INSIDER THREAT PREVENTION: ONGOING, NOT STATIC
Cybersecurity threats come both from the outside world and from inside a business. While surveying firewall traffic and reading Twitter threads for threat intel, do not forget to implement safeguards against the criminals who may be lurking within your own organization.
On October 21, 2020, the Manhattan District Attorney’s Office announced criminal charges against a former human resources systems administrator at Century 21’s Manhattan department store. The former employee, charged with Attempted Grand Larceny in the Second Degree, Computer Tampering in the Third Degree, Computer Trespass, and Petit Larceny, had worked as a systems administrator and manager, which gave him access to the company’s data management and timekeeping system. Before voluntarily resigning, he stole and altered other employees’ data and created an unauthorized “superuser” account on the company’s network, giving him unfettered access to the network after his resignation.
On October 23, 2020, Amazon sent a message to several of its customers advising that it had terminated an employee who violated company policy by sharing customer names and email addresses with an unauthorized third party. Fortunately, Amazon told @Threatpost that its internal controls flagged the suspicious activity, which triggered an internal investigation. Law enforcement is now investigating the matter.
Sadly, most insider threat matters go unnoticed and unremedied. This is understandable. Neither executives nor their employees enjoy a climate of suspicion and mistrust, and toxic workplaces bleed talent, often straight to competitors. However, there are mechanisms to minimize insider threats without creating daily reminders to “TRUST NO ONE!”
Using HIPAA, the Gramm-Leach-Bliley Act, and the New York SHIELD Act as basic guides, consider starting with three basic safeguards, one physical, one administrative, and one technical, to combat insider threats:
1. Begin with Physical Security on Premises: Depending upon the particular nature of a business, you may have a server room, data center, paper records room, safe, vault, or even just an area where you keep expensive equipment. Hire a professional security team to install simple key card access for sensitive areas and restrict entry, issuing badges only to those whose role requires access, such as chief operations officers, IT directors, and office managers. The key card system will also log every entry to sensitive areas. Cameras should be added as well, both to corroborate the badge logs and to defeat claims that “someone stole my key card.” Ancillary benefits of key card access are that less equipment goes missing (loaner laptops, MiFi devices, tablets) and that employers can use the same logs for internal investigations unrelated to cybersecurity, such as an employee accused of “stealing time.”
2. Employee Termination/Resignation Protocols: Every time an employee is about to be terminated or gives notice of resignation, their credentials must be inventoried, monitored, and then revoked. For terminations, employees often sense the impending decision and can take adverse actions on the network. Therefore, as adverse administrative actions occur against a problematic employee, audit logging of that employee’s sessions and network activity should be enabled (and, where policy and local law permit, keystroke logging). On the morning of termination, the IT department must be notified so that it can disable the employee’s credentials and all other access at the same time. For employees who give notice of resignation, it is advisable to decline the two-week transition period if the business can afford to. If the customary two weeks is necessary to train a replacement or hand over work, set the employee’s accounts to expire at the end of that period and log and monitor their activity closely during (not after) those two weeks. Disabling the password alone is not enough: revoke VPN certificates, SSH keys, API tokens, and active sessions; rotate any shared or service-account passwords the person knew; and review accounts and access rules created in the weeks before departure, since a hidden “superuser” account of the kind in the Century 21 case above survives the deletion of the employee’s own login. Failure to cut off former and soon-to-be-former employees from the network leads to data theft, intellectual property theft, and even payroll fraud.
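As an added example, not code from the article, here is the kind of monitoring item 2 calls for: a small Python script that runs over sshd-style authentication log lines and a roster of departed and departing employees, flagging any activity by terminated accounts, logins after a notice-period account’s expiry date, and off-hours or external logins during the notice period. The roster, the log lines, the office-hours window, the internal address range and the function names are all assumptions constructed for this example.

```python
"""Flag logins by departed or departing employees in an sshd auth log.

Added example, not code from the original article. The roster, the log
lines, the office-hours window and the internal address range below are
constructed test data; parse_auth_line and audit_departures are this
example's own names.
"""
import re
from datetime import date, datetime, time

# Constructed roster: who has given notice (and the expiry date set on the
# account), who has already been terminated, and who is still active.
ROSTER = {
    "jdoe": {"status": "notice", "expires": date(2020, 11, 6)},
    "rsmith": {"status": "terminated", "expires": date(2020, 10, 21)},
    "alee": {"status": "active", "expires": None},
}

# Constructed syslog-style sshd lines (syslog omits the year, so it is
# passed in separately).
SAMPLE_LOG = """\
Oct 28 09:12:01 fileserver sshd[4412]: Accepted publickey for alee from 10.1.4.20 port 50211 ssh2
Oct 28 10:03:44 fileserver sshd[4519]: Accepted password for jdoe from 10.1.4.31 port 50388 ssh2
Oct 29 23:41:10 fileserver sshd[5102]: Accepted password for jdoe from 203.0.113.7 port 41122 ssh2
Oct 30 08:15:22 fileserver sshd[5230]: Failed password for rsmith from 198.51.100.9 port 33012 ssh2
Nov 02 07:55:09 hrdb sshd[1881]: Accepted publickey for rsmith from 198.51.100.9 port 33101 ssh2
Nov 09 09:00:00 hrdb sshd[2044]: Accepted password for jdoe from 10.1.4.31 port 50400 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>[\d.]+)"
)

OFFICE_HOURS = (time(7, 0), time(19, 0))  # constructed policy window
INTERNAL_NET = "10.1."                    # constructed office address range


def parse_auth_line(line, year):
    """Return a dict for one sshd auth line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "ip": m["ip"]}


def audit_departures(log_text, roster, year):
    """Return a list of (severity, user, reason, log_line) findings."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_auth_line(line, year)
        if ev is None:
            continue
        entry = roster.get(ev["user"])
        if entry is None or entry["status"] == "active":
            continue
        when = ev["ts"]
        if entry["status"] == "terminated":
            # Any attempt after termination, successful or not, is an
            # incident: the credential should no longer exist at all.
            sev = "CRITICAL" if ev["result"] == "Accepted" else "HIGH"
            findings.append((sev, ev["user"], "activity after termination", line))
        elif entry["status"] == "notice":
            if when.date() > entry["expires"]:
                # The account should have expired; a login means it did not.
                findings.append((
                    "CRITICAL", ev["user"], "login after account expiry", line))
                continue
            reasons = []
            if not (OFFICE_HOURS[0] <= when.time() <= OFFICE_HOURS[1]):
                reasons.append("off-hours")
            if not ev["ip"].startswith(INTERNAL_NET):
                reasons.append("external address")
            if reasons:
                findings.append((
                    "REVIEW", ev["user"],
                    "notice period: " + ", ".join(reasons), line))
    return findings


if __name__ == "__main__":
    for sev, user, reason, line in audit_departures(SAMPLE_LOG, ROSTER, 2020):
        print(f"{sev:8} {user:8} {reason}: {line}")
```

Run against the constructed data, the script produces four findings: a review item for the departing employee’s late-night login from an outside address, a failed and then a successful login by the terminated account (the successful one is the real incident), and a login by the departing employee three days after the account should have expired. In production the same logic belongs in the SIEM rule set, fed by the HR roster rather than a hard-coded dictionary.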
3. Employee Administrator Controls: The difference between a business that is fully disabled by malware and one that simply has to re-image a few computers is often a question of who had administrator privileges. Well-designed networks come in many different forms, but most share a common feature: extremely limited administrator credentials. Restrict administrator credentials to the small set of staff whose job actually requires them (the Chief Security Officer, Chief Technology Officer, Chief Information Officer, Chief Information Security Officer, and their designated deputies) and do NOT grant them to any other employee, especially other C-suite executives, whose seniority is not a technical need. Even those administrators should keep a separate, non-privileged account for email and web browsing and use the privileged one only for administration. If every employee has administrator credentials and one employee is phished, an entire network will likely have to be rebuilt. If only a highly trained CISO and a handful of administrators hold administrative rights and a junior manager is phished, only that junior manager’s computer may have to be re-imaged. For insider threats, the same restriction prevents rogue employees from installing inappropriate or malware-laced software, intentionally or unintentionally, that can damage an entire network and business.
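An added example, not from the article, of how to check item 3 on a Unix host: a Python script that reads /etc/passwd and /etc/group contents, lists every account with administrator-level access (UID 0, or membership in the sudo or wheel group), and reports any that are not on an approved allowlist. The file contents, group names, account names and allowlist below are assumptions constructed for the example; the constructed data includes both an over-privileged executive and an extra UID-0 account of the kind created in the Century 21 case.

```python
"""Audit administrator rights on a Unix host against an approved allowlist.

Added example, not code from the original article. PASSWD, GROUP,
ADMIN_GROUPS and APPROVED_ADMINS are constructed test data; the function
names are this example's own.
"""

# Constructed /etc/passwd. Note the second UID-0 account 'svc_backup':
# a hidden "superuser" that does not show up in any group listing.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ciso:x:1001:1001:CISO:/home/ciso:/bin/bash
itadmin:x:1002:1002:IT admin:/home/itadmin:/bin/bash
cfo:x:1003:1003:CFO:/home/cfo:/bin/bash
jmgr:x:1004:1004:junior manager:/home/jmgr:/bin/bash
svc_backup:x:0:0:backup:/var/backups:/bin/bash
"""

# Constructed /etc/group. The CFO is in sudo and a junior manager in wheel.
GROUP = """\
root:x:0:
sudo:x:27:ciso,itadmin,cfo
wheel:x:10:jmgr
users:x:100:ciso,itadmin,cfo,jmgr
"""

ADMIN_GROUPS = {"sudo", "wheel"}                # groups that grant admin rights
APPROVED_ADMINS = {"root", "ciso", "itadmin"}   # the allowlist


def parse_passwd(text):
    """Map account name -> numeric UID from passwd-format text."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        users[fields[0]] = int(fields[2])
    return users


def parse_group(text):
    """Map group name -> set of member names from group-format text."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, _, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def find_admins(passwd_text, group_text, admin_groups=ADMIN_GROUPS):
    """Return {account: set of reasons} for every account with admin-level access."""
    admins = {}
    for user, uid in parse_passwd(passwd_text).items():
        if uid == 0:
            admins.setdefault(user, set()).add("uid 0")
    for group, members in parse_group(group_text).items():
        if group in admin_groups:
            for member in members:
                admins.setdefault(member, set()).add(f"member of {group}")
    return admins


def unauthorized_admins(passwd_text, group_text, approved=APPROVED_ADMINS):
    """Subset of find_admins() that is not on the approved allowlist."""
    return {user: reasons
            for user, reasons in find_admins(passwd_text, group_text).items()
            if user not in approved}


if __name__ == "__main__":
    for user, reasons in sorted(unauthorized_admins(PASSWD, GROUP).items()):
        print(f"UNAUTHORIZED ADMIN {user}: {', '.join(sorted(reasons))}")
```

On the constructed data this reports cfo (sudo), jmgr (wheel) and svc_backup (UID 0). On a real host, feed it the contents of the actual files and extend the check to /etc/sudoers and /etc/sudoers.d, which grant privileges outside group membership; the Windows equivalents are the local Administrators group and Domain Admins. Run it on a schedule and treat any new entry, like any new UID-0 account, as an incident until explained.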