The ‘Insider Threat’ is Privileged Access, not a Person
October 14, 2014 | Security and Risk | John Worrall
By John Worrall
The standard reply to “what is an insider threat,” generally circles around the concept of a bad apple within the company and this is shortsighted. Principal investigators in Oxford University’s Corporate Insider Threat Detection research program have it right in their recent Harvard Business Review article, “The Danger from Within,” as:
The Insider threat comes from people who exploit legitimate access to an organization’s cyber assets for unauthorized and malicious purposes or who unwittingly create vulnerabilities.
However, researchers David M. Upton and Sadie Creese miss the mark on one critical aspect of the problem: privileged access is not restricted to employees, contractors or other individuals. They layout the problem like this:
You must diligently manage the privileges of all employees—including those with the highest levels of access to company systems, who are often the instigators of insider attacks. Prune your list of most privileged users regularly—and then watch the ones who remain to verify that they deserve your trust. Look for insider-threat-detection systems that can predict possibly preventable events as well as find events that have already occurred. Big data can be helpful in linking clues and providing warnings.
The problem is not where an attack starts or if an individual works for the company – it’s about an attack that’s already behind the traditional security perimeter. It would have been more accurate to stop at, you must diligently manage privileges. Simply put, privileged accounts turn an external attacker into an insider, moving freely across the network without detection. These privileged credentials are the true threat lurking inside your organization. If left unprotected, a malicious insider will use them to hurt your business, or an outside attacker will use them to act like an insider.
These accounts represent a huge attack surface, and are used by IT staff and exist in every piece of technology connected to your network – hardcoded passwords in applications, across devices, etc. They are the real insider threat to an organization. These accounts can provide absolute control over a company’s infrastructure, which is why security researchers like CyberSheath have highlighted that they have been at the epicenter of 100 percent of all advanced attacks.
The most common cybersecurity safeguards – vulnerability management, strong boundary protection, password policy, awareness programs – just don’t work when it comes to these types of situations, according to Upton and Creese.
If these common practices are so ineffective, then what can we do?
- Integrate a company-wide privileged account security solution. Many companies chose only ‘high-risk’ network environments to protect, however, recent retail breaches show that every piece of the organization needs to be protected – from third-party vendor access to HVAC systems to PoS terminals.
- Deploy analytics-based security practices to monitor privileged user-behavior. By monitoring the behavior of even those with the highest level of access to company systems, you will be alerted to anomalous behavior more quickly so you can respond as necessary.
- Reassess your list of privileged users regularly. Many companies are unaware of the number of privileged accounts that are left forgotten and unused – many times left behind after an acquisition or merger. Make sure to locate and close any of these discarded accounts that can be easily exploited.
- Use one-time passwords that expire after a single use. Using one-time passwords takes the onus off of your IT staff to choose passwords complex enough or change passwords often enough. Since we’re far from a world without passwords, one-time password use is one of the best solutions for secure authentication.
The sooner organizations understand its privileged accounts are the true insider threat, the quicker effective security strategies can be deployed. If you’re not identifying, controlling and monitoring all privileged account activity, then you’re leaving the door wide open for a breach.