Wednesday, 6 September 2017

TechRepublic/Scott Matteson: 10 tips for reducing insider security

10 tips for reducing insider security threats

Insider threats can pose greater risks to company data than those associated with external attacks. Here are some techniques to help you spot and mitigate them as quickly as possible.

By Scott Matteson | September 4, 2017, 7:00 AM PST


A report recently released by the Institute for Critical Infrastructure Technology pointed out that most cybersecurity incidents (both intentional and accidental) are the result of some action by insiders.

Earlier this year, I covered some ways to reduce insider security risks. As a follow-up, I want to look at further strategies that can help system administrators quickly detect and reduce insider risk — a critical requirement given that some insider security breaches go undetected for weeks, months or years.

Here are 10 more tips to reduce insider threats:
1. Establish a security incident and response team

Even if it consists of one individual, a dedicated team is essential to security success. This team should be responsible for preventing, detecting and handling incidents and have documented plans and procedures for each. Providing the team, as well as general IT staff, with security training to keep up on the latest tactics and threats is also a key factor in identifying insider threats as quickly as possible.
2. Use temporary accounts

Set up third-party employees such as contractors or interns with temporary accounts which expire on a certain date, tied to the end of their contract or project. This will ensure the accounts are inaccessible after the individual departs. You can always extend their account expiration if needed.

3. Conduct frequent audits to look for unused accounts and disable or remove them if possible.

A simple use of the "dsquery" command on a Windows Active Directory Domain Controller can do the trick.

Let's say you have a domain called company.com and you want to check for accounts not used in the past 12 weeks. Type:

dsquery user dc=company,dc=com -inactive 12

You can check a specific OU by prefixing it to the above command. For instance, if user accounts are kept in the CompanyUsers OU, you would enter:

dsquery user ou=CompanyUsers,dc=company,dc=com -inactive 12

You can also redirect the output to a text file (the ">>" below appends to it) if you want to refer to it later or document your actions:

dsquery user ou=CompanyUsers,dc=company,dc=com -inactive 12 >> c:\inactive.txt
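The next step after the audit is deciding which of the listed accounts to disable. As an added example that is not part of the article, the Python script below reads the c:\inactive.txt output from the dsquery command above, keeps service and break-glass accounts that are idle by design out of the bulk action, and emits dsmod commands for a human to review before running them. The sample lines are constructed, and the exempt list is an assumption you would maintain yourself.

```python
import re

# Constructed sample of what `dsquery user ... -inactive 12 >> c:\inactive.txt`
# leaves behind: one quoted distinguished name per line.
SAMPLE_DSQUERY_OUTPUT = '''"CN=Jane Doe,OU=CompanyUsers,DC=company,DC=com"
"CN=svc-backup,OU=CompanyUsers,DC=company,DC=com"
"CN=Intern Smith,OU=CompanyUsers,DC=company,DC=com"
"CN=Bob Jones,OU=CompanyUsers,DC=company,DC=com"
'''

# Accounts that are legitimately idle (service and break-glass accounts) and must
# never be bulk-disabled; assumption: the security team reviews this list regularly.
EXEMPT_CN = {"svc-backup"}

DN_RE = re.compile(r'^"?CN=([^,]+),')

def parse_dsquery(text):
    """Return (cn, dn) pairs from dsquery's output; fail loudly on anything else."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DN_RE.match(line)
        if not m:
            raise ValueError(f"unexpected dsquery line: {line!r}")
        found.append((m.group(1), line.strip('"')))
    return found

def triage(text, exempt=EXEMPT_CN):
    """Split inactive accounts into DNs to disable and DNs that are exempt."""
    to_disable, skipped = [], []
    for cn, dn in parse_dsquery(text):
        (skipped if cn in exempt else to_disable).append(dn)
    return to_disable, skipped

def disable_commands(dns):
    """Build dsmod commands that disable (not delete) the accounts, so a wrongly
    flagged user can be restored; print them for sign-off rather than executing."""
    return [f'dsmod user "{dn}" -disabled yes' for dn in dns]

if __name__ == "__main__":
    to_disable, skipped = triage(SAMPLE_DSQUERY_OUTPUT)
    print("# exempt, left alone:", *skipped, sep="\n#   ")
    print(*disable_commands(to_disable), sep="\n")
```

Disabling rather than deleting keeps the SID and group memberships intact, so a false positive costs one re-enable instead of a rebuild.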

4. Follow employee termination principles carefully

Remove access and disable accounts as soon as possible when staff departs. HR and employee managers should be in direct contact with IT when employees leave or there is a plan for them to do so. Many financial companies alert IT staff in advance of planned terminations so the former employee's access can literally be shut off as they are being walked out the door.
5. Identify unhappy employees

Disgruntled employees may be more likely to become insider threats out of a desire for revenge, a plan to steal data and sell it to competitors, or simple greed combined with a lack of respect for the organization. Not only should these employees be monitored, but you should also make an effort to alleviate the source of their unhappiness, if possible, to improve the situation.
6. Use two-factor authentication

Often described as "something you have and something you know," the most common example is an RSA token which displays a rotating numeric authentication code. Users need to type a password or PIN followed by this ever-changing code to gain access to a system, so anyone who obtains either the password or the token (but not both, obviously) will be blocked at the gate, as it were.
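The following is an added example, not code from the article: a small Python check that implements the PIN-plus-rotating-code login described above. The RSA SecurID code algorithm is proprietary, so the open RFC 6238 TOTP scheme stands in for it here; the enrolment values (the RFC test secret, PIN 1234) are constructed.

```python
import hashlib, hmac, os, struct, time

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time code for one counter value."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)

def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based code: the counter is the number of 30-second steps elapsed."""
    return hotp(secret, int(at_time) // step, digits)

def hash_pin(pin: str, salt: bytes) -> bytes:
    """Store the 'something you know' only as a salted PBKDF2 hash."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)

def verify_login(submitted: str, pin_hash: bytes, salt: bytes, token_secret: bytes,
                 at_time: int, step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept only PIN + current code, the way the token scheme above works.
    The code is checked over +/- `window` steps to tolerate token clock drift."""
    if len(submitted) <= digits:          # code alone, or PIN alone, cannot pass
        return False
    pin, code = submitted[:-digits], submitted[-digits:]
    counter = int(at_time) // step
    pin_ok = hmac.compare_digest(hash_pin(pin, salt), pin_hash)
    code_ok = any(hmac.compare_digest(hotp(token_secret, counter + d, digits), code)
                  for d in range(-window, window + 1))
    return pin_ok and code_ok             # evaluate both factors; one is never enough

if __name__ == "__main__":
    # Constructed enrolment: the RFC 6238 test secret and a PIN of 1234.
    secret, salt = b"12345678901234567890", os.urandom(16)
    pin_hash, now = hash_pin("1234", salt), int(time.time())
    print("code this step:", totp(secret, now))
    print("login ok:", verify_login("1234" + totp(secret, now), pin_hash, salt, secret, now))
    print("code without PIN:", verify_login(totp(secret, now), pin_hash, salt, secret, now))
```

A production verifier would also remember the last counter accepted for each user so the same code cannot be replayed within the window.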

7. Use encryption of confidential data either in motion or at rest.

This one is straightforward: encrypt data using whatever software or hardware technology fits the bill, and apply it both while the data is stored and while it travels over a network. That way, if someone captures traffic, steals a hard drive from a server, or gets their hands on a backup tape, they won't be able to get to the data involved.
8. Consider third-party products

One type of product which can help is an identity access management solution, which can help manage the provisioning and de-provisioning of identities, access, and privileges, and assist in managing the authentication and authorization of individual users within or across system and enterprise boundaries.

Data loss prevention and user activity monitoring are also referenced in the ICIT report as two more key solutions to help reduce insider risks.

Speaking from experience, a product like Tripwire can also be a godsend here. Tripwire monitors systems and notifies you when any element on them changes, such as a password file, a confidential spreadsheet, or an SSH key. Now, many files can and do change each day, so the signal-to-noise ratio may be low at first, but once you have established baseline patterns of activity you should be able to separate normal activity from abnormal activity and detect suspicious behavior.
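To show what a Tripwire-style baseline-and-compare loop does underneath, here is an added Python example (not Tripwire's code, nor the article's) that fingerprints a set of files, ignores a file that is expected to change all day, and reports what changed. The file names and contents are a constructed scenario built in a temporary directory.

```python
import hashlib, os, stat, tempfile

def file_fingerprint(path):
    """SHA-256 of the content plus the metadata integrity monitors also watch."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode), "size": st.st_size}

def build_baseline(root, names, ignore=()):
    """Snapshot the named files under root, skipping files that legitimately change
    all day (logs, spool files): that is the 'normal activity' filtered out up front."""
    return {n: file_fingerprint(os.path.join(root, n)) for n in names
            if n not in ignore and os.path.isfile(os.path.join(root, n))}

def compare(baseline, current):
    """Report files added, removed or modified, and which attributes changed."""
    report = {"added": sorted(current.keys() - baseline.keys()),
              "removed": sorted(baseline.keys() - current.keys()), "modified": {}}
    for n in baseline.keys() & current.keys():
        diff = [k for k in baseline[n] if baseline[n][k] != current[n][k]]
        if diff:
            report["modified"][n] = diff
    return report

def write(root, name, text, mode="w"):
    with open(os.path.join(root, name), mode) as f:
        f.write(text)

def demo():
    """Constructed scenario: baseline three files, then append a uid-0 entry to the
    password file, let the ignored log grow, and drop in a new key file."""
    with tempfile.TemporaryDirectory() as d:
        watched, ignore = ["shadow", "id_ed25519", "app.log"], {"app.log"}
        for n in watched:
            write(d, n, "original\n")
        baseline = build_baseline(d, watched, ignore)
        write(d, "shadow", "unexpected:x:0:0::/root:/bin/sh\n", "a")   # tampering
        write(d, "app.log", "INFO routine line\n", "a")                 # normal growth
        write(d, "authorized_keys", "ssh-ed25519 AAAA...constructed\n")  # new file
        current = build_baseline(d, watched + ["authorized_keys"], ignore)
        return compare(baseline, current)
```

In a real deployment the baseline itself must be stored where the monitored host cannot rewrite it, or an insider with local admin rights can simply re-baseline after the change.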
9. Don't forget to guard your perimeter.

Remember the movie When a Stranger Calls? That was the film whereby a babysitter kept receiving threatening phone calls and had the police trace them, then was told, "We've traced the call...it's coming from inside the house!" You might argue that this was the ultimate insider threat, but keep in mind the villain had to have gotten in somehow. Don't assume you have to only guard the interior of your network; focus your security initiatives and efforts upon all external-facing devices as well.
10. Consider investments in products and staff more than just "insurance"

This is really more of a mindset than an action item, but it's worth discussing. Too many execs seem to think security products are just mindless insurance they have to pay for or else something bad might happen. That's the wrong approach and can lead to grumbling over budgets. Certainly we don't view police officers as a drain on a town budget, especially when we need their help.

Many of the techniques and products I've discussed can do more than just provide security. Splunk, for instance, can send alerts regarding all kinds of system issues such as failed hardware or exceeded capacity thresholds. Good security practices can reduce scrutiny (or penalties) from auditors for certain institutions. And it's important to keep in mind that spending a little (or a lot) on security can help prevent much larger costs down the road, such as lost revenue in the wake of a publicly humiliating data breach.
About Scott Matteson

Scott Matteson is a senior systems administrator and freelance technical writer who also performs consulting work for small organizations. He resides in the Greater Boston area with his wife and three children.