Revisiting the Insider Threat

In a previous post, I commented on the insider threat as an area often overlooked, particularly in smaller enterprises. Two variations of the insider threat were discussed: (1) the insider out for financial gain, and (2) those intent on settling a score. Reading various news articles this morning, it occurred to me that there is a third variation which is much more passive and insidious.

Sophisticated hackers these days are less focused on attacking the perimeter of organizations since many larger organizations have invested in effective security measures. Instead of battering away at the corporate gates, criminals are focusing on individuals and those individuals just happen to be a company’s insiders. If we leverage the analogy comparing this passive insider threat to the world of microbiology, our insiders would be carriers since they may not necessarily be outwardly trying to do the business harm, yet they carry the malware which infects the enterprise and subsequently can cause harm.

The sophisticated attackers are targeting our users because they represent the low hanging fruit of opportunity:

  • Up to three quarters of vulnerabilities exist in user systems and often, these are not patched on a timely basis which renders then easily vulnerable to know exploits.
  • Approximately a third of our users will lose their devices in any given year.
  • There exists a generational gap where younger workers are more trusting, apt to share their devices, and have different views on privacy than older workers.

There are also differences between larger enterprises and the smaller businesses. Small businesses frequently have less to invest in security and hence become targets for criminals seeking a path into the larger organizations.

While traditional, static perimeter defenses are still necessary, the real perimeter is increasingly at the user level and an adaptive defense posture is necessary where each user essentially has a customized policy. A four pronged approach should be deployed at the user level including:

  1. Mobile Device Management (MDM) – Employees are increasingly bringing more “things” into the corporate network and the proliferation of tablets and smartphones is just the start of it. Recently, it was reported that the next version of Google Glass will be focused on the business market! While ownership of the devices remains with the employee, MDM applies the appropriate levels of controls to the demarcation of user vs. corporate data and applications.
  2. Network Access Control (NAC) – Mobility means that devices come and go as well as connect in many different places. The business has no way of initially knowing what, if any malware has been acquired by employees when their devices were connected elsewhere. NAC, when implemented correctly, assesses the situation whenever a mobile devise comes back to the corporate network and determines what level of access will be allowed. In cases where malware is found, access can be restricted to a very basic level until the issue has been resolved by the IT and/or security teams.
  3. Data Leakage Prevention (DLP) – DLP can require significant upfront effort to configure although once effectively implemented, can help prevent sensitive company data from being leaked or stolen. Combined with MDM and NAC, adding DLP implements an effective trifecta of adaptive controls around the user perimeter.
  4. Lastly, as discussed in a prior post, implementing egress filtering is important for any organization, regardless of how large or small. There simply is no reason, short of laziness, to permit all traffic to traverse outbound unless it is necessary.

Have questions? Not sure where to start? Contact us for a free assessment.


Leave a Reply