Security training won't solve the negligent insider threat
Philip Lieberman, CEO, Lieberman Software
Google reported indications that its employees either intentionally or unintentionally helped make the attack possible. This detail hardly surprised many security experts, myself included, who have long written about the threats that enterprises face from inside the corporate firewall.
Our warnings haven't gone completely unnoticed — awareness about insider threats has grown in the recent past. But many companies' responses have the appearance of ineffective security theater.
One case in point: security training for rank-and-file employees. Some CIOs seem to expect that by educating users about the dangers of clicking risky links or downloading unvetted applications onto their machines, these users will stop their risky behavior.
The truth is, though, that while employee training can offer some ROI by eliminating a small percentage of IT incidents, it's hardly a cure-all.
Adding fuel to the fire
According to many security experts, the most prevalent IT security threat arises from negligent insiders. Malicious hackers prey upon enterprise users with the knowledge that no matter how many times your employee may hear about security policies and risks, eventually that user will click a questionable link on Facebook, respond to a phony email from the “IRS,” or be duped by a targeted spear phishing attack.
It is inevitable that costly mistakes will be made because there is a human working at each keyboard attached to those networked PCs. Humans are fallible. They have bad days. And sometimes they don't stop to think whether they're putting their employer's assets at risk.
In the case of an employee who has elevated access levels needed to carry out his job, an attacker who entices the worker into infecting one computer now also has privileged access into the network. The worker's account becomes the proxy for the hacker, who knows how to leverage this access for further attacks deeper and deeper into the network.
To mitigate the threat from negligent insiders, organizations can take a cue from the way that Southern California firefighters tackle our annual wildfire season. Firefighters understand that with dry terrain and unfavorable winds wildfires are bound to occur. That's why these professionals are relentless in their efforts to limit wildfires' damage, encouraging every resident to search out and remove combustibles around vulnerable buildings. Firefighters also plan ahead to develop the rapid response strategies needed to keep the fires contained once they break out.
Sadly, the security practices of many organizations are akin to a community of reckless Southern California homeowners that allow groves of eucalyptus trees to hang over the eaves of their abodes. Examples of the dangerous combustibles in your IT environment can include:
- Administrative users who are not required to periodically change their elevated, “super-user” credentials. This leads to privileged account passwords that may never expire becoming known to too many current and former workers.
- Computers and network appliances that share common username and password logins, exposing large portions of the infrastructure should a single account be compromised.
- The storing of administrative passwords on spreadsheets that are placed in well-known or unmonitored locations.
- Failure to adopt a “continuous auditing” approach to security, never enacting the processes to search out new vulnerabilities and mitigate them before they provide the opening for an attack.
Regardless of how much your organization spends on security, if any of these examples apply to your situation, you could be vulnerable to attacks made possible by negligent insiders.
All about reducing risks
Today, if your organization runs a network, you're a target for attack. We may never eliminate the threat but with a sound, layered security approach we can do much to reduce its potential impact. And when it comes to mitigating the risks of negligent insiders, organizations need to move beyond basic training and look for ways to limit the damage.
Your first step is to ensure that administrative passwords are regularly changed; that multiple computers, network appliances, or applications don't share identical credentials; and that no passwords are stored on spreadsheets that have unmonitored access. Next, enact processes to continuously scan the infrastructure for new vulnerabilities and take action before there is an attack.
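The two credential checks described above (stale super-user passwords, and identical credentials shared across computers or appliances, the first two "combustibles" in the earlier list) can be run against a privileged-account inventory as an automated audit. The script below is an added example written for this article, not Lieberman Software's product code. It assumes an inventory of one record per privileged account per host, a 90-day rotation policy, and that the inventory carries a SHA-256 fingerprint of each credential (as a vault would supply) rather than the credential itself; the sample inventory is constructed for illustration.

```python
"""Audit a privileged-account inventory for stale passwords and for
credentials shared across hosts.  Added example; the inventory format,
the 90-day threshold and the fingerprint scheme are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib

MAX_PASSWORD_AGE_DAYS = 90  # assumed rotation policy; tune to your own


@dataclass(frozen=True)
class PrivilegedAccount:
    host: str
    account: str
    last_rotated: date
    secret_fingerprint: str  # hash of the credential, never the credential


def fingerprint(secret: str) -> str:
    """Unsalted SHA-256 so identical secrets on different hosts collide.
    Used here only to build the constructed inventory; in practice the
    vault computes this and the plaintext never reaches the audit."""
    return hashlib.sha256(secret.encode()).hexdigest()


def stale_accounts(inventory, today, max_age_days=MAX_PASSWORD_AGE_DAYS):
    """Return (host, account, age_in_days) for every credential older
    than the policy allows, oldest first."""
    findings = []
    for acct in inventory:
        age = (today - acct.last_rotated).days
        if age > max_age_days:
            findings.append((acct.host, acct.account, age))
    return sorted(findings, key=lambda f: -f[2])


def shared_credentials(inventory):
    """Group accounts whose fingerprints match; any group with more than
    one member means one compromise exposes every host in the group."""
    by_fp = {}
    for acct in inventory:
        by_fp.setdefault(acct.secret_fingerprint, []).append(
            (acct.host, acct.account))
    return [sorted(users) for users in by_fp.values() if len(users) > 1]


def audit(inventory, today):
    """Combine both checks into one report."""
    return {
        "stale": stale_accounts(inventory, today),
        "shared": shared_credentials(inventory),
    }


def sample_inventory(today):
    """Constructed sample data: three hosts reuse one root password, two of
    them long overdue for rotation; one admin account is unique but old."""
    rows = [
        ("db01", "root", 198, "Winter2009!"),
        ("db02", "root", 198, "Winter2009!"),
        ("fw-edge", "admin", 30, "unique-fw-secret"),
        ("app01", "Administrator", 120, "another-unique-secret"),
        ("bastion", "ops", 5, "Winter2009!"),   # fresh but still shared
    ]
    return [
        PrivilegedAccount(host, account, today - timedelta(days=age),
                          fingerprint(secret))
        for host, account, age, secret in rows
    ]


TODAY = date(2010, 6, 1)  # fixed so the report is reproducible

if __name__ == "__main__":
    report = audit(sample_inventory(TODAY), TODAY)
    for host, account, age in report["stale"]:
        print(f"STALE   {host}/{account}: last rotated {age} days ago")
    for group in report["shared"]:
        print("SHARED  " + ", ".join(f"{h}/{a}" for h, a in group))
```

Running the script prints three stale findings and one shared-credential group of three accounts; note that the bastion account is flagged as shared even though it was rotated five days ago, because the two checks are independent and rotating to a password that is already in use elsewhere fixes nothing.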
Regardless of whether you accomplish these steps through manual processes or by deploying privileged identity management software, you'll be well on your way to building stronger security and limiting the potential damage of an attack.