Insider threats take several forms for federal government agencies. In a classic scenario, highly privileged contractors install spyware that exfiltrates sensitive data to them long after their project is complete. In another, a disgruntled, well-placed IT admin actively conducts sabotage on your systems, then resigns. Even people without privileged network access can pose insider threats, whether deliberately (collecting secrets for future leverage) or inadvertently (falling for a spear phishing email).
However insider threats may originate, they affect endpoint security because they defeat the trusted relationship between the endpoint (computer, tablet, smartphone, IoT device) and the rest of the network. By examining the different types of insider threats outlined below, you can spot common characteristics and harden your own network against them.
1. Employee internet usage
As more of your employees work remotely and from a home office, does the insider threat increase or decrease?
The conventional wisdom is that being inside the government agency firewall translates into greater security. That’s true, of course, until a threat gets into your network; then, your security is compromised. It’s a fact of digital life that granting your employees internet access runs the risk of bringing outsiders onto your network, where they can do whatever they want. At the same time, the security model of building the wall as high as possible to keep everybody out just doesn’t make sense.
When you go through the crucible of enabling secure, remote access for your employees, the required technologies (e.g., authentication, single sign-on) can make your organization a harder target. Multi-factor authentication (MFA) is a good first step, but don’t rely on it blindly; after all, some authentication products depend on text messages, which can be hijacked or phished.
Think of guarding against insider threats using a “lasagna” of security: If any single layer is compromised, another layer is waiting right behind it. That’s why more-sophisticated products reinforce your authentication with techniques for examining location, device and user behavior at login. They build a digital fingerprint around the who, what, when, where and how of your users’ logins. Whenever there are anomalies, like an unexpected attempt from a distant time zone and country, they assign a risk score.
The things that you put in place for remote access ultimately make your network more secure, even on the inside.
In every federal agency, endpoints outnumber servers and services by a ratio of hundreds or thousands to one. That’s why the greater danger from insider threats lies with misconfigured endpoints than with misconfigured web applications and SharePoint folders.
Mainly, this is a problem of over-provision. With so much on their plate, IT runs the continual risk of granting more or higher access than a given class of users need to do their job. Maybe it’s just one share or one small privilege. But when it’s attached to thousands of user accounts and accessible from thousands of endpoints, it becomes a vulnerability, a door that any bad actor can open.
On the other hand, you can present your home workers and remote workers with only the services they need through Office 365 or Azure, rather than with VPN access. Microsoft has simplified provisioning with templates you can use over and over so that users see only a web interface or only a SharePoint interface. Keeping users off of your internal servers exposes you to far less risk of misconfiguration than when you open up ports and have to configure your firewall perfectly.
3. Inadvertent insider threats/user behavior
Besides everything you deploy to limit your vulnerability to insider threats, keep in mind everything you don’t deploy to limit it.
IT has to perform a delicate balancing act when it comes to granting rights. The more you lower the bar, the easier it becomes to penetrate your network defenses. But if you raise it too high and don’t grant users enough access, they’ll find alternate routes for sharing files and getting their work done. It’s a kind of inadvertent insider threat driven by user behavior.
This is frequently a problem when it comes to shares. You may scan for open shares on the network and stumble onto a spreadsheet that lists employee salaries, sitting alone in a folder. That means someone said, “I need to share this with Louise, but she works from home and can’t access this folder, so I’ll just create a share off my system.”
Or, suppose your co-workers want to share a file with an outside partner. If you haven’t set up a secure SharePoint for that purpose, they may decide to use Dropbox, and suddenly your secrets are on the internet.
If you make it too hard for people to get their work done, they will find another (usually less secure) way to accomplish the same thing. Then, when you apply for cybersecurity insurance, and the carrier finds your files on Dropbox or GitHub, it’s embarrassing.
The only way to really get ahead of shadow IT is to make sure there’s no reason for your users to take that route. It’s a hard balance to strike, especially when you have to take security into account.
