There is a common perception that the main cyber security threats to a business come from hooded hackers halfway around the world.
However, there are many internal threats that come in the form of employees and/or contractors. These are also known as insider threats or insider risks.
Some of the threats are breaches and theft by insiders acting on their own.
There are also hybrid threats. These are threats in which the proverbial hooded hacker colludes with either an unsuspecting person or with a willing participant on the inside.
An example of unwilling collusion is when an employee pays a fraudulent invoice or unwittingly gives up their credentials due to successful phishing or other social engineering attacks.
An example of willing collusion is when a ransomware gang entices an insider to install and launch ransomware on a server in exchange for a percentage of the heist.
How can you protect your business from an ever-growing variety of internal threats? We have assembled a detailed list.
While this list may seem overwhelming, it reflects the fact that the convenience vs. protection balance of internal network security has moved toward the risk mitigation end of the spectrum.
1. Adopt a Zero Trust stance
Zero Trust is a security concept. It means taking a stance of not trusting anything internal or external by default. Anything or anyone trying to connect to company systems must first be verified.
The approach can be stated as, “untrusted until proven trustworthy.”
Zero Trust is not a one-and-done proposition. Users and permissions must be monitored on an ongoing basis.
2. Enforce internal software and firmware patching compliance
Continually updating all internal software and firmware with the latest updates from vendors is essential for patching vulnerabilities.
The CVE database is the most comprehensive source of information on current vulnerabilities. This Twitter user has compiled, and regularly updates, a chart of vulnerabilities that are used by ransomware gangs:
“Minor updates to the ‘Vulnerabilities Abused by Ransomware Actors’ chart https://t.co/zXRpbdjWHt” – pancak3 (@pancak3stack), September 27, 2021
Internal threats can go undetected for a long time. This is why it’s critical to make sure that all internal systems are always up-to-date.
Patch management software is important for automating as much of the software and firmware updating process as possible.
Check with your managed service provider about their patch management software solution.
3. Be aware of all software being used within your organization
If your IT team doesn’t know about all of the installed software and firmware on employees’ machines, they won’t know everything that needs to be patched.
A good internal security practice is to know about all the software being used across your network and make sure it is consistently updated.
This may require establishing an inventory of all endpoints and the endpoints’ installed software.
Note: While patching should be at the top of your security tasks list, it is not a silver bullet due to zero-day vulnerabilities. A zero-day attack happens when a flaw or vulnerability is exploited by an attacker before a vendor has had an opportunity to create a patch to fix the vulnerability.
4. Replace end-of-life software
While it’s possible to subscribe to security updates for certain software that’s past its end of life, like Windows 7, some software is so old that updates are simply not available.
One organization experienced a ransomware attack that succeeded in part due to a vulnerability in an 11-year-old installation of Adobe ColdFusion 9.
5. Implement a company-wide password manager & policies
While the use of strong passwords is well-worn advice, it always bears repeating.
From an internal threat perspective, strong passwords are an important layer of protection against Kerberoasting attacks.
In a nutshell, once a cyber attacker has compromised any domain user’s account, they can use that account to request Kerberos service tickets and run offline cracking tools against them; weak service-account passwords are recovered easily, strong ones are not.
Strong passwords are facilitated across the board by a company-wide password manager along with appropriate password policies.
6. Require the use of multi-factor authentication
When a password is an employee’s only account authentication requirement, and that password is weak, a hacker can log into their account by brute force in minutes or even seconds.
A good internal security practice is to use multi-factor authentication whenever possible. Multi-factor authentication requires an additional step beyond a username and password to gain access to an online account. Examples of accounts that should require it include:
- Email services
- Cloud productivity software such as Office 365 and Google Workspace
- Document storage such as Box and Dropbox
- Online banking services
- Social media accounts like LinkedIn, Twitter & Facebook
- CRM, ERP, and tax preparation software
The benefit to this is that if the first level of authentication is compromised, the second level will still be in place.
7. Add a layer of email filtering
Both Microsoft Office 365 and Google Workspace have native email filtering capabilities that can warn users about suspicious emails.
However, there are third-party products that give more control over email filtering policies.
An email filtering application can catch suspicious emails that may have been missed by a vendor email server.
8. Implement better antivirus/EDR software
In some small businesses, antivirus software is a “catch-as-catch-can” with employees using different types of AV software. There is no verification as to the reliability of installed AV software.
Centrally administered AV or Endpoint Detection and Response (EDR) software ensures that reliable and up-to-date software is installed on all endpoints.
9. Provide Zero Trust remote network access
When members of a distributed workforce have remote access to the corporate network, the concept of Zero Trust security should be applied.
Cloud-based remote access technologies such as Secure Access Service Edge (SASE), along with integrated software-defined perimeter (SDP) capabilities, enable organizations to more easily implement Zero Trust network access.
For example, you can deny administrators administrative access from outside the internal network.
Hybrid workers can have more restrictive remote privileges compared to when they are in the office.
10. Give internal users access to the minimum needed resources
The Principle of Least Privilege (a.k.a. Least Privilege Security Model) states that each of a user’s accounts should only have the access privileges necessary for a person to do their job.
For example, some users may not be granted privileges for installing new desktop software.
The Principle of Least Privilege can also apply to database software such as CRM and ERP. Users can be given access only to the records, and to the fields within records, that they need. Encrypted fields, such as fields containing certain personal information and passwords, can be made visible only to users who need to see that information.
11. Give administrators the minimum privileges they need
The Principle of Least Privilege should also apply to internal administrators. Just because an admin can control several system settings, it does not mean that they should be able to control them all. Role-based permissions can be applied to admins, just as permissions can be applied to users.
Administrative accounts usually have the highest risk of insider threat. Microsoft provides tools to help with this.
Removing unnecessary administrator rights helps defend against attacks such as Pass-the-Hash.
12. Segment your network into subnets
Network segmentation involves creating a set of smaller networks within an organization, rather than having a single, large network. The flow of traffic between networks can be tightly controlled.
This can be used to completely wall off departments from one another. For example, the engineering and the marketing department may have no need to access one another’s network applications or files.
In the “execute ransomware for hire” scenario we described above, an employee who is willing to execute ransomware may not have access to the machine on which it needs to be executed.
13. Immediately disable a departing employee’s accounts
Accounts that belonged to, or were created by, an employee who no longer works for the company should be deleted, deactivated, or have their passwords changed as soon as possible.
When employees quit, are laid off, or are fired, they often take internal data — intentionally or unintentionally.
Your IT services provider may be able to supply a formal offboarding template to ensure everything is locked down when an employee leaves the company.
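One way to script the account lockdown for an on-premises Active Directory domain, as an added example rather than any provider’s offboarding template; it assumes the RSAT ActiveDirectory module is installed, that the caller has rights to modify the user, and that a quarantine OU exists (its distinguished name below is a placeholder).

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# and a "Disabled Users" OU (placeholder DN) to which a restrictive GPO is linked.
Import-Module ActiveDirectory

function Invoke-UserOffboarding {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $DisabledOu = 'OU=Disabled Users,DC=example,DC=local'   # placeholder
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf

    # 1. Block sign-in immediately.
    Disable-ADAccount -Identity $user

    # 2. Rotate the password so any cached or shared copy of it is useless.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newPass = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPass

    # 3. Record group memberships on the object (audit trail), then strip them,
    #    so the account no longer carries any access even if it were re-enabled.
    $groups = @($user.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).SamAccountName })
    $note = 'Offboarded {0}; former groups: {1}' -f (Get-Date -Format s), ($groups -join ',')
    Set-ADUser -Identity $user -Description $note
    foreach ($dn in $user.MemberOf) {
        Remove-ADGroupMember -Identity $dn -Members $user -Confirm:$false
    }

    # 4. Move the object into the quarantine OU.
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOu

    [pscustomobject]@{ User = $SamAccountName; Disabled = $true; GroupsRemoved = $groups.Count }
}

# Usage: Invoke-UserOffboarding -SamAccountName 'jdoe'
```

Cloud identities (Office 365, Google Workspace) and SaaS accounts are separate directories and need their own step; this script covers only the domain account.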
14. Monitor high-risk employee activity
The computer-related behavior of soon-to-be-departing employees and other high-risk employees can be monitored.
There are available applications that can add departing employees to a risk detection lens for data exfiltration — and then monitor them for any suspicious file transfers.
“We discovered in our research that insider threats are not viewed as seriously as external threats, like a cyberattack. But when companies had an insider threat, in general, they were much more costly than external incidents. This was largely because the insider that is smart has the skills to hide the crime, for months, for years, sometimes forever.” – Dr. Larry Ponemon
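Detection logic of the kind described above (a watch list of departing employees plus rules over file-transfer telemetry), as an added example that is not from the original post or any vendor product. The log lines, users and thresholds are constructed for illustration; a real deployment would feed DLP, proxy or USB-audit events in the same shape.

```powershell
# Added example, not from the original post. Log lines are constructed (fields:
# timestamp, user, action, destination, bytes); watch list and thresholds are assumptions.
$watchlist = @('jdoe', 'asmith')   # employees who have given notice (constructed)

$log = @'
2021-10-01T09:12:03Z,jdoe,UPLOAD,personal-cloud.example,1048576
2021-10-01T09:15:44Z,jdoe,UPLOAD,personal-cloud.example,734003200
2021-10-01T10:01:10Z,bnguyen,UPLOAD,sharepoint.corp.example,20480
2021-10-01T22:47:31Z,asmith,USB_COPY,E:\,2147483648
2021-10-01T11:20:00Z,jdoe,DOWNLOAD,crm.corp.example,4096
'@

function Find-ExfiltrationSignals {
    param([string[]] $Lines, [string[]] $Watchlist, [long] $BytesPerDay = 500MB)
    $events = foreach ($line in $Lines) {
        if (-not $line.Trim()) { continue }
        $t, $u, $a, $d, $b = $line -split ','
        [pscustomobject]@{ Time = [datetime]::Parse($t).ToUniversalTime(); User = $u
                           Action = $a; Dest = $d; Bytes = [long]$b }
    }
    # Only outbound movements by watch-listed users are in scope for these rules.
    $outbound = $events | Where-Object { ($_.Action -in 'UPLOAD', 'USB_COPY') -and ($_.User -in $Watchlist) }

    # Rule 1: more than the daily byte budget leaves the network from one user in one day.
    $signals = @(foreach ($grp in ($outbound | Group-Object User, { $_.Time.Date })) {
        $total = ($grp.Group | Measure-Object Bytes -Sum).Sum
        if ($total -gt $BytesPerDay) {
            [pscustomobject]@{ User = $grp.Group[0].User; Reason = "$([math]::Round($total / 1MB)) MB outbound in one day" }
        }
    })
    # Rule 2: removable-media copy outside 07:00-19:00 UTC, regardless of size.
    $signals += @(foreach ($e in ($outbound | Where-Object { $_.Action -eq 'USB_COPY' -and ($_.Time.Hour -lt 7 -or $_.Time.Hour -ge 19) })) {
        [pscustomobject]@{ User = $e.User; Reason = "after-hours USB copy at $($e.Time.ToString('HH:mm'))Z" }
    })
    $signals
}

# Expected: jdoe (701 MB outbound), asmith (2048 MB outbound), asmith (after-hours USB copy)
Find-ExfiltrationSignals -Lines ($log -split '\r?\n') -Watchlist $watchlist | Format-Table -AutoSize
```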
15. Implement internal security awareness training
It’s important to conduct security awareness training for employees and contractors. Many Managed Security Service Providers (MSSPs) include this in their offering.
This partly involves training users on how to spot phishing and business email compromise (BEC) emails. Employees should be instructed to forward any suspicious-looking emails to an IT representative.
Other forms of social engineering by hackers, including phone calls, text messages, and in-person visits, can cause an employee to give up their password to a third party. When this happens, email filters and strong passwords are irrelevant.
16. Use voice analytics to assess the risk level
Voice analytics technology company Clearspeed provides an innovative technology that can be used to screen prospective employees or current employees for risk.
A “yes” or “no” response to each of a set of questions can clear a prospective employee or flag them for additional screening.
If an incident has already occurred, the technology can flag a current employee for further investigation.
17. Set internal session timeouts
To protect your network against internal threats, session timeouts should be used.
Timeouts keep Windows and other sessions from staying active while users are away from their desks. A session left logged in for an extended period can, intentionally or not, hand computer access to someone else who is posing as that user.
18. Disable unnecessary services and protocols
SMBv1 is an old version of the Server Message Block protocol that Windows uses for file sharing on a local network. It’s been replaced by SMBv2 and SMBv3.
However, some devices like MFDs (printer/scanners) still require SMBv1. As of 2019, there was a long list of SMBv1-dependent applications and devices.
If you have web servers, you may be running TLS 1.0 and TLS 1.1 even though current versions of modern browsers no longer support those versions for security reasons.
Even if some website visitors use an old browser that supports only TLS 1.1 or lower, you may still choose to disable TLS 1.0 and 1.1, because the risk of keeping them enabled given their known vulnerabilities is too high.
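A way to audit, then disable, SMBv1 and server-side TLS 1.0/1.1 on a Windows server, as an added example that is not from the original post. The SMB cmdlets and the SCHANNEL registry path are the standard Windows ones; the SMBv1 audit step exists so that MFDs and other SMBv1-dependent devices (the caveat above) surface in the event log before the protocol is switched off.

```powershell
# Added example, not from the original post. Run in an elevated session on the server.
# SCHANNEL\Protocols is where Windows reads per-protocol enable/disable settings.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-LegacyProtocolStatus {
    $smb = Get-SmbServerConfiguration
    $rows = @([pscustomobject]@{ Protocol = 'SMBv1 (server)'; Enabled = $smb.EnableSMB1Protocol })
    foreach ($tls in 'TLS 1.0', 'TLS 1.1') {
        $key = Join-Path $schannel "$tls\Server"
        # No key at all means the OS default applies, which on older servers is "enabled".
        $enabled = $true
        if (Test-Path $key) {
            $v = Get-ItemProperty -Path $key
            if ($v.Enabled -eq 0 -or $v.DisabledByDefault -eq 1) { $enabled = $false }
        }
        $rows += [pscustomobject]@{ Protocol = "$tls (server)"; Enabled = $enabled }
    }
    $rows
}

function Enable-Smb1Audit {
    # Every SMBv1 connection is then written to the SMBServer/Audit log, so dependent
    # devices can be listed (and replaced or isolated) before SMBv1 is removed.
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
    Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Audit' -MaxEvents 50 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

function Disable-LegacyProtocols {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('SMB server', 'Disable SMBv1')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        # On Windows Server, also remove the component: Remove-WindowsFeature FS-SMB1
    }
    foreach ($tls in 'TLS 1.0', 'TLS 1.1') {
        $key = Join-Path $schannel "$tls\Server"
        if ($PSCmdlet.ShouldProcess($key, "Disable $tls")) {
            New-Item -Path $key -Force | Out-Null
            Set-ItemProperty -Path $key -Name Enabled -Type DWord -Value 0
            Set-ItemProperty -Path $key -Name DisabledByDefault -Type DWord -Value 1
        }
    }
}

Get-LegacyProtocolStatus | Format-Table -AutoSize
# Enable-Smb1Audit; review the log for a while; then Disable-LegacyProtocols -WhatIf,
# and drop -WhatIf to apply. SCHANNEL changes take effect after a reboot.
```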
19. Restrict access to critical internal systems to only certain users
Access to critical internal systems, and especially administrative access to them, should be restricted to only the users who need it.
Users who have access to internal networks or servers should be monitored closely for unusual activity, and their permission levels on each internal system should be managed carefully, which is usually done with an internal system management tool.
Security experts often overlook internal threats, and they are difficult to detect, whether they take the form of malware or of an insider’s breach.
20. Keep up to date with internal security news, internal threat intelligence
To protect your internal networks from internal threats, you should keep up to date with security news and internal threat intelligence.
Websites that focus on business security include:
Some headlines alone may draw needed attention to a newly discovered vulnerability or a creative new social engineering approach that employees should be made aware of.
21. Conduct internal (and external) penetration tests
An Internal Pen Test requires having or hiring a competent auditor who can emulate the behavior of an attacker who has gained access to your network.
An experienced tester will create a map of your internal network. The tester will then perform brute force attacks on employee accounts and exploit any vulnerabilities to break into servers and other devices.
Internal threats are ever-present in many organizations — even in small businesses. Business owners, managers, and IT teams must be more vigilant than ever.
Adopting a Zero Trust stance and employing the right blend of technology can help mitigate these threats.
Also, a regular Network Security Assessment will identify group policies that need to be tightened down, user access vulnerabilities, and other services that may present an attack vector.