Where are you most at risk?
Is your IT security as effective internally as it is externally?
Typically, organizations understand the need for outward-facing (public) IT security. However, IT security as a means of preventing insider attacks is often overlooked or relegated to a lower priority.
What can IT Security do to prevent, detect, and mitigate against insider threats?
Implement simple and effective prevention and monitoring measures pertaining to:
- Account creation
- Shared accounts
- Account expiration
- Workstation inactivity
- Unauthorized use
- Disabling accounts upon separation
- Disabling remote access upon termination
- Access control
- Password management
Enforce task separation (Who watches the watchers?)
Impose company device/BYOD technology management:
- Personal use policy
- Return of company equipment upon separation
Establish appropriate employee collection and monitoring strategies regarding:
- Retention policies
- Remote access monitoring
- User authentication
- Abnormal processes/Activities
- Alteration of critical data
- Exceptions/Expedited processes
- Suspicious downloads
- Encrypted traffic
- Communication applications
Enforce additional mitigation strategies related to:
- Data Integrity
- Software configuration
- Hardware configuration
- Device modification
- Vulnerability exploits
- Access to backup media
- Account compromise
- System privilege abuse
- Theft of IP
- Denial of service
- Access to sensitive information
- Access to out-of-scope information
Establish standard incident response protocols including:
- Response to tech complaints
- Disaster recovery strategies
- Notification of employee separation
- Termination procedures for trusted business partners
An employee was a former student at a public school district. During his time as a student, he shoulder-surfed the password of a school employee who had a privileged account. A few years later, the former student was able to log into the administrative system of the school district using the stolen credentials, which had not expired.
The school’s information system was hosted by a third party, who hosted many of the information systems of the public school districts in that same area. The employee then used the compromised account to log into the payroll information system of another school district, at which point he stole personally identifiable information (PII) of approximately 5,000 current and former district employees.
Using the stolen identities, he started applying for fraudulent credit cards and made fraudulent checks. He was caught when the rightful owners of the stolen identities began noticing strange account activity occurring in their names. The employee was finally arrested at a store where a clerk had noticed that a check he had tried to cash was fake. The former student was sentenced to 10 years in prison for 1st degree computer trespassing, identity theft, forgery, and an unrelated count of drug possession.
What could IT security have done to reduce the risks posed by this employee?
- Enforce a password expiration date for all employee accounts, so stolen credentials do not remain valid indefinitely.
- Ensure trusted business partners have equivalent security measures in place so they do not become the attack vector of least resistance.
- Ensure the organization has a policy to safeguard personally identifiable information from inadvertent and intentional disclosure.
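Several of the controls listed above (account expiration, workstation or account inactivity, shared accounts, disabling accounts upon separation) and the first lesson of the case study (credentials that never expired) can be checked mechanically against an account export. The script below is an added example, not code from the original page or from any vendor it describes: it parses a constructed CSV export with assumed column names (`username`, `privileged`, `enabled`, `password_set`, `last_login`, `separated_on`, `shared`), applies assumed policy thresholds (90-day password age, 60-day inactivity), and reports each account that violates a control, with a severity that is higher for privileged accounts. The sample rows are constructed and do not describe real people or systems.

```python
"""Audit an account export for the insider-threat controls named above.

Added example: column names, thresholds and the sample export are assumptions
made for illustration, not a description of any real IAM product.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample export (not real data). A real directory or IAM export
# will have different columns; map them into the same fields before auditing.
SAMPLE_EXPORT = """\
username,privileged,enabled,password_set,last_login,separated_on,shared
admin.payroll,yes,yes,2019-03-01,2024-05-02,,no
j.smith,no,yes,2024-03-15,2024-05-01,,no
t.jones,no,yes,2024-01-10,2024-02-20,2024-02-28,no
helpdesk,yes,yes,2024-04-01,2024-05-03,,yes
vendor.sync,yes,yes,2023-11-20,2023-12-05,,no
m.lee,no,no,2023-06-01,2023-08-01,2023-08-02,no
"""

TODAY = date(2024, 5, 6)               # fixed "today" so results are reproducible
MAX_PASSWORD_AGE = timedelta(days=90)  # assumed policy: rotate passwords every 90 days
MAX_INACTIVITY = timedelta(days=60)    # assumed policy: disable after 60 idle days


def _parse_date(value):
    """Return a date for an ISO string, or None when the column is empty."""
    return date.fromisoformat(value) if value else None


def load_accounts(export_text):
    """Parse the CSV export into a list of dicts with typed fields."""
    accounts = []
    for row in csv.DictReader(io.StringIO(export_text)):
        accounts.append({
            "username": row["username"],
            "privileged": row["privileged"] == "yes",
            "enabled": row["enabled"] == "yes",
            "shared": row["shared"] == "yes",
            "password_set": _parse_date(row["password_set"]),
            "last_login": _parse_date(row["last_login"]),
            "separated_on": _parse_date(row["separated_on"]),
        })
    return accounts


def audit(accounts, today=TODAY):
    """Return (username, severity, finding) tuples for each control violation.

    Disabled accounts are skipped for the age and inactivity checks: the
    control that matters for them is already in place.
    """
    findings = []
    for acct in accounts:
        user = acct["username"]
        if acct["enabled"] and acct["separated_on"] is not None:
            findings.append((user, "HIGH", "still enabled after separation"))
        if acct["enabled"]:
            pw_set = acct["password_set"]
            # A missing password date is treated as "never rotated".
            if pw_set is None or today - pw_set > MAX_PASSWORD_AGE:
                severity = "HIGH" if acct["privileged"] else "MEDIUM"
                findings.append((user, severity, "password older than policy"))
            last = acct["last_login"]
            if last is None or today - last > MAX_INACTIVITY:
                findings.append((user, "MEDIUM", "inactive but still enabled"))
        if acct["shared"] and acct["privileged"]:
            findings.append((user, "HIGH", "shared privileged account"))
    return findings


def count_by_severity(findings):
    """Summarise findings as {severity: count} for a quick report header."""
    counts = {}
    for _, severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(load_accounts(SAMPLE_EXPORT))
    print("summary:", count_by_severity(results))
    for user, severity, finding in results:
        print(f"{severity:6} {user:14} {finding}")
```

Run against the constructed export, the script flags the long-unrotated privileged account (the condition behind the case study), the separated user whose account was never disabled, the shared privileged help-desk login, and the idle vendor integration account, while the account that was properly disabled at separation produces no finding. Feeding it a real export is a matter of mapping the export's columns onto the fields in `load_accounts` and adjusting the two thresholds to the organization's own policy.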