Walking threat: why everybody - and everything - brings potential for cyber risk
Understanding common insider threat profiles remains an essential step in helping companies eliminate damage before it happens, says Virginia Satrom, social media manager at Forcepoint.
Forcepoint is as eager as any for the upcoming season 7 premiere of The Walking Dead this October. What's not to like about watching everyday heroes battle the zombie "walkers" among us?
In fact, with National Cyber Security Awareness Month also taking place this month, I often view the ever-evolving phenomenon of the insider threat much like AMC's zombie universe. It's not easy to tell who will become a walker and when. So it's best to assume that anyone and everything is an insider and, therefore, a potential insider threat - and that everyone is a potential victim. This mirrors The Walking Dead, since we know (spoiler alert) everyone is already infected with the zombie virus. What does this mean? Everyone and everything is a potential walker.
This state of vigilance would serve modern enterprises far better than broken cyber defence models centred on "keeping bad stuff out". These outdated models depend on coupling disparate point solutions for perimeter defence - force-fitting a new, separate solution every time attackers alter their methods. In today's digital-first world, relying on such a disjointed approach to prevent breaches is about as effective as attempting to avoid a herd of walkers by covering yourself with leaves: good luck.
After all, the perimeter we once knew no longer exists. Not that it's as bleak as a post-apocalyptic Walking Dead world, but with the cloud, roaming users, mobility/BYOD and other innovations, the perimeter today is dictated by the location of data, user accounts and endpoints. Regardless of where these users and endpoints are located - on-premises or off - they are insiders. And, by extension, we must consider every program and app running within user accounts and endpoint systems as insiders too.
To be clear, I'm not saying security managers should no longer worry about external threats targeting their networks, but they cannot focus exclusively on them either. We need to constantly watch for anomalous activity by users and devices, as well as the use, storage and movement of data, as potential indicators of insider-linked threats. One way to do this is to understand three common insider threat profiles. In a sense, they mirror certain qualities of characters from my favourite zombie show:
Accidental insiders. These are employees who inadvertently cause harm. For example, if they're participating in an industry-related social media chat, a hacker may pose as a helpful source of information and send a URL which appears to relate to the discussion but actually leads to malware. In The Walking Dead, these insiders call to mind Dale, a good-hearted victim who met his end while surveying the group's land for walkers and coming across an injured animal. Another kind of accidental insider is the reckless insider. These are employees who consider themselves "above the rules", ignoring best practices from IT and even bypassing clearly articulated policies. While they are not acting maliciously, they invite risk. Though one could argue he is malicious, this type of insider reminds me of Merle Dixon. Dixon foolishly (and fatally) put himself in harm's way by taking unnecessary chances, in addition to trusting the wrong person (the Governor).
Compromised insiders. These insiders have unknowingly had their machines or systems compromised. After the compromise, their systems are being controlled remotely and can be utilised to steal and/or leak data. Compromised insiders or hacked machines bring to mind most of the walkers in The Walking Dead. These individuals do not know that they are infected or compromised, and can be used by the living to protect or attack others. Walkers can be controlled to perpetuate attacks and, ultimately, more walkers.
Malicious insiders. These users are clearly, purposefully up to no good. They are disgruntled, greedy and/or otherwise ill-intended individuals who misuse access to confidential intellectual property or systems. They often scheme to commit theft, sabotage and fraud within an organisation. For example, an employee who has been hired by a competitor copies product schematics before resigning. In seasons one and two, Shane would make for the perfect malicious insider - especially when he intentionally injures and endangers others, with fatal consequences, for his personal vendetta.
Understanding common insider threat profiles remains an essential step in helping organisations eliminate damage - before it happens. So how can you mitigate this potential risk? From the human perspective, put all users through detailed training that educates them on best practices and on how to recognise an adversary's stealth techniques. At the same time, teach them how to spot possible malicious insiders through the classic "trouble signs" they project. On the tech side, organisations can complement their firewall and anti-virus tools with insider threat-centric ones covering authentication/access control, data loss prevention (DLP) and user behaviour analysis.
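As an added illustration of the user behaviour analysis mentioned above (example code written for this page, not Forcepoint's product or the author's own), the Python below builds a per-user baseline from constructed data-movement records and flags the off-hours, new-destination and volume indicators that correspond to the compromised and malicious profiles; the user names, log fields and thresholds are all assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events, (user, hour_of_day, destination, megabytes).
# BASELINE stands for several weeks of data movement assumed to be normal.
BASELINE = [
    ("alice", 10, "fileshare", 40), ("alice", 14, "fileshare", 55),
    ("alice", 11, "fileshare", 35), ("alice", 9, "fileshare", 50),
    ("bob", 9, "fileshare", 20), ("bob", 15, "git", 15),
    ("bob", 13, "fileshare", 25), ("bob", 10, "git", 18),
]
# TODAY is the window under review (also constructed).
TODAY = [
    ("alice", 11, "fileshare", 45),      # in line with her history
    ("bob", 23, "usb-removable", 900),   # late, new destination, ~45x his usual size
    ("carol", 10, "fileshare", 30),      # account with no history at all
]

def build_profiles(events):
    """Per-user history: destinations used and list of transfer sizes."""
    profiles = defaultdict(lambda: {"destinations": set(), "sizes": []})
    for user, _hour, dest, mb in events:
        profiles[user]["destinations"].add(dest)
        profiles[user]["sizes"].append(mb)
    return profiles

def analyse(baseline, window, work_hours=(7, 19)):
    """Return {user: sorted reasons} for every user with at least one anomaly.

    Volume is judged against the user's own history (mean + 3 sigma, but
    never below double the mean, so a flat history is not a hair trigger).
    Accounts with no baseline at all are surfaced for review rather than
    silently trusted."""
    profiles = build_profiles(baseline)
    findings = defaultdict(set)
    for user, hour, dest, mb in window:
        if user not in profiles:
            findings[user].add("no_baseline")
            continue
        p = profiles[user]
        if not (work_hours[0] <= hour < work_hours[1]):
            findings[user].add("off_hours")
        if dest not in p["destinations"]:
            findings[user].add("new_destination")
        avg = mean(p["sizes"])
        limit = max(avg + 3 * pstdev(p["sizes"]), 2 * avg)
        if mb > limit:
            findings[user].add("volume_spike")
    return {u: sorted(r) for u, r in findings.items()}

if __name__ == "__main__":
    for user, reasons in analyse(BASELINE, TODAY).items():
        print(f"review {user}: {', '.join(reasons)}")
```

In a real deployment the baseline would come from weeks of DLP or proxy logs and the findings would feed an analyst queue, not stdout.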
Forcepoint's whitepaper, Unlocking Business Success: The Five Pillars of User Risk Mitigation, details these - and other - steps to significantly increase your chances of monitoring, detecting and mitigating insider threats, ultimately helping you emerge unscathed. And that certainly beats being a walker.