Insider Risk: The Call is Coming from Inside the House

[BONUS POINTS IF YOU CAN NAME THE MOVIES THESE GIFS COME FROM IN THE COMMENTS]

In IT, we tend to think of threats as external. Hackers, scammers, bots, and DDoS attacks are all external in origin. But surprisingly, insider risk is often one of the biggest network security challenges facing IT.

As they say, sometimes it’s the ones closest to you that can hurt you the most.

What is insider risk?

Insider risk is the danger related to the actions of an authorized person, either directly or indirectly, that negatively impact an organization.

There are some notable examples of the fallout from insider risk being ignored, such as Alphabet and Uber’s legal battle over a stolen Waymo trade secrets, but there are plenty of lower-profile higher-frequency insider risks facing organizations of all sizes.

That broad definition is consistent with the definition of insider threat from both Carnegie Mellon and NIST’s Computer Security Resource Center. Frankly, that’s because the terms are closely related and often used interchangeably. However, there is some nuance between risk and threats that I’ll dive into shortly, but first, let’s unpack the definition a bit more.

What’s an “insider”, or authorized person?

Anyone who has (or had) legitimate access to organizational resources like intellectual property, manufacturing equipment, IT systems, data, and facilities. Think about it this way: a thief who cracks a safe isn’t an insider, but a bank employee with the key is.

What kind of negative outcomes can insider risk create?

In the world of risk management, theft, property damage, physical harm to people, financial loss, damage to an organization’s reputation, and compromise of digital assets are all typical examples of negative outcomes resulting from insider risk.

Does intent matter when it comes to insider risk?

Nope. A technician that was jailed for cyberattacks at Welland Park Academy in Leicestershire is a textbook example of insider risk manifesting as a real-world negative outcome. But, so were the employees at an Australian university that fell victim to a very sophisticated spear-phishing attack. In one case, the insider was allegedly malicious, in the other, they were completely unaware they were doing something to hurt the organization.

A malicious insider threat is a current or former employee, contractor, or business partner who has or had authorized access to an organization’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.

Insider risk vs. Insider threat

Let’s get back to the nuance between insider risk and insider threat, because it’s an important distinction: threats are about the specific events that can occur, while risk is about the probability and potential impact of events.

There are several advanced approaches to calculating risk, but, at a high level, we can boil the math down to this risk assessment classic: Risk = Threat + Vulnerability + Consequence.

Suppose company A has a public-facing website that uses WordPress. Like any server on the Internet, they face the threat of someone hacking the site. Their vulnerability to that risk will depend on how frequently they apply patches, handle credentials, what security solutions they use, etc. The consequence of that threat being exploited will depend on the size of the organization’s loss if the site is compromised (e.g., lost customers, loss of revenue, compromised data, etc.). Taken together, the threat, vulnerability, and consequence will determine how much risk the company faces.

So, insider threats are specific events with potentially negative outcomes, such as employee theft. Insider risk is about the probability and impact of those threats actually occurring. While most organizations face many of the same insider threats, insider risk assessments help individual teams analyze their actual risk.

What does this mean for IT teams?

For IT teams, insider risk is about data, networks, and IT infrastructure. Insiders are considered any authorized users, contractors, third parties, or staff with physical or digital access to an organization’s IT assets. Common examples of insider threats in IT are data theft, data deletion, ransomware, crypto mining, bots, and phishing attacks.

In their Cost of Insider Threats report, IBM groups the top causes of insider incidents into three categories:

• Negligence. An incident resulting from an insider’s inadvertent or negligent actions falls into this category. Examples of negligence include accidental deletion, clicking a malicious link, and misconfiguration. According to the IBM report, negligence was responsible for 63% of insider incidents.
• Criminal insider. 14% of the events from the IBM report involve insider incidents that are the result of a malicious user. Malicious deletion of data and intellectual property theft are typical examples of threats from criminal insiders. Frankly, this is one of the toughest threats to completely mitigate, because ultimately you have to trust someone in your network.
• Credential theft. Stolen credentials caused 23% of the insider incidents in the IBM report. Once an attacker compromises a set of credentials, they can steal, delete, or otherwise compromise data from any system that the account can access.

How to mitigate insider risk

What can you do to protect yourself from insider risk? No magic bullet will eliminate insider risk (wouldn’t that be great?). But, defense-in-depth goes a long way, and there are several practical steps IT can take to mitigate insider risk.