4. Unpatched endpoints/software
With access, connectivity and sharing sorted out, you can turn to ensuring that all of your endpoints are patched and secure. A big part of that is knowing what’s running on them. When a zero-day threat strikes, the first thing you need to know is whether it will affect you. For example, when the flaw was found in the Apache Log4j logging library, how quickly could you determine whether and where your network was affected internally? Were any of your servers running Log4j? Answering those questions becomes more difficult when a big chunk of your users are remote or working from home.
That’s when a unified endpoint management tool can save you. It holds the inventory of all the endpoints (computers, tablets, smartphones) connected to your network. You can see immediately where they are, what software is running on them and how old it is. If you determine that the threat is localized to a specific region, you can tell your network operations team and let them decide whether to quarantine it. They may want to prevent access to internal systems from people in that region.
If you don’t think that inventory and patch management are high priorities, just think about Equifax. If they had simply taken inventory and compared it regularly against released patches, they would have spotted their out-of-date software. They could have patched Apache Struts and saved themselves $1.7 billion overall — not to mention that they’d have kept the records of 148 million people secure.
5. Outdated software
In the same vein as unpatched software there is outdated software. You’re asking for trouble if your organization (and your security) depends on software that is no longer being updated.
Operating systems are the most notorious targets, of course, because there aren’t very many, so they’re appealing targets for bad actors. For instance, if you’re still running Windows Server 2008 somewhere on your network, you’re vulnerable. Your only hope is to harden your firewall, but you should do that anyway.
Keeping outdated applications around is a bad idea, too. What’s the use of protecting your operating systems if your enterprise resource planning (ERP) system, with all of your financial data, is 15 years old and vulnerable? You shouldn’t own an application if you can’t invest time in maintaining it. You have to factor maintenance into the overall cost.
Unless you can keep an eye on everything that everybody in your government agency is doing and control it, you’ll probably find that you’re guilty of this at some point.
6. Unmonitored software installation
There are two types of behavior monitoring in the modern stance of security. First, your identity and single sign-on (SSO) providers monitor login patterns; second, endpoint detection and response (EDR) systems watch for attempts to install malicious or unauthorized software. Microsoft, for example, offers Defender, and CrowdStrike is another vendor.
You can think about this in the context of ransomware, which is made to start encrypting all of the files on the computer. The EDR software is monitoring everything in the system when suddenly it notices a process it has never seen before. Next, the encryption APIs are activated, suggesting a ransomware attack. EDR uses complex heuristics and indicators of compromise (IoCs), but fundamentally it’s watching the behavior of the system, network, processes and APIs. Each time a new attack emerges, its models are retrained to the behavior of that particular endpoint.
If the EDR system sees that you’re editing a document on your computer, then you switch to encrypting files, then you start sideloading another DLL, it knows there’s a problem. Or if you work in Accounting and have a history of accessing only certain systems, EDR considers it an anomaly if you try to access systems unrelated to your job.
EDR helps with the hard work of responding to abnormal behavior. If you think a system may be under attack, you can quickly firewall it from everything except Defender console and Office tools. That cuts it off from internet access but leaves it able to communicate so you can deal with it. In time, you can start automating EDR to quarantine systems with anomalous behavior even in the middle of the night.
Scripting is another useful tool for handling insider threats and endpoint security. You can write scripts to look for and eliminate specific IoCs on your network in a kind of threat hunting.
7. Disabled firewall on servers
The single greatest thing you can do to protect your on-premises footprint is to activate the firewall — even Windows Firewall — on your servers and open only the ports you need. Many people in IT ignore this step and run servers with the firewall disabled.
For example, the first thing most techs do when building a server is to turn off the firewall. But you should adopt the model of documenting every server you deploy in a production state, including documenting the service ports that are required for your operations. Then you should activate the firewall and exclude those ports. Try to make each server its own island wherever possible.
