Attacks on your network are often meticulously planned operations launched by sophisticated threats. Sometimes your technical fortifications provide a formidable challenge, and the attack requires assistance from the inside to succeed. For example, in 2022, the FBI issued a warning1 that SIM swap attacks are growing: gain control of the phone and earn a gateway to email, bank accounts, stocks, bitcoins, identity credentials, and passwords. This past spring, current and former T-Mobile and Verizon employees reported receiving unsolicited text messages asking if they would be interested in some side cash2 in exchange for intentionally enabling the “SIM jacking.”
These headline-grabbing stories about the malicious insider are certainly real, but many external attacks stem from a much less conspicuous source: the accidental insider. These are career employees, contractors, partners, or even temporary seasonal workers who, through negligence or lack of awareness, enable the exploitation of internal weaknesses.
Accidental insiders unintentionally compromise security due to:
- Lack of Awareness: Employees unfamiliar with cybersecurity best practices may fall victim to phishing campaigns, open malware-infected attachments, or click links to malicious sites. Awareness is tied to company culture and reflects the effectiveness of nontechnical controls, especially leadership.
- Pressure to Perform: Your employees learn how and when to “bend” the rules or circumvent technical controls to get the job done or to meet a demanding deadline.
- Poor Credential Handling: Weak passwords, password sharing, and password reuse across personal and business accounts make it easier for attackers to gain unauthorized access.
- Sneakernets: Unauthorized and uncontrolled movement of data across security domains and to personal removable media or public cloud services.
By unwittingly compromising security best practices, accidental insiders pave the way for external attacks in several ways:
- Initial Attack: Phishing emails can trick unwitting insiders into revealing network or application credentials, allowing attackers to gain access to internal systems. This initial attack vector becomes the foundation for future attacks.
- Elevated Privileges: Accidental download of malware by an insider can grant attackers elevated privileges, allowing them to tamper with critical systems or steal large amounts of data.
- Lateral Movement: Once inside, attackers will leverage the insider’s access privileges to move laterally across the network, accessing sensitive data and applications or deploying malware to other systems.
- Social Engineering: Social engineering tactics exploit human trust. Attackers can impersonate managers and colleagues to manipulate insiders into divulging sensitive information or exercising their privileges to the benefit of the external threat.
The consequences of an accidental insider-facilitated attacks can be significant:
- Financial Losses: Data losses resulting from insider negligence and ambivalence leads to hefty fines, legal repercussions, and the cost of remediation.
- Reputational Damage: Public disclosure of an insider event can severely damage the organization’s reputation, leading to lost business and erosion of customer trust.
- Operational Disruption: Attacks can disrupt business operations, leading to downtime, lost productivity, and hindered revenue generation.
- Intellectual Property Theft: Foreign states and competitors may use stolen intellectual property to gain an unfair market advantage.
The good news is that the risk posed by accidental insiders can be significantly reduced through proactive measures:
- Security Awareness Training: Regularly educate employees on cybersecurity best practices, including phishing awareness, password hygiene, and secure data handling techniques.
- Culture of Security: Foster a culture of security within the organization where employees feel comfortable reporting suspicious activity and where managers are educated and empowered to leverage internal resources to address security concerns.
- User Activity Monitoring (UAM): Monitor for compliance with acceptable use policies and increase the observation of privileged users with elevated access and the ability to manipulate security controls. Add behavioral analytics to examine UAM and other enterprise data to help analysts identify the riskiest users and organizational issues, such as hostile work environments revealed through sentiment analysis. Hostile work environments reduce employee engagement and increase disgruntlement, a dangerous recipe for insider risk.
- Content Disarm and Reconstruction (CDR): Proactively defend against known and unknown threats contained in files and documents by extracting legitimate business content and discarding untrusted content, including malware and untrusted executable content.
- Cross Domain Solutions: Eliminate sneaker nets and unauthorized cloud service usage and replace these practices with automated policy-driven deep inspection of content in an unencumbered user experience. Enable your employees to safely, securely, and quickly move data across security domains that enable business processes while protecting data and information systems.
- Institutionalize Accepted Best Practices: Carnegie Mellon SEI CERT, MITRE, the NITTF, and CISA are examples of some of the organizations that have published best practices that incorporate organizational controls across leadership, human resources, and other elements affecting the employee lifecycle and coherent technical controls that act as guardrails protecting against accidental and malicious insiders.
Accidental insiders pose a significant threat that can leave organizations vulnerable to external attacks. However, by implementing proper training, technical and organizational controls, and fostering a security-conscious culture, organizations can significantly reduce the risk.
Defend against risks posed by trusted insiders with Everfox Insider Risk Solutions.
Note: This article is written by Dan Velez, Sr. Manager of Insider Risk Services at Everfox, with over 16 years of experience in insider risk and threat at Raytheon, Amazon, Forcepoint, and Everfox.
- https://www.ic3.gov/Media/Y2022/PSA220208
- https://www.bloomberg.com/news/newsletters/2024-04-19/t-mobile-verizon-find-cracking-down-on-sim-card-scams-is-hard-to-do
https://thehackernews.com/2024/07/navigating-insider-risks-are-your.html