Insider threats take several forms. In the classic scenario, highly privileged contractors install spyware that transmits sensitive data to them long after their project is completed. In another, an employee actively sabotages your systems and then quits. Even people without privileged network access can create insider threats, whether intentionally (by gathering trade secrets for later use) or unintentionally (by falling for a phishing email).

An endpoint is a device or program that receives or sends data over a network. Endpoints come in many forms, for example:

– Computers, servers, smartphones and tablets
– Network equipment such as routers and switches
– Software that communicates with other devices via a network

Endpoints can be used for a variety of purposes, such as transferring data between devices on a network or accessing remote services.

However insider threats occur, they impact endpoint security because they violate the trust between the endpoint (computer, tablet, smartphone, IoT device) and the rest of the network. By studying the different types of insider threats described below, you can identify common characteristics and protect your network from them.

What measures should you take to prevent internal threats?

Installing and regularly updating antivirus software on all devices is one of the most important steps to prevent insider threats. Antivirus software helps detect and remove viruses, Trojans, and other malware that may infiltrate devices. Regularly updating antivirus databases helps protect devices from new threats.

Checking your computers for viruses is another important step to preventing insider threats. Regular virus scanning helps detect and remove malware before it can cause damage to your system.

Using a firewall is a measure that helps protect the network from external threats and also limits access to the system for internal users. A firewall can block unwanted connections and restrict access to certain resources.

Educating employees about security is an important step to preventing insider threats. Employees should be trained on security rules, such as not opening suspicious links, not clicking on links from unfamiliar senders, and not downloading unknown files.

Two-factor authentication is an additional security measure that allows you to verify a user's identity before granting access to a system or resource. Two-factor authentication can be implemented using various methods, such as SMS messages, on-screen verification codes, or hardware tokens.

Monitoring changes in security policies is also an important step to prevent insider threats. The company must monitor changes in legislation and security trends to ensure that its rules and security measures are updated in a timely manner.

Main areas of control

1. Internet use by employees

As more of your employees work remotely and from home offices, is the insider threat increasing or decreasing?

It is generally accepted that being inside a corporate firewall means greater security. This is true, of course, until a threat enters your network; then your security is compromised. It is a fact of digital life that giving your employees access to the Internet risks bringing strangers onto your network, where they can do whatever they want. At the same time, the security model of building a wall as high as possible to keep everyone out simply doesn't make sense.

2. Unintentional Insider Threats/User Behavior

In addition to everything you deploy to limit your vulnerability to insider threats, be mindful of everything you don't deploy to limit it.

When it comes to entitlement, IT faces a delicate balancing act. The more you lower the bar, the easier it becomes to penetrate your network defenses. But if you raise it too high and don't give users enough access, they will find alternative ways to share files and get their work done. This is a kind of unintentional insider threat caused by user behavior.

If you make it too difficult for people to do their jobs, they will find another (usually less secure) way to do the same thing. Then, when you apply for cybersecurity insurance and the carrier finds your files in Dropbox or GitHub, it's embarrassing.

The only way to truly stay ahead of shadow IT is to make sure your users have no reason to choose this path. It's hard to find a balance, especially when you have to consider security.

3. Unpatched endpoints/software

By understanding access, connectivity, and sharing, you can ensure that all your endpoints are patched and secure. A big part of this is knowing what runs on them. When a zero-day threat arises, the first thing you need to know is whether it will affect you.

That's when a unified endpoint management tool can save you. It contains a list of all endpoints (computers, tablets, smartphones) connected to your network. You can immediately see where they are, what software runs on them and how old it is. If you find that the affected endpoints are confined to one region, you can report it to the network operations team and let them decide whether to quarantine them. They may want to block access to internal systems from people in that region.

4. Outdated software

Just like unpatched software, there is outdated software. You're asking for trouble if your organization (and your security) depends on software that is no longer updated.

Operating systems are of course the most notorious targets because there aren't very many of them, which makes each one an attractive target for attackers. For example, if you are still running Windows Server 2008 somewhere on your network, you are vulnerable. Your only hope is to strengthen the firewall, which you should do anyway.

Keeping outdated apps is also a bad idea. What's the point of protecting your operating systems if your enterprise resource planning (ERP) system with all your financial data is 15 years old and vulnerable? You shouldn't own an app if you can't spend the time maintaining it. You must factor maintenance into the total cost.

If you can't keep track of everything everyone in your company is doing and control it, you'll probably find yourself at fault at some point.

5. Uncontrolled software installation

There are two types of behavior monitoring in a modern security system. First, your identity and single sign-on (SSO) providers track login patterns; second, endpoint detection and response (EDR) systems monitor attempts to install malicious or unauthorized software. Microsoft, for example, offers Defender. You can think of this in the context of ransomware, which is designed to start encrypting all the files on a computer. EDR software is monitoring everything in the system when it suddenly notices a process it has never seen before. That process then starts calling encryption APIs, suggesting a ransomware attack. EDR uses complex heuristics and indicators of compromise (IoC), but is mainly about observing the behavior of the system, network, processes and APIs. Every time a new attack occurs, its models are retrained according to the behavior of that specific endpoint.

If the EDR system sees that you are editing a document on your computer, then you switch to file encryption, then start loading another DLL, it knows there is a problem. Or, if you work in accounting and only have a history of accessing certain systems, EDR considers it an anomaly if you try to access systems unrelated to your work.
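The two stories above (an unknown process that moves from file writes to encryption APIs and DLL loading, and a user reaching a system outside their normal baseline) reduce to simple behavioural rules over endpoint telemetry. This is an added, self-contained illustration, not Defender's or any EDR vendor's logic; the event stream, the known-process list and the per-user baselines are constructed for the example.

```python
from collections import defaultdict

# Constructed sample endpoint telemetry: (user, process, action, target).
EVENTS = [
    ("alice", "winword.exe", "file_write", "report.docx"),
    ("alice", "x7k2.exe", "process_start", ""),
    ("alice", "x7k2.exe", "crypto_api", "CryptEncrypt"),
    ("alice", "x7k2.exe", "load_dll", "unknown.dll"),
    ("alice", "x7k2.exe", "file_write", "report.docx.locked"),
    ("alice", "x7k2.exe", "file_write", "budget.xlsx.locked"),
    ("bob", "outlook.exe", "net_connect", "hr-portal"),
    ("bob", "chrome.exe", "net_connect", "erp-finance"),
]

# Assumed baselines a real EDR would learn over time (constructed here).
KNOWN_PROCESSES = {"winword.exe", "outlook.exe", "chrome.exe", "explorer.exe"}
USER_BASELINE = {"alice": {"erp-finance", "fileserver"}, "bob": {"hr-portal"}}
# An unknown process showing all three of these looks like ransomware.
RANSOM_CHAIN = {"crypto_api", "load_dll", "file_write"}


def detect(events, known=KNOWN_PROCESSES, baseline=USER_BASELINE):
    """Return the alerts raised over the event stream, in detection order."""
    alerts = []
    behaviour = defaultdict(set)   # process -> suspicious actions seen so far
    flagged = set()                # processes already reported for the full chain
    for user, proc, action, target in events:
        if proc not in known:
            if action == "process_start":
                alerts.append(f"unknown process {proc} started by {user}")
            elif action in RANSOM_CHAIN:
                behaviour[proc].add(action)
                if behaviour[proc] >= RANSOM_CHAIN and proc not in flagged:
                    flagged.add(proc)
                    alerts.append(f"ransomware-like behaviour from {proc} ({user})")
        # Access outside the user's learned baseline is an anomaly regardless of process.
        if action == "net_connect" and target not in baseline.get(user, set()):
            alerts.append(f"anomalous access: {user} -> {target}")
    return alerts


if __name__ == "__main__":
    for line in detect(EVENTS):
        print(line)
```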

6. Firewall disabled on servers

The single best thing you can do to protect your local presence is to enable a firewall—even Windows Firewall—on your servers and only open the ports you need. Many IT professionals ignore this step and run servers with the firewall disabled.

For example, the first thing most techies do when setting up a server is disable the firewall. Instead, adopt a model of documenting every server you deploy in production, including the service ports required for your operations. Then enable the firewall and add exceptions only for those ports. Try to make each server its own island wherever possible.

If you run Internet Information Services (IIS), expose them only through proxy servers, such as Microsoft Azure AD Proxy. Proxy servers offer two benefits. First, they let users reach the application without traversing your firewalls, which your VPN users will appreciate. Second, they put MFA in front of your web applications, even applications that didn't have MFA before. Enabling the firewall then lets you specify that only the proxy servers can reach the web server.

7. Password Policy

Passwords are like email: almost every organization agrees that they are a headache, but no one is ready to get rid of them yet.

In fact, even Microsoft has stated that there is no reason to change a perfectly good password. The friction of forced changes puts the network at greater risk than keeping a reliable password does. This is why different ideas about passwords evolve and take hold in the enterprise:

  • Passwords with unlimited validity period. Permanent passwords are attractive because users do not have to constantly remember new ones. This means fewer password resets and rotation issues. The password only needs to be a certain length—say, 14 characters—and does not need to contain capital letters, special characters, or numbers.
  • Passphrases. They are longer than regular passwords and are generally easier to remember. A password like “I live at your address” or “cute banana shoe” is more effective from a user perspective.
  • Password verification. IT professionals understand that to ensure strong and viable password protection, they need to think in the layered "lasagna" context described above. So IT implements real-time password checking—as in Azure—that takes every password users submit and checks it against the entire darknet list. The verification procedure looks at all the possible parts that a hacker could use to try to guess the proposed password by brute force. If any of its components are part of a darknet list, the routine significantly reduces the score—say, to weak or very weak—and prompts the user to try again. This method rejects easily guessed passwords before they can be used.
  • Password vaults. Products like Bitwarden or LastPass give your users a place to store things that is more secure than notes taped to a monitor or tucked away in a desk drawer. It's also more secure than tracking passwords in a spreadsheet (which a network security audit would likely find).

Conclusion

The most effective way to limit insider threats is to limit each user's permissions to what they need to do their job. This simple (but not easy) step minimizes the damage any single user account can do. This applies whether the account is in the hands of a careless or disgruntled user or a malicious outsider who has stolen credentials. You can trust your organization's cyber security to Fanetech. We operate an IT cybersecurity center. We monitor security and investigate incidents 24/7/365 in accordance with predefined scenarios, eliminate false positives, and classify and sort incidents by priority.