If you run Internet Information Services (IIS), expose it through proxies only, such as Microsoft Azure AD Proxy. Proxy servers offer two advantages. First, they bypass your firewalls, which your VPN users will appreciate. Second, they also put MFA in front of your web apps — even apps that didn’t have MFA before. Then, turning on the firewall is a way of specifying that only the proxies can access the web server.
It’s old advice warmed over. But as you think about the cloud, realize that you’ll be spinning up servers in Azure and AWS. Firewalls and proxies have never been more relevant.
8. Outdated password thinking and policies
Passwords are like email: Almost all organizations agree that they’re a headache, but nobody’s ready to get rid of them just yet.
Say you impose a rotation policy so that your users will change their password regularly. Since most users pick their own passwords, many of them will take one of two routes. One route is to pick a memorable root-password, preface it with a capital letter and append the numeral 1 (e.g., “Password1”). When it’s time for them to rotate, they increment the numeral (“Password2”). Another common route — since the rotation prompt usually comes every 90 days or so — is to enter a password comprising the season, the year and an exclamation point (“Winter2023!”).
Unfortunately, the people who use widely available hacking tools know this. So, when they want to brute-force guess a hash, they load their dictionary attack, but they don’t even need to go through the full dictionary. They modify their tools to automatically capitalize, lower-case and append numbers. Perversely, then, when you impose a rotation policy, you’re actually making it easier for bad actors to crack your users’ passwords and launch insider threats.
In fact, even Microsoft has said that there is no reason to change a perfectly good password. The friction of changing it exposes the network to more risk than leaving a robust one in place. That’s why different ideas about passwords are evolving and taking hold in the enterprise:
- Non-expiring passwords — Forever-passwords are appealing because users don’t need to keep remembering new ones. That means fewer password resets and rotation headaches. The password need only be of a certain length — say, 14 characters — and it need not contain upper case, special characters or numerals.
- Passphrases — These are longer than ordinary passwords and generally easier to remember. A password like “I live at your address” or “banana gracious slipper” is more effective from the user’s perspective.
- Password validation — IT realizes that the way to keep password protection robust and viable is to think in the lasagna-context described above. So IT puts in place real-time password validation — in Azure, for example — that takes each password suggested by users and reviews it against an entire dark-web list. The validation routine looks at all the possible pieces a hacker could use to try to brute-force guess the suggested password. If any component of it is part of the dark web list, the routine greatly reduces the score — say, to Weak or Very Weak — and prompts the user to try again. This technique rejects easily brute-forced passwords before they can even be used.
- Password vaults — A product like Bitwarden or LastPass gives your users a place to store things that is more secure than notes taped to a monitor or stuffed into a drawer. It’s also more secure than tracking passwords in a spreadsheet (which a network security audit will likely find).
The lesson is that the hackers of the world are committed to evolving daily so that they can beat you. If your thinking, policies and endpoint practices remain static, you will lose. Attackers are not sleeping; they are constantly adapting. You must continually rethink the way you approach security, even down to the level of passwords.
9. Password spray attacks
While outdated password thinking and policies are insider threats, they are related to the significant outside threat from password spray attacks. A threat actor submits a full list of passwords in an attempt to get at least one accepted by the system. Tools like Hydra make it possible to automate the process of guessing passwords by sending them in huge numbers.
The most insidious part of the story is that the attackers have harvested the passwords from lists compiled during breaches of other sites and companies. They analyze the lists for the most common passwords and pare them down to, say, the one hundred passwords that have been used repeatedly by thousands of users. Then, with a list of your organization’s usernames, they try the same password once for each user on your network. The odds are that at least one of your users has used one of those top-100 passwords. And when the attackers use it on the right account, they can log in.
Most systems are not set up to monitor that kind of behavior and would never flag it. That’s when the lasagna-approach is valuable, because one of the fallback layers is your authentication engine. If it can detect that the failed login attempts keep coming from the same source, then it can block the IP address.