Security Fridays: Week Seven
Chris Cassell 06/03/2020 Industry News
Are all insider threats malicious?
This post raises something very interesting straight away. Its headline is a little bit click bait, and it knows it, as it explains the same thing later on. Still, the point is worth discussing: intentional doesn’t have to mean malicious. While it’s true that all malicious acts have to be intentional, it’s not a given the other way around.
Hanlon’s razor is a perfect test here: “Never attribute to malice that which is adequately explained by stupidity.” Though in most cases stupidity isn’t the real explanation; it’s more, “Never attribute to malice that which is adequately explained by a lack of understanding.” A small but significant change.
So it’s very important to note that insider threat is on the rise, but a lot of it is down to users not understanding the implications of their actions. This becomes increasingly common when organisations start to adopt new ways of working. Cloud environments allow users to ‘share’ files outside their organisation, and a lot of people carry increasingly large amounts of storage with them, be it phones, USB drives or external hard drives. Don’t even get me started on the ridiculousness of allowing them to use their virus-riddled, insecure bring-your-own-device environments.
All of these bring new waves of threats to an organisation that have to be managed, and a lot of that weight is traditionally put on the users, who aren’t trained security professionals. They don’t understand that sending a file to themselves at home to work on at the weekend exposes it to significant risks. It’s suddenly resident on someone else’s mail server and on a machine that doesn’t have the organisation’s security tools, meaning that information could be copied to other documents without being monitored, and so on. This is a multitude of threats, but none of them are malicious; it’s someone working with the best of intentions who is creating risk through a lack of understanding.
This is where security professionals need to work to make allowances for this sort of user thought process. Why do they feel the need to send it to themselves at home? What data do they actually need? What other options could be provided so that they can do what they need safely?
Removing the need for risky behaviour would reduce the risk. Then we can concentrate on the other side of the coin, which is true malicious behaviour, and which is covered in all the other posts we do.
1 – Do a full data lifecycle exercise inside the organisation and include the users in the process, finding out how they want and need to process data (the ultimate solution is likely between these two). Use this to generate a true understanding of what the situation needs to look like and where the organisation isn’t providing the right tools.
2 – Secure all other channels once you have provided a channel for the work to be done appropriately, safely and efficiently. That is the time to implement tools such as DLP and CASB along with data governance measures. Now that users have a method to do what they need, make sure the old, bad behaviours are no longer an option by applying rules that stop data being sent in unapproved ways. This also helps to block malicious insiders by taking away their opportunities to send data out via unapproved channels.
3 – Audit everything. Over time, the data you use, the processes and the technologies will alter, and the old data lifecycle you did won’t hold up any longer. By auditing all those data touches and transactions you can spot when things start to yaw off point. That should be a pre-emptive warning that the process needs to start again: run a new lifecycle exercise and adjust the tools, keeping the balance between a business that works and a business that is secure.
Read the original article that was analysed here: www.infosecurity-magazine.com/news/intentional-malicious-breaches/