We research Information Security incidents every day and we can tell you one thing for certain; your data is worth a lot of money to cyber criminals. A day doesn’t pass where we don’t read about another breach where an organizations employee or customer data has been stolen. This data often includes email addresses and sometimes even passwords. Even a password that has been encrypted before it’s stored can potentially be valuable in the right hands. So, is it possible to know if your email or password has been compromised? Yes!
Finding Compromised Accounts
Information security professionals have been able to utilize similar methods to collect details on data breaches including, in some cases, the data within those breaches. Unlike cyber criminals, security professionals have created ways to safely and securely use that data to help consumers, like you, identify if their accounts have been compromised. In most cases you simply enter your email address or common username(s), and the tool with identify whether or not that email address and/or username has been found in any known data breaches.
We don't recommend that you go around and enter your email address and password into different websites. The below list of lookups have been reviewed by Rogue Security, both in terms of technical controls, and privacy controls.
Account Leak Lookup Services
Here is our trusted list of sites that you can use to search for whether or not your accounts have been compromised. All of the below resources are 100% completely free!
Enter an email address (or even username/phone number) and these services will return a list of data breaches that the email address (or other artifact) was found.
What Do I Do If My Email Comes Back As Being In A Breach?
If you haven’t already, you should change the password on your account on that individual service. Also, if you use that same password elsewhere then you should change the password on those accounts, as well. This is the reason why we don’t recommend the practice of re-using passwords between services. Not only does it put all of your accounts at risk if just one of them is breached, but it also makes it a lot harder for you to remember all of the places that you used that password. In summary:
Reset your password on the account that was breached.
Reset your password on any other accounts that might share the same password as the breached service.
If any important accounts such as government or financial services accounts might be affected, contact each institution advising them so they may monitor your accounts more closely.
Your accounts are almost guaranteed to fall victim to a data breach at some point in your lifetime. Using separate passwords, and being aware of possible leaks is the best way to protect yourself as a consumer.
Email continues to be an excellent vector for cyber criminals to distribute malware, as well as links to unsuspecting victims. Email is a frequently misconfigured, and very misunderstood service that is being used to perform tasks that it was never designed to do. Not securely anyway. Thankfully, the Domain Name Service (DNS) has come up with several mechanisms for reducing the risk of receiving spam, and other potentially malicious messages.
What Is SPF?
The Sender Policy Framework (SPF) is an authentication method that is designed to detect when an email sender has sent an email from a server that isn’t approved to send email for the domain name of the sender email. The Sender Policy Framework provides the receiving email server a way of seeing what servers are approved to email. This occurs every time an email is received, if SPF is available. SPF is configured by adding a TXT record to your domain name’s DNS record with a string value consisting of various details, including approved sending servers.
The SPF Record
An SPF Record is a TXT DNS record that contains a list of IP addresses and domain names that are approved to send email using the domain name that the DNS record exists on. An SPF record may look something like this:
TYPE HOST VALUE TTL
TXT @ "v=spf1 ip4:184.108.40.2062 include:domainname.com include:ses.amazon.com ~all" 1800
The SPF string always starts with the version of SPF, followed by various mechanisms including those that define approved IP addresses and domain names (which can be resolved back to an IP address), and finally the ALL mechanism is included with a qualifier in front of it to determine how the receiving email server should read the record.
The “all” mechanism needs a qualifier, however, qualifiers can be used in front of other mechanisms to setup any number of different configurations.
Four qualifiers exist: question mark (?), tilde (~), dash (-), and plus (+).
DomainKeys Identified Mail (DKIM), like SPF, is an authentication mechanism designed to detect when an email is being sent by a server approved by the domain owner. Unlike SPF, DKIM uses digital signatures that are setup by the mail server, referenced in your domain’s DNS record, and attached to every outbound message. DKIM adds to SPF by using cryptography to sign the message. This means that DKIM isn’t just verifying the sending server, but it also verifies the integrity of the message to ensure that contents of the email, including any possible attachments, hasn’t been altered in transit.
