Module 7: Handling Insider Threats

Question 1

What makes an insider threat so dangerous

Answer 1

They misuse their authorized privileges on resources that directly affect the CIA of the information system

Question 2

What are some examples of potential impacts that insider threats have on an organization

Answer 2

• Bad reputation
• Stealing PII or other private information
• Website defacement
• Posting confidential information on any public website

Question 3

According to EC Council what is the structure of how an insider threat occurs

Answer 3

• Understand business process
• Gain credentials and trust
• Install logic bombs and rootkits
• Activate those logic bombs and rootkits
• Damage the company for financial gain or revenge

Question 4

What is the the greatest risk according to the insider risk matrix

Answer 4

If the insiders’ technical literacy and process knowledge is high

See page 415 for the graph of the matrix

Question 5

What are some different ways to detect an insider threat

Answer 5

• Checking the logs (event, email, database, app, file access, and remote access)
• Alerts from various network security devices and applications
• Implementing control measures
• Identifying the behavior of users

Question 6

What are 3 different techniques to detect an insider threat

Answer 6

• Correlation
• Detecting Anomaly (anything out of the norm?)
• Discovering Pattern

Question 7

TRUE or FALSE: Placing suspected users in a quarantined network is a good way to response to an insider threat

Answer 7

TRUE

This is done so that the damage is minimized

Question 8

TRUE or FALSE: The user doesn’t need to have their accounts blocked because it might tip them off they IT security is looking at them

Answer 8

FALSE

It is a good idea to block malicious users from their accounts as soon as possible before they do even more damage

Question 9

TRUE or FALSE: The organization should not share or provide the details of the insider’s incident response plan with all employees

Answer 9

TRUE

The organization should share the response plan with those who have the capability to understand and perform the plan

Question 10

Why is an incident response plan necessary for an insider threat situation

Answer 10

It helps the organization to minimize or limit the damage cause due to malicious insiders

Question 11

While it may not seem important to IT Security, what are some ways HR can help to mitigate the threat of insider threat

Answer 11

• Background checks
• Manage negative workplace issues
• Prepare an information security policy document and have employees sign the doc
• Respond to suspicious behavior of employees

Question 12

Network security is an important aspect to help mitigate insider threats by

Answer 12

• Configured firewalls
• Strict passwords
• DLP
• Prevent file sharing

The good news is that we have this implemented in our environment…Woot GO Team

Question 13

How are users able to get access privileges

Answer 13

It is based on their routine performance of their job

Question 14

Who should vet a user’s access requests

Answer 14

Their supervisor

Question 15

Who should employees ask before accessing sensitive systems

Answer 15

Data owners

Question 16

TRUE or FALSE: When an employee is terminated from his job the employers should disable all their access rights

Answer 16

TRUE

Question 17

What should be enforced that is used to limit the misuse of resources

Answer 17

Separation-of-duties

Question 18

TRUE or FALSE: Employees shouldn’t be made aware of an organization’s security policies and controls

Answer 18

FALSE

Question 19

What should be disabled to ensure accountability

Answer 19

Default administrative accounts

Question 20

What technique is implemented to view all the actions performed by admins

Answer 20

Non-repudiation

Question 21

TRUE or FALSE: IT security needs to monitor the activities of system admins who have permissions to access sensitive info

Answer 21

TRUE

Question 22

What kind of methods need to be enforced to prevent admins from accessing backup tapes

Answer 22

Encryption

Question 23

How can a business continue operations after the incident

Answer 23

Implement secure backup and recovery processes

Question 24

What part of the CIA needs to be checked when backups are done

Answer 24

Integrity and Availability

Question 25

TRUE or FALSE: The BCP is the document that shows who accessed and handling of the backup media

Answer 25

FALSE

Chain-of-Custody

Question 26

Insider threats can be detected by observing concerning behaviors exhibited by insiders, such as conflicts with supervisors and coworkers, decline in performance, tardiness, or unexplained absenteeism. What technique helps in detecting insider threats

Answer 26

Correlating known patterns of suspicious and malicious behavior

Question 27

When an employee is terminated from his/her job, what should be the next immediate step taken by an organization

Answer 27

All access rights of the employee should be disabled