Friday, November 13, 2015

Week-11, CERT - Common Sense Guide to Prevention and Detection of Insider Threats

CERT - Common Sense Guide to Prevention and Detection of Insider Threats, 3rd Edition, Version 3.1
This CERT document outlines several insider threat issues, illustrated with real cases and situations encountered in business practice. In this blog post, I would like to discuss using layered defense against remote attacks, one of the insider threat practices outlined in the CERT document.
When an organization provides remote access to employees, there is a possibility that an attack is carried out remotely using the legitimate access the organization provided, even though the main purpose of remote access is to enhance employee productivity. So organizations need to be cautious when granting such access to critical data, processes, or information systems. In most cases remote access makes it easy for an employee to reach the organization's assets and use them for other purposes, such as personal gain or the advantage of another business, because it removes the concern that someone could be physically observing the malicious acts. This vulnerability emphasizes the need to build multiple layers of defense against such attacks when remote access to the most critical data and functions is provided, and to allow that access only from machines administered by the organization. Access to these assets should be limited to the smallest practicable group of users and system administrators.
Therefore, when providing remote access to critical data, processes, and information systems, the organization should offset the added risk with closer logging and more frequent auditing of remote transactions: the login account, the date and time connected and disconnected, and the user's IP address should be logged for every remote login. Beyond successful remote access, the organization needs to monitor failed remote logins, including the reason each login failed. Organizations frequently overlook disabling remote access for terminated employees or others no longer working for the organization, so it is critical to retrieve all company-owned equipment, disable the remote access account, disable firewall access, change the passwords of all shared accounts, and close all open connections belonging to the terminated employee in order to control their access to the system and avoid the risk.
Most of the time, user information such as remote access logs, source IP addresses, and phone records helps to identify insiders who intended to attack. It can point to the intruder directly, but the organization has to be cautious when an intruder tries to frame other users, diverting attention away from his or her misdeeds by using another user's account or by manipulating the monitoring process.
According to the CERT study, some of those insider attacks came from the user's home machine, and most of the time the attacks were launched from other remote machines not under the administrative control of the organization, using applications like PC Anywhere. Although the intention may be personal benefit, the benefit of another business, or some other opportunity or business advantage, it ultimately costs the organization a large loss and could possibly put it out of business. So it is very important to consider providing an extra layer of security, to document all incidents, and to revise that documentation according to the lessons learned from past incidents.
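One way to turn the logging and monitoring recommendations above into a concrete check, as an added example that is not part of the CERT guide or of this post: the script below parses a constructed remote-access log and flags successful logins by terminated accounts, logins from machines the organization does not administer, and bursts of failed logins together with their reason. The log format, the managed-machine list and the terminated-account list are assumptions, not taken from the guide.

```python
import re
from datetime import datetime, timedelta
# Constructed sample remote-access log (not from the CERT guide), carrying the fields the
# guide says to record: account, timestamp, source IP, outcome and, for failures, the reason.
SAMPLE_LOG = """\
2015-11-13T08:01:10 user=jdoe src=10.20.0.15 result=success
2015-11-13T08:05:42 user=jdoe src=10.20.0.15 result=disconnect
2015-11-13T22:14:03 user=msmith src=203.0.113.9 result=success
2015-11-13T23:40:00 user=rlee src=198.51.100.7 result=failure reason=bad_password
2015-11-13T23:40:12 user=rlee src=198.51.100.7 result=failure reason=bad_password
2015-11-13T23:40:20 user=rlee src=198.51.100.7 result=failure reason=bad_password
2015-11-13T23:41:05 user=rlee src=10.20.0.16 result=success
"""
# Assumed placeholders: organization-administered machines, and terminated employees whose remote access should be disabled.
MANAGED_SOURCES = {"10.20.0.15", "10.20.0.16"}
TERMINATED_ACCOUNTS = {"msmith"}
LINE_RE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
                     r"result=(?P<result>\S+)(?: reason=(?P<reason>\S+))?$")

def parse_log(text):
    """Parse the constructed log format into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            records.append(rec)
    return records

def audit_remote_access(records, managed, terminated, fail_threshold=3,
                        window=timedelta(minutes=5)):
    """Return (user, finding) tuples for the three remote-access controls discussed above."""
    findings, failures = [], {}  # failures: user -> timestamps of recent failed logins
    for r in records:
        if r["result"] == "success":
            if r["user"] in terminated:
                findings.append((r["user"], "terminated account still has remote access"))
            if r["src"] not in managed:
                findings.append((r["user"], "login from unmanaged source " + r["src"]))
        elif r["result"] == "failure":
            recent = [t for t in failures.get(r["user"], []) if r["ts"] - t <= window]
            recent.append(r["ts"])
            failures[r["user"]] = recent
            if len(recent) == fail_threshold:  # report each burst once, with its reason
                findings.append((r["user"], f"{len(recent)} failed logins ({r['reason']}) within {window}"))
    return findings
if __name__ == "__main__":
    for user, finding in audit_remote_access(parse_log(SAMPLE_LOG), MANAGED_SOURCES, TERMINATED_ACCOUNTS):
        print(user, "-", finding)
```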
References:

CERT (2009). Common Sense Guide to Prevention and Detection of Insider Threats, 3rd Edition, Version 3.1. CERT, Carnegie Mellon. Retrieved from: https://cyberactive.bellevue.edu/bbcswebdav/pid-7538856-dt-content-rid-10132342_2/courses/CIS608-T303_2161_1/cert_common_sense_guide_to_prevention_and_detection_of_insider_threats.pdf
