20% of cybersecurity incidents and 15% of data attacks are reported to originate within the company itself, motivated by financial gain or entertainment. Verizon has identified 5 profiles of employees who become threats, and 11 measures for an internal threat control program.
Companies generally treat internal threats as a taboo subject. These attacks, which exploit access privileges to systems and internal data, are often not discovered until months or years after they occur. Companies are often reluctant to identify, report or take action against the employees who have become a threat, yet the impact can be considerable. This is shown by the Verizon DBIR 2018 reports (Data Breach Investigations Reports), published on March 5, 2019.
FIVE CRITICAL PERSONALITIES
THE CAREFREE WORKER
An employee or partner who diverts resources, violates acceptable use policies, handles data carelessly, installs unauthorized applications and uses unauthorized workarounds. Their actions are inappropriate rather than malicious. Many of these practices fall under shadow IT: tools and workarounds that the IT department and management never authorized.
THE UNDERCOVER AGENT
An insider recruited, solicited or bribed by external parties to extract data.
THE DISGRUNTLED EMPLOYEE
An employee who seeks to harm the company by destroying data or disrupting operations.
THE MALICIOUS INTERNAL AGENT
An employee or partner who has access to company resources and uses those privileges to obtain information for personal gain.
THE IRRESPONSIBLE THIRD PARTY
A business partner who compromises security through negligence, abuse, malicious access or misuse of a resource.
ELEVEN MEASURES TO COMBAT INTERNAL THREATS EFFECTIVELY
The aim is to reduce risk and improve incident response.
1- INTEGRATE SECURITY STRATEGIES AND POLICIES
Integrate security strategies and policies so that the fight against internal threats is more effective, cohesive and consistent.
2- HUNT FOR THREATS
Companies need to refine their threat-hunting capabilities (monitoring, dark web monitoring, behavioural analysis, EDR solutions for endpoint detection and response) in order to search for, monitor and investigate suspicious users and their account activity both inside and outside the company.
3- PERFORM VULNERABILITY ANALYSES AND INTRUSION TESTS
Use vulnerability assessments and penetration tests to identify weaknesses in the security strategy, including the paths an internal attack could take.
4- IMPLEMENT STAFF SECURITY MEASURES
Human resources controls (such as an employee termination process), security access principles and security awareness training can reduce the number of cybersecurity incidents associated with unauthorized access to company systems.
5- USE PHYSICAL SECURITY PRINCIPLES
Companies can use physical access controls, such as identity badges, security doors and guards, to limit both physical and digital access, together with magnetic cards, motion detectors and cameras to monitor, alert on and record the different forms of access and activity.
6- IMPLEMENT NETWORK SECURITY SOLUTIONS
Perimeter and network segmentation security solutions, such as firewalls, intrusion detection/prevention systems, gateways and data loss prevention tools, detect, collect and analyze suspicious traffic that may be associated with internal attack activity. They highlight unusual out-of-hours activity, outbound traffic volumes and the use of remote connections.
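The three signals named above (out-of-hours activity, unusual outbound volume and remote connections) are simple enough to check in code. The following is an added example, not code from the Verizon report or this article: it parses constructed connection-log lines and returns, per user, which of the three signals fired, so that an analyst can prioritise accounts that trip several at once. The log format, the user names, the business-hours window and the volume threshold are all assumptions.

```python
"""Added example (not from the Verizon report or the article): flag the three
insider-related network signals -- out-of-hours activity, unusual outbound data
volume and remote (VPN) connections -- over constructed connection-log lines.
The log format, user names and thresholds are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one event per line:
# "<ISO timestamp> <user> <src> <dst> <bytes_out> <channel>"
SAMPLE_LOG = """\
2019-03-04T09:12:05 alice 10.1.2.10 10.1.9.5 120000 lan
2019-03-04T10:40:11 bob 10.1.2.11 10.1.9.5 95000 lan
2019-03-04T23:17:42 bob 203.0.113.7 10.1.9.8 850000000 vpn
2019-03-05T02:03:19 bob 203.0.113.7 10.1.9.8 920000000 vpn
2019-03-05T11:20:00 carol 10.1.2.12 10.1.9.5 300000 lan
2019-03-05T14:45:30 alice 198.51.100.4 10.1.9.5 200000 vpn
"""

BUSINESS_HOURS = range(8, 19)          # 08:00-18:59 counts as in-hours (assumption)
VOLUME_THRESHOLD_BYTES = 500_000_000   # per-user daily outbound ceiling (assumption)


def parse_log(text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst, nbytes, channel = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user, "src": src, "dst": dst,
            "bytes_out": int(nbytes), "channel": channel,
        })
    return events


def out_of_hours(events):
    """Events whose hour falls outside the business-hours window."""
    return [e for e in events if e["ts"].hour not in BUSINESS_HOURS]


def remote_connections(events):
    """Events that arrived over the remote-access channel."""
    return [e for e in events if e["channel"] == "vpn"]


def daily_outbound_volume(events):
    """Sum outbound bytes per (user, calendar day)."""
    totals = defaultdict(int)
    for e in events:
        totals[(e["user"], e["ts"].date().isoformat())] += e["bytes_out"]
    return dict(totals)


def excessive_volume(events, threshold=VOLUME_THRESHOLD_BYTES):
    """(user, day) pairs whose outbound total exceeds the threshold."""
    return {k: v for k, v in daily_outbound_volume(events).items() if v > threshold}


def insider_signals(text):
    """Map each user to the sorted list of signals they triggered.

    Users with no signal are omitted, so the result is a short review list."""
    events = parse_log(text)
    signals = defaultdict(set)
    for e in out_of_hours(events):
        signals[e["user"]].add("out_of_hours")
    for e in remote_connections(events):
        signals[e["user"]].add("remote_connection")
    for (user, _day) in excessive_volume(events):
        signals[user].add("excessive_outbound_volume")
    return {u: sorted(s) for u, s in signals.items()}


if __name__ == "__main__":
    for user, flags in sorted(insider_signals(SAMPLE_LOG).items()):
        print(f"{user}: {', '.join(flags)}")
```

On the constructed log, bob trips all three signals (two large VPN transfers at night) while alice only shows a daytime VPN session; a single signal such as a remote connection is normal for many staff, which is why the result groups signals per user rather than raising one alert per matching line.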
7- USE ENDPOINT SECURITY SOLUTIONS
For example, inventories of critical resources, removable media policies, encryption, and file integrity monitoring tools that deter, monitor, track, collect and analyze user activity.
8- APPLY DATA SECURITY MEASURES
Data ownership, classification, protection and disposal measures manage the data life cycle and ensure confidentiality, integrity and availability with internal threats in mind.
9- BETTER MANAGE IDENTITY AND ACCESS
By using identity management, access control and authentication measures, the company can limit and protect internal access. These measures can be strengthened by adopting a privileged access management (PAM) solution.
10- OPTIMIZE INCIDENT MANAGEMENT CAPACITY
An incident management process that includes an internal threat program, run by trained and competent incident handlers, also produces more useful and effective cybersecurity responses to internal threats.
11- MAINTAIN DIGITAL INVESTIGATION CAPABILITIES
Having an investigation-based response capability makes it possible, when an incident is sensitive and involves a person (or a user account), to carry out the full spectrum of in-depth investigations: analysis of controls, files, network traffic and endpoint activity.