
SANS ISC: Cyber Security Awareness Tip #29: Insider Threats - SANS Internet Storm Center SANS ISC InfoSec Forums

Cyber Security Awareness Tip #29: Insider Threats

I find this to be one of the hardest-to-mitigate threats in information security. Frequently, fighting insider threats prevents people from doing work. Another problem is that too many restrictions and too much surveillance lead to distrust between employer and employee. So what's the right balance? What worked for you? In my opinion, the following ideas usually work:

  • Keep good logs. Logs should show who is doing what to your data, in particular if insiders use admin-level access to change data or review users' data.
  • Avoid "loners". Have people work in teams. Not only is this good for cross-training in case an employee is out on vacation, but it also provides a second set of eyes to catch intentional or unintentional mistakes.
  • Keep good backups. If things go bad, it's good to be able to recover. Of course, backups are made by insiders as well.
  • Stay in touch with your employees and care about them. Make sure they are paid well and don't have a reason to be mad at you. If they are, make sure you are able to discover issues early. But treating your employees well goes a long way to mitigating insider threats.

An even worse problem I don't even dare to cover: insiders who get blackmailed. Again, if they trust you, maybe they will come forward first. But that's a lot of trust.

So any good ideas you have to implement insider protections like that? Trust me... I will publish them. After all, I am an insider here ;-) (Thanks to Bill for pointing this out).

Johannes B. Ullrich Ph.D., SANS Institute.





Oct 29th 2007
