Insider threats – what they are and how to defend against them

Full disclosure: this is a paid vendor article

Insider Threats

Many organisations see external breaches as the biggest threat to their data security and spend millions building walls to guard themselves against hackers. It may come as a surprise to many that insider security threats – both intentional and accidental insider abuse and misuse – were seen to be by far the biggest cause of data leakage in 2015. With this in mind, it is imperative that you take steps to ensure you understand what your employees are doing with sensitive data.

The repercussions of insider threats can be enormous and can often go unnoticed. An insider may already have keys to the door so won’t trigger any security measures and they may already know where sensitive data is stored. Many cases of insider data breaches have been accidental, but the outcome is still the same – potentially large chunks of company profits spent on damages.

How to identify insider threats

In general, there are three types of insider that could be a threat to your organisation:

Malicious Insiders

Malicious insiders could be a current or former employee, a contractor or any other business partner who is authorised to access your organisation’s data. The motives for their attacks could range from revenge against a company they feel has mistreated them to simply personal profit. Theoretically everyone with access to your data could potentially exploit it for personal gain.

People who make mistakes unintentionally

A large proportion of data leakages occur due to honest mistakes on the part of insiders. They may have been caught by phishing scams, given their password out when they shouldn’t have, or left their account logged on across multiple machines. These threats are easier to detect and can be prevented by taking the right measures.

Outsiders posing as insiders

These are external attacks using an authorised user account with real credentials. External hackers can gain access through inactive accounts or by guessing passwords. Whichever way they gain access, they use genuine account details so do not show up as external threats.

Regardless of whether an insider leaks data intentionally or accidentally, you still need to make sure you are taking preventative measures to mitigate the risk. Dealing with insider threats is an ongoing, pro-active process that requires time and dedication.

How you can mitigate the risks of insider abuse

Know where your sensitive data is

It’s very important to know which areas of your IT infrastructure are the most likely to be of value to potential insider threats. It is also important to understand who has access to this data and how regularly it is accessed. Knowing these things will enable you to better detect when something out of the ordinary occurs in files and folders with sensitive data.

Evaluate your security strategy

Security breaches should be treated in the same way as a fire – there should be regular evaluations of safety regulations and ideally testing should take place to assess your current reaction to breaches. This kind of testing should enable you to spot anything you have overlooked or any loophole that currently exists.

There are some basic security practices you can adopt that will help firm up security, including patch-management procedures, IDPS configuration, password and authentication policies, firewalls and log review procedures.

Be sure to also look at how up to date your current security measures are. Threats evolve very quickly, and new versions of critical IT systems are released fairly regularly, so it’s important that you stay up to date.
A regular and pro-active approach to auditing and monitoring critical IT systems needs to be established. This will enable you to track activity in files and folders to ensure only the right people are accessing the right data. Being constantly aware of this will help you mitigate the damage should a data breach occur.

Maintain a least privilege policy

Employees often move departments, get promoted or are tasked with something that requires extra levels of permission. In all these cases new permissions may need to be granted and old permissions may need to be revoked. Maintaining a least privilege policy by monitoring these changes can ensure that only the right people have the right levels of access to the right data. Accounts with inappropriate levels of access are more likely to be damaging to your organisation.

Make insider threats a priority

Often the main issue is that certain people within the organisation won’t admit there’s a problem. Unfortunately, with insider threats, it’s only a matter of time before you experience the problem for yourself. Keep insider threats at the forefront of your mind when developing new security plans, assigning new permissions or managing employees.

Monitor your users

If you are able to make use of behavioural analytics tools, like User Behavioural Analytics or Network Analytics, then make sure you take advantage of them. These tools will highlight any behaviour deemed abnormal after establishing a base-line for what normal is. They can also simplify the process of identifying users with high-risk identity profiles.
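One way to put the “baseline, then flag deviations” idea from this section, together with the “know where your sensitive data is and who normally touches it” advice above, into working code. This is an added example, not part of the vendor article or of the LepideAuditor product; the audit event format, the user names and the sensitive UNC folders are constructed for the example.

```python
# Added example: per-user baseline of file-share activity, then flag deviations.
from datetime import datetime

# Folders the organisation has classified as sensitive (assumed values).
SENSITIVE = ("\\\\fs01\\finance\\", "\\\\fs01\\hr\\")

# Constructed audit events: (user, ISO timestamp, action, UNC path).
HISTORY = [
    ("alice", "2015-06-01T09:12:00", "READ", "\\\\fs01\\finance\\q1.xlsx"),
    ("alice", "2015-06-03T14:05:00", "WRITE", "\\\\fs01\\finance\\q2.xlsx"),
    ("bob", "2015-06-01T08:55:00", "READ", "\\\\fs01\\projects\\plan.docx"),
    ("bob", "2015-06-02T16:20:00", "READ", "\\\\fs01\\projects\\notes.txt"),
]
NEW_EVENTS = [
    ("alice", "2015-06-10T11:00:00", "READ", "\\\\fs01\\finance\\q3.xlsx"),
    ("bob", "2015-06-10T23:30:00", "READ", "\\\\fs01\\hr\\salaries.xlsx"),
    ("bob", "2015-06-10T23:31:00", "READ", "\\\\fs01\\hr\\reviews.docx"),
]


def folder(path):
    """Parent folder of a UNC path, keeping the trailing backslash."""
    return path[: path.rfind("\\") + 1]


def build_baseline(events):
    """Per user: folders normally touched and the hours in which they work."""
    base = {}
    for user, ts, _action, path in events:
        entry = base.setdefault(user, {"folders": set(), "hours": []})
        entry["folders"].add(folder(path))
        entry["hours"].append(datetime.fromisoformat(ts).hour)
    return base


def find_deviations(baseline, events):
    """Return (user, path, reason) for each event outside the user's baseline."""
    findings = []
    for user, ts, _action, path in events:
        f, hour = folder(path), datetime.fromisoformat(ts).hour
        known = baseline.get(user)
        if known is None:  # account with no history at all, e.g. a dormant one
            findings.append((user, path, "no baseline for this account"))
            continue
        if f.startswith(SENSITIVE) and f not in known["folders"]:
            findings.append((user, path, "sensitive folder never accessed before"))
        if not min(known["hours"]) <= hour <= max(known["hours"]):
            findings.append((user, path, "access outside usual hours"))
    return findings


if __name__ == "__main__":
    for finding in find_deviations(build_baseline(HISTORY), NEW_EVENTS):
        print(finding)
```

Alice’s daytime read of a finance file she normally works in produces nothing; Bob’s late-night reads of an HR folder he has never touched produce two findings per event.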


Insider threats should be the number one cause for concern for any organization when it comes to protecting their sensitive data. Organisations that store personal information about their employees, clients, partners or customers have a duty to protect that information. A simple way of ensuring that you are able to pro-actively audit and monitor your critical IT systems is to deploy an automated solution like LepideAuditor Suite. This solution can clearly show who accesses what information as well as when and from where it was accessed. It actively audits, monitors and alerts on changes made to critical IT systems, tracks current permissions and permission changes and monitors all aspects of file/folder activity – all from a centralised console. Be sure to consider using an automated solution, like LepideAuditor Suite, when you address insider security threats in your organization.


2014 on this blog

I recently got my annual report for this blog and it revealed some really interesting stats from 2014

I had over 300000 visitors and my most popular article was about a change Microsoft did to managing Internet Explorer settings but forgot to update their manual!

The busiest day of the year was November 5th with 1,650 views. The most popular post that day was The new way to configure Internet Explorer proxy settings with Group Policy.

See the complete report here.

Now I’m working for Whitbread, in their IT Lifecycle and Delivery team, I’m getting a whole new set of challenges. My blog will probably drift from operational/sysadmin articles to ones on my general musings on where IT is headed. I guess I’ll have to wait and see what inspires me!

Happy 2015 everyone!

Customizing the Text ScreenSaver with Group Policy

“Customizing screensavers?” I hear you cry, “That’s a bit retro isn’t it?”

Nowadays screensavers have more or less disappeared. It makes much more sense to just turn off the screen after 10 minutes of inactivity. However, there are some instances where a screensaver can be useful, for example, an always-on kiosk or even digital signage.

One of the more useful standard screensavers in the Windows operating system is called “3D Text”. It is useful because by default it will display the time, but it can be customized to display some text instead.

Continue reading Customizing the Text ScreenSaver with Group Policy

Use Group Policy Preferences with WMI Targeting to Copy Files

Here’s a quick and simple guide on how to update a file based on its “last modified” date (but it can also be tweaked to use any file attribute). It uses the Item-Level Targeting feature of Group Policy Preferences. The problem is, the Targeting Editor only has a “File Match” option that can check whether a file exists or is of a certain version. Luckily, we can implement a custom WMI query to check any of the file’s attributes using the CIM_DataFile class.

Continue reading Use Group Policy Preferences with WMI Targeting to Copy Files

Excel Tip: Apply Conditional Formatting to the whole row

Conditional Formatting Menu in Excel 2013

One of the Microsoft Excel features I use quite a bit is Conditional Formatting. This is the feature (introduced in Excel 2007) that lets you re-colour a cell in your worksheet depending on the criteria you specify, e.g. highlight any cells containing the word “Server 2003” in red.

The problem I was having was that I wanted the whole row to be highlighted, not just the particular record. It turns out this is fairly easy to do, even though it looks a bit difficult.

Step 1 – Create a new rule

  • The easiest way to start is to select one cell containing the text you want to highlight
  • Click the conditional formatting button on the toolbar and go to Highlight Cell Rules > Text that contains…
  • Format the text how you like, e.g. Light Red Fill with Dark Red Text
  • Click OK

You should now have one cell in your spreadsheet that is formatted how you want

Step 2 – Apply rule to the whole table

  • Click the conditional formatting button on the toolbar and go to Manage Rules…
  • You will see your new rule listed but the Applies to box will only reference one cell, e.g. ‘ =$B$2 ‘
  • Change the text in the Applies to box to refer to the whole table, e.g. ‘ =$A$1:$H$100 ‘
  • Click the Apply button

Now that rule will highlight any matching text in the entire table, not just one cell

Continue reading Excel Tip: Apply Conditional Formatting to the whole row

The MDT and Office 2013 Click-to-Run Jigsaw Puzzle

If you are trying to deploy a click-to-run (C2R) version of Office 2013/365 then it’s time to forget everything you knew about deploying Office and start from a clean slate!

Due to Office 2013’s cloud-based nature it is set up a bit differently to the traditional CD/MSI approach. This is fine if it’s your personal copy, but what about deploying it to a whole office of PCs?

IT pros have been using the Microsoft Installer (MSI) technology for years to silently install Office programs. You can use a mix of existing switches to update and patch Office installations using Group Policy, scripts, Office Customization Tool (OCT) or the Microsoft Deployment Toolkit (MDT).  However, Microsoft, in their wisdom, decided to offer a brand new deployment methodology for Office 2013, Click-To-Run. There is still an MSI version out there but it is only available for the Volume Licensed customers, which means, if your business was used to buying the much cheaper Product Key Card (PKC) licenses, you are stuck with C2R. Oh, and by the way, WSUS can’t be used to update it either.

We came across this issue when we purchased a job lot of PKCs for Office Home and Business 2013. This includes Outlook, Word, Excel, PowerPoint and OneNote. This seems like an ideal buy for most small businesses as it includes all of the core Office apps that your average user would need. However, when it comes to deploying, customising and activating it is about as far from business-ready as you can get! I struggled for weeks trying to get things working correctly to allow a smooth integration with our Windows 7 deployment. I did finally get there, but I hit so many brick walls I almost gave up trying. The worst part is when you get a stock “You should buy Volume Licenses” response… erm yeh, I wish I knew that 3 months ago before the money was spent.

So here is my ultimate guide to installing, customising and activating Office 2013 C2R editions. It’s not going to be pretty, but it will get you some way to a mostly automated and controlled deployment. It is specifically tailored towards Office 2013 Home and Business but should work for any Office 2013 C2R version that needs to be deployed in a Windows Domain.

Continue reading The MDT and Office 2013 Click-to-Run Jigsaw Puzzle

Legacy: Silently Install Crystal Reports Viewer 2

File this one under PITA.

As part of our #XPMustDie campaign we sometimes come across old software that simply cannot be updated in time. It’s usually some bespoke system that will take a lot of time and money to re-write or upgrade. In my opinion, it is better to get the OS secure and let an old legacy app run, than to keep a dusty Windows XP PC just for the use of one program. Of course, the ideal solution may be to virtualise the app but if you don’t have the infrastructure in place already then that may be cost-prohibitive or time consuming as well.

One such app we need to use is Crystal Reports Viewer 2.0. This is completely unsupported by the publisher (SAP), which means it is very difficult to track down files or documentation.

Continue reading Legacy: Silently Install Crystal Reports Viewer 2

Importing Trusted Certificates onto Legacy Wyse WinTerms


Root certificates are used by web browsers to establish trust in web sites. When root certificates expire, Windows usually auto-updates them (Vista and above) or deploys them through Microsoft Update (Windows XP). The Windows CE 5 operating system on the Wyse 3150 WinTerm (Windows terminal) has no automatic way of updating them, so they must be imported manually.

We had this situation arise when our remote users complained that they were unable to log on to one of our Citrix Servers. All they would get was an SSL Error 70 message when they tried to load the virtual desktop. Luckily, one of the more up to date terminals gave a more specific error, stating that one of the certificates, from GlobalSign, had expired. So my challenge became to get the latest one imported manually.

Continue reading Importing Trusted Certificates onto Legacy Wyse WinTerms

2013 Blog Stats in review

The stats helper monkeys prepared a 2013 annual report for this blog. Despite only having 8 new posts I feel like I’ve reconnected with my blog a bit and hopefully will be adding more useful articles on it soon. Thanks for reading 🙂

Here’s an excerpt:

The Louvre Museum has 8.5 million visitors per year. This blog was viewed about 130,000 times in 2013. If it were an exhibit at the Louvre Museum, it would take about 6 days for that many people to see it.

Click here to see the complete report.

Using Group Policy Preferences to deploy Favorites to Internet Explorer

My previous article, The new way to configure Internet Explorer proxy settings with Group Policy, spoke about how the Internet Explorer Maintenance section of Group Policy has been killed off in favour of ADMX templates and Group Policy Preferences. One benefit of this is that you get rid of the time-consuming “Branding Internet Explorer” section when a user logs on to a PC.

Thanks to the lack of communication from Microsoft, we now need to scramble around to get all of our Internet Explorer Favorites re-deployed for any PC with IE10 or above. Thankfully it is a relatively simple, if tedious, task. I used the GPMC on a 2008 R2 member server.

Continue reading Using Group Policy Preferences to deploy Favorites to Internet Explorer