Insider Threats

From Computing and Software Wiki

(Difference between revisions)

Jump to: navigation, search

Revision as of 01:44, 25 March 2008

Definition

Overview of Insider Threats

Etc

Sources of Insider Threats

Employees

Employees of an organization are amongst the greatest risk in terms of access to and potential harm with an organization’s sensitive material. Organizations typically assume that they can trust their employees. They believe that their employees are primarily interested in the productivity and successfulness of the organization. Therefore they are not considered to be of any possible danger and are considered last when a leak of sensitive material has occurred.

Contractors

Info

Former Employees

Former employees who pose a threat to their former organization are typically disgruntled employees. They believe that the organization has “done them wrong” and feel that revenge is justified. They are able to gain access to sensitive material either:

Directly: Through a back door. If an employee fears termination, he or she may prepare a backdoor access or alternative usernames and passwords in order to gain entry. They may also begin collecting proprietary data for later use.
Indirectly: Through former associates. A former associate may create a back door access for the former employee or may provide him or her with proprietary information.

Preventions

Background Checks

Several organizations do not perform adequate background verification on their new employees. Screening new employees properly, such as reference checks or inspecting criminal records, can reduce the probability of an organization hiring individuals that may be an insider threat. Background checks should be performed for all individuals who are given access to an organization's sensitive materials even if they are not directly employed by the organizations (e.g.: Contractors).

Monitoring Employee Behaviour

U.S. Secret Service studies have shown that most insider attacks were done by individuals who had disciplinary problems. www.google.com GOOGLE Procedures can be created and enforced for both the human resources and IT departments to monitor employee behaviours. Some examples include but are not limited to:

Through the use of access and account policies, an organization can associate online actions with the employee that performed them. Online actions should be logged and periodically monitored for suspicious behaviour. The logs can also be audited by the organization to discover and then further investigated for possible insider attacks. [news@sei]

Monitoring suspicious or disruptive behaviour by employees within the work place. An organization can institute policies that require their employees to report any suspicious behaviour which should be followed up by the human resource department. [news@sei]

Restrictions on Remote Access

Enforcing the Principle of Least Privlege

Monitoring Electronic Outbound with Software

References

Background checks
Monitoring employee behaviour
Restrict accounts
Restrict the scope of remote access
Enforce the principle of least privlege

[[1]]

@@ Line 21: / Line 21: @@
 ===Monitoring Employee Behaviour===
-U.S. Secret Service studies have shown that most insider attacks were done by individuals who had disciplinary problems. [www.google.com GOOGLE] Procedures can be created and enforced for both the human resources and IT departments to monitor employee behaviours including but not limited to:
+U.S. Secret Service studies have shown that most insider attacks were done by individuals who had disciplinary problems. [[www.google.com GOOGLE]] Procedures can be created and enforced for both the human resources and IT departments to monitor employee behaviours. Some examples include but are not limited to:
-* Through the use of access and account policies, an organization can associate online actions with the employee that performed them. Online actions should be logged and periodically monitored for suspcious behavour. The logs can also be audited by the organization to discover and then further investigated for possible insider attacks. [http://www.sei.cmu.edu/news-at-sei/columns/security_matters/2007/02/security-matters-2007-02.htm news@sei]
+* Through the use of access and account policies, an organization can associate online actions with the employee that performed them. Online actions should be logged and periodically monitored for suspicious behaviour. The logs can also be audited by the organization to discover and then further investigated for possible insider attacks. [[http://www.sei.cmu.edu/news-at-sei/columns/security_matters/2007/02/security-matters-2007-02.htm news@sei]]
-*
+* Monitoring suspicious or disruptive behaviour by employees within the work place. An organization can institute policies that require their employees to report any suspicious behaviour which should be followed up by the human resource department. [[http://www.sei.cmu.edu/news-at-sei/columns/security_matters/2007/02/security-matters-2007-02.htm news@sei]]
-In addition to monitoring online actions, organizations should closely monitor other suspicious or disruptive behavior by employees in the workplace. Policies and procedures should be in place for employees to report such behavior when they observe it in coworkers, with required follow-up by management.
 ===Restrictions on Remote Access===