Skip navigation

Duo Security is now a part of Cisco

About Cisco

Industry News

Protecting Against the Insider Threat

The insider - seemingly innocuous and a fairly small percentage of overall data breaches, but still a viable threat to any organization with valuable information such as payment card, financial, intellectual property and any type of proprietary business data.

Insider-related industry breaches According to Verizon’s 2014 Data Breach Investigation Report, nearly 12k total insider-related data breaches occurred from 2013 to 2014, with the top insider threats found in the administrative (27 percent), real estate (37 percent) and mining (25 percent) industries.

The report also found that most crimes committed by ‘trusted’ parties are perpetrated by financial or personal motives. However, in the past year, there’s been a marked shift toward insider espionage targeting internal data and trade secrets.

The report also shows an increase in a broader range of hacking tactics (though the report makes the distinction between actual changes in data vs. “increased visibility from insider-focused partners,” meaning the apparent increase could be due to the fact that more specific data was simply more available this year compared to last).

A recent survey from Lieberman Software Corp. measured a number of IT professionals and their attitudes toward password management and cloud security at a recent IT security conference. They found that just over 13 percent of IT security professionals admit they were able to access previous employers’ systems by using their old credentials, as reported in InformationSecurityBuzz.com.

Insider external actors Another 23 percent can get into their previous two employers’ systems by using old credentials, while another 16 percent report they actually have access to all of their previous employers’ systems. Verizon’s DBIR backs that up by listing the top three external actors within their Insider Misuse category as those seeking to commit organized crime (36 percent), former employees (24 percent) and unaffiliated persons (24 percent), acknowledging that former employees often “exploit still-active accounts or other holes known only to them.”

While there’s obviously limits to what you can do when it comes to internal threats from current employees, with former employees, there’s the obvious: disable outdated user accounts immediately after employees exit the organization, especially administrators and other users formerly employed on your IT security teams.

The article and survey recommend a number of ways to safeguard against the threat of of former employees, including:

  • Implementing a policy in which privileged account passwords are automatically updated on a frequent basis
  • Passwords are updated with unique and complex values
  • Establish/enforce a policy to ensure contractors can’t access corporate systems after exiting the company

Centralized Management with Two-Factor Authentication

While passwords are an integral part of primary authentication, secondary authentication should also be taken into account, particularly for administrator-level access and privileges.

If you have two-factor authentication enabled for these accounts (which is considered an industry best practice and required by many different compliance standards), an easy way to manage users is by using either the two-factor vendor’s provided administrative controls dashboard or by using administrator APIs, if made available through your two-factor service.

By leveraging administrator APIs, developers can create, update and delete users, devices, administrators and even integrations. Developers can also write applications that programmatically read different types of authentication logs in order to analyze any particular patterns of activity and help identify potentially malicious insider behavior.

And by using an accounts API, developers can programmatically create and delete individual two-factor user accounts under an administrator account.

Protecting Against the Insider Threat with Two-Factor

In addition to former employees exploiting old credentials, the Verizon DBIR found that insiders would also elevate privileges by stealing other employee credentials, circumvent controls and use social engineering and malware like keyloggers and backdoors as hacking techniques to get to the information they wanted.

Protecting against the threat of stolen credentials and elevation of user privileges is pretty straightforward with the use of two-factor - by choosing the authentication option of push notification, an administrator can ensure only he/she has access to their account by tying access approval to their personal smartphone. So even if another employee within the same company is trying to log into an administrator’s account, they wouldn’t be able to without access to their personal device.

A quote from InformationSecurityBuzz.com states that:

Basic security best practices include minimizing the insider threat and sophisticated criminal hackers by managing the powerful privileged passwords that grant access to systems containing sensitive data.

But instead of trying to manage, generate and rely solely on the complexity of passwords to protect your accounts and data, imagine a world where two-factor authentication can provide a reliable security defense without requiring frequent updates and oversight.

Find out more about two-factor authentication in:
BYOD Risks Obviated by Two-Factor Authentication
Verizon DBIR 2014: Stolen Credentials to Blame, Again and Again
What to Look for in a Modern Two-Factor Authentication Solution