The DKIM Record
DNS TXT records are also used in the implementation of DKIM but look a little different. More specifically they use a different set of key/value pairs that supply a receiving server with information required to verify the authentication and integrity of inbound email. Here is what a DKIM record might look like:
TYPE HOST VALUE TTL
TXT @ "DKIM-Signature: v=1; a=rsa-sha256; d=domainname.com; s=selector; c=relaxed/simple; q=dns/txt; t=1117574938;x=1118006938;h=from:to:subject:date:keywords:keywords;bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=;b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZVoG4ZHRNiYzR 1800
There are a number of tags available,
signature of headers and body
Since DKIM is a digital signature, it uses public-key encryption. When the receiving server looks up the DKIM DNS record for the domain name, it receives a response that contains the domain name’s public key and other key=value pairs that tell the server how to use it.
Another aspect of DKIM is that is provides non-repudiation. Non-reputability is a situation whereby the authorship of an assertion/statement made by an individual, cannot be disputed. In the case of DKIM, only the sending server should have the private key that was used to encrypt the email message. Thus, if the public key that we received is able to successfully decrypt the message, we can be certain where it came from.
DMARC, or Domain-based Message Authentication Reporting and Conformance, is the third and final email authentication mechanism that we’ll be looking at today. DMARC was created to extend both SPF and DKIM protocols and provide incoming email authentication by providing instructions to a receiving email server on the policies surrounding both DKIM and SPF. The DMARC policy also informs the receiving server how it should handle emails that fail SPF checks, DKIM checks, or both.
The DMARC record is created with a subdomain label of _dmarc (i.e. _dmarc.roguesecurity.ca), and exists as a TXT record. Let’s take a look at what a DMARC record looks like:
TYPE HOST VALUE TTL
TXT _dmarc.domainname.com. "v=DMARC1;p=none;sp=quarantine;pct=100;rua=mailto:firstname.lastname@example.org;" 1800
The only required tags in your DMARC record are the ‘v’ and ‘p’ tags.
Percentage of messages subjected to filtering
Policy for domain
Policy for subdomains of 'p'
Reporting URI for aggregate reports
Reporting URI for forensics reports
Alignment mode for DKIM
Alignment mode for SPF
Failure reporting options (will be ignored if ‘ruf’ is missing)
Format to be used for message-specific failure reports
Interval between aggregate reports
DMARC also adds the capability of reporting in the form of aggregate reports and forensic reports. The reports are XML formatted files that are issued by the recipient servers, and can be quite large if your organization sends a lot of email.
SPF, DKIM, and DMARC are email authentication mechanisms that can help with anti-phishing, non-repudiation, spam prevention, and message integrity. Although the implementation can be very complex when more then one domains are involved, the benefits of SPF, DKIM, and DMARC far out weigh the amount of time that they may require to configure properly.
If you’re a regular visitor to roguesecurity.ca then you’ve probably heard of (ISC)2. (ISC)2 is an international, non-profit organization that provides certifications, networking, and continuing education for security professionals. (ISC)2 is the organisation responsible for some of the most popular certifications in the information security industry including the CISSP (Certified Information Systems Security Professional).
During this 2-hour course, you will learn the major distinctions between ransomware and malware, the key characteristics of ransomware attacks, and the protection strategies and remediation plans for ransomware attacks that should be in place ahead of time.
If you’ve been in a security field that involves incident response/threat hunting, you’ve probably heard of the term “indicator of compromise” (IOC). In computer forensics, an IOC is an artifact that can be observed on a network or a host that indicates, with a relatively high level of confidence, a computer intrusion.
Not all artifacts from a cyber event will be considered an IOC. Artifacts that are left during an attempted, but perhaps not successful, intrusion are known as precursors. While an IOC can help to identify an intrusion that may have already occurred, a precursor can help to identify when an intrusion may be in the process of occurring.
What Do We Consider An Indicator of Compromise?
Indicators of compromise can range from a simple string to a series of actions performed in a certain order. Here is a comprehensive list of examples of different types of IOCs.
Service and Process Names
Registry Key, Path, and Value
“Strings” within a file
DNS txt record abnormalities
Files referencing /etc
System API Call
While those pieces of data can be easily found using a variety of security tools, there are also a number of behaviours that may indicate an instrusion.
