, concisely, why the purchases are necessary, the impact they will have on the business, and the consequences if purchases are not made. Work on your communication skills and learn how to communicate effectively with non-technical staff members. It requires practice, and a great deal of patience sometimes, but it will make your life easier in the long run.