In my last blog I discussed the overview of cyber security and the different types of attacks. Now let us explore insider attacks in detail.
Employees and contractors have significant knowledge of an organization’s primary security mechanisms (e.g. firewalls, access controls, physical access controls). Systems are built to keep out the untrusted external attacker, not to guard against the trusted insider. People working for or within the organization know which mechanisms are in place and can use that knowledge to circumvent defenses.
To offset this advantage and address insider threats realistically, organizations need better capabilities, in areas such as context-based monitoring, advanced behaviour anomaly detection, and link-analysis driven investigation.
Authorisation Creep (Deliberate/Malicious insider):
A user receives a set of access rights on joining the organisation and is soon transferred or promoted to another department. He is then granted a further set of access rights, along with the major productivity classes that go with the new role, and so accumulates far more access than any single role requires.
- Appropriate SOD (segregation of duties) must be defined for access to systems.
- A user should be given only the privileges that are necessary.
- All privileges should never be concentrated in a single person.
- The system must enforce a four-eyes or six-eyes principle to prevent such attacks, and it must be audited regularly.
- Ensure that security patches are reviewed and tested beforehand.
- Patches should then be applied promptly to the operating system.
- For larger patches, monitoring the system after deployment is beneficial.
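As an added example (not code from the original post), here is a small Python entitlement review that flags the two conditions described above: rights a user still holds beyond the baseline of their current role (authorisation creep) and entitlement combinations that violate segregation of duties. The roles, entitlement names and users are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample data for this example.
# Role -> entitlements that role legitimately needs (the least-privilege baseline).
ROLE_BASELINE = {
    "accounts_payable": {"invoice.create", "vendor.read"},
    "treasury": {"payment.approve", "bank.read"},
    "hr": {"employee.edit"},
}

# Pairs of entitlements that must never be held by one person (segregation of duties).
SOD_CONFLICTS = [
    ("invoice.create", "payment.approve"),
    ("employee.edit", "payroll.read"),
]


@dataclass
class User:
    name: str
    current_role: str
    entitlements: set


def review_user(user):
    """Return findings for one user: entitlements beyond the current role's
    baseline (authorisation creep) and any segregation-of-duties conflicts."""
    baseline = ROLE_BASELINE.get(user.current_role, set())
    creep = sorted(user.entitlements - baseline)
    conflicts = sorted(
        (a, b) for a, b in SOD_CONFLICTS
        if a in user.entitlements and b in user.entitlements
    )
    return {"user": user.name, "creep": creep, "sod_conflicts": conflicts}


def review_all(users):
    """Run the review over every user and keep only those with findings."""
    return [f for f in map(review_user, users) if f["creep"] or f["sod_conflicts"]]


SAMPLE_USERS = [
    # Alice moved from accounts payable to treasury but kept her old rights:
    # she now both creates invoices and approves payments.
    User("alice", "treasury", {"invoice.create", "vendor.read", "payment.approve", "bank.read"}),
    # Bob's rights match his role exactly, so he produces no findings.
    User("bob", "hr", {"employee.edit"}),
]

if __name__ == "__main__":
    for finding in review_all(SAMPLE_USERS):
        print(finding)
```

A real review would load the role baseline and user entitlements from the identity provider instead of the inline dictionaries, and feed the findings into the regular audit mentioned above.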
An employee can become a malicious insider threat through job frustration, persuasion by a competitor who is trying to hire him, or a financial motive.
Because security and control around critical information are often lacking, the malicious insider will frequently copy large amounts of proprietary data to the cloud, a USB device or a personal device. While this seems very simple and basic, it is extremely effective and happens on a regular basis.
Accidental Insider:
An accidental insider is someone who is tricked or manipulated into doing something that ultimately harms the organisation. Some people further categorize the accidental insider threats into “the infiltrator” and “the ignorant insider.” The infiltrator situation occurs when an adversary accesses a user’s system or steals credentials to gain access to a system.
The ignorant insider situation occurs when an adversary convinces the user to click on a link or open an attachment, which ultimately leads to the user’s system being compromised.
Since both cases are caused by a user action that ultimately results in a system or account being compromised, we group these types of threats together.
Prevention and Mitigation of Internal Attack
- Enforce clear security policies and guidelines to minimize the risk posed by both intentional and unintentional security incidents.
- Implement the rule of least privilege, which means that employees should only have access to the information resources necessary to perform their daily tasks.
- Access control mechanisms enable companies to specify and enforce monitoring and auditing requirements.
To be continued…..