Unusual/Unaccounted for outbound traffic
Unusual/Unaccounted for traffic between client networks (subnets)
Privileged account anomalous usage
User account active from anomalous IPs
Excessive failed logins
Activity from unexpected geographic regions
Increased traffic to specific resource
Baseline changes in RDBMS activity
Change in web browsing requests / request habits
Well known port vs. application usage
Encryption should be used over normally encrypted ports
Unexplainable Registry and File system changes
Malformed, overy short, and anomalous DNS requests
Patching that didn’t follow the official Change Management schedule
Changes to mobile platforms
Unexplained file creation
Web Browsing spikes and anomalous traffic patterns during irregular times
There are a number of other behaviours that I’m sure you can think of that may also be an indicator of compromise. One of the best sources for techniques that that can be used to build a larger list of behaviours is the Mitre ATT&CK Enterprise Techniques matrix.
How Is This Information Valuable to a Security Professional?
Security monitoring is not a perfect science and relies on security professionals to create, tune, and update the various security tools that are used to detect information security threats, including a tool known as the Security Information and Event Management (SIEM) system. A SIEM is a key tool for Security Operations teams that ingests, manipulates, and displays logs from various services and provides security professionals a perfect tool for investigating security incidents.
Security professionals in the monitoring and detection role can use an indicator of compromise to build alerts and detection content based on real-world events and detections. This is an essential part within any SOC program, and is a proactive approach to cyber defense. Using IOCs in your environment is also a reactive approach to cyber defense, but can help to identify threats in your environment that may have been missed initially. For example:
A security professional will take a list of IOCs related to a recent data breach performed by Darkside, and investigated by FireEye. FireEye, like many security companies, publish intelligence data for use by others.
The security professional will take that list and not only include those IOCs within existing detection content, but they'll also review historical logs for the aforementioned IOCs which can give the security team a limited amount of certainty that the environment wasn't previously impacted by a newly detectable threat.
IOCs are a type of open source intelligence (OSINT) and are available from many sources in many formats. You may get something as simple as a list of IP Addresses, however, there has been some work over the years to create a standard way of creating, storing, and sharing indicators of compromise.
Essentially, both STIX and TAXI offer the same results; they just do it in different ways. STIX uses relationships between objects to build intelligence, while TAXII utilizes collections within a more standard client-server distribution model. Many SIEM tools can ingest both STIX and TAXII feeds for automated intelligence gathering and for updating IOC block lists.
You don’t need to tell us the power of being neurodivergent. Did you know that Rogue Security’s owner/operator, Justin Robinson, has Attention Deficit Hyperactivity Disorder (ADHD)?
Given a comfortable and supportive environment, as well as a topic that interests us (Cybersecurity); and what happens is that the behaviours that are frequently called “symptoms” of our disorders, are experienced less often, or even completely flip!
“My inattention becomes hyperfocus, my random thoughts become a brainstorm for the ages, and what you think is procrastination is actually extremely well-tuned mental preparation. And oh boy am I passionate!” ~ Justin Robinson
Given an uncomfortable environment, like anyone, we will be frustrated, depressed, anxious, and even bored! Our needs are simply different, and in some cases may seem unnecessary for an adult. Our comforts are different too, and our discomforts occur more often. Give us a break on that last one, we simultaneously hate change in routine, but love experiencing different things and can become bored when doing the same thing over and over again.
“Neurodiverse minds are usually great at finding the needle in the haystack, the small red flags and minute details that are critical for hunting down and analyzing potential threats. Other strengths include pattern recognition, thinking outside the box, attention to detail, a keen sense of focus, methodical thinking and integrity.” ~ Referenced from article
We’re closer and closer to the end of Covid-19 restrictions and we’re heading to point in this pandemic that privacy and security experts have been fearing for quite some time. It was only a matter of time before Covid-19 vaccination became everyone’s answer for getting back to a normal(-ish) life. The challenge was always going to be in creating a process whereby everyone can provide evidence of vaccination, without breaching anyone’s right to privacy.
I was reading this article this morning on CBC, “Cybersecurity expert warns P.E.I. Pass website is ‘hotspot’ for hackers”, and was expecting to read something substantial about the security of the platform, and was honestly pretty disappointed. In my opinion, this article does nothing but erode more trust in our institutions. It lacks the details necessary for an article with such a title, and could stoke a decrease in use and trust of other online government platforms.
