This is the second blog in a four-part series delving into information security concerns and what you can do to keep your organisation safe.
Information security is fundamentally about risk management. "Threat actors" are the people that find and exploit vulnerabilities to make the risks real. It's important to understand the threat actors you're facing so you can make better decisions about your risks and how best to mitigate them.
In this blog post we'll talk about three types of internal threat actors that are often overlooked in risk assessments. There are others, we may cover those in another post.
Often we're so focused on external threats we don't consider the people we assume are on the same team. Here in support, though, we've had to diagnose and respond to incidents where insiders have deliberately caused damage within the organisation's CMS (usually between finishing their contracts and leaving the building.) Our last post on "Changing the locks" has some thoughts and principles around mitigating the damage that can be done by insider threats. If there's enough demand we might do some technical articles covering the application of some of those principles.
There are a lot of factors that may cause an insider to become malicious. Money or substance troubles, a missed promotion, a toxic workplace culture, blackmail, greed or just plain maliciousness are all possibilities. Many of these can be resolved with sound HR practices and encouraging supportive workplaces, but some can't. That's why it's important to practice the principles of least privilege and separation of duties.
Internal user accidents
A clumsy insider has the same effect as a malicious insider without the malicious intent. The good news is that the same technological mitigation techniques used to prevent damage from malicious insiders will be effective against mistakes. Identifying activities that can cause inadvertent damage or disclosure of data is key. Once those activities are identified, mitigation strategies can be put in place.
Compromised internal user
It is a well known axiom that the most vulnerable point in most modern information systems is the user. Phishing, vishing, smishing and whaling are all becoming more widespread and the people behind them are almost invariably achieving their goals. A recent study showed that 50% of users will use a USB they find, and USB attacks are effective in 45-98% of attempts, with a median timeframe of 6.9 hours. Kevin Mitnick, who runs a penetration testing company, claims that using a combination of technical and social engineering attacks he is successful in compromising organisations 100% of the time.
The best defense against social engineering is user education. However, the delivery of user training is an area where lines of responsibility can become cloudy. Is it HR's job as staff training facilitator, or the IT team's, as the holders of expertise? Is it the CISO's (if there is one)? The result is often a case of the starving cat.
Again, the principles of least privilege and separation of duties are effective technical tools in minimising the damage that can be caused by compromised internal users.