Defending Against Insider Threats (Part 2)

Insider Threats can cripple an organization, but a multi-layered security strategy can reduce the likelihood of success. Some of the best practices for guarding against insider threats also apply a range of security issues. When developing your overall security plan, it is important to prioritize implementation as well as establish a ranking of most critical challenges and most valuable assets.

I’ve been writing about the Common Sense Guide to Mitigating Insider Threats 4th Edition by CERT and want to provide one last post highlighting some of their recommendations for defending against insider threats. In addition to a robust strategy for dealing with people who have access to data it is important to consider the various technical issues relating to security and insider threats.

Here are CERT recommendations surrounding technical issues:

1. Clearly document and consistently enforce policies and controls.
Policies must have complete buy-in from upper level management or they will not be enforced consistently and eventually fail.

2. Know your assets.
Talk to all your data owners and learn what types of data you store. Conduct a regular inventory of data assets and data owners. Prioritize high value assets

3. Implement strict password and account management policies and practices.
When developing account management policies, address account creation, account review, and account termination. State who authorizes accounts and levels of data access for all accounts.

4. Enforce separation of duties and least privilege.
As employee roles shift, review and adjust access privileges. Conduct regular audits of employee accounts.

5. Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities.
When engaging the services of cloud providers, it is essential to conduct a risk assessment of your data and services. It is essential to do a thorough background review of the potential cloud providers like their capacity to mitigate risks, their hiring practices (do they do security checks on all levels of personnel?), and review their security practices including plans to mitigate against insider threats.

6. Institutionalize system change controls.
Conduct regular reviews of configurations rules to assure there are no unapproved discrepancies.

7. Use a log correlation engine or security information and event management (SIEM) system to log, monitor, and audit employee actions.
Establish log management policies that addresses log retention, what event logs to collect, and who manages logging system.

8. Monitor and control remote access from all end points, including mobile devices.
Temporarily disable remote access to organization systems after an employee or contractor separates from organization. Collect all company equipment, wipe company assets from employee/contractor own devices, and update passwords.

9. Implement secure backup and recovery processes.
Follow a comprehensive disaster recovery process, including storing backup offsite. Utilize a professional backup service with vetted encryption and security processes.

10. Develop a formalized insider threat program.
Create an insider threat security team that works within an approved legal framework and addresses threats that include HR, Legal, Security, management, and IA.

11. Establish a baseline of normal network device behavior.
Implement network monitoring tools to develop an understanding and record of normal network behavior and trends. Establish normal baseline for network activity via ports and protocols as well as firewall and IDS alerts.

12. Close the doors to unauthorized data exfiltration.
Monitor cloud use and enforce a policy of approved cloud usage with approved cloud vendors.