The much publicized hacking of Anthem, Sony and Target (the biggest retail hack in U.S. history) has demonstrated that no matter how robust your perimeter security, cyber criminals will gain—or already have gained—access to your network.
This is because when protecting against cyber attacks, many companies focus exclusively on endpoint protection and breach prevention. But protecting the cyber perimeter with firewalls and anti-virus packages means they often only possess the ability to stop a threat by matching it to a list of threats previously detected and known.
While perimeter defense is essential, a more robust and layered cybersecurity program should also offer protection against “unknown unknowns”: previously unidentified or unseen threats or indicators of those threats that no one was aware existed. This includes detecting malicious activities from within your network.
While external, highly sophisticated threats are certainly grabbing the headlines, the weakest link within an organization is often the human element or the insider threat. As a result, these threats are still a major source of security breaches.
According to a 2014 CERT study, 28% of all security incidents occur as a result of an insider—either from an employee or from an employee who allows an external threat into the network.
The question, therefore, is how can organizations best defend themselves against both external and internal threats that are evolving and have the potential to cause significant reputational, financial and operational damage?
While organizations should certainly keep perimeter security current, the smartest approach to cybersecurity should start with the assumption that threats are already inside your IT network. This may be the result of a sophisticated external attack that has infected your network with malicious code, lying in wait to discover, collect and extract your most valuable data, or an insider attack via an employee with “keys to the kingdom.”
To make things more difficult, the insider threat can come in many forms. It may be a result of an employee’s accidental actions, such as clicking on an infected e-mail or visiting an infected site that downloads malicious code to your network. A 2015 report on breach investigations by Verizon shows that nearly one in four employees is likely to open a phishing e-mail, and one in 10 is willing to open an e-mail attachment from an unknown person. Phishing e-mails can be a vehicle for malware, which, once opened, can infiltrate a network and quietly access information without the knowledge of the organization.
Intrusions like this can go undetected because the complexity of today’s computing environments creates the perfect hiding place for malware. On average, it can take 200 days from an initial compromise taking place to detection. By this time, the damage has usually been done.
Threats can also come from an employee committing straightforward fraud or IP theft for personal gain. Unfortunately, however, the insider threat is often more sinister. Criminal gangs are looking for account and credit card information, corporate trade secrets, financial reports, and employee and customer information. They understand that it is often easier to place one of their own members on the inside or encourage an existing employee to reveal information, rather than mount an uncertain attack on the institution’s cyber defenses.
While perimeter security layers, such as anti-virus and firewalls, are important for blocking the vast majority of known external threats, they are ineffective when it comes to insider threats or “unknown external threats.”
IT security professionals must be able to detect suspicious activities within their networks. A new approach is to use a proactive cyber-forensics solution that uses advanced analytic machine-learning techniques to search for anomalies. The anomalous activity could be a device trying to access an unusual amount of data or an unseen pattern of user login activity—possible indications of both external and internal threats.
When unknown threats are identified, an alert is triggered. Because this happens early in the timeline, it means potential harm and damage to the network can be identified, remedied and mitigated quickly.
But while analytics software may help companies proactively identify threats on the network, there are other steps that should be taken to address insider threats that can result from human error.
Implementing a solid IT security operations and incident response plan can help reduce the impact of threats. Similarly, duties and processes should be segregated to ensure that users do not accumulate excessive privileges on critical information systems. For example, applying the principle of least privilege grants users access only to the information necessary to perform their individual roles.
Training can instruct staff in safe behavior practices, informing employees both of potential threats and of the legal requirements they are obliged to meet in securing data and systems: for instance, using multiple unique passwords on computers and mobile devices used for work purposes, logging off properly at the end of the day, and reporting any suspicious activity immediately.
Assuming that threats are already present on the inside, assurance and security practices should immediately be tightened. Organizations should look for information that is missing or altered, plus check for unusual login behavior from employees. The staging of data, where large quantities of information are being collected by one user, can be an indication that an insider is about to exfiltrate this data—whether via the network or storage devices such as USB drives.
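The two indicators the article points to, a user or device pulling an unusual amount of data (the staging that precedes exfiltration) and login activity that breaks the user's established pattern, can both be caught with a per-user baseline and a deviation check. The following is an added example, not code from the original article: it learns each user's daily read volume and working hours from a constructed five-day access log, then scores the day that follows. The records, the training window, the z-score threshold and the handling of a flat (zero-spread) history are all constructed choices for illustration.

```python
"""Baseline-and-deviation detector for two insider-threat indicators:
a user pulling an unusual volume of data (possible staging before exfiltration)
and logins at unusual hours. Added example, not from the original article; the
log records, the 5-day training window and the thresholds are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample access log: (user, day, bytes_read, login_hour).
# Days 1-5 are the learning window; day 6 is what gets scored.
SAMPLE_EVENTS = [
    ("alice", 1, 120_000, 9), ("alice", 2, 110_000, 10), ("alice", 3, 130_000, 9),
    ("alice", 4, 125_000, 8), ("alice", 5, 115_000, 9),
    ("alice", 6, 9_500_000, 23),  # constructed anomaly: bulk read, late at night
    ("bob", 1, 300_000, 8), ("bob", 2, 280_000, 9), ("bob", 3, 310_000, 8),
    ("bob", 4, 295_000, 9), ("bob", 5, 305_000, 8),
    ("bob", 6, 290_000, 9),       # ordinary day, should not alert
    ("carol", 1, 50_000, 9), ("carol", 2, 50_000, 9), ("carol", 3, 50_000, 9),
    ("carol", 4, 50_000, 9), ("carol", 5, 50_000, 9),
    ("carol", 6, 52_000, 9),      # flat history: zero-stddev edge case
]


def build_baselines(events, training_days):
    """Per-user profile from the learning window: volume mean/stddev and hours seen."""
    volumes = defaultdict(list)
    hours = defaultdict(set)
    for user, day, nbytes, hour in events:
        if day <= training_days:
            volumes[user].append(nbytes)
            hours[user].add(hour)
    return {
        user: {"mean": mean(v), "sd": pstdev(v), "hours": hours[user]}
        for user, v in volumes.items()
    }


def score_event(user, nbytes, hour, baseline, z_threshold):
    """Return (reasons, z) for one event measured against the user's baseline."""
    # A flat history gives sd == 0, which would make any change look infinite;
    # floor the spread at 5% of the mean so small deviations are not flagged.
    sd = max(baseline["sd"], 0.05 * baseline["mean"], 1.0)
    z = (nbytes - baseline["mean"]) / sd
    reasons = []
    if z > z_threshold:
        reasons.append("bulk_read")
    # An hour outside the observed range, widened by one hour each side, is off-hours.
    lo, hi = min(baseline["hours"]) - 1, max(baseline["hours"]) + 1
    if not lo <= hour <= hi:
        reasons.append("off_hours")
    return reasons, z


def detect(events, training_days=5, z_threshold=3.0):
    """Score events after the learning window; return one finding per anomalous event."""
    baselines = build_baselines(events, training_days)
    findings = []
    for user, day, nbytes, hour in events:
        if day <= training_days:
            continue
        if user not in baselines:
            # No history at all: surface it rather than silently skipping the user.
            findings.append({"user": user, "day": day, "reasons": ["no_baseline"], "z": None})
            continue
        reasons, z = score_event(user, nbytes, hour, baselines[user], z_threshold)
        if reasons:
            findings.append({"user": user, "day": day, "reasons": reasons, "z": round(z, 1)})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"ALERT user={f['user']} day={f['day']} reasons={f['reasons']} z={f['z']}")
```

Run as written, only alice's day-6 record alerts, on both counts; bob's day and carol's slight uptick stay quiet because the check is relative to each user's own history rather than a fixed volume limit. In production the baseline would come from weeks of data and the off-hours rule would account for shifts and time zones, but the shape is the same: learn what normal looks like per user, then alert on what departs from it.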
While the ability of criminals to create, identify and exploit vulnerabilities in networks creates significant challenges for companies, a combination of technology and some common-sense approaches can go a long way toward mitigating insider threats.