Risk Management, Insider Threats and Security Leaders in the Age of COVID-19
An insider threat is a security risk that originates from within an organization. According to the Department of Homeland Security, insider threats often result in the theft or destruction of data or the compromise of networks, communications or other information technology resources.
Insider threats are on the rise, according to a study from The Ponemon Institute, sponsored by ObserveIT and IBM. The number of insider-caused cybersecurity incidents has increased by 47 percent since 2018. The average annual cost of insider threats has also skyrocketed in only two years, rising 31 percent to $11.45 million.
As COVID-19 has forced organizations to suddenly halt operations or institute work-from-home initiatives, there is greater opportunity for security incidents and greater data security responsibility with less direct oversight. Remote work poses its own challenges for enterprise risk managers, as well, such as addressing evolving vulnerabilities and threats unique to new environments. One area that will need to be monitored now more than ever is that of the insider threat, argue many enterprise security leaders.
How can enterprise security mitigate the insider threat right now and in the next months? Security Magazine spoke to many security professionals to obtain some insight on this matter.
Steve Durbin, managing director of the Information Security Forum, a London, U.K.-based authority on cyber, information security and risk management:
“The insider threat is one of the greatest drivers of security risks that organizations will face as a malicious insider utilizes credentials to gain access to a given organization’s critical assets. This is especially true with COVID-19 and employees who are currently working from home. Many organizations are challenged to detect internal, nefarious acts, regularly due to limited access controls and the ability to detect unusual activity once someone is already inside their network.
Risk management and security leaders need to manage the delicate issue of the insider threat during a time when many employees have concerns, need support and require protection. Employees subject to new working arrangements may well react maliciously due to limited hours, lowered compensation, reduced promotion opportunities, and even expectations of redundancy. These concerns at work can be compounded by increased levels of stress outside of the work environment due to worries about the health of their families, livelihood and uncertainty about the future. Under these conditions, employees might become resentful or disgruntled towards the organization, resulting in occurrences of information leakage and theft of intellectual property.
I anticipate that this trend will continue as the volume of information insiders can access, store and transmit continues to soar – and mobile working for multiple employers becomes the status quo.”
Rick Holland, Chief Information Security Officer, Vice President Strategy at Digital Shadows, a San Francisco, Calif.-based provider of digital risk protection solutions:
“The most significant complication in addressing the insider threat in a COVID-19 remote workforce world is that the security controls designed to monitor and capture activity may not be as capable as they were in the traditional on-premises world. Employees may be connecting from new devices and new networks where the security controls aren't on par.
Organizations should conduct an insider threat risk assessment on their critical business functions that could be leveraged by an insider to conduct fraud. How do employees connect to the applications that are in scope? What types of devices are the employees now using? What security controls are in place to capture activity and alert upon suspicious behavior?
In the pre-pandemic world, identifying Shadow IT was easier; outbound web traffic would often be used to identify services procured outside of the IT department. Now that traffic is being routed through ISPs like AT&T and Spectrum. Organizations should work with accounting departments to identify Shadow IT expenses. Once identified, these services and applications should be incorporated into Single Sign-On solutions with Multi-Factor Authentication (MFA) enabled.
When it comes to identifying insider threats, it is all about visibility. The adage "logs or it didn't happen" is applicable. Companies must ensure that the tools for monitoring the remote workforce are effectively deployed.”
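The expense-ledger approach Holland describes can be scripted. The Python below is an added example, not code from Digital Shadows or from this article: it reads a constructed card-statement export (hypothetical columns `date,employee,merchant,amount`), normalizes the merchant strings that card processors produce, treats any merchant charged in two or more distinct months as a subscription, and reports those that are missing from a constructed inventory of applications already behind SSO and MFA. The vendor names, employees and amounts are all made up.

```python
"""Shadow IT from expense records, checked against the SSO app inventory.

Added example: reads a card/expense export, groups charges by a normalized
merchant name, treats merchants charged in two or more distinct months as
subscriptions, and reports those not yet behind SSO + MFA.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed sample export with hypothetical columns (not real data).
EXPENSES_CSV = """\
date,employee,merchant,amount
2020-02-03,jsmith,DROPBOX*BUSINESS,150.00
2020-03-03,jsmith,DROPBOX*BUSINESS,150.00
2020-04-03,jsmith,DROPBOX*BUSINESS,150.00
2020-03-11,mlee,ZOOM.US 888-799-9666,14.99
2020-04-11,mlee,ZOOM.US 888-799-9666,14.99
2020-03-15,akhan,AMZN Mktp US,42.17
2020-04-02,tnguyen,Notion Labs Inc,8.00
2020-05-20,akhan,Notion Labs Inc,8.00
"""

# Constructed inventory of applications already integrated with SSO and MFA,
# keyed by the same normalized name that normalize_merchant() produces.
SSO_APPS = {"zoom", "salesforce", "office365"}


def normalize_merchant(raw):
    """Reduce a card-statement merchant string to a comparable vendor key.

    Card processors append product codes, store numbers and phone numbers
    ("DROPBOX*BUSINESS", "ZOOM.US 888-799-9666"); strip those plus common
    corporate suffixes so every charge for one vendor groups together.
    """
    name = raw.lower()
    name = re.split(r"[*#]| \d{3}-", name)[0]                  # cut at "*CODE" or " 888-..."
    name = re.sub(r"\b(inc|llc|ltd|labs|com|us)\b", "", name)  # drop suffixes / TLDs
    return re.sub(r"[^a-z]", "", name)                          # keep letters only


def find_shadow_it(csv_text, sso_apps, min_months=2):
    """Return recurring vendors that are not in the SSO inventory, largest spend first."""
    charges = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        charges[normalize_merchant(row["merchant"])].append(row)

    findings = []
    for vendor, rows in charges.items():
        months = {r["date"][:7] for r in rows}   # "YYYY-MM" of each charge
        if len(months) < min_months:
            continue                             # one-off purchase, not a subscription
        if vendor in sso_apps:
            continue                             # already behind SSO + MFA
        findings.append({
            "vendor": vendor,
            "months": sorted(months),
            "employees": sorted({r["employee"] for r in rows}),
            "total": round(sum(float(r["amount"]) for r in rows), 2),
        })
    return sorted(findings, key=lambda f: -f["total"])


if __name__ == "__main__":
    for f in find_shadow_it(EXPENSES_CSV, SSO_APPS):
        print(f"{f['vendor']:<12} ${f['total']:>8.2f}  months={len(f['months'])}  "
              f"users={','.join(f['employees'])}")
```

On the constructed data this reports Dropbox (one employee, three months) and Notion (two employees, two months) and stays silent on Zoom, which is already in the SSO set, and on the one-off Amazon purchase. The normalization is deliberately crude; in practice the SSO inventory and the expense export will use different spellings, so review the grouped merchant keys before acting on the list.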
Joseph Carson, Chief Security Scientist and Advisory Chief Information Security Officer at Thycotic, a Washington D.C. based provider of privileged access management (PAM) solutions:
“Global employees have gone to the office over the past few weeks, packed up their laptop, put it in the trunk of their car and taken it home to their unsecure home office so they can continue to work remotely. This has significantly increased insider threats from employees taking risks with company assets, such as stealing sensitive data for personal use or gain, as employers have less visibility into what employees are doing or accessing. As more employees work remotely, they have taken company devices that may have been very dependent on network security such as email gateways, web gateways, intrusion detection systems or firewalls to protect those devices. Now, most of those protections are pretty much useless when the devices have been moved to the public internet. Sensitive data, along with privileged access on those systems, are more exposed than ever before, making new targets for cybercriminals to take advantage of unsuspecting victims’ trust or curiosity.
Organizations can reduce the risks by removing overprivileged users, such as local administrators or power users on systems, before they get moved to unsecure home networks, thus reducing the risk of those privileged accounts getting compromised. Using the principle of least privilege will allow employees to continue doing their job and staying productive while reducing the risks of abusing privileges. Combining both the Principle of Least Privilege with Privileged Access Management (PAM) will allow a company to not only reduce the threats from insider abuse, but also have better auditing on who is using which privilege and for what. Monitoring privileges reduces the risks of employees abusing their permissions and access.
As employees have moved outside the company perimeter and firewall, the criticality of Identity and Access Management (IAM) combined with Privileged Access Management will help organizations maintain a full audit trail. Once an audit trail makes it difficult to hide an employee’s tracks, they will have less motive for abusing privileges as they are unable to get away with the crime. Sometimes accountability and auditability are enough to force an employee into not committing any criminal activity rather than detecting it.”
Matt Gayford, Principal Consultant at the Crypsis Group, a McLean, Va.-based incident response, risk management and digital forensics firm:
“Many companies were forced to quickly adapt amid the COVID-19 pandemic, and one of the primary challenges they needed to address was allowing employees to work remotely. To keep business operations running continuously, organizations may rely on technology that is the easiest to use and offers the lowest barrier to entry. The number one remote work tool for Windows platforms is, of course, Remote Desktop Protocol (RDP).
While RDP allows employees to quickly and natively access their organization’s resources, it is not without risk – not just from outside threat actors, but from insider threats as well. One of the features of RDP is that it enables a remote user to copy and paste to and from the remote and local machine. A user could remotely connect to a computer in their organization and simply copy files from the remote machine to their home machine. The problem is that there is no logging for these types of activities, and there are very few resulting forensic artifacts. This is a serious problem, since the act of copying and pasting is so natural; it allows for data exfiltration without any additional tools.
The potential for insider threat attacks has grown significantly during the pandemic. This is largely because many organizations do not have a mature remote work policy. There is no silver bullet to prevent insider threats, but organizations can employ defense in depth to provide the best security posture possible. Organizations should implement controls at each step in the remote work process, starting from the connection. VPN solutions using Multi-factor Authentication (MFA) should be used to protect the point of access. If a company opens RDP to the public without any controls in front of it, they are setting themselves up for failure. MFA used in combination with a VPN can help protect the account from a brute-force or credential reuse attack.
Many companies enforce security policy checks when connecting via VPN, and that helps protect the network from the remote user’s computer. Think of it as a mini security audit that takes place every time an employee connects to the VPN. The remote user’s computer is scanned for security patches, vulnerabilities, and any running software that might be malicious. If the computer does not meet the security requirements, the connection is refused.
In addition to implementing MFA, it is very important to limit remote access to only users who need it. Many organizations may be in a situation where all workers are currently remote and require access, but IT should regularly audit their user accounts to limit access where possible. Another safeguard is implementing geoblocking to refuse logon attempts from countries where employees do not normally connect from. This should not only apply to the remote connection, but to files, servers, and other assets in the organization. If an employee does not need access to critical data, their account permissions should reflect that.
Activity logging should be a priority for organizations going remote, but it is critical that the logs are monitored and reviewed; otherwise, you’ll only know about an insider threat after the fact. The log data should not only be analyzed from an IT perspective, but from a behavioral perspective as well. Inspecting network traffic for signs of large volumes of data being copied or suspicious applications and protocols in use is a good indicator that something atypical is occurring. The number of connections an employee makes in a day can also be telling. Is an employee suddenly connecting to the network at off-hours and accessing sensitive data? Those activities call for a deeper review.
Organizations need to be proactive in assessing the impact of remote work on their IT infrastructure. Early identification of accounts, permissions, sensitive data locations, and the controls in use goes a long way in determining the impact going remote will have on an organization. Continuous monitoring and adding controls where necessary can prevent insider threats before they begin.”
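Gayford's review questions (logons from countries staff do not connect from, off-hours sessions, unusually large transfers) can be turned into a first-pass check over remote-access logs. The Python below is an added example, not code from the Crypsis Group or from this article. The line format of the gateway log, the allowed-country list, the business-hours window and the volume thresholds are all assumptions, and the sample lines are constructed. Each VPN or RDP session record is one line; sessions are scored per user against that user's own median outbound volume, so a single large copy stands out for a light user even when the same byte count would be routine for a heavy one.

```python
"""First-pass behavioral review of remote-access session logs.

Added example: parses one session record per line from a hypothetical
VPN/RDP gateway log and flags, per user, logons from unexpected countries,
off-hours sessions and outbound volumes far above that user's own median.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumed line format (hypothetical gateway export, timestamps in UTC):
#   <ISO-8601 timestamp> <vpn|rdp> user=<id> src=<ip> country=<CC> bytes_out=<n>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>vpn|rdp) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"country=(?P<country>[A-Z]{2}) bytes_out=(?P<bytes_out>\d+)$"
)

# Constructed sample sessions (not real data). bob's 02:45 RDP session sends ~2.1 GB.
SAMPLE_LOG = """\
2020-04-06T08:55:12Z vpn user=alice src=203.0.113.10 country=US bytes_out=41200000
2020-04-06T09:02:31Z rdp user=alice src=203.0.113.10 country=US bytes_out=12000000
2020-04-07T09:14:02Z vpn user=alice src=203.0.113.10 country=US bytes_out=38000000
2020-04-06T10:15:00Z vpn user=bob src=198.51.100.7 country=US bytes_out=35000000
2020-04-07T02:41:55Z vpn user=bob src=198.51.100.7 country=US bytes_out=40000000
2020-04-07T02:45:09Z rdp user=bob src=198.51.100.7 country=US bytes_out=2100000000
2020-04-07T11:20:44Z vpn user=carol src=192.0.2.200 country=RO bytes_out=9000000
"""

ALLOWED_COUNTRIES = {"US", "CA"}   # assumption: where staff normally connect from
BUSINESS_HOURS = range(6, 21)      # assumption: 06:00-20:59 in the log's timezone
VOLUME_RATIO = 10                  # flag sessions above 10x the user's median ...
VOLUME_FLOOR = 500_000_000         # ... but only from 500 MB up, so tiny baselines do not alert


def parse_sessions(log_text):
    """Turn matching log lines into dicts; lines in another format are skipped."""
    sessions = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        sessions.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "kind": d["kind"], "user": d["user"], "src": d["src"],
            "country": d["country"], "bytes_out": int(d["bytes_out"]),
        })
    return sessions


def review_sessions(log_text):
    """Return {user: [finding, ...]} for every user with at least one flagged session."""
    by_user = defaultdict(list)
    for s in parse_sessions(log_text):
        by_user[s["user"]].append(s)

    findings = defaultdict(list)
    for user, sessions in by_user.items():
        # Baseline is the user's own median, so a heavy user is not flagged for
        # normal volume while a light user is flagged for a single large copy.
        baseline = median([s["bytes_out"] for s in sessions])
        for s in sessions:
            stamp = s["ts"].strftime("%Y-%m-%d %H:%M")
            if s["country"] not in ALLOWED_COUNTRIES:
                findings[user].append(
                    f"{stamp} {s['kind']} logon from {s['country']} ({s['src']}), "
                    "outside the allowed countries")
            if s["ts"].hour not in BUSINESS_HOURS:
                findings[user].append(f"{stamp} {s['kind']} session outside business hours")
            if s["bytes_out"] >= VOLUME_FLOOR and s["bytes_out"] > VOLUME_RATIO * baseline:
                findings[user].append(
                    f"{stamp} {s['kind']} sent {s['bytes_out'] / 1e6:.0f} MB, "
                    f"{s['bytes_out'] / baseline:.1f}x this user's median")
    return dict(findings)


if __name__ == "__main__":
    for user, items in review_sessions(SAMPLE_LOG).items():
        print(user)
        for item in items:
            print("  -", item)
```

On the constructed lines, alice produces no findings, bob gets two off-hours findings plus one volume finding for the 2.1 GB RDP session, and carol is flagged once for the logon from RO. Two caveats before using something like this on real data: convert timestamps to each user's local timezone rather than comparing UTC against one window, and remember that the byte counter at the VPN or RDP gateway is often the only place a clipboard copy is visible at all, since (as the quote notes) the copy leaves few artifacts on the host. Where clipboard and drive redirection are not needed for the job, disabling them server-side through the Terminal Services policy settings (the `fDisableClip` and `fDisableCdm` values under `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services`) removes that exfiltration path instead of relying on detecting it.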