The recent catastrophic Twitter hack shook the cyber security world and industry. Tweets sent from the compromised high-profile accounts asked for donations in cryptocurrency. It was a "co-ordinated" attack targeting Twitter employees with access to internal systems and tools. The incident once again raises the point that an insider is someone with detailed knowledge of an organisation's security practices, and that even the best security teams struggle to detect an insider threat.
An insider always has legitimate access to the security controls, information and assets of the organisation they work for, which makes it very difficult to tell normal activity from malicious activity. The Twitter hack reminds us that the breach was not the result of a sophisticated attack exploiting a fault or vulnerability in technology. Many questions remain about the hack, in which the biggest accounts on the social network, including those of Joe Biden, Elon Musk and Barack Obama, were taken over.
In an official statement, Twitter confirmed that employees were tricked or coerced into handing over privileged access to the company's innermost systems, and from there the attackers could run riot.
We can say that the more effective the controls within an organisation, the higher the chance of detecting a threat. Internal tools of this kind are mainly used to protect, manage and control accounts, so they need to be protected accordingly: access restricted to the people who need it, and every use logged.
The "insider threat" model is the reason information security experts routinely advise companies to limit access within the network (the principle of least privilege), so that even if an attacker breaks through the perimeter, the damage they can do is limited.
Vishal Bhatia, Head of Infosec Banking, FIS Global, says: "Cyber experts should guide organizations by connecting the dots in the entire security solution at a granular level rather than highlighting risk at compartment level and sugar-coating it".
He further outlined some controls that need re-evaluation and reconsideration:
- Review and re-examine BYOD, remote-working controls and after-office-hours changes at regular intervals.
- In many cases administrative tools are required for testing and support. These tools need to be locked down in a specific non-production environment, with high security clearance for individuals and access from hardened company devices only.
- While using Slack or any communication tool, most teamwork and communication happens in channels. A channel is a single place for a team to share messages, tools and files. Avoid saving any credentials in channels.
- Individuals who have access should be taught not to be ostentatious about having such access, as by doing so they become more vulnerable.
- Initiate company-wide security awareness training and phishing security tests within the company." Also, that service should be end-to-end encrypted.
Various research reports also find that a data breach caused by insiders is significantly more costly than one caused by external threat actors. The Ponemon Institute's 2019 Cost of a Data Breach report put the average cost per record at $166 for a malicious or criminal attack, versus $132 for system glitches and $133 for human error. Note that these figures separate malicious from accidental causes; they do not by themselves compare insiders with outsiders.
The various means of detecting insider threats
There are two kinds of warning signs for understanding and detecting insider threats: behavioural warning signs and digital warning signs.
Behavioural signs include an employee who suddenly takes excessive interest in tasks that require privileged access, which could indicate foul play; accessing sensitive data not associated with their job; and making multiple requests for access to tools or resources not needed for their job. Other indicators include using unauthorised external storage devices such as USB drives and logging in outside of usual hours.
Digital signs include violations of corporate policy, such as failing to apply software patches and attempting to bypass access controls. An employee who frequents the office premises at odd hours, or who turns off encryption on sensitive data, is also behaving suspiciously.
In such circumstances it is important to deploy solutions that track employee actions and correlate activity across multiple sources. Visibility across functions matters more than any single control, because each indicator on its own is easy to explain away; it is the combination of signals from different sources that stands out. Organisations that are aware of insider threats have already invested in multiple security controls, followed email security best-practice guides, and raised awareness through security training.
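As an added example (not from the article, and not code from either of the quoted experts), the following Python script shows how the warning signs above, namely off-hours logins, access to sensitive data outside one's role, repeated access requests for out-of-role tools, and removable-media use, can be collected from several log sources and correlated so that a user is flagged only when more than one source agrees. The log events, user-to-role mapping, working hours and thresholds are all constructed assumptions for illustration; a real deployment would read these from a SIEM and an identity system.

```python
"""Correlate insider-threat warning signs across several log sources.

Added example, not from the article. Events, roles, working hours and
thresholds below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample events from four sources: login audit, data-access
# audit, access-request tickets and endpoint/USB telemetry.
# Format: (source, ISO timestamp, user, detail).
EVENTS = [
    ("auth",    "2020-07-14T09:12:00", "alice", "login ok"),
    ("auth",    "2020-07-15T02:41:00", "bob",   "login ok"),
    ("auth",    "2020-07-15T02:55:00", "bob",   "login ok"),
    ("access",  "2020-07-15T03:05:00", "bob",   "account_admin_tool"),
    ("access",  "2020-07-15T03:09:00", "bob",   "customer_records"),
    ("request", "2020-07-13T10:00:00", "bob",   "account_admin_tool"),
    ("request", "2020-07-14T16:30:00", "bob",   "account_admin_tool"),
    ("usb",     "2020-07-15T03:20:00", "bob",   "mass storage mounted"),
    ("access",  "2020-07-14T11:00:00", "alice", "support_ticket_queue"),
    ("usb",     "2020-07-14T12:00:00", "carol", "mass storage mounted"),
]

# Constructed role model: the resources each user's job actually needs.
ROLE_RESOURCES = {
    "alice": {"support_ticket_queue"},
    "bob":   {"support_ticket_queue"},
    "carol": {"support_ticket_queue", "customer_records"},
}
SENSITIVE = {"account_admin_tool", "customer_records"}
WORK_START, WORK_END = time(8, 0), time(19, 0)   # assumed usual hours
REQUEST_THRESHOLD = 2   # repeated requests for out-of-role tools


def off_hours(ts: datetime) -> bool:
    """Login outside usual hours: weekend, or outside 08:00-19:00."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.time() <= WORK_END)


def collect_signals(events):
    """Return {user: [(signal, source, detail), ...]} for every warning sign."""
    signals = defaultdict(list)
    request_counts = defaultdict(int)
    for source, stamp, user, detail in events:
        ts = datetime.fromisoformat(stamp)
        allowed = ROLE_RESOURCES.get(user, set())
        if source == "auth" and off_hours(ts):
            signals[user].append(("off_hours_login", source, stamp))
        elif source == "access" and detail in SENSITIVE and detail not in allowed:
            signals[user].append(("out_of_role_sensitive_access", source, detail))
        elif source == "request" and detail not in allowed:
            request_counts[user] += 1
            if request_counts[user] == REQUEST_THRESHOLD:
                signals[user].append(("repeated_access_requests", source, detail))
        elif source == "usb":
            signals[user].append(("removable_media", source, detail))
    return dict(signals)


def flag_users(events, min_sources=2):
    """Correlate: flag a user only when signals come from at least
    min_sources distinct log sources, so one odd event alone does not
    raise an alert. Returns {user: sorted list of distinct signal names}."""
    flagged = {}
    for user, sigs in collect_signals(events).items():
        sources = {src for _, src, _ in sigs}
        if len(sources) >= min_sources:
            flagged[user] = sorted({name for name, _, _ in sigs})
    return flagged


if __name__ == "__main__":
    for user, names in flag_users(EVENTS).items():
        print(f"{user}: {', '.join(names)}")
```

With the constructed data, only "bob" is flagged: his off-hours logins, out-of-role access to sensitive resources, repeated access requests and USB activity come from four different sources. "carol" mounts a USB drive but produces no other signal, so she is not flagged; the correlation threshold is what keeps a single unusual event from becoming an alert.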
Subhajit Deb, CISO, Dr Reddys Lab says “The alleged involvement of an insider in the Twitter hack only underscores the pervasiveness of Insider Threat for all organisations; unless there are policies and systems to defend the defenders, such situations are likely to happen with any organization”.
(Image Courtesy: www.infinigate.co.uk)