search menu icon-carat-right cmu-wordmark

Common Sense Guide to Mitigating Insider Threats - Best Practice 13 (of 19)

CERT Insider Threat Center
• Insider Threat Blog
CERT Insider Threat Center

Hello, this is Ying Han, Graduate Research Assistant of the CERT Enterprise Threat and Vulnerability Management team, with the thirteenth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats.

The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. The guide describes 19 practices that organizations should implement across the enterprise to mitigate (prevent, detect, and respond to) insider threats, as well as case studies of organizations that failed to do so. The thirteenth of the 19 best practices follows.

Practice 13: Monitor and control remote access from all end points, including mobile devices.

As information plays an essential role in our daily business, there is an increasing need for employees to be connected to their company network from anywhere to accomplish business tasks from home or in the field. When companies cannot move quickly enough to set up remote access to their company network, they frequently do not adequately address the security of this access.

An inherent vulnerability unique to employees accessing a company network remotely is the absence of the environmental constraints that may be a deterrent against IT crimes. Without being physically present at the workplace, a disgruntled employee may be more emboldened to sabotage the company network infrastructure or exfiltrate critical data in an environment because there are no coworkers available to observe any suspicious activity.

From a remote location, an insider may be able to exfiltrate data without fear of detection and without fear of having to physically escape from the crime scene. By using a public network IP address, a device that is not owned by the insider, and only remote access credentials, it may be difficult to prove whether the crime was committed by the owner of the credential without an in-depth forensic investigation. These confounding variables may give the malicious insider the illusion that his or her identity is hidden.

A type of remote access that has recently emerged is having employees bring their own devices to work, a practice that increases the vulnerability of the organization. As a result, multiple types of devices now provide avenues to remote access through unprotected network connections. For example, smart phones connected to cellular networks can access a company network by bypassing a company's IT security control procedures, such as intrusion detection systems, intrusion prevention systems, network logs, and firewalls. Not only is there a risk of connecting through an untrusted cellular network, there is the risk that the access can allow the insider to exfiltrate data from anywhere.

Since business operations will require employees to have remote access to the company network, it is important for companies to recognize the different vulnerabilities that accompany that access. Companies should investigate the technical controls that can be implemented to reduce the risk of an incident and to provide valuable evidence for forensic analysis when a crime is committed.

The following is a list of best practices an organization should consider:

  • Implement end-point logging.
  • Audit remote transactions regularly.
  • Allow remote access only via company-managed devices.
  • Record all remote login information, including for successful and failed login attempts.
  • Require authorization for remote access of critical data.
  • Immediately disable remote access credentials of terminating employees.
  • Allow remote access permission via non-organization owned devices with caution.

From a security viewpoint, organizations should use the following procedures as part of the termination of an employee with remote access:

  • Close all open connections.
  • Require the return of all company-owned devices.
  • Disable all network access credentials, including remote and local access to the firewall.
  • Change the passwords for all shared accounts, such as system or database administrator accounts.

Refer to the complete fourth edition of the Common Sense Guide to Mitigating Insider Threats for a comprehensive understanding of the issues and recommendations mentioned.

Check back in a few days to read about best practice 14, Develop a comprehensive employee termination procedure, or subscribe to a feed of CERT Program blogs to be alerted when a new post is available.

If you have questions or want to share experiences you've had with insider threats, send email to

About the Author