• Backups, backups, backups. You’re in IT, so we know you know this already. But you also know it’s so important we have to call it out. Have reliable and recent backups of all your mission-critical systems, data, and configurations. And make sure to test your backups regularly! If you fall victim to a ransomware attack, or disaster strikes, backups can save the day.
• MFA and password management. Compromised credentials and account hijacking are the root cause of many insider threats. Multi-factor authentication (MFA) and secure password management (using strong passwords, not reusing passwords, leveraging a password manager, etc) are great ways to reduce the chances of compromised accounts compromising your IT systems.
• Don’t trust by default. Traditional castle-and-moat IT security—where everything behind the firewall is trusted—simply doesn’t cut it anymore. With IT assets and users spread across the cloud, home offices, and branch locations, network perimeters are very dynamic. Zero trust networks, where access must be explicitly granted as opposed to implicitly assumed, help ensure authorized users can get to the assets they need, and nothing else.
• Limit attack surfaces. Port not used? Turn it off. Application not needed? Uninstall it. As we saw in our 2021 Network Vendor Diversity Report, a lot is going on in modern networks. Different devices have different vulnerabilities and potential for misconfiguration and exploitation. Turning off unused services and implementing granular security policies help limit the east-west spread and reduce the scope of attacks if they occur.

• Educate users. We’ve seen that insider incidents aren’t usually the result of malice. Often, they result from actions taken by an unwitting or complacent user. Education that focuses on security basics like identifying phishing emails, safe browsing habits, and password management can reduce the probability a user unintentionally enables a network breach.
• Protect mailboxes. Attackers looking to compromise accounts loooove email. Why? Because it works. Time after time, we see cybersecurity incidents begin with a user clicking a link or attachment or even simply previewing a malicious email. IT can reduce insider risk by preventing malicious emails from ever hitting the inbox with strong anti-spam and anti-malware protection on mailboxes. Similarly, strong endpoint protection limits malware spread if a malicious email hits a user’s inbox.
• Maintain physical security. In a digital world, it’s easy to overlook the physical side of IT security. However, if a malicious actor has physical access to your network devices, they’re not your network devices anymore. Accidents like spilled drinks on server hard drives or accidentally unplugging a critical device can occur if gear isn’t properly secured and protected from the elements. Make sure all your on-prem IT gear is properly secured, implementing physical controls such as locks, key-cards, and IP or NEMA-rated server racks with accommodations for rough environmental conditions.
• Offboard employees quickly and completely. Former employees and contractors that still have active credentials or access can pose a major threat to IT assets. Make sure to develop and enforce an IT offboarding checklist to ensure former employees don’t retain access.
• Monitor network traffic and logs. Network traffic monitoring and system logs can tell a very precise story about where your data is going and how your systems are performing. One of the biggest indicators of an attack are anomalies in traffic flows and logs. As a result, effective network monitoring plays a major role in mitigating insider risk.

How can network monitoring reduce insider risk?

Visibility helps your team understand the current state and behavior of the network. With the right network monitoring tools, IT can detect suspicious behavior, respond to incidents faster, and even implement continuous security validation to prevent and mitigate threats.

Specifically, network monitoring helps IT:

• Gain visibility into access logs and user activity. Audit logs record exactly who is doing what and when they’re doing it. Using network monitoring tools to aggregate, centralize, and parse logs make it easier for IT to detect, analyze, and respond to suspicious activity. In a world where malware dwell time is often measured in weeks and months, logs can be the difference between preventing an exploit or losing critical data.
• Detailed traffic analysis. Flow protocols and traffic analysis tools allow IT to see which applications are generating traffic flows. As a result, IT can drill down to identify specific bandwidth hogs and sources of suspicious traffic to stop exploits in their early stages.
• See where traffic is going. An “insider” communicating with a server in a country you don’t usually see traffic sent to is a potential indicator of a bot, compromised account, or other malicious activity. Network monitoring tools that can associate traffic flows with geolocation data help IT contextualize threats and improve insider risk management.
• Tune alerts for suspicious activity and traffic patterns. Network alerts are often a way to detect when something is wrong from a network performance and optimization perspective. However, that’s only part of the benefit. They can also provide early warning signs of malicious activity. A surge in network traffic between two endpoints or a user scanning for open ports could be an attack. Similarly, a spike in CPU utilization is a common cryptojacking symptom.

Probability is a big component of insider risk management. At the end of the day, it’s IT’s job to assess the risk of common hacks and insider threats, and put mitigations in place based on their risk tolerance. However, for most IT environments, that means striking a balance between accessibility and security that mitigates risk.

---

With features like TrafficInsights, customizable alerts, and robust network mapping, Auvik is a network monitoring tool that emphasizes network visibility, privacy, and security and can enable IT to protect against insider threats and improve overall network security and performance. If you’d like to try Auvik for yourself, Get your free 14-day Auvik trial here.