Insider threats are the worst possible security threat to any organization. Most think that outside threats are terrible and will take down an organization, but in reality, the insider threat is the most damaging. The reason insider threats are so bad is simple: they are already inside the organization, and they have access that outsiders do not. Insiders know where the server room is and might even have access to it. They have access to file shares with sensitive corporate documents or documents that deal with matters of national security. This is scary stuff!
Prevent Insider Threats
There are ways to avoid falling victim to insider threats. Here’s a list of some of the best methods you can employ.
1. Enforce Least Privilege Access Control
There have been times in the past when I've been given the metaphorical keys to the kingdom as a systems administrator. I have held domain administrator credentials, and superuser/root credentials for applications that are extremely crucial to the success of the organization as a whole. I haven't always needed that much access, and that's why the rule of least privilege should be enforced by every organization. Least privilege means granting users and administrators access only to what they need to do their job effectively. The junior network administrator doesn't need domain-admin-level access to Active Directory. They likely need access to the switches and routers, and they definitely shouldn't need root-level access to the servers. Likewise, the Active Directory admin doesn't need root-level access to the core switch. By enforcing least privilege, you eliminate the possibility of someone doing something they should not or accidentally causing an outage. Audit your user and administrator accounts frequently to ensure least privilege principles are followed.
2. Change Passwords Frequently
Password management should be a priority for everyone on every project, regardless of scope. In the case of users needing access to a SCIF, each and every time a user leaves the organization or the program, the SCIF door code should be changed. Irritating, yes, but so important when it comes to preventing insider threats. The same goes for sensitive applications and servers: when John Doe leaves the company, change the password. In fact, one of the best things you can do when a user is terminated is to disable that user's account immediately. Do an audit of their access and ensure that all necessary passwords are changed.
3. Employ Separation of Duties
Employing separation of duties is one of the most effective methods to prevent insider threats. Instead of a pool of administrators having domain/root-level access to all network resources, their access should be determined by their job role. The domain administrator for Windows servers needs access to all things Windows; they don't need root access to the Linux servers. Creating teams based on their roles is a good thing. Separation of duties is not the same thing as silos. Silos are generally seen as negative because you have individuals working alone, or with a group of like administrators, in a way that makes it difficult to collaborate. You can have separation of duties while ensuring cross-collaboration is in effect as well.
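The account audit that the first three points call for (least privilege by role, disabling and cleaning up terminated users, role-based separation of duties), as an added example that is not part of the original post. The role policy, group names and the account export layout are assumptions; a real run would read a CSV or directory export instead of the constructed sample.

```python
from dataclasses import dataclass, field

# Assumed role policy: the privileged groups each job role is entitled to hold.
ROLE_ALLOWED_GROUPS = {
    "ad-admin": {"Domain Admins", "Account Operators"},
    "network-admin": {"Network Device Admins"},
    "junior-network-admin": set(),          # read-only device access only
    "linux-admin": {"linux-sudoers"},
}
# Groups treated as privileged; any membership must be justified by the role.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Account Operators",
                     "Network Device Admins", "linux-sudoers"}

@dataclass
class Account:
    name: str
    role: str
    enabled: bool
    terminated: bool              # HR record says the person has left
    member_of: set = field(default_factory=set)

def audit(accounts):
    """Return (account, finding) pairs; an empty list means the export is clean."""
    findings = []
    for acct in accounts:
        # Departed staff are entitled to nothing, whatever their former role was.
        allowed = set() if acct.terminated else ROLE_ALLOWED_GROUPS.get(acct.role, set())
        if acct.terminated and acct.enabled:
            findings.append((acct.name, "terminated but account still enabled"))
        if not acct.terminated and acct.role not in ROLE_ALLOWED_GROUPS:
            findings.append((acct.name, f"role not in policy: {acct.role}"))
        label = ("privileged group retained after termination"
                 if acct.terminated else "privileged group not justified by role")
        for group in sorted(acct.member_of & (PRIVILEGED_GROUPS - allowed)):
            findings.append((acct.name, f"{label}: {group}"))
    return findings

# Constructed sample export (assumed names); a real run would load a CSV or LDAP dump.
SAMPLE_ACCOUNTS = [
    Account("alice", "ad-admin", True, False, {"Domain Admins", "Account Operators"}),
    Account("bob", "junior-network-admin", True, False, {"Network Device ReadOnly", "Domain Admins"}),
    Account("carol", "linux-admin", True, False, {"linux-sudoers", "Network Device Admins"}),
    Account("dave", "ad-admin", True, True, {"Domain Admins"}),
    Account("erin", "network-admin", False, True, {"Network Device Admins"}),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_ACCOUNTS):
        print(f"{name}: {finding}")
```

Scheduling this against a nightly export turns "audit frequently" into a concrete check: every line of output is either a role-policy exception to document or a cleanup task.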
4. Thoroughly Vet Prospective Candidates
Human resources and the recruiters in an organization need to vet their prospective candidates thoroughly. Each interviewer plays a vital role in making sure that the candidate is solid technically as well as trustworthy. It isn't always easy to tell if a candidate gives off an insider threat vibe. Insider threats aren't always shadowy characters in black hats; they can take the form of careless workers who make grave mistakes. Candidates who exude qualities such as attention to detail, timeliness, and honesty are who you should be looking for.
Learn and Adapt
Sometimes, insider threats happen. Even after all we can do to prevent them, they often slip through the cracks. Whether it's a disgruntled employee or a careless, sloppy employee, it happens. When an insider threat costs an organization, it is a perfect learning opportunity on how to prevent future threats. After-action reports provide leaders with the information needed to learn and adapt. Insider threats don't have to cripple your organization. By paying close attention to the signs and taking the necessary precautions, your organization can protect itself against insider threats and carry on.