Insider Threat. How to prevent Insider Threat in VCS

Who is an insider?

An insider is a person who has or had authorized access to an organization’s assets, including personnel, facilities, data, equipment, networks, and any other computer systems.

An insider may be:

  • Employee
  • Contractor
  • Vendor
  • Intern
  • Supplier

What is an Insider Threat?

An Insider Threat is a malicious threat to an organization that comes from inside the organization, from an insider as described above who has access to information concerning the organization (technologies, finances, security, etc.).

Types of Insider Threats

Insider threats can be classified as unintentional or intentional.

Intentional Insider Threats – threats from actions taken to abuse a company for personal benefit (money, positions, reward, recognition, or even increasing self-esteem). The intentional insider is often referred to as a “malicious insider”.

Example of Intentional Insider Threat:

A company hired a network engineer, but he wasn’t good enough to pass probation. After being notified, he decided to plant a small script that would delete the production database after one month, so as to divert suspicion from himself.

Unintentional Insider Threats – threats from actions that harm a company but are taken without any intention to harm it.

These threats can be the result of negligence or accident.

In the case of negligence, an employee ignores security policies and instructions to gain some short-term benefit. For example, a developer turns on debug mode on a production server to debug an application more easily, and all users potentially get access to logs and stack traces, which could contain sensitive information.

An Accidental Insider Threat is an unintentional event that causes sensitive data leakage. For example, a developer accidentally makes a GitHub repository public, and now the application source code is publicly available on GitHub and has been crawled by search engines.

Real-world examples

2014 – Uber – Secrets in the code

2022 – Adafruit – Publicly accessible repository

2022 – GitHub Takeover

How to prevent Insider Threat

Preventing Insider Threats requires a holistic approach and detailed work at each level of a company’s security model. As bspeka works in the source control domain, we’ve prepared some recommendations for this area:

  • Implement the least privilege principle across your organization in GitHub (or another VCS)
  • Review members of an organization on a regular basis
  • Delete leavers from an organization and make it a process
  • Protect your master branch from unreviewed changes
  • Use a secure vault to properly manage code secrets and rotate them
  • Set up continuous monitoring for repositories that shouldn’t be publicly accessible
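
The membership, leaver, branch-protection and public-repository checks from the list above can be run as one recurring audit. The sketch below is an added example, not bspeka's code: it works on an offline snapshot whose fields mirror the GitHub REST API, and the function name, the staff roster, the allowlist, the owner limit and all sample values are assumptions made for illustration.

```python
# Added example: audit an organization snapshot against the checklist above.
# Dict fields mirror the GitHub REST API (org members, org repos, branch
# protection); "role" is assumed to be merged in from the membership endpoint.
# All names and values below are constructed sample data.

def audit_org(members, repos, protection, roster, public_allowlist, max_admins=2):
    """Return a list of (finding, subject) tuples for one organization."""
    findings = []
    # Leavers: accounts still in the org but absent from the current staff roster.
    for m in members:
        if m["login"] not in roster:
            findings.append(("leaver", m["login"]))
    # Least privilege: flag an unusually large set of organization owners.
    admins = sorted(m["login"] for m in members if m.get("role") == "admin")
    if len(admins) > max_admins:
        findings.append(("too_many_admins", ",".join(admins)))
    for r in repos:
        # Exposure: anything public must be on an explicit allowlist.
        if not r["private"] and r["name"] not in public_allowlist:
            findings.append(("unexpected_public", r["name"]))
        # Review gate: the default branch needs at least one required approval.
        rules = protection.get(r["name"]) or {}
        reviews = rules.get("required_pull_request_reviews") or {}
        if reviews.get("required_approving_review_count", 0) < 1:
            findings.append(("unreviewed_default_branch",
                             f'{r["name"]}:{r["default_branch"]}'))
    return findings

MEMBERS = [{"login": "alice", "role": "admin"},
           {"login": "bob", "role": "member"},
           {"login": "old-contractor", "role": "admin"},
           {"login": "carol", "role": "admin"}]
ROSTER = {"alice", "bob", "carol"}           # current staff, e.g. from HR
REPOS = [{"name": "website", "private": False, "default_branch": "main"},
         {"name": "billing-api", "private": False, "default_branch": "master"},
         {"name": "infra", "private": True, "default_branch": "master"}]
PROTECTION = {  # repo name -> protection rules of its default branch
    "website": {"required_pull_request_reviews": {"required_approving_review_count": 1}},
    "infra": {"required_pull_request_reviews": {"required_approving_review_count": 2}},
}
PUBLIC_ALLOWLIST = {"website"}               # repos that are meant to be public

if __name__ == "__main__":
    for finding in audit_org(MEMBERS, REPOS, PROTECTION, ROSTER, PUBLIC_ALLOWLIST):
        print(*finding)
```

Running the audit on a schedule and alerting on any new finding turns the member review and leaver removal into a process rather than a one-off cleanup.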