Managing Cyber Security Threats from Inside

onlinetech

Note: The following article is part of a shared content agreement between Online Tech and InfoSec Institute. This post is by Tom Olzak, a security researcher for the InfoSec Institute and an IT professional with over 27 years of experience in programming.

In addition to the excellent points Olzak makes about managing insider threats, Online Tech suggests creating an environment of education in the workplace and stresses leadership must be willing to surface areas of concern with all employees.

The number of annual security incidents caused by insider threats is increasing. In The CERT Guide to Insider Threats, Cappelli et al. write, “Insider threats are an intriguing and complex problem. Some assert that they are the most significant threat faced by organizations today.”

Disgruntled system administrators damage data and systems, skilled professionals steal intellectual property, and less skilled employees use information to achieve political or financial objectives. Any of these can constitute a critical national defense breach or breach of public trust.

To stop damage or theft before it is completed, an organization must hold every employee responsible for detecting and reporting both behavioral and technical evidence that a colleague may be defecting from policy and compliance. Technical controls complement this by monitoring suspected offenders, and the network as a whole, for evidence of criminal behavior.

Behavior Monitoring

In a 2008 article I wrote for CBS Interactive/TechRepublic, I listed employee characteristics that warn of potential defection from organizational and social policy and norms, including

  • Appearing intoxicated at the office
  • Actual or threatened use of force or violence
  • Pattern of disregard for rules and regulations
  • Attempts to enlist others in illegal or questionable activity
  • Pattern of lying and deception of co-workers or supervisors
  • Argumentative or insulting behavior toward work associates
  • Attempts to circumvent or defeat security or auditing systems

In general, any negative change in an employee’s behavior is concerning. Further, actions taken by management can trigger a borderline defector to cross into criminal behavior. For example, an already disgruntled employee might feel justified in stealing and selling intellectual property after being passed over for promotion. Any potential problem employees are candidates for additional monitoring.

Terminating an employee is one way to deal with a potential problem. However, we often value employees who are simply going through rough personal times. Further, termination without prior efforts to resolve issues can result in litigation. It is often better to remediate than quickly terminate.

First, we should ensure all employees understand organizational policies regarding use of information resources and workplace behavior. Second, any policy violation should result in quick response by management. The response should match the level of the offense. Further, every employee, without exception, should understand the consequences of defection.

Finally, problem employees often do not engage in inappropriate behavior in front of management. This means we must train employees, as well as managers, to detect suspect behavior and report it. Since many employees would rather not become personally involved, an anonymous tip line is a possible solution. For example, a large organization for which I worked had a toll-free number any employee could call to report policy violations or any other concern or complaint. Weekly, a compliance committee met to go over all reports, and there were many. Anything that appeared critical did not wait for the weekly meeting but was handled immediately.

Technical Monitoring

While behavior monitoring can alert us to many incidents, it often fails when dealing with network and server administrators who go rogue. In addition, we can easily miss behavior signals when an employee does her best to hide them. When behavior monitoring fails or is insufficient, technical monitoring should fill the gap.

Non-administrators

For non-administrators, we control how much information an employee can access (and what he can do with it) by enforcing need-to-know, least privilege, and separation of duties. Organizations enforce all three by properly managed authorization policies and processes.

The first two are closely related. Need-to-know restricts the information a user can access only to that required for daily task completion. Least privilege controls what a person can do with the information accessed. For example, need-to-know might allow me to see electronic information classified as top secret, but least privilege would prevent me from changing or deleting it unless my role in the organization requires it. Together, they strictly limit insider threat damage.

Separation of duties, when properly implemented, prevents any one person from performing all tasks associated with a critical process. If in place and working, separation of duties prevents a software developer from creating malware and placing it in a production environment. In other words, developers should not be able to place their work into production systems.
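The three controls above can be expressed as a single authorization check. The following is an added example, not code from the article or from Online Tech or InfoSec Institute; the roles, clearance levels and the "developer may not touch production" rule are assumptions chosen to match the scenarios in the text.

```python
# Added example (not from the article): a minimal authorization check that
# models need-to-know, least privilege and separation of duties together.
from dataclasses import dataclass

# Need-to-know: a user may read only documents at or below their clearance.
CLEARANCE_RANK = {"public": 0, "internal": 1, "confidential": 2, "top_secret": 3}

# Least privilege: what each (assumed) role may do with information it can read.
ROLE_ACTIONS = {
    "analyst": {"read"},
    "records_manager": {"read", "modify", "delete"},
    "developer": {"read", "modify"},
    "release_manager": {"read", "deploy"},
}

# Separation of duties: roles that may never act on production artifacts,
# so the person who writes code cannot also place it into production.
PROD_EXCLUDED_ROLES = {"developer"}

@dataclass(frozen=True)
class User:
    name: str
    role: str
    clearance: str

@dataclass(frozen=True)
class Document:
    doc_id: str
    classification: str
    environment: str  # "development" or "production"

def authorize(user, doc, action):
    """Return (allowed, reason) for `user` performing `action` on `doc`."""
    # 1. Need-to-know: clearance must cover the document's classification.
    if CLEARANCE_RANK[user.clearance] < CLEARANCE_RANK[doc.classification]:
        return False, "need-to-know: clearance too low"
    # 2. Least privilege: the role must permit the requested action.
    if action not in ROLE_ACTIONS.get(user.role, set()):
        return False, f"least privilege: role '{user.role}' may not '{action}'"
    # 3. Separation of duties: excluded roles never act on production.
    if doc.environment == "production" and user.role in PROD_EXCLUDED_ROLES:
        return False, "separation of duties: role excluded from production"
    return True, "allowed"
```

The article's own example maps directly: an analyst cleared for top secret can read a top-secret record but is refused when trying to delete it, and a developer who may modify code in development is refused the same action in production.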

Finally, organizations must control the movement of sensitive information: directly, through means such as data rights management, or, where that is not possible, indirectly. One of the most effective indirect monitoring methods is NetFlow analysis. NetFlow, emerging as the IPFIX standard, collects network traffic flow information at various points across the network. Flow information gathered and aggregated on an analysis and management server provides insight into anomalous traffic. If, for example, an employee decides to copy a large number of documents to an Internet location, NetFlow statistics would alert security to unusual behavior at one or more points on the network. This near-real-time identification of suspicious activity on the network enables quick and effective response: stopping the document transfer or mitigating its effects on the organization.

In addition to NetFlow, security information and event management (SIEM) provides further information about anomalous server or network behavior. SIEM solutions gather logs from various devices and systems, aggregating them into a correlation server. An event correlation application then mines the aggregated logs for unusual patterns, or for patterns known to be associated with malicious behavior. Questionable activity is reported to security via email, SMS, or a Web portal.
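The document-transfer scenario above comes down to aggregating flow records per internal host and comparing outbound volume against a baseline. The following is an added example, not code from the article; the flow records, the internal address ranges, the per-host baselines and the alert thresholds are all constructed for illustration.

```python
# Added example (not from the article): aggregate constructed NetFlow-style
# records per internal source host and flag anomalous outbound volume.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal address space; everything else counts as "the Internet".
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL)

# Constructed flow records: (src, dst, dst_port, bytes). Real exports also
# carry timestamps, protocol and packet counts, which are omitted here.
FLOWS = [
    ("10.0.5.23", "10.0.1.10", 445, 120_000),        # internal file share, ignored
    ("10.0.5.23", "203.0.113.8", 443, 900_000_000),  # large upload to the Internet
    ("10.0.5.23", "203.0.113.8", 443, 650_000_000),
    ("10.0.7.41", "198.51.100.5", 443, 4_000_000),   # normal browsing volume
    ("10.0.7.41", "198.51.100.9", 80, 1_500_000),
]

# Constructed per-host baseline: typical daily outbound bytes to external hosts.
BASELINE = {"10.0.5.23": 25_000_000, "10.0.7.41": 30_000_000}

def outbound_bytes(flows):
    """Sum bytes sent from internal hosts to external destinations."""
    totals = defaultdict(int)
    for src, dst, _port, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
    return dict(totals)

def flag_anomalies(totals, baseline, factor=10, floor=100_000_000):
    """Flag hosts whose outbound volume is both >= factor x baseline and >= floor.

    The absolute floor keeps a quiet host from alerting on a few megabytes;
    the ratio keeps a normally busy host from alerting on its usual traffic.
    """
    alerts = []
    for host, sent in totals.items():
        base = baseline.get(host, 0)
        if sent >= floor and sent >= factor * base:
            alerts.append({"host": host, "bytes": sent, "baseline": base,
                           "ratio": round(sent / base, 1) if base else None})
    return alerts
```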

Finally, employment termination and job change processes must include immediate revocation of all rights and privileges to previously accessed information resources. During a job change, removing all access and then granting access for the new role is a good approach. Failure to adequately perform these tasks is a significant cause of insider incidents… especially those caused by administrators.

Administrators

While the previous controls also apply to malicious activity by administrators, on their own they tend to fall short. Administrators can alter logs or create backdoor accounts for use after hours or post termination. Monitoring and separation of duties can help eliminate these vulnerabilities.

Administrator monitoring must extend to changes applied to special-purpose files, log files being one example. Operating systems or other third-party solutions can track changes to logs, including who made the change and when. Security teams can identify unplanned changes and respond appropriately. This also applies to other files that might contain critical system management information and to applications in the production environment.

In addition to file changes, any creation of a privileged account should raise a warning. For example, one security team ran a script every morning to determine if any accounts had been added to any Windows Active Directory administrator group. If so, the addition was reviewed against change management documentation to ensure it was approved. Any questionable account was removed and the offending employee was reported to his manager. A periodic audit of all privileged accounts, whether disabled or active, is another good way of identifying possible rogue IDs.
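The morning check described above amounts to diffing today's privileged-group membership against yesterday's and looking up each addition in change-management records. The following is an added example, not the script the article mentions; the group snapshots and the change ticket are constructed, and in practice the snapshots would come from a daily directory export.

```python
# Added example (not from the article): compare today's privileged-group
# membership against yesterday's snapshot and approved change tickets.
# Group names follow common Windows Active Directory conventions; the
# members and tickets are constructed for illustration.
YESTERDAY = {
    "Domain Admins": {"alice", "bob"},
    "Enterprise Admins": {"alice"},
}
TODAY = {
    "Domain Admins": {"alice", "bob", "carol"},
    "Enterprise Admins": {"alice", "svc_backup"},
}
# Constructed change-management records: (ticket, group, account).
APPROVED_CHANGES = [("CHG-0001", "Domain Admins", "carol")]

def privileged_group_diff(before, after):
    """Return {group: {"added": set, "removed": set}} for groups that changed."""
    diff = {}
    for group in set(before) | set(after):
        added = after.get(group, set()) - before.get(group, set())
        removed = before.get(group, set()) - after.get(group, set())
        if added or removed:
            diff[group] = {"added": added, "removed": removed}
    return diff

def unapproved_additions(diff, approved):
    """List (group, account) additions that have no matching change ticket.

    Removals are reported in the diff but not flagged here: an unexpected
    removal of an admin is a change-management issue, not a rogue account.
    """
    approved_pairs = {(group, account) for _ticket, group, account in approved}
    findings = []
    for group, change in sorted(diff.items()):
        for account in sorted(change["added"]):
            if (group, account) not in approved_pairs:
                findings.append((group, account))
    return findings
```

Each finding is a candidate rogue ID to be removed and reported, exactly as the article describes; running the same diff against a full list of privileged accounts, active or disabled, covers the periodic audit as well.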

Sharing of administrator passwords also requires special attention. Each time a shared admin account is used, log it. Each time an administrator leaves the organization, change all shared passwords. If your budget allows, consider implementing a privileged password management solution that logs who checks out shared account passwords and changes the passwords after use.

Insider threats are real, and they will eventually cause an incident in every organization. Proper preparation, training, and vigilance can prevent or mitigate related negative consequences.
