Threat Management: Internal & External
Threats to the enterprise arrive from many different avenues; there is essentially no limit to where an attack may originate. The simplest useful division is a binary one: threats from internal sources and threats from external sources.
The external threats are well-known and appear in the news seemingly daily. There are hacktivists involved with politically-oriented hacks, people attacking to steal credit card information or PII, and others who encrypt your data and servers until a fee is paid. Internal threats are less publicized. These generally come from disgruntled employees. On leaving, a staff member may simply depart and never think about the business again. Others may leave a cyber back door open so they can re-enter the enterprise at a later time to be disruptive or to misappropriate data. With an involuntary termination, the staff member could also mount an effective attack if their position was in networking or information security.
This happened recently with a Monsanto employee who left the company seemingly on good terms. The issue was that his job was to develop algorithms and code the programs Monsanto would use, which gave him access to areas of the network that contained confidential information. The person copied 52 files containing confidential information. He happened to be changing employment to a Chinese competitor.
This is only one example of the insider threat. Within the last few years there also has been a programmer who worked at a financial firm on an algorithm engineered to make stock trades faster than the competitors. He allegedly took the code with him as he planned on moving to a position at a competitor.
There are a number of actions to take in order to secure the enterprise from insider threat.
Log management: The employee’s activities should be monitored. This can take the form of reviewing email usage, the amount of data being moved through email, which files and folders are being accessed, and other activities.
Remote Activities: The employee may have remote access off-site, so there is a distinct possibility that certain files would be emailed after hours.
USB usage: The act of emailing a file creates an audit trail, which a person seeking to steal data and files would not want. A potential way around this is to save files onto a USB drive and work with them later. To avoid this, disabling USB storage may be explored, unless it is used significantly in the person’s role.
Unknown users: An employee who is aware of their impending departure may act maliciously and add a new, fictitious user to the enterprise, giving “Bob” full admin rights in AD. The intent here would be for the departing employee to keep an avenue open to enter the business at their leisure at a later date. The issue can be addressed directly after the person leaves by finding and removing such rights. A simple examination comparing the Human Resources list of active employees against the directory’s user accounts should be sufficient to find any discrepancies.
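One way to run the HR-versus-directory comparison described above, as an added Python example that is not from the article (the two CSV exports, the group names, the dates and the service-account allow-list are all constructed for illustration):

```python
import csv
import io

# Constructed HR export: one row per person HR knows about.
HR_CSV = """employee_id,username,status,end_date
1001,asmith,active,
1002,jdoe,active,
1003,mlee,terminated,2024-03-01
"""

# Constructed directory export (e.g. an AD user dump): account, enabled flag, groups.
DIRECTORY_CSV = """username,enabled,groups
asmith,true,Domain Users
jdoe,true,Domain Users;Domain Admins
mlee,true,Domain Users
bob,true,Domain Users;Domain Admins
svc_backup,true,Domain Users
"""

ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins"}
# Constructed allow-list: service accounts that legitimately have no HR record.
KNOWN_SERVICE_ACCOUNTS = {"svc_backup"}


def reconcile(hr_csv, directory_csv, service_accounts=KNOWN_SERVICE_ACCOUNTS):
    """Return sorted (severity, username, reason) tuples for every enabled
    directory account that has no active employee behind it."""
    hr = {r["username"]: r for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(directory_csv)):
        user = acct["username"]
        if acct["enabled"].lower() != "true" or user in service_accounts:
            continue  # disabled accounts and known service accounts need no HR match
        record = hr.get(user)
        if record and record["status"] == "active":
            continue  # a current employee owns this account
        if record:
            reason = "still enabled after termination on " + record["end_date"]
        else:
            reason = "no HR record exists for this account"
        admin = sorted(set(acct["groups"].split(";")) & ADMIN_GROUPS)
        severity = "HIGH" if admin else "MEDIUM"  # orphaned admin rights come first
        if admin:
            reason += "; member of " + ", ".join(admin)
        findings.append((severity, user, reason))
    return sorted(findings)


if __name__ == "__main__":
    for severity, user, reason in reconcile(HR_CSV, DIRECTORY_CSV):
        print(f"{severity:6} {user:12} {reason}")
```

Run against real exports, the "terminated but still enabled" and "no HR record" findings are the two conditions the text describes, and any admin group membership on such an account is the first thing to revoke.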
Overall, there are methods to secure the enterprise against insider threats. Statistically, any given employee is unlikely to act in a malicious manner. To be conservative, however, it is better to hope for the best but plan for the worst.
About the authors-
Charles Parker II has been working in the info sec field for over a decade, in the banking, medical, automotive, and staffing industries. Charles has matriculated and attained the MBA, MSA, JD, LLM, and is in the final stage of the PhD in Information Assurance and Security (ABD) from Capella University. Mr. Parker’s areas of interest include cryptography, AV, and