As important as it is to protect your company’s network from outside attackers, recent research says businesses are becoming more vulnerable to insider threats. How can IT prevent attacks that come from inside the company?
Based on an analysis of more than 700 data breaches carried out by insiders, Carnegie Mellon University’s CERT Program has identified patterns that businesses can use to help identify potential insider threats.
Two frequent types of insider attacks are
- IT sabotage, in which disgruntled current or former employees use their access to disrupt the company’s computer system, and
- intellectual property theft, in which exiting employees take proprietary information to help them in other jobs.
In a recent interview, CERT researchers described ways companies can try to identify and stop those insider threats:
1. Who performs the attacks?
According to CERT researchers, most cases of IT sabotage are carried out by system administrators, programmers, or technically sophisticated or privileged users. Typically, intellectual property theft or espionage is committed by engineers, scientists, programmers and others with the most knowledge about the company’s products or services.
2. When do they do it?
Most instances of theft and sabotage occur around the time an employee leaves the company — for example, when a disgruntled employee is fired, or when someone resigns and brings confidential information to a new job.
In cases of IT sabotage, the attack is usually set up before an employee is fired — for example by opening a hidden back door to the network — then carried out after the termination. Intellectual property or other sensitive data is usually stolen within 30 days of an employee’s resignation.
3. How are the attacks carried out?
According to CERT, intellectual property is most often taken out of the company using email, with employees sending the data to themselves or to outside companies through their corporate or personal email account.
4. How can IT stop them?
The biggest key to stopping insider threats is communication — the people in charge of IT security should be notified if someone with the potential for carrying out IT sabotage is going to be fired so they can monitor appropriately. Likewise, if someone with access to a lot of sensitive information is leaving the company, IT should know as soon as possible.
In the case of an employee with access to confidential data, CERT recommends checking email logs for messages sent within 30 days of the resignation to addresses outside the company that contain attachments or exceed a certain size. If a large number of such messages turn up for a departing employee, that can be cause for suspicion.
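The log check described above, as an added example that is not part of the article or of CERT's own tooling: it assumes a constructed CSV gateway log, an assumed company domain (example.com), a 5 MiB size cutoff, and a window of 30 days on either side of the resignation date, all of which are placeholders to adapt to a real mail gateway.

```python
# Added example (not from the article or CERT): flag outbound mail from a
# departing employee within 30 days of the resignation date.
# The log format, domain and size cutoff below are assumptions for this example.
import csv
from datetime import date
from io import StringIO

INTERNAL_DOMAIN = "example.com"     # assumed company domain
WINDOW_DAYS = 30                    # the 30-day window the article cites
SIZE_THRESHOLD = 5 * 1024 * 1024    # assumed "certain size" cutoff (5 MiB)

# Constructed sample gateway log: date, sender, recipient, bytes, attachment count
SAMPLE_LOG = """\
date,sender,recipient,bytes,attachments
2024-03-01,alice@example.com,bob@example.com,2048,0
2024-03-05,alice@example.com,alice.personal@webmail.invalid,7340032,3
2024-03-12,alice@example.com,partner@otherco.invalid,1024,0
2024-03-20,alice@example.com,alice.personal@webmail.invalid,512,1
2024-01-15,alice@example.com,alice.personal@webmail.invalid,9000000,2
2024-03-15,carol@example.com,carol@webmail.invalid,8000000,1
"""

def is_external(address: str) -> bool:
    """True unless the recipient's domain is the company domain or a subdomain of it."""
    dom = address.rsplit("@", 1)[-1].lower()
    return dom != INTERNAL_DOMAIN and not dom.endswith("." + INTERNAL_DOMAIN)

def suspicious_messages(log_text: str, employee: str, resignation_iso: str):
    """Return log rows sent by `employee` to external addresses within
    WINDOW_DAYS of the resignation date (ISO format) that carry attachments
    or exceed SIZE_THRESHOLD bytes."""
    resignation = date.fromisoformat(resignation_iso)
    hits = []
    for row in csv.DictReader(StringIO(log_text)):
        if row["sender"].lower() != employee.lower():
            continue
        sent = date.fromisoformat(row["date"])
        if abs((sent - resignation).days) > WINDOW_DAYS:
            continue
        if not is_external(row["recipient"]):
            continue
        if int(row["attachments"]) > 0 or int(row["bytes"]) > SIZE_THRESHOLD:
            hits.append(row)
    return hits

if __name__ == "__main__":
    for hit in suspicious_messages(SAMPLE_LOG, "alice@example.com", "2024-03-25"):
        print(hit["date"], hit["recipient"], hit["bytes"], hit["attachments"])
```

The count of hits per employee is what an analyst would review, not a verdict by itself; a small-message to a business partner (the 03-12 row) is deliberately not flagged.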
Knowing that someone with a high level of privilege is about to be fired can also allow IT to monitor for suspicious activity in parts of the network that employee can access.
Visit the CERT Program’s website for more information on insider threats.