By RJ Gazarek
NISPOM defines insider threat as “Anyone with authorized access to government resources that uses that access to do harm to the security of the U.S.”
In the government space, agency staff, contractors, and IT staff typically have a high level of privileged access. In some cases they hold specialized clearance levels so they can access most IT systems across different classified programs without being read in and out of every single program each time they need to reach a highly sensitive, classified system. These people must therefore be closely monitored and audited to ensure they are not abusing their privileged access to classified systems and information.
Thycotic recommends starting with these 5 steps to help protect your organization against insider threats.
1. Identify Assets
Before you can do anything else, such as assess your existing risk level, you have to identify all of the assets on your network that are in scope. Identify physical and data assets, the owners of those assets, and who has access to them. Physical and data assets include servers, workstations, databases, and cloud services. Once you have inventoried those assets, record who owns the data on each one. Finally, note who has access to each asset. Besides the data owners, you have human identities with access, but you may also have non-human accounts (such as local admin accounts) that give someone access without being tied to a single person's identity. These privileged accounts are especially critical to identify precisely because they are not tied to one identity.
2. Activity Monitoring
Most organizations have data, activity, and access logging, and while these logs are extremely important and required, they can be overwhelming to aggregate and analyze. This is where a SIEM (Security Information and Event Management) tool helps: it ingests logs from many disparate systems and correlates user activity across them. However, depending on the number of data sources and users, this aggregated data can turn into a lot of noise that is difficult to sift through and prioritize. Because of this, some organizations add a Behavior Analytics engine in addition to, or on top of, their SIEM. There are a number of Behavior Analytics engines, but in general most operate by building a behavior baseline for each user and data source, using machine learning and behavioral pattern recognition, and flagging activity that deviates from that baseline.
3. Remote Access
It is extremely important to monitor and control remote access to your systems by both internal employees and third-party contractors. Insider threats will often attack or compromise systems remotely because no one is physically looking over their shoulder. Also, depending on their level of access, they may have ways to get around the logging and monitoring on those systems. Your organization should therefore limit remote access and set policies on the level of access remote workers can have to critical data and systems. In addition to limiting this access, monitor these sessions, and consider coupling session monitoring with a Behavior Analytics tool to flag when sensitive systems are accessed or sensitive data is reviewed.
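The baselining described under Activity Monitoring, and the flagging of remote sessions that touch sensitive systems described under Remote Access, can be shown with a small worked example. This is an added illustration written for this page, not Thycotic's product code or any real Behavior Analytics engine. The log format, the host names, the set of hosts tagged sensitive, and the two-hour off-hours tolerance are all assumptions for the example; the sample log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (not real data). Each line is:
# <ISO timestamp> <user> <host> <source>, where source is 'local' or 'remote'.
TRAINING_LOG = [
    "2021-03-01T09:12:00 alice fileserver01 local",
    "2021-03-01T10:30:00 alice fileserver01 local",
    "2021-03-02T09:05:00 alice fileserver01 local",
    "2021-03-02T14:20:00 alice fileserver02 local",
    "2021-03-03T09:40:00 alice fileserver01 local",
    "2021-03-01T11:00:00 bob db-prod-01 remote",
    "2021-03-02T11:15:00 bob db-prod-01 remote",
    "2021-03-03T12:00:00 bob db-prod-01 remote",
    "2021-03-03T13:00:00 bob db-prod-02 remote",
]

# Hosts tagged as sensitive in the asset inventory (assumed tags for this example).
SENSITIVE_HOSTS = {"db-prod-01", "db-prod-02", "classified-share"}

# How many hours an access may fall outside a user's usual hours before it
# counts as off-hours. Tunable; 2 is an assumption for this example.
OFF_HOURS_TOLERANCE = 2


def parse_line(line):
    """Split one log line into a record with a parsed timestamp."""
    ts, user, host, source = line.split()
    return {"time": datetime.fromisoformat(ts), "user": user,
            "host": host, "source": source}


def build_baseline(lines):
    """Per-user baseline: hosts touched, hours of day seen, access paths used."""
    baseline = defaultdict(lambda: {"hosts": set(), "hours": set(), "sources": set()})
    for rec in map(parse_line, lines):
        b = baseline[rec["user"]]
        b["hosts"].add(rec["host"])
        b["hours"].add(rec["time"].hour)
        b["sources"].add(rec["source"])
    return dict(baseline)


def score_event(baseline, line):
    """Return the list of reasons an event deviates from its user's baseline.

    An empty list means the event looks like normal activity for that user.
    """
    rec = parse_line(line)
    b = baseline.get(rec["user"])
    if b is None:
        return ["no baseline for user %s" % rec["user"]]
    reasons = []
    if rec["host"] not in b["hosts"]:
        reasons.append("first access to host %s" % rec["host"])
        if rec["host"] in SENSITIVE_HOSTS:
            reasons.append("host %s is tagged sensitive" % rec["host"])
    if rec["source"] not in b["sources"]:
        reasons.append("new access path: %s" % rec["source"])
    hour = rec["time"].hour
    # Circular distance on a 24-hour clock so 23:00 and 01:00 are 2 apart.
    distance = min(min(abs(hour - h), 24 - abs(hour - h)) for h in b["hours"])
    if distance > OFF_HOURS_TOLERANCE:
        reasons.append("off-hours access at %02d:00" % hour)
    return reasons


def flag_events(baseline, lines, min_reasons=1):
    """Return {line: reasons} for events with at least min_reasons deviations.

    Raising min_reasons is the simplest way to cut the noise the text warns
    about: a single new host is routine, a new host reached remotely at 02:00 is not.
    """
    flagged = {}
    for line in lines:
        reasons = score_event(baseline, line)
        if len(reasons) >= min_reasons:
            flagged[line] = reasons
    return flagged


if __name__ == "__main__":
    base = build_baseline(TRAINING_LOG)
    new_events = [
        "2021-03-04T10:00:00 alice fileserver01 local",
        "2021-03-04T02:30:00 alice classified-share remote",
        "2021-03-04T11:30:00 bob db-prod-02 remote",
        "2021-03-04T09:00:00 carol db-prod-01 remote",
    ]
    for line, reasons in flag_events(base, new_events, min_reasons=2).items():
        print(line, "->", "; ".join(reasons))
```

Run as a script, only the 02:30 remote access by alice to a sensitive host she has never touched is reported; her routine 10:00 access and bob's usual remote database work are not. A user with no baseline at all (carol) produces a single reason and is left for an analyst to decide whether a baseline should exist.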
4. Separation of Duties
In most cases, from what we know, insiders looking to compromise systems or data act alone. Therefore, requiring two people to approve access to your most critical systems (sometimes referred to as Dual Control) can help prevent most insider threats. Requiring a second person to know about, and approve, an insider's access is a strong deterrent against abusing that access. Whether you are protecting a sensitive system or adding extra layers of security for third-party groups, adding approval workflows to your systems can greatly decrease the chances of a breach.
5. Employee Termination
Organizations must have proper procedures for when an employee is terminated, including a system that quickly helps administrators identify every asset the terminated employee had access to during their time with the organization. Your procedure, whether manual or automated, must include immediately revoking all access they had while employed. You must also account for the possibility that any usernames and passwords were written down by the employee, so every system they had access to, and every password they may have seen or used, needs to be changed. Without a system in place that records and audits this access throughout their tenure, ensuring that all access has been revoked can be tremendously difficult.
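The inventory from step 1 (assets, data owners, and which human and non-human accounts reach each asset) is what makes the termination procedure in step 5 answerable. The following is an added worked example for this page, not Thycotic's code or a real PAM product: it assumes a simple inventory model in which each account is either personal (tied to one identity) or a shared or service credential with a list of the people who know it. The asset and account names are constructed.

```python
import copy

# Constructed sample inventory (not a real environment). Each asset records
# its data owner and the accounts on it. An account is 'personal' (tied to one
# identity) or 'shared'/'service' (a non-human credential whose 'users' list
# records every person who knows or uses it).
INVENTORY = [
    {"asset": "fileserver01", "owner": "alice", "accounts": [
        {"name": "alice", "kind": "personal", "users": ["alice"]},
        {"name": "dave", "kind": "personal", "users": ["dave"]},
        {"name": "Administrator", "kind": "shared", "users": ["alice", "dave"]},
    ]},
    {"asset": "db-prod-01", "owner": "bob", "accounts": [
        {"name": "bob", "kind": "personal", "users": ["bob"]},
        {"name": "svc_backup", "kind": "service", "users": ["bob", "dave"]},
    ]},
    {"asset": "legacy-app", "owner": None, "accounts": [
        {"name": "admin", "kind": "shared", "users": ["dave"]},
        {"name": "oldadmin", "kind": "shared", "users": []},
    ]},
]


def inventory_gaps(inventory):
    """Step 1 check: assets with no recorded owner, and non-human accounts with
    no recorded human users, i.e. nobody is accountable for them."""
    unowned = [a["asset"] for a in inventory if a["owner"] is None]
    untied = [(a["asset"], acct["name"]) for a in inventory
              for acct in a["accounts"]
              if acct["kind"] != "personal" and not acct["users"]]
    return {"unowned_assets": unowned, "untied_accounts": untied}


def offboarding_plan(inventory, person):
    """Step 5: everything to do when `person` leaves.

    Personal accounts are disabled. Every shared or service credential the
    person could have seen is rotated, because it may have been written down.
    Any data ownership they held must be reassigned.
    """
    plan = {"disable": [], "rotate": [], "reassign_ownership": []}
    for a in inventory:
        if a["owner"] == person:
            plan["reassign_ownership"].append(a["asset"])
        for acct in a["accounts"]:
            if person not in acct["users"]:
                continue
            if acct["kind"] == "personal":
                plan["disable"].append((a["asset"], acct["name"]))
            else:
                plan["rotate"].append((a["asset"], acct["name"]))
    return plan


def apply_plan(inventory, person):
    """Return a new inventory reflecting the plan (the input is not mutated).

    Personal accounts are dropped and the person is removed from every shared
    credential's user list. Rotating the secret itself and reassigning data
    ownership happen outside this model and are left to the operator.
    """
    new_inv = copy.deepcopy(inventory)
    for a in new_inv:
        a["accounts"] = [acct for acct in a["accounts"]
                         if not (acct["kind"] == "personal" and person in acct["users"])]
        for acct in a["accounts"]:
            acct["users"] = [u for u in acct["users"] if u != person]
    return new_inv


def remaining_access(inventory, person):
    """Verification step: every account `person` can still reach.
    An empty list means revocation is complete for this inventory."""
    return [(a["asset"], acct["name"]) for a in inventory
            for acct in a["accounts"] if person in acct["users"]]


if __name__ == "__main__":
    print("inventory gaps:", inventory_gaps(INVENTORY))
    plan = offboarding_plan(INVENTORY, "dave")
    print("offboarding plan for dave:", plan)
    after = apply_plan(INVENTORY, "dave")
    print("dave's remaining access:", remaining_access(after, "dave"))
```

The point of the shared-credential handling is the one the text makes: dave's own account on fileserver01 is simply disabled, but the local Administrator account, the backup service account, and the legacy-app admin credential all have to be rotated even though none of them is "his". The inventory gap check also surfaces the two conditions that make offboarding guesswork: an asset with no owner and a privileged account nobody is recorded as using.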
At the end of the day, it is not difficult, and these 5 considerations can vastly improve your protection from insider threat and abuse. It will be up to you to decide the best way to implement these controls, whether manually or using an automated solution set such as Thycotic's Secret Server, Privilege Manager for Windows, and Privileged Behavior Analytics together. To learn more about preventing insider threat in federal agencies, watch our on-demand webinar.