The Insider Threat in IT Security


 
04-20-2019

Over my very long career in Unix and Linux system programming, network security, network system engineering, and cybersecurity as a whole, the number one threat to any organization is what we refer to as the "insider threat". Disgruntled employees, dissatisfied team members, lax security practices, and day-to-day poor operational security (or a lack of security, such as no backups and weak passwords on privileged accounts) lead to much more serious breaches than the "outsider threat".

For example, decades ago, when I was a part of the original network engineering team for the early Internet backbone, the biggest damage done to our network was from "software updates" performed by well-intended employees who would do unplanned and untested software updates on the network. On at least one occasion the entire network for customers was brought down by a well-intended employee on the midnight shift. I had to write a wrapper keystroke logging program after that, so all employees' keystrokes in the production environment would be logged to a private, secure server. This secure data was kept under strict "lock and key" and could only be accessed in the case of a security breach and subsequent review by the senior IT security team. This is just one of dozens of similar "insider" incidents I have had to respond to, and write mitigation code and controls for, over the many long years of my career.

Just recently, while debugging authorization code for an organization, I found that some very privileged user accounts were using very trivial (weak) passwords. These passwords were so weak that any brute-force (recursive) bot on the network could have gained entry into the privileged account in a matter of seconds, minutes at most. These kinds of lax security practices by "insiders" are dangerous to any IT organization, especially when users have privileged accounts with various high degrees of permissions.

In addition, not long ago, an organization I'm familiar with had a disgruntled team member leave the site after years of being a valued member over "differences in opinions and perspectives". In this incident, the unhappy team member contacted his associate in the same organization and instructed them to use a privileged account to change the status and information of the disgruntled team member's account, completely bypassing the system administrators. This is clearly an IT security breach by an insider. In this case, we had to write additional control and mitigation code to protect the site from malicious activity from "insiders".

All cybersecurity and IT professionals know (and are trained to know) that the greatest threat to any organization is from disgruntled insiders. Everyone who works in IT security and all system administrators have the responsibility to protect their IT from security breaches, and they often forget that the most serious breaches come from disgruntled team members and employees.

If you are an IT security professional you must stay on top of your systems, especially when you see signs that team members are unhappy or disgruntled at work. You should review your IT security triad of "Prevention", "Detection" and "Recovery" in the event of a breach. In addition, you should constantly review the triad of IT security controls, including "Logical" (generally software), "Physical" (generally barriers and physical locks) and "Administration" (policy) controls.

Decades ago we found that one of our most valued employees at a major telecom company was engaged in commercial espionage, taking key software developed by the company they worked for in the US and sending that info, almost nightly, to an organization on the other side of the planet. We wrote software and added additional IT security controls to monitor the activity of that employee. Under direction of senior management, we monitored that person's activity (unbeknownst to the criminal employee) for many months before turning the evidence over to the company's security team for adjudication.

My message to IT system administrators is this:

Always keep your "eye" on the IT activities of disgruntled employees (and their associates) because it has been proven time and time again that it is the "valuable and privileged insiders" in organizations who are the greatest threat to any organization, and that is especially true for IT security.

As an IT security professional, I strongly advise all system administrators to never forget the fact that the greatest threat to IT security is not the "outsider" where most of the IT security focus tends to be. The greatest threat is always the "insider" with higher system privileges and authorizations. Manage your systems based on this fact and your systems will be much more secure for all concerned.
These 2 Users Gave Thanks to Neo For This Post: