What Are Internal Threats in Cyber Security?

What are internal cyber security threats?

Shockingly, around 22% of cyber security incidents are caused by internal threats. However, companies too often neglect to consider the risk of internal threats, even though they can result in critical data breaches.

Internal cyber security threats are threats posed by individuals that originate within an organisation itself. They can be current employees, former employees, external contractors or vendors. Essentially anyone who has access to company devices or data. This form of data breach involves an internal attacker accessing sensitive company information with malicious intent. Attackers can include both current and former employees.

There are many forms of data misuse by individuals that can pose a threat to organisations. They often rely on a user having access to networks and assets to disclose, modify and delete sensitive information. Some of this information could include:

1. Organisations security practices
2. Login credentials
3. Customer & employee data
4. Financial records

Due to the nature of internal cyber security threats, traditional preventative security measures are often rendered ineffective.

Why do people carry out internal security attacks?

Malicious activity

Individuals that pose a threat to an organisation may have very different goals from external cybercriminals. The main motivations of internal threats include:

Fraud: The theft, modification or destruction of company data with the goal of deception.

Espionage: Stealing information for another organisation (generally a competitor).

Sabotage: The use of legitimate access to a company’s network/assets to damage or destroy the company’s functionality.

Intellectual Property Theft: The theft of a company’s intellectual property, with the intention of either selling or utilising the property.

Revenge: Employees who have been fired or otherwise made unemployed by a company may seek to damage the company’s reputation by accessing sensitive information.

Negligent practices

It’s important to note that not all internal threats are carried out by malicious parties. Many times internal threats arise from employees who unintentionally or carelessly expose sensitive company information. This is why employee training and education are critical in combating the risk of data breaches.

There are numerous ways in which employees can inadvertently contribute to data breaches:

Phishing or social engineering victims: Phishing involves an attacker sending fake communications to an employee, usually posing as a legitimate company. The user is then persuaded to supply credentials or details, through a fake login page or directly. By releasing sensitive credentials or data, users can inadvertently provide 3rd party criminals access to private systems. You can learn about the most common types of phishing attacks here.

Using unauthorised devices: The use of unauthorised devices can pose a huge risk for security teams, especially given the difficulty in monitoring them. USB sticks are an example of a seemingly harmless device that employees might not consider to be a breach of security. However, an infected USB drive has the ability to provide remote access to 3rd party hackers who can then attempt to access sensitive company data.

Using unauthorised software: As with unauthorised devices, employees may choose to use 3rd party software for legitimate business purposes. The threat arises from illegitimate or pirated software that can include malware and backdoors allowing access to attackers.

Loss of company devices: The loss of unsecured/unencrypted company hardware is an extremely common cause of data leaks. Heathrow Aiport was fined £120,000 for “Serious” data protection failings when an employee lost an unencrypted USB storage device containing highly sensitive information.

Improper Access Control: Managing access control is vital in combatting insider threats. Whether it’s managing internal users’ access, third-party access or revoking ex-employees’ access, managing access is critical. The process of managing access control can easily be overlooked but can cause huge issues if incorrectly implemented.

How can you prevent internal threats?

Generally, internal threats can be avoided by thorough company-wide policies, procedures and technologies that help prevent privilege misuse and mitigate the damage it can cause.

The core policies that a company should focus on the reduce the risk of internal threats include:

Regular enterprise-wide risk assessments: Knowing what your critical assets are, their vulnerabilities and the potential threats posed can give a great insight into how to enhance your IT security infrastructure. Combine this with the prioritisation of risks to continuously develop security.

Documentation of policies and enforcement: Generally policies and regulations should be accurately documented to ensure efficient security software deployment. Policies should be created to personalise what access certain employees may have to avoid the risk of all employees accessing confidential & sensitive data. Access can often be assigned on a departmental basis.

The most effective policies to focus on include General Data Protection Regulations, password management, and third-party access policies.

Physical security: A professional security team guided by your instructions can help greatly reduce the risk of internal threats. There are many layers to physical security which can help prevent malicious people from entering areas within an organisation that they should not have access to:

• Mantraps: An individual wanting to access a specified area must go through an initial door into a holding room. Within this room, they are inspected from a window or camera before the second door is unlocked.
• Turnstiles/Gates: This efficient control is very common in office buildings and requires employees to tap their ID pass on a reader, which will unlock the gate and allow them to pass through.
• Electronic Doors: These secure doors should be used throughout the facility, to limit the areas that a person can access, based on their role. Only allowing certain people in specific areas not only reduces the risk of malicious activity but can also help find the person accountable as the list of potential suspects is much shorter.

Monitoring controls can be implemented to provide real-time monitoring and give security personnel the ability to detect and respond to intruders or internal threats:

• CCTV: This enables monitoring from multiple interconnected cameras across your site. This gives security teams expanded visibility of on-site activity.
• Security Guards: While it’s of the utmost importance to have stringent policies in place, there also needs to be a team that is trained in their use and maintenance so they can fully utilise the security controls and respond to incidents.
• Intrusion Detection Systems: These systems have several different triggers that can generate alerts or set off alarms, including thermal detection, sound detection, and movement detection. An example of this would be a sound detection system that can recognise the sound of glass smashing (such as an intruder breaking a window to gain access to the building) and trigger an alarm.

Security controls that act as deterrents include warning signs and barbed wire. Their purpose is to deter potential attackers and make them less likely to attempt to gain entry:

• Warning Signs: Signs such as “DO NOT ENTER” and “You Are Trespassing” can be enough to make people turn around, as they have been informed that any further activity may be illegal.
• Fences: Chain-link metal fences are very common practice, with barbed or razor wire on top. This creates a barrier that can’t be climbed over and requires more effort for attackers to bypass, slowing them down, and giving more time for them to be detected.
• Security Lighting: Lighting is used to prevent low visibility areas caused by darkness, which could allow an intruder to bypass security controls such as CCTV and Security Guards. Lighting the areas in conjunction with cameras is a great deterrent and monitoring solution.

Monitor and control remote access from all endpoints: Deploy and properly configure wireless intrusion detection and prevention systems, as well as a mobile data interception system. Regularly review whether employees still require remote access and/or a mobile device. Ensure that all remote access is terminated when an employee leaves the organisation.

Harden network security: Configuration of a firewall specifically designed for your organisation can help mitigate the risks of internal threats. This can include blacklisting all hosts and ports and then whitelisting only the ones that are required improving monitoring capabilities and reducing the movement of an internal threat. Configuring and implementing a DMZ (demilitarised zone) will ensure no critical systems interface directly with the internet. Segmenting a network is another effective method as this helps to prevent users from freely traversing a network.

Recycle hardware and documentation properly: Before discarding or recycling a disk drive, completely erase all of its data to ensure it is no longer recoverable – insiders may attempt to recover deleted data if not erased in the correct manner. If you are wanting to dispose of an old hard drive that could have potentially contained sensitive information destroying it physically would be the best approach to take.

Threat awareness & security training for all employees: Train all new employees and contractors in security awareness before giving them access to any computer system. This should be set up as a standard procedure.

Train and test your employees against social engineering attacks and sensitive data left out in the open.

A good example would involve performing your own phishing attacks on their mailboxes or conducting social engineering attacks. Encourage employees to report security issues and train them on how they can help reduce internal threats. Consider offering incentives that reward those who follow security best practices.

Unfortunately, it’s difficult to entirely eliminate the risk of internal threats completely however implementing an internal threat detection solution is the strongest defence.

Develop employee termination process: Develop a strong knowledge base or automated procedure for the termination of employees’ access to organisation systems.

How can Aspire help with internal security attacks?

Here at Aspires Security Operations Centre, we utilise a managed EDR (Endpoint Detection & Response) system. This system allows us to continually monitor endpoints and servers on a 24/7 basis 365 days a year and immediately act upon known and recognised threats utilising machine learning and custom IOC (Indicator of Compromise) rules set up by our analysts and engineers.

This gives you the upper hand against those internal threats allowing us to analyse and act before any damage is caused. The platform is constantly being developed in such a fast-moving industry, our threat hunters provide us with the intel so we can be proactive to reduce the amount of reactivity required. We utilise Crowdstrike which is an industry leader when it comes to EDR platforms.