Best Practices for Mitigating Insider Threats
By Veriato - August 21, 2017
The Software Engineering Group (SEI) at Carnegie Mellon has a highly regarded report called Common Sense Guide to Mitigating Insider Threats that outlines a number of best practices for dealing with insider threats. Here we highlight 5 of the 19 practices that we believe can have a significant positive impact on your ability to secure against the insider threat
Practice 1: Consider Insider Threats in Enterprise-Wide Risk Assessments
It is important to evaluate how to deal with insider threats within the context of an enterprise-wide risk assessment. This includes conducting employee background checks, understanding what critical assets are on the network and where they are located, determining which of those assets should be protected, and knowing who has access to them now and in the future. All too often, inadvertent access to an important asset is the source of vulnerability. In addition, consider having employees sign non-disclosure agreements, place controls over what can or cannot be printed from a network drive, and avoid direct connections to trusted business partners. It is also important when hiring new employees to train them on how to handle sensitive corporate information. For example, a company acceptable-use policy should stipulate that it is not all right to transfer documents to a personal device. In addition to a strong corporate policy, an organization needs proper monitoring tools in place to catch these offenders.
Practice 2: Enterprise Risk – Know Your Assets
When determining enterprise risk, it is important to know which assets require protection. This step can include, but is not limited to, identifying where the devices with critical data are located in a building, a distributed network or the cloud, then noting all the individuals who have access to the devices and the individuals' credentials. This inventory should include all devices connected to the network, such as printers, scanners, network-attached storage and mobile devices. Next, inventory all the sensitive data types that are processed daily, such as employee records, customer lists, current suppliers, and intellectual property. It is also important to identify IT assets that could harm the company should they be compromised in any way. Once these steps have been completed, put a mechanism in place to regularly audit and review the inventory, and loop senior management and data owners into the process.
Practice 3: Beware of Disgruntled Employees
Employee disgruntlement can be a catalyst when it comes to insider compromises and IT sabotage. Disgruntlement can be attributed to a number of factors, but the most common include:
- Insufficient salary increase or bonus
- Limitations on use of company resources
- Diminished authority or responsibilities
- Perception of unfair work requirements
- Feeling of being treated poorly by co-workers
When an employee is identified as having one of these factors, treat them as though an incident is inevitable and begin authorized and appropriate monitoring. While many organizations have an insider incident plan in place, more times than not, they do not include processes for dealing with a disgruntled employee. In an SEI report, Spotlight On: Insider Theft of Intellectual Property Inside the United States Involving Foreign Governments or Organizations, researchers revealed most employees who steal intellectual property commit the theft within 30 days before or after leaving the organization. When sufficient levels of technical and behavioral monitoring tools are in place, it becomes a lot easier to discover such potential threats.
Practice 4: Parting is Such Sweet Sorrow
Every organization should have a comprehensive employee termination policy. It may seem odd to address a topic that normally falls under human resources’ purview, but in the case of a disgruntled employee, there is a 30-day exit period that requires vigilant monitoring. Organizations must assume that at least 50 percent of their employees are going to try to take information with them when they leave. To protect against this type of insider treat, look for signs of employee flight risk, such as employee disengagement, and then deploy the appropriate tools to keep a closer eye on the employee. Go back to the employee lifecycle and review the corporate policy, which should have included rules about acceptable network behavior and been signed by the employee. In the event an employee is tagged with a 30-day risk window, immediately bring the corporate policy to the employee’s attention, begin appropriate and approved asset tracking, and proceed with an off-boarding process that respects both the employee and the need to protect the company. This last stage would be a good time to remind the affected employee of the corporate policy they agreed to and signed at their date of hire.
Practice 5: The Extended Team – Planning and Response
Insider threats are influenced by a combination of technical, behavioral and organizational issues; they must be addressed by policies, procedures and technologies; and they require a coordinated response by a wide range of organizational staff. Staff should include representatives from management, HR, legal, IT, information assurance, those responsible for the building’s physical security and executives who own the data. As a group, this executive body should ask themselves, “What would happen if an insider breached our data?” And as they answer that question as a group, they should determine what role they would play in the event of a real-world scenario. For example, an organization cannot just take an employee’s computer without HR and/or legal authorization. This simple exercise helps to flesh out holes in the plan that could ultimately become stumbling blocks. Legal is a great ally for this exercise because it knows many of the liability issues that may arise during incident-response policy planning.
Quick tip: Evidence Handling
Evidence gathered by internal tools that points to an insider breach can be used in court, but that evidence must be appropriately gathered and maintained. This requires a chain of custody, particularly if evidence moves from entity to entity. For example, if an email is used as evidence, all of the detail associated with it - its position in the log, a copy of the log and a copy of the original email - must be maintained and preserved. Next, that evidence needs to be put on a disk that is placed in a secure physical location, such as a locked safe. If somebody needs the disk, give them a copy; never hand over the original. If an organization is going to terminate an employee and take that person to court, all data and evidence must be handled consistently.
Putting it altogether
In summary, to best detect and deter insider threats, organizations need to identify potential threats before they become true threats. This requires that organizations have the proper behavioral analysis and monitoring tools and an incident response plan in place.