What does negligent mean

Insider threats come from users who have authorized and legitimate access to a company's assets and abuse it, either deliberately or accidentally.


Insider attacks are costly for organizations, too. In the Ponemon Institute's 2020 Cost of Insider Threats study, researchers found that the average annual cost of insider incidents was USD 11.45 million, with 63% of the incidents attributed to negligence.


Whether accidentally or deliberately, insiders can expose—or help expose—confidential customer information, intellectual property and money.

Types of insider threats

Current employees, former employees, contractors, business partners and business associates are all insiders who could pose a threat. However, any person with the right level of access to a company's computer systems and data can harm an organization, including suppliers or vendors.

Insiders vary in motivation, awareness, access level and intent. Ponemon Institute classifies insiders as negligent, criminal or credential thieves, and Gartner groups insider threats into four categories: pawns, goofs, collaborators and lone wolves. Note: Ponemon Institute and Gartner generate and provide independent research, advisory and educational reports to enterprise and government organizations.

The Pawn

Pawns are employees who are unknowingly manipulated into performing malicious activities. Whether downloading malware or disclosing credentials to fraudsters through spear phishing or social engineering, pawns harm an organization.

The Goof

Goofs are ignorant or arrogant users who believe they are exempt from security policies. Out of convenience or incompetence, they actively try to bypass security controls. Against security policy, goofs leave vulnerable data and resources unsecured, giving attackers easy access. "90% of insider incidents are caused by goofs," according to Gartner's report, "Go-to-Market for Advanced Insider Threat Detection."

The Collaborator

Collaborators cooperate with outsiders, such as a company's competitors or nation-states, to commit a crime. They use their access to steal intellectual property and customer information, or to disrupt business operations, often for financial or personal gain.

The Lone Wolf

Lone wolves act independently and maliciously, without external influence or manipulation, and likewise often for financial gain. Lone wolves are especially dangerous when they hold elevated privileges, such as system administrators or database administrators.

How fraudsters use vulnerable insiders

If a fraudster's target lies inside a protected system, they focus on obtaining an employee's access privileges. Fraudsters prey on pawns and goofs for their cybercrimes. They use many tactics and techniques to get credentials: phishing emails, watering holes and weaponized malware, to name a few. With those credentials, fraudsters can move laterally within a system, escalate their privileges, make changes and access sensitive data or money. Once inside, they typically stage data from unsecured locations and exfiltrate it over outbound connections to a command-and-control (C2) server; a spike in outbound connection attempts or an unusually large outbound transfer volume is often the first visible sign.

How fraudsters attack:

1. Seek a vulnerability
2. Deploy a phishing email or malware
3. Identify a rogue user
4. Obtain compromised credentials
5. Exploit access
6. Move laterally to the desired target
7. Escalate privilege as needed
8. Access assets
9. Abuse access
10. Obfuscate network activity
11. Alter data
12. Exfiltrate data

How to mitigate insider threats

There are different technical and non-technical controls that organizations can adopt to improve detection and prevention for each insider threat type.

Each type of insider threat presents different symptoms for security teams to diagnose. But by understanding the motivations of attackers, security teams can approach insider threat defense proactively. To mitigate insider threats, successful organizations use comprehensive approaches. They might use security software that:

Maps accessible data
Defines policies around devices and data storage
Monitors potential threats and risky behavior
Takes action when needed

In a 2019 SANS report on advanced threats, security practitioners identified significant gaps in insider threat defense. The report found that the gaps are driven by a lack of visibility in two areas: a baseline of normal user behavior and management of privileged user accounts. These gaps make attractive targets for phishing and credential compromise.


Know your users

Who has access to sensitive data?
Who should have access?
What are end users doing with data?
What are administrators doing with data?

Know your data

What data is sensitive?
Is sensitive information being exposed?
What risk is associated with sensitive data?
Can admins control privileged user access to sensitive data?

Detection and remediation

After establishing a threat model, organizations focus on detecting and remediating insider threats and security breaches.

Security teams must distinguish between a user's regular activity and potentially malicious activity to detect insider threats. To differentiate between the two, organizations must first close visibility gaps. They should then aggregate security data into a centralized monitoring solution, whether part of a security information and event management (SIEM) platform or a standalone user and entity behavior analytics (UEBA) solution. Many teams begin with access, authentication and account change logs. Then, they broaden the scope to additional data sources, such as virtual private network (VPN) and endpoint logs, as insider threat use cases mature.

Organizations should adopt a privileged access management (PAM) solution and feed data about access to privileged accounts from that solution into their SIEM. Once organizations centralize the information, they can model user behavior and assign risk scores. Risk scores are tied to specific risky events, such as a change in user geography or a download to removable media. Assigning risk scores also gives security operations center (SOC) teams the ability to monitor risk across the enterprise, whether by creating watch lists or by highlighting the top risky users in their organization.

With enough historical data, security models can establish a baseline of normal behavior for each user. This baseline indicates the normal operating state of a user or machine so that the system can flag deviations. Deviations should be tracked for individual users and compared to other users in the same location, with the same job title or the same job function.

By adopting a user-focused view, security teams can quickly spot insider threat activity and manage user risk from a centralized location. For example, user behavior analytics can detect abnormal login attempts at an unusual time of day or from an unusual location, or multiple failed password attempts, and generate an alert for an analyst to validate. Such behavioral anomalies help identify when a user has become a malicious insider or when an external attacker has compromised their credentials.

Once validated, a security orchestration, automation and response (SOAR) system can create an insider threat remediation workflow, and the playbook can specify what remediation is needed. Potential remediation could include challenging the insider with multifactor authentication (MFA) or revoking access, either of which can be done automatically in the identity and access management (IAM) solution.
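Putting the preceding paragraphs together, the following is an added example (not code from the original article or from any vendor's product) of a minimal UEBA-style scorer in Python. It learns a per-user baseline of login hours and countries, and a per-job-title peer median of daily download volume, from a history window of constructed audit events; scores a new day's events against that baseline using the kinds of indicators the text names (geography change, removable media, failed-login bursts, off-hours logins, volume far above peers); ranks users into a watch list; and maps each score to the playbook action (MFA challenge or access revocation) a SOAR workflow would request from IAM. The event layout, indicator weights and thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed audit events (not real logs). Field order:
# (user, job_title, ISO timestamp, event, country, bytes_transferred)
HISTORY = [  # normal activity used to learn each user's baseline
    ("alice", "analyst", "2024-03-01T09:12:00", "login_success", "US", 0),
    ("alice", "analyst", "2024-03-01T14:30:00", "download", "US", 40_000_000),
    ("alice", "analyst", "2024-03-02T08:55:00", "login_success", "US", 0),
    ("alice", "analyst", "2024-03-02T16:05:00", "download", "US", 55_000_000),
    ("carol", "analyst", "2024-03-01T09:40:00", "login_success", "US", 0),
    ("carol", "analyst", "2024-03-01T11:00:00", "download", "US", 48_000_000),
    ("bob", "dba", "2024-03-01T07:50:00", "login_success", "US", 0),
    ("bob", "dba", "2024-03-01T10:00:00", "download", "US", 400_000_000),
]
TODAY = [  # the day being scored: alice's credentials are used from a new country
    ("alice", "analyst", "2024-03-03T03:02:00", "login_failed", "RO", 0),
    ("alice", "analyst", "2024-03-03T03:02:30", "login_failed", "RO", 0),
    ("alice", "analyst", "2024-03-03T03:03:00", "login_failed", "RO", 0),
    ("alice", "analyst", "2024-03-03T03:04:40", "login_success", "RO", 0),
    ("alice", "analyst", "2024-03-03T03:20:00", "download", "RO", 2_000_000_000),
    ("alice", "analyst", "2024-03-03T03:25:00", "usb_write", "RO", 2_000_000_000),
    ("bob", "dba", "2024-03-03T07:55:00", "login_success", "US", 0),
    ("bob", "dba", "2024-03-03T10:10:00", "download", "US", 410_000_000),
    ("carol", "analyst", "2024-03-03T09:00:00", "login_success", "US", 0),
    ("carol", "analyst", "2024-03-03T14:00:00", "download", "US", 50_000_000),
]
# Points per indicator; the weights are assumptions chosen for this example.
WEIGHTS = {"off_hours_login": 2, "new_country": 5, "failed_login_burst": 3,
           "removable_media": 4, "volume_vs_peers": 4}


def build_baseline(events):
    """Learn each user's usual login hours and countries, plus the median daily
    download volume of each job title (the peer group) from the history window."""
    hours, countries = defaultdict(set), defaultdict(set)
    daily, title_of = defaultdict(int), {}
    for user, title, ts, event, country, nbytes in events:
        t = datetime.fromisoformat(ts)
        title_of[user] = title
        if event == "login_success":
            hours[user].add(t.hour)
            countries[user].add(country)
        elif event == "download":
            daily[(user, t.date())] += nbytes
    per_title = defaultdict(list)
    for (user, _day), total in daily.items():
        per_title[title_of[user]].append(total)
    return {"hours": hours, "countries": countries, "title_of": title_of,
            "peer_median": {t: median(v) for t, v in per_title.items()}}


def score_day(events, baseline):
    """Score one day's events per user. Returns {user: (score, [indicators])}."""
    scores, reasons = defaultdict(int), defaultdict(list)
    fails, downloaded = defaultdict(list), defaultdict(int)

    def hit(user, indicator):  # each indicator counts once per user per day
        if indicator not in reasons[user]:
            scores[user] += WEIGHTS[indicator]
            reasons[user].append(indicator)

    for user, _title, ts, event, country, nbytes in events:
        t = datetime.fromisoformat(ts)
        scores[user] += 0  # make sure quiet users appear with a zero score
        if event == "login_failed":
            fails[user].append(t)  # 3 or more failures inside 10 minutes is a burst
            if sum(1 for f in fails[user] if t - f <= timedelta(minutes=10)) >= 3:
                hit(user, "failed_login_burst")
        elif event == "login_success":
            usual = baseline["hours"][user]  # off-hours: >2 h outside the learned span
            if usual and not (min(usual) - 2 <= t.hour <= max(usual) + 2):
                hit(user, "off_hours_login")
            known = baseline["countries"][user]
            if known and country not in known:
                hit(user, "new_country")
        elif event == "download":
            downloaded[user] += nbytes
        elif event == "usb_write":
            hit(user, "removable_media")
    for user, total in downloaded.items():  # compare with peers of the same job title
        peer = baseline["peer_median"].get(baseline["title_of"].get(user))
        if peer and total > 3 * peer:
            hit(user, "volume_vs_peers")
    return {u: (scores[u], reasons[u]) for u in scores}


def playbook_action(score):
    """Remediation a SOAR playbook would request from IAM; thresholds are assumed."""
    return "revoke_access" if score >= 10 else "challenge_mfa" if score >= 5 else "monitor"


def watch_list(history=HISTORY, today=TODAY):
    """Users ranked by risk score with the playbook action each would receive."""
    scored = score_day(today, build_baseline(history))
    ranked = sorted(scored.items(), key=lambda kv: kv[1][0], reverse=True)
    return [(user, score, why, playbook_action(score)) for user, (score, why) in ranked]
```

Running `watch_list()` on the constructed data ranks alice first with every indicator tripped (score 18, action revoke_access), while bob and carol score zero and stay at monitor. Note that the peer comparison is what separates bob's routine 410 MB from alice's 2 GB: a single global volume threshold would either miss alice or flag every DBA daily, which is why the text recommends comparing against users with the same job title.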

Security threats have increased and become more complex as work-from-home and remote-work practices have expanded. As a result, remote work has fundamentally shifted security priorities and changed security measures. This shift has introduced new challenges for security teams:

Increased phishing attacks
Lack of visibility of endpoints and servers not connected to the VPN
Changes in employee behavior due to irregular work hours, different locations and changes in web browsing behavior
Increased SaaS application use and lack of visibility into it

Chief information security officers (CISOs) must cope with the rapid shift in IT security as it moves outside the corporate network. A CISO's team must better understand their remote employees' distinct behaviors and the implications of remote work for insider threat detection in order to effectively secure a company's assets. To address remote workforce challenges, CISOs must be able to answer the following questions:

How can we verify that the person logging into the corporate virtual private network (VPN) is the employee, not an attacker using stolen credentials?
How can we verify that an employee's anomalous behavior isn't a result of working remotely?
How can we help secure employees connecting from open and unsecured internet locations, such as coffee shops?

By understanding remote workers' behaviors, security teams can detect abnormal behavior that could signal credential compromise or malicious intent. They can often detect these behaviors at the VPN boundary before employees cause potential damage. At the perimeter, CISOs should determine whether their current insider threat capabilities enable them to:

Get the appropriate visibility into access, authentication and VPN logs.
Determine whether employee credentials are being used in two places simultaneously or from an unusual geographic location.
Identify whether the employee uses credentials outside of regular working hours for the city of the employee's primary location, or whether the connection duration is longer than usual.
Terminate the connection, block the device and revoke credentials through IAM.

Suppose an attacker manages to evade detection at the perimeter and is inside the organization's network. In that case, security teams should validate the threat by looking for indicators of credential compromise or access abuse.

Security teams can derive insider threat indicators through many methods, often assisted by machine learning. These methods can help determine if the access is from a legitimate employee or a credential thief. Within the organization"s network, CISOs should evaluate whether their current insider threat capabilities enable them to:

Model each user's distinct normal activity patterns and frequency to detect deviation from the baseline. A deviation can indicate abuse, whether intentional or accidental.
Monitor data exfiltration attempts by the number of outbound communication attempts or connections on a given day. If an employee's number of outbound communications spikes, that user's credentials warrant closer monitoring.
Identify large, abnormal data volume transfers for a given employee. Monitoring the aggregate data transfer can offer a simplistic yet powerful early indication of compromise.
Inspect endpoint integrity for suspicious applications, which might indicate malware activity. By identifying new processes or application executions, you can contain the malware and reduce the organization's security risk.
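The perimeter checks listed earlier (credentials in two places at once, off-hours use, unusual connection duration) and the in-network checks just above (outbound connection spikes, abnormal transfer volume, new processes) map directly onto queries over the logs a team already collects. The following is an added example in Python, not code from the original article, run over constructed VPN session records, a constructed per-day outbound summary and constructed process inventories. It flags overlapping sessions for one user from two countries, sessions that start outside regular hours in the user's home time zone or run far longer than that user's median, days whose outbound connection count or byte volume exceeds a robust median-plus-MAD threshold, and processes on a host that were absent from its baseline. The record layouts, the fixed UTC-5 offset standing in for the primary location's time zone, the working-hour window and all thresholds are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

# Constructed VPN session records (not real logs): (user, start, end, country), times in UTC.
VPN_SESSIONS = [
    ("dave", "2024-03-04T13:05:00", "2024-03-04T21:10:00", "US"),
    ("dave", "2024-03-05T13:10:00", "2024-03-05T21:00:00", "US"),
    ("dave", "2024-03-06T13:00:00", "2024-03-06T21:05:00", "US"),
    ("dave", "2024-03-07T14:00:00", "2024-03-07T20:30:00", "US"),
    ("dave", "2024-03-07T15:20:00", "2024-03-07T18:40:00", "BR"),  # overlaps the US session
    ("dave", "2024-03-08T02:00:00", "2024-03-08T16:00:00", "US"),  # 21:00 local start, 14 h long
]
# Time zone of each user's primary office. A fixed UTC-5 offset stands in for
# America/New_York so the example needs no tz database (assumption; no DST handling).
HOME_TZ = {"dave": timezone(timedelta(hours=-5))}
WORK_HOURS = (7, 19)  # local start hours treated as regular working hours (assumption)

# Constructed daily outbound summary from proxy/firewall logs:
# user -> [(day, outbound_connections, outbound_bytes), ...]
OUTBOUND = {"dave": [("2024-03-04", 210, 80_000_000), ("2024-03-05", 195, 75_000_000),
                     ("2024-03-06", 230, 90_000_000), ("2024-03-07", 205, 82_000_000),
                     ("2024-03-08", 1400, 3_500_000_000)]}

# Constructed process inventories per host: baseline set vs. what ran today.
BASELINE_PROCS = {"dave-laptop": {"outlook.exe", "teams.exe", "chrome.exe"}}
TODAY_PROCS = {"dave-laptop": {"outlook.exe", "chrome.exe", "rclone.exe"}}


def _parse(ts):
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def _sessions_by_user(sessions):
    by_user = defaultdict(list)
    for user, start, end, country in sessions:
        by_user[user].append((_parse(start), _parse(end), country))
    return by_user


def concurrent_sessions(sessions):
    """Same user, overlapping time windows, different countries: the
    'credentials used in two places at once' indicator."""
    findings = []
    for user, s in _sessions_by_user(sessions).items():
        for i in range(len(s)):
            for j in range(i + 1, len(s)):
                (a0, a1, ac), (b0, b1, bc) = s[i], s[j]
                if a0 < b1 and b0 < a1 and ac != bc:
                    findings.append((user, ac, bc, max(a0, b0).isoformat()))
    return findings


def odd_hours_or_duration(sessions, factor=1.5):
    """Sessions that start outside WORK_HOURS in the user's home time zone, or
    last more than `factor` times that user's median session length."""
    findings = []
    for user, s in _sessions_by_user(sessions).items():
        med = median((e - b).total_seconds() for b, e, _ in s)
        tz = HOME_TZ.get(user, timezone.utc)
        for b, e, _ in s:
            if not WORK_HOURS[0] <= b.astimezone(tz).hour < WORK_HOURS[1]:
                findings.append((user, b.isoformat(), "off_hours_start"))
            if (e - b).total_seconds() > factor * med:
                findings.append((user, b.isoformat(), "long_session"))
    return findings


def outbound_spikes(outbound, k=5.0):
    """Days whose outbound connection count or byte volume exceeds
    median + k * MAD of the user's history. Median/MAD rather than mean/stddev
    so that one huge day does not inflate its own threshold."""
    findings = []
    for user, days in outbound.items():
        for idx, metric in ((1, "connections"), (2, "bytes")):
            values = [d[idx] for d in days]
            med = median(values)
            mad = median(abs(v - med) for v in values) or 1
            for d in days:
                if d[idx] > med + k * mad:
                    findings.append((user, d[0], metric, d[idx]))
    return findings


def new_processes(baseline, today):
    """Processes seen on a host today that were absent from its baseline."""
    return {host: sorted(seen - baseline.get(host, set()))
            for host, seen in today.items() if seen - baseline.get(host, set())}
```

On the constructed data the four checks converge on the same story: dave's credentials are active from Brazil while his US session is still open on March 7, a 14-hour session starts at 21:00 local time on March 8, that day's outbound connections and bytes are far above his median, and a file-sync tool appears on his laptop that was never in the baseline. Each finding alone is weak evidence; the point of centralizing VPN, proxy and endpoint data is to see them together and, per the earlier list, terminate the connection and revoke credentials through IAM before the transfer completes.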


By proactively adjusting their programs to compensate for the shift in employee behavior and to maximize existing tool investments, security teams can better secure an enterprise network.