Insider attacks are particularly difficult to defend against. Insiders have internal knowledge of the network, and often know a system’s vulnerabilities. Even if they don’t violate security policies, they can perform authorized actions in a malicious way.
I like Common Sense Guide to Mitigating Insider Threats. It’s light reading, if you like that sort of thing. Here are the recommendations in brief:
- Consider threats from insiders and business partners in enterprise-wide risk assessments.
- Clearly document and consistently enforce policies and controls.
- Incorporate insider threat awareness into periodic security training for all employees.
- Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior.
- Anticipate and manage negative issues in the work environment.
- Know your assets.
- Implement strict password and account management policies and practices.
- Enforce separation of duties and least privilege.
- Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities.
- Institute stringent access controls and monitoring policies on privileged users.
- Institutionalize system change controls.
- Use a log correlation engine or security information and event management (SIEM) system to log, monitor, and audit employee actions.
- Monitor and control remote access from a ll end points, including mobile devices.
- Develop a comprehensive employee termination procedure.
- Implement secure backup and recovery processes.
- Develop a formalized insider threat program.
- Establish a baseline of normal network device behavior.
- Be especially vigilant regarding social media.
- Close the doors to unauthorized data exfiltration.