A recent survey by Homeland Security Today found that 88% of the companies questioned recognise insider threats as a cause for alarm but have difficulty identifying specific threatening actions by insiders.
How to mitigate the insider threat within your company?
Often the reason for not being able to identify the threatening actions is that we can't recognise the insider, the threat or the possible damage.
What is an insider threat?
An insider could be someone who has authorized access to an organization's facilities, data, information systems and networks:
- Trusted Business Partner
- Maintenance Personnel
We normally think of the insider as being an employee, but as the list shows an insider could be anybody with a link to your business.
Insider Threat Actions could intentionally or unintentionally compromise an organization's security, affect the confidentiality, integrity and availability of an organization's data, information systems and networks, and degrade an organization's ability to accomplish its mission or business function.
Again, we tend to think of the insider threat as malicious; this is not necessarily correct. Often the threat is caused by accident, perhaps a file copied and forwarded to the wrong person via email, or an insecure link to a server. There is the possibility (especially when using domain accounts) of connecting to ESNBENSERVER1 instead of ESNBESSERVER1 and opening up a link or deleting a file.
Insider Threat Damages can include, but are not limited to, espionage, criminal enterprise, unauthorized disclosure of information (Sensitive Information, Intellectual Property and Trade Secrets), Information Technology Sabotage, violation of laws, or any other activity resulting in the loss or degradation of an organization's resources or capabilities.
How do we address these threats and help secure our data?
With the Wallix AdminBastion we offer the ability to restrict connections to authorised personnel only. By removing the domain admin user accounts we reduce the possibility of unauthorised users being able to connect and jump from server to server.
The WAB provides a granular access point that is logged on to via a local user; the user is authenticated via username and password, or 2FA using X.509 certificates. The user is then given access only to authorised devices, for which he or she does not know the password. This removes the need for individual local accounts or accounts added via Active Directory / LDAP. It also removes the ability for a user to connect directly to a device, or to piggyback from one device to another in order to bypass the WAB.
The ex-employee threat is also reduced, as there is only one point of administration. On termination a user's account can be disabled or removed from the WAB; this removes the necessity of auditing all devices and servers, which is vital if the employee had access to customer networks.
Timelines can be put in place for IT contractors; this ensures that the account is automatically disabled at the end of the contract, and if the contract is extended the WAB administrator can simply extend the timeline. Timelines can also be put in place for regular employees, e.g. Monday to Friday 09:00 – 17:30; this ensures that an employee who only works during the working week would not have access to files out of hours.
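As an added illustration (not Wallix code, and not the WAB's actual policy engine), here is a small Python model of the access decision described above: the user logs on to the bastion, the bastion checks target authorisation, the account timeline and the permitted weekday/hour window, then opens the session using a vaulted credential the user never sees, and writes an audit line for every attempt, denied ones included. Users, hosts, secrets and the expiry date are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Tuple

@dataclass(frozen=True)
class Authorization:
    targets: frozenset                    # devices this user may reach through the bastion
    expires: Optional[datetime] = None    # contract end ("timeline"); None = permanent staff
    weekdays: frozenset = frozenset(range(7))   # Monday=0 ... Sunday=6
    hours: Tuple[str, str] = ("00:00", "23:59") # inclusive HH:MM window, bastion local time

# Constructed sample data: hypothetical users, hosts and vaulted secrets.
VAULT = {"fileserver1": "vaulted-secret-A", "db1": "vaulted-secret-B"}
AUTHZ = {
    "alice": Authorization(frozenset({"fileserver1"}),
                           weekdays=frozenset(range(5)), hours=("09:00", "17:30")),
    "bob_contractor": Authorization(frozenset({"db1"}),
                                    expires=datetime(2024, 6, 30, 23, 59)),
}

def decide(user: str, target: str, when: str) -> Tuple[bool, str]:
    """Bastion access decision at ISO timestamp `when`; returns (allowed, reason)."""
    now = datetime.fromisoformat(when)
    auth = AUTHZ.get(user)
    if auth is None:
        return False, "unknown user"
    if target not in auth.targets:
        return False, "target not authorised for user"
    if auth.expires is not None and now > auth.expires:
        return False, "account timeline expired"
    if now.weekday() not in auth.weekdays:
        return False, "outside permitted weekdays"
    start, end = auth.hours
    if not start <= now.strftime("%H:%M") <= end:
        return False, "outside permitted hours"
    return True, "allowed"

def open_session(user: str, target: str, when: str):
    """Open a proxied session (or refuse) and return (session, audit_line)."""
    allowed, reason = decide(user, target, when)
    verdict = "ALLOW" if allowed else "DENY"
    # Written for every attempt, denied ones included: this is the record a SIEM ingests.
    audit = f"{when} user={user} target={target} result={verdict} reason={reason!r}"
    if not allowed:
        return None, audit
    # The bastion fetches the vaulted password and logs in itself; the handle
    # returned to the user never carries the secret.
    _password_used_by_bastion = VAULT[target]
    session = {"user": user, "target": target, "opened_at": when, "recorded": True}
    return session, audit
```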
Session recordings can also be used as evidence when troubleshooting or in forensic investigations; session data and system logs can help improve existing SIEM infrastructures by filling in the blanks and providing data beyond the standard event logs provided by most servers.
All this can only help to protect you, your employees and your customers.