We at Forcepoint are as eager as any for the upcoming season 7 premiere of The Walking Dead this October. What’s not to like about watching everyday heroes battle the zombie “walkers” among us?
In fact, with National Cyber Security Awareness Month also taking place this month, I often view the ever-evolving phenomenon of the insider threat much like AMC’s zombie universe. It’s not easy to tell who will become a walker and when. So it’s best to assume that anyone and everything is an insider and, therefore, a potential insider threat – and everyone is a potential victim. This mirrors The Walking Dead since we know (spoiler alert) everyone is already infected with the zombie virus. What does this mean? Everyone and everything is a potential walker.
This state of vigilance would serve modern enterprises far better than broken cyber defense models centered on “keeping bad stuff out.” These outdated models depend on coupling disparate point solutions for perimeter defense – force fitting a new, separate solution every time attackers alter their methods. In today’s digital-first world, relying upon such a disjointed approach to prevent breaches is about as effective as attempting to avoid a herd of walkers by covering yourself with leaves: good luck.
After all, the perimeter we once knew no longer exists. Not that it’s as bleak as a post-apocalyptic Walking Dead world, but with the cloud, roaming users, mobility/BYOD and other innovations, the perimeter today is dictated by the location of data, user accounts and endpoints. Regardless of where these users and endpoints are located – on premises or off – they are insiders. And, by extension, we must consider every program and app running within user account and endpoint systems as insiders too.
To be clear, I’m not saying that security managers should no longer worry about external threats targeting their networks, but they cannot focus exclusively upon them either. We need to constantly watch for anomalous activity by users and devices as well as the use, storage, and movement of data, as potential indicators of insider-linked threats. One way to do this is to understand three common insider threat profiles. In a sense, they mirror certain qualities of characters from my favorite zombie show:
Accidental Insiders. These are employees who inadvertently cause harm. For example, if they’re participating in an industry-related social media chat, a hacker may pose as a helpful resource of information sending a URL which appears to relate to the discussion, but actually leads to malware. In The Walking Dead, these insiders call to mind Dale, a good-hearted victim who met his end while surveying the group’s land for walkers and coming across an injured animal. Another type of accidental insider is the reckless insider. These are employees who consider themselves “above the rules,” ignoring best practices from IT and even bypassing clearly articulated policies. While they are not acting maliciously, they invite risk. Though one could argue he is malicious, this type of insider reminds me of Merle Dixon. Merle foolishly (and fatally) put himself in harm’s way by taking unnecessary chances in addition to trusting the wrong person (the Governor).
Compromised Insiders. This insider has unknowingly had their machine or system compromised. After the compromise, their system is being controlled remotely and can be utilized to steal and/or leak data. Compromised insiders or hacked machines bring to mind most of the walkers in The Walking Dead. These individuals do not know that they are infected or compromised, and can be used by the living to protect or attack others. Walkers can be controlled to perpetuate attacks and, ultimately, more walkers.
Malicious Insiders. These users are clearly, purposefully up to no good. They are disgruntled, greedy and/or otherwise ill-intended individuals who misuse access to confidential intellectual property or systems. They often scheme to commit theft, sabotage and fraud within an organization. For example, an employee who has been hired by a competitor copies product schematics before resigning. In seasons one and two, Shane would make for the perfect malicious insider – especially when he intentionally injures and endangers others, with fatal consequences, for his personal vendetta.
Understanding common insider threat profiles remains an essential step in helping organizations eliminate damage – before it happens. So how can you mitigate this potential risk? From the human perspective, put all users through detailed training which educates them on best practices and how to recognize an adversary’s stealth techniques. At the same time, teach them how to spot possible malicious insiders through the classic “trouble signs” they project. On the tech side, organizations can complement their firewall and anti-virus tools with insider threat-centric ones related to authentication/access control, data loss prevention (DLP) and user behavior analysis.
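As an added illustration (not code from the post or from Forcepoint’s products), here is a small Python detector that turns the three profiles above into user-behavior indicators over constructed data-movement events; the event layout, the business-hours window and the blocked-action policy are all assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample events (not from the original post), one per data-movement
# event as a DLP or endpoint agent might record it.
# Fields: user, day, hour, action, bytes, destination
EVENTS = [
    ("alice", 1, 10, "cloud_upload", 2_000_000, "corp-sharepoint"),
    ("alice", 2, 11, "cloud_upload", 2_500_000, "corp-sharepoint"),
    ("alice", 3, 9, "cloud_upload", 1_800_000, "corp-sharepoint"),
    ("alice", 4, 23, "cloud_upload", 40_000_000, "personal-drive.example"),
    ("bob", 1, 14, "email_attach", 500_000, "partner.example"),
    ("bob", 2, 15, "email_attach", 600_000, "partner.example"),
    ("bob", 3, 13, "usb_copy", 700_000, "removable-media"),
    ("carol", 1, 3, "cloud_upload", 300_000, "unknown-host.example"),
    ("carol", 2, 4, "cloud_upload", 320_000, "unknown-host.example"),
]

BLOCKED_ACTIONS = {"usb_copy"}   # assumed policy: removable media is forbidden
BUSINESS_HOURS = range(8, 19)    # assumed working hours, 08:00-18:59
BULK_FACTOR = 5                  # a day moving >5x the user's median is "bulk"


def daily_totals(events):
    """Bytes moved per user per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for user, day, _hour, _action, nbytes, _dest in events:
        totals[user][day] += nbytes
    return totals


def indicators(events):
    """Map each user to the indicators their activity raised: a policy bypass
    (reckless accidental insider), an off-hours transfer to a never-seen
    destination (a remotely controlled, compromised machine), and bulk data
    movement against the user's own baseline (malicious insider, or leakage)."""
    totals = daily_totals(events)
    flags = defaultdict(list)
    for user, day, hour, action, _nbytes, dest in events:
        if action in BLOCKED_ACTIONS:
            flags[user].append(f"day {day}: policy bypass via {action}")
        seen = {e[5] for e in events if e[0] == user and e[1] < day}  # first sighting only
        if hour not in BUSINESS_HOURS and dest not in seen:
            flags[user].append(f"day {day}: off-hours transfer to new destination {dest}")
    for user, days in totals.items():
        for day, total in days.items():
            others = [b for d, b in days.items() if d != day]
            if others and total > BULK_FACTOR * median(others):
                flags[user].append(f"day {day}: bulk data movement, {total} B vs median {median(others)} B")
    return dict(flags)
```

Each indicator on its own is only a lead for a security manager to look at; the point is that the same telemetry (who moved what, where and when) surfaces all three profiles.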
Our whitepaper, “Unlocking Business Success: The Five Pillars of User Risk Mitigation,” details these – and other – steps to significantly increase your chances of monitoring, detecting and mitigating insider threats, ultimately helping you emerge unscathed. And that certainly beats being a walker.
Check out our fun take on this serious subject with The Walking Threat video below: