A large percentage of cybersecurity resources are spent on identifying and mitigating external threats. But a malicious insider can cause the same, if not more, damage to your organization.
This article explains what insider threats are, looks at insider threat examples, and discusses ways to prevent them.
According to the National Institute of Standards and Technology (NIST), an insider threat can be defined as "An entity with authorized access (i.e., within the security domain) that has the potential to harm an information system or enterprise through destruction, disclosure, modification of data, and/or denial of service." These insiders can be current or ex-employees, consultants, vendors, or other third parties who have knowledge of or access to the organization's systems.
Insider threats are difficult to detect and, if left unchecked, can cause a lot of damage. Here are three examples where malicious insiders have wreaked havoc in organizations.
It took the FBI seven years to uncover the fraudulence of Jean Patrice Delia and his partner, Miguel Sernas, a former employee of General Electrics (GE). These former users downloaded thousands of files including GE's trade secret to calibrate turbines used in power plants. They also convinced the IT administrator to grant them privileged access to GE's files.
Following this, they started their own company using the stolen intellectual property and competed with GE in calibrating turbines. This resulted in GE losing many bids. Once GE discovered that their lower-priced competitor was a former employee, they alerted the FBI. Delia and Sernas were convicted in 2020 and were ordered to pay $1.4 million in restitution to GE.
The issue here was that GE's cybersecurity systems did not trigger an alert when the insiders downloaded a number of large files all at once.
A former software engineer of Amazon Web Services (AWS), a software cloud application used by Capital One, took advantage of a vulnerability to hack into accounts and credit card applications of more than one million Capital One customers. She knew how to navigate the infrastructure and discovered a misconfigured web application firewall and used it to query and obtain the credentials stored in an AWS Simple Storage Service bucket.
Interestingly, the perpetrator who carried out the attack was found to have disclosed her hacking methods to colleagues using their chat service. She also posted her attack techniques on GitHub under her real name.
Capital One reported that this breach cost the bank $150 million.
In 2019, Tesla filed a lawsuit against Martin Tripp, who reportedly exported several gigabytes of data including thousands of photographs and videos of Tesla's manufacturing systems.
He created false usernames to make direct changes to Tesla's Manufacturing System's source code and also managed to export large amounts of highly confidential data to anonymous third parties.
Monitoring user activity goes a long way in preventing insider attacks. User and entity behavioral analytics solutions help do this by continuously monitoring user and entity activities, creating a baseline of typical behavior for each, and immediately alerting the security team when a user or entity performs any activity that deviates from the baseline.
Closely monitoring the behavior of employees can help with recognizing any unusual behavior or activity. Using a SIEM solution that periodically monitors user behavior can help you by instantly alerting when large amounts of files are being downloaded.
When using shadow IT solutions, employees may have access to data that they are not supposed to have access to. Avoid shadow IT by periodically monitoring user behavior and controlling remote access to employees. Intrusion detection systems (IDSs) and an intrusion prevention systems (IPSs) help you achieve this. Ensure that former employee accounts are terminated and that they do not have remote access to any of the organization's systems.
Deploying a SIEM solution with an IDS and IPS can help fend off attacks, as these systems typically use a database for signature recognition and can be programmed to recognize attacks based on traffic and behavioral anomalies.
Most insider threats are due to complacency and lack of awareness. For example, negligent employees could send an email with sensitive information to the wrong person, email company data to themselves to work on over the weekend, or fall victim to a phishing attack. Conduct awareness training programs periodically to ensure that employees do not unintentionally turn into insider threats.
Check out Log360, a unified SIEM solution with integrated DLP and CASB capabilities for investigating, detecting, and responding to security threats.
You will receive regular updates on the latest news on cybersecurity.
© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.