Insider Threats and the Principle of Least Privilege
The majority of cybercriminals operate outside of the organizations they target, but some threats come from within the organizations themselves. The Department of Homeland Security defines an insider threat as the “threat that an employee or a contractor will use his or her authorized access, wittingly or unwittingly, to do harm to the security of the United States.” However, insider threats jeopardize the security of businesses too. One notable example involved Tesla. In 2018, Lora Kolodny of CNBC shared an email by Elon Musk that informed all Tesla employees about an insider threat: A disgruntled employee hacked Tesla’s manufacturing operating system and exfiltrated sensitive data to third-parties because he did not receive a promotion. Insider threats are generally rare compared to external threats, but they can lead to devastating consequences. Fortunately, there are best practices that all types of organizations can use to mitigate insider threats.
Last month, the Cybersecurity and Infrastructure Security Agency (CISA) published an Insider Threat Mitigation Guide. According to the guide, an organization with “IT or cybersecurity programs can use their existing infrastructure as the foundation for insider threat mitigation” (page 28). With that in mind, it is worth noting that most operating systems (such as Windows and macOS) and collaboration platforms (such as SharePoint) have built-in permissions features that can be used to mitigate insider threats. The principle of least privilege normally applies to processes within computers, and it is used to ensure that processes cannot harm parts of the system that they do not access as part of their duties. Applying the principle to an organization boils down to the following policy: only give members the privileges necessary to perform their duties. For example, if an employee only works in the lobby of a building, they should only have a key to the lobby. They should not have a master key that opens every door in the building. If the employee betrays the organization or is tricked into giving up the key, the bad actor can only damage or steal from the lobby and not from the offices above. This principle also applies to IT infrastructure. Most operating systems let administrators control what specific users are permitted to do to specific files or directories, and collaborative platforms like SharePoint have similar permission systems. Unfortunately, it is possible for bad actors to navigate through a hierarchy of privileges. If a bad actor has access to one level of the hierarchy, they can use resources available on that level to reach higher levels. This includes manipulating individuals via social engineering. For example, a bad actor with access to the lobby may try to trick a privileged employee into letting them access the higher levels. A previous blog post about social engineering referenced a recent Twitter hack in which bad actors stole employee credentials, used them to learn more about the organization, then used that knowledge to steal more credentials and gain administrative access. However, having a hierarchy in place makes a security breach more challenging.
Insider threats can be unintentional or malicious. In most cases, insider threats are unintentional. Humans are the weakest link in the security of any organization, and careless employees may fall victim to social engineering or make some other mistake. Carelessness can be mitigated by fostering a culture of cybersecurity awareness and continually educating employees about maintaining proper cyber hygiene. Malicious threats can be mitigated by creating a positive environment, as well as monitoring and reporting suspicious behavior. Both human and computer resources can be used to identify potential threats. An insider threat mitigation program should allow employees to submit anonymous reports. According to page 62 of the guide, software tools like SIEMs can be used to detect suspicious computer activity. Although methods of monitoring employees are helpful, focusing too much on finding and punishing misbehavior can backfire. According to the guide, “successful insider threat mitigation programs employ a balance of positive and negative incentives, promote employee satisfaction and performance, avoid overly aggressive reactions following notification of a threat, and are not designed to catch people doing things wrong” (page 32). Overall, mitigating insider threats starts with having an environment that cares about the well-being of employees and promotes accountability and awareness.
Building an insider threat mitigation program is a multidisciplinary task. Employees can be monitored with various tools but applying the principle of least privilege could mitigate insider threats without excessively encroaching on the privacy of employees. Although technology is useful for identifying insider threats, mitigating insider threats requires not only technology, but good policy-making and human resources.