Study: How can you detect and prevent insider threats?
Retailers face potential internal security challenges, but can take steps to identify and impede them.
According to the new Verizon Insider Threat Report, most insider threat actors, who can include contractors and third-party contractors as well as employees, can be grouped into five broad categories:
1. Careless Worker (misusing assets). Employees or partners who misappropriate resources, break acceptable use policies, mishandle data, install unauthorized applications and use unapproved workarounds. Their actions are inappropriate rather than malicious, and many fall within the world of “shadow IT” (i.e., outside of IT knowledge and management).
2. Inside Agent (stealing information on behalf of outsiders). Insiders recruited, solicited or bribed by external parties to collect and extract data.
3. Disgruntled Employee (destroying property). Insiders who seek to harm their organization via destruction of data or disruption of business activity.
4. Malicious Insider (stealing information for personal gain). Actors with access to corporate assets who use existing privileges to access information for personal gain.
5. Feckless Third Party (compromising security). Business partners who compromise security through negligence, misuse, or malicious access to or use of an asset.
In addition, while investigating various cybersecurity incidents over the years, Verizon has observed various indicators of potential insider threat activity. Some of these include:
• Attempts or successful access to systems and data without a valid "need-to-know."
• Requesting access to information outside of normal job duties.
• Unusual or erratic behavior.
• Highly disgruntled attitude.
• Working odd or late hours without reason.
• Apparent, unexplained affluence or excessive indebtedness.
• Efforts to conceal foreign contacts, travel, interests, or suspicious activity.
• Unreported offers of financial assistance, gifts or favors by a foreign national.
• Exploitable behavior, such as criminal activity, sexual misconduct, excessive gambling, alcohol or drug abuse, or problems at work.
Verizon cautions that it describes these as possible indicators because, taken individually or even in twos and threes, they don't necessarily imply an insider is conducting malicious activity. But taken as a whole they may be concerning, and Verizon advises that attention should be paid.
Verizon advises that retailers take the following steps to minimize their exposure to insider security threats:
• Control and restrict access to trade secrets, customer data and other proprietary information on a need-to-know basis.
• Increase monitoring and logging of sensitive areas, systems and data.
• Monitor behavior, including use of external storage devices and cameras and smartphones in sensitive areas.
• Disable access for activities deemed inappropriate, malicious or otherwise posing organizational risk.
In addition to minimizing risk, Verizon recommends retailers use the following tools to detect and respond to breaches when they occur:
• Monitor suspicious network traffic such as unusual off-hours activity, volumes of outbound activity, and remote connections.
• Keep baseline system images and trusted process lists; compare these standards with compromised systems.
• Temporarily block outbound Internet traffic, change user account passwords, and search for indicators of compromise.
• Disable compromised user accounts, remove malicious files and rebuild affected systems.
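The monitoring advice above, combined with the caution that single indicators prove little, can be sketched as a triage script. This is an added example, not code from the Verizon report: the sample events, entitlement map, working hours, volume factor and review threshold are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample data (not from the report): per-user need-to-know
# entitlements, prior daily outbound byte totals, and one day of events.
ENTITLED = {"alice": {"pos-db"}, "bob": {"hr-share"}, "carol": {"pos-db"}}
BASELINE_BYTES = {"alice": [40e6, 55e6, 48e6], "bob": [30e6, 28e6, 35e6],
                  "carol": [60e6, 52e6, 58e6]}
EVENTS = [  # (user, hour 0-23, resource, bytes sent outbound)
    ("alice", 10, "pos-db", 45e6),
    ("bob", 2, "customer-db", 20e6),
    ("bob", 3, "customer-db", 400e6),
    ("carol", 23, "pos-db", 50e6),
]

WORK_HOURS = range(7, 20)   # assumption: 07:00-19:59 is normal
VOLUME_FACTOR = 5           # assumption: 5x median baseline is unusual


def indicators_by_user(events, entitled, baseline):
    """Return {user: set of indicator names} observed in the events."""
    found, sent = defaultdict(set), defaultdict(float)
    for user, hour, resource, nbytes in events:
        sent[user] += nbytes
        if hour not in WORK_HOURS:
            found[user].add("off_hours_activity")
        if resource not in entitled.get(user, set()):
            found[user].add("access_without_need_to_know")
    for user, total in sent.items():
        history = baseline.get(user)
        if history and total > VOLUME_FACTOR * median(history):
            found[user].add("outbound_volume")
    return dict(found)


def review_queue(found, min_indicators=2):
    """Rank users for analyst review by count of distinct indicators.

    min_indicators is an assumed triage threshold; a lone indicator is
    not escalated, and a queued user is a lead to examine, not a verdict.
    """
    queue = [(u, sorted(i)) for u, i in found.items() if len(i) >= min_indicators]
    return sorted(queue, key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    for user, hits in review_queue(indicators_by_user(EVENTS, ENTITLED, BASELINE_BYTES)):
        print(user, hits)
```

With the constructed data, one late-night session on an entitled system stays out of the queue, while off-hours access to an unentitled database with a large outbound transfer is ranked first.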
The Verizon Insider Threat Report leverages data from hundreds of data breach investigations by Verizon’s digital forensics team, as well as data from industry groups and partners, and the 2018 Verizon Data Breach Investigations Report (DBIR).