Why Cyber protection should start at home – Insider Threats are opening doors to Ransomware attacks

December 23, 2020
by Johannes Kaupe

There’s hardly a day that goes by without a breaking news story about a cyber-attack, and how some well-known organisation has had its infected file systems offline for hours at a time. Unhappy and untrusting customers, financial loss and compromised data are just some of the ramifications of these attacks.

The rise of malware and the ever-increasing threat of Ransomware is well documented, and many organisations are taking the necessary steps to protect themselves from these outside threats by installing and updating endpoint security, employing VPNs, updating firewalls, and keeping all software and operating systems up to date.

This is all well and good, but what if the threat originates internally and not from the outside? Although it is difficult to separate incidents caused by insiders from general data breaches, there is a definite increase in insider-related breaches: according to a report by Verizon, 34% of all breaches in 2018 were caused by insiders, a steady increase over the previous two years (25% / 28%) *.

So, what are Insider Threats? Well, as the name implies, they originate from inside the organisation – they have access to the network, data, and computer systems – whether they have the authority to access these is a different story. Let’s take a look at the different types of Insider Threats, which may provide some insights on how to defend against them. They can be broken down into three main types, namely Malicious, Negligent and Compromised.

The malicious attacker comes in several guises such as a disgruntled employee or an opportunist contractor who may be tempted to retrieve and sell information as a one-off. In most cases they are not full-time criminals but can still end up costing the company downtime, lost customers, and money. And as they have legitimate access to the systems, it is easy for them to cover their tracks, which makes detection more difficult.

Negligent and careless employees can become targets for professional cyber-criminals: leaving an unlocked terminal or laptop for only a minute is enough for a professional criminal to log in and gain full control of the system. This is exacerbated if users have been given access to data files and system accounts that they shouldn’t have.

Compromised users are the most common type of Insider Threat that organisations face, and the most dangerous. This is because neither the user nor the company knows the account has been compromised, so the user continues to do their job and access systems as usual. This kind of attack happens when a user clicks on a link in a phishing email, downloads malicious code, or even uses an unknown USB storage device to transfer data.

So how do organisations defend against these threats, given that many of them are not obvious until too late, if at all?

There are several actions that can be taken; some are as simple as educating users and applying common sense. Education is key, and the basics might seem obvious to most people: don’t give your password to anyone, don’t leave your computer without locking it, don’t leave your laptop or tablet unattended in public places, don’t click on links in emails (in fact, be cautious about opening any email from outside your organisation), don’t download freeware or apps from the internet… the list goes on.

The IT department has a key role to play in prevention, such as setting the correct policies and installing the necessary anti-virus and anti-phishing software across the organisation. Having structured access rights to applications and data files is just as important: sensitive data such as customer details should not be available to all users. This policy should be further extended to cover which users can amend these details, such as adding, deleting, or copying records.

Lastly, IT can install software that allows them to monitor these policies and take corrective steps should a breach be suspected. Software such as ProLion’s CryptoSpike gives IT data transparency: it monitors and logs all user file access (reads, writes, opens) and can identify when changes were made and from which IP address. Should an infection or abnormal behaviour be suspected, the user’s access is blocked and no further damage can be done.

CryptoSpike has three levels of protection: a passlist, a blocklist and an analyser. The passlist is configured with the file types that are acceptable and will not allow other file types to be saved. In tandem, the blocklist blocks known Ransomware signatures and file types. The analyser detects unusual user behaviour patterns, such as a user making too many changes to files in a set timeframe, and can cut off user access as needed.
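To make the three layers concrete, here is an added example (not ProLion’s code, whose internals are not described on this page) that replays a constructed file-access log and applies a passlist, a blocklist and a simple rate-based analyser. The extension lists, the threshold and the log format are hypothetical policy values chosen for illustration.

```python
import os
from collections import defaultdict, deque

# Constructed sample log (not real data): "<seconds> <user> <operation> <path>"
SAMPLE_LOG = """\
100 alice write /share/reports/q4.docx
105 alice write /share/reports/q4-notes.txt
110 bob write /share/finance/ledger.xlsx.locked
115 carol write /share/tmp/installer.exe
120 dave write /share/hr/a.docx
121 dave write /share/hr/b.docx
122 dave write /share/hr/c.docx
123 dave write /share/hr/d.docx
124 dave write /share/hr/e.docx
125 dave write /share/hr/f.docx
300 alice read /share/reports/q4.docx
"""

# Hypothetical policy values; a real deployment would tune these per share.
ALLOWED_EXT = {".docx", ".xlsx", ".pdf", ".txt", ".pptx"}   # passlist
BLOCKED_EXT = {".locked", ".crypt", ".encrypted"}            # blocklist (constructed)
RATE_LIMIT = 5      # analyser: more than this many writes ...
WINDOW = 60         # ... within this many seconds is treated as abnormal


def check_write(path):
    """Return the reason a write should be refused, or None if it passes both lists."""
    ext = os.path.splitext(path)[1].lower()
    if ext in BLOCKED_EXT:
        return "blocklist:" + ext
    if ext not in ALLOWED_EXT:
        return "not-on-passlist:" + ext
    return None


def evaluate(log_text, rate_limit=RATE_LIMIT, window=WINDOW):
    """Replay an access log; return {user: [reasons]} for users who would be cut off."""
    recent = defaultdict(deque)          # user -> timestamps of writes inside the window
    blocked = defaultdict(list)
    for line in log_text.splitlines():
        ts, user, op, path = line.split(" ", 3)
        ts = int(ts)
        if user in blocked or op != "write":
            continue                     # a blocked user gets no further access
        reason = check_write(path)
        if reason:
            blocked[user].append(reason)
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:  # drop writes that fell out of the window
            q.popleft()
        if len(q) > rate_limit:
            blocked[user].append(f"analyser:{len(q)} writes in {window}s")
    return dict(blocked)
```

In the sample, alice passes all three checks, bob trips the blocklist, carol saves a type not on the passlist, and dave is cut off by the analyser on his sixth write within the window.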

In summary, protection against Insider Threats is not simple and does not come down to any one solution. Data Transparency Software is critical, but it needs to be part of an overall security strategy. As Cyber Criminals become more sophisticated, organisations need to remain vigilant, continue with employee education, review and update policies regularly, and ensure applications, OS and hardware are up-to-date. There is no guarantee that persistent Ransomware attacks won’t be successful, but criminals will usually take the path of least resistance and focus on the softer targets.