Insider Threats – CompTIA Network+ N10-006 – 3.2

Some of our largest security concerns aren’t necessarily on the outside of your network. In this video, you’ll learn about the scope of insider threats.

If you were to look through the access and permissions that people have on your network, you may be surprised at what you see. We tend to give people a lot more access than they really need. Generally we do that to avoid any type of security issue or permissions problem when people are trying to use the applications they rely on from day to day. Unfortunately, that means we often don’t apply the concept of least privilege, which says that we should only give people access to exactly the information they need, and no more.

It’s so easy to give people extra rights and permissions to avoid any type of support issue down the line. Sometimes you’ll walk into an organization and everyone is an administrator, because it was just easier to give everyone administrator access. This effectively provides everybody with access to all of your data, and it certainly opens you up to some type of insider threat. We spend a lot of time creating security controls around our network.

We’ve also created a number of security controls around our physical buildings as well. Normally when you walk into an office building, there’s a receptionist, and that person will determine whether you’re able to go into the building or not. Sometimes it’s a security guard or somebody whose job it is to check whether you are allowed into the building. Once you get inside the building, you have a lot more control than somebody who might be outside of it. And that’s why insider threats are always going to be your largest concern: once people are inside, most of those controls no longer apply to them.

Many organizations have some very specific policies and procedures. If you’re not at your desk, all of your documents should be off your desk and locked away. And when you leave at the end of the day, everything should be locked away. Some organizations have very tight security requirements, especially if you’re dealing with financial information, health care information, or some other sensitive data. If someone on the inside were to gain access to that data and then use it in some way, or give it to someone outside of your organization, it can create a number of significant problems.

It would certainly harm the reputation of your organization and make you less trustworthy to your customers. The systems that you’re using would also be disrupted while you’re trying to determine where the information came from, how someone got their hands on this data, and where the data went after it left your organization, and that can certainly create some problems for your normal processes. And of course, this information might be company confidential. It might contain someone’s personal, private information, and that opens up a whole other level of response that has to be taken when this type of insider threat makes that information available to the world.

So how bad is this idea of insider threats? Is it really something that we need to be concerned about? Well, in 2014 there was a US State of Cybercrime Survey done by CERT, the Computer Emergency Response Team at Carnegie Mellon. You can find a copy of this at the URL here. This study found that 28% of the attacks were caused by insiders.

We spend so much time worrying about someone from the outside attacking our network, and in reality, over a quarter of these incidents happened on the inside. 32% said the insider attack was more damaging than if it had come from the outside. So how do you handle this situation? Interestingly enough, in this same survey 75% of these incidents were handled without any specific legal action. The organizations took care of it internally.

It did not become a public event. And this is probably why you don’t hear about so many of these in the news: organizations will immediately handle it privately rather than take it into the public legal realm. This is also why a lot of organizations constantly audit the rights and permissions given to their users, to make sure that nobody has access to information they would not normally need, and to avoid the problems that occur because of these insider threats.
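The least-privilege review described above (comparing what each account has been granted against what its role actually needs, and spotting the "everyone is an administrator" pattern) can be automated. The following is an added example, not code from the video or from Professor Messer; the role names, right names and account list are constructed sample data, and the `domain:admin` right stands in for whatever your directory calls its broad administrative group.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample (assumption): the rights each job role legitimately needs.
ROLE_NEEDS: Dict[str, Set[str]] = {
    "accounting": {"finance_share:read", "finance_share:write"},
    "helpdesk": {"ticket_db:read", "ticket_db:write", "workstation:local_admin"},
    "sales": {"crm:read", "crm:write"},
}

# Constructed sample (assumption): what each account has been granted today.
ACCOUNTS: List[Dict] = [
    {"user": "alice", "role": "accounting",
     "rights": {"finance_share:read", "finance_share:write", "domain:admin"}},
    {"user": "bob", "role": "helpdesk",
     "rights": {"ticket_db:read", "ticket_db:write", "workstation:local_admin"}},
    {"user": "carol", "role": "sales",
     "rights": {"crm:read", "crm:write", "finance_share:read", "domain:admin"}},
    {"user": "dave", "role": "sales",
     "rights": {"crm:read", "domain:admin"}},
]


def excess_rights(account: Dict, role_needs: Dict[str, Set[str]] = ROLE_NEEDS) -> List[str]:
    """Rights an account holds beyond what its role requires (least-privilege gap)."""
    needed = role_needs.get(account["role"], set())
    return sorted(account["rights"] - needed)


def audit(accounts: List[Dict] = ACCOUNTS,
          role_needs: Dict[str, Set[str]] = ROLE_NEEDS,
          admin_right: str = "domain:admin") -> Tuple[Dict[str, List[str]], float]:
    """Return over-provisioned accounts with their excess rights, and the
    fraction of all accounts holding the administrative right."""
    findings = {a["user"]: excess_rights(a, role_needs) for a in accounts}
    findings = {user: extra for user, extra in findings.items() if extra}
    admins = sum(1 for a in accounts if admin_right in a["rights"])
    return findings, admins / len(accounts)


if __name__ == "__main__":
    over_provisioned, admin_share = audit()
    for user, extra in over_provisioned.items():
        print(f"{user}: remove {', '.join(extra)}")
    print(f"{admin_share:.0%} of accounts hold {'domain:admin'}")
```

Run against a real export, the `findings` list is the review queue for removing unneeded rights, and a high `admin_share` is the signal that administrator access has been handed out for convenience.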