What Is The PEI Pass?
The PEI Pass is a document given by the Government of Prince Edward Island that verifies an individual has been either fully or partially vaccinated, plus an additional 21 days. If you have this document then you are not required to self-isolate for 14-days when entering P.E.I. The PEI Pass is available to almost anyone given they meet one of the 4 requirement categories. Each category has a different set of requirements including differing documentation needs. Categories:
Permanent P.E.I. residents
Permanent residents of N.S., N.B., N.L, or Magdalen Islands
Other Individuals who have been in an Atlantic province for a minimum of 14-consecutive days, not including Magdalen Islands.
Non-P.E.I. residents who came to P.E.I. through a Pre-Travel Approval and are currently in PEI
Security Vs Privacy
There are two different concepts being discussed here. Security and privacy are not the same thing. The privacy of the data may depend on factors that include, security.
Although it’s easiest as a Permanent P.E.I. resident, all four requirement categories require you to upload documents or enter information that may not be relevant to the PEI Pass application.
As a Prince Edward Island resident, the government already knows this information about me, which is why they’ve made it easier by being able to lookup my records in the PEI COVID Immunization Registry. For me, I’m not concerned about uploading my driver’s license either, as the government has that too.
Non-permanent residents will be experiencing the most risk to privacy. Especially, with a data breach in P.E.I.’s not too distant past. Any time you give your information and data to an organization or government that didn’t previously have it, you’re increasing the risk of that information being stolen. That’s a risk calculation that you’ll need to make yourself.
I wasn’t able to find any information on how the Government of Prince Edward Island is securing the transmission and the storage of information being supplied.
The PEI Pass application itself is protected by a valid SSL Certificate, which tells us that the data is being transmitted (data in transit) from your browser to the website server securely.
The unknowns don’t come into play until we attempt to identify what security controls are put into place to protect the data in storage (data at rest), nor do we know if the data is stored on the same server as the website. Unfortunately, outside of the privacy commissioner giving her go ahead, I can’t find any reports on it.
The PEI Pass application process asks not just for personal information, but also for personal documentation. This can lead to you releasing much more personal information then you may have wanted to. Photocopy your documents and use a dark marker to eliminate any information on them that isn’t relevant to the request. Then send the modified photocopy. The Government of Prince Edward Island provides a similar note on their website:
Will Applying To The PEI Pass Be a Risk To My Privacy?
Any time that you provide personal information to a third-party that didn’t have information before, you are compromising your privacy. Sometimes it’s good, sometimes it’s bad. That’s where laws like PIPEDA come in.
Will Applying To The PEI Pass Be a Risk To My Data Security?
Without knowing what security controls are in place, there is simply no way of knowing if applying for the PEI Pass will compromise your data security.
Open Source Intelligence (OSINT) is a methodology for collecting, analyzing, and decision-making using publicly available sources of data. According the Wikipedia, OSINT sources can be devided into te following categories:
Media, print newspapers, magazines, radio, television
Internet, online publications, blogs, discussion groups, citizen media
Public government data, public government reports, budgets, hearings, telephone directories, press conferences, websites, speaches
Professional and academic publications, information acquired from journals, conferences, symposia, academic papers, dissertations, theses
Commercial data, commercial imagery, financial and industrial assessments, and databases
Grey literature, technical reports, preprints, patents, working papers, business documents, unpublished works, newsletters
The purpose of OSINT is to create a tailored level of knowledge (or intelligence) for supporting individuals and groups in making decisions.
A vast amount of information is available publicly. OSINT Framework provides a hierarchical view of hundreds of OSINT resources broken down by a variety of indicators.
What Is SpiderFoot?
SpiderFoot is an open source tool, built in Python, that can query a large number of data sources (over 100 according the website) to gather information on a number of different targets including ip addresses, domain names, and even bitcoin addresses.
The power of SpiderFoot comes from Modules. Modules are how SpiderFoot organizes data into containers. Some Modules like those that integrate with Shodan, AlienVault OTX, and HaveIBeenPwned, required an API key from those individual services. API Keys can be imported/exported as needed. Approximately 60 services that require API’s are available via SpiderFoot.
Scanning in SpiderFoot is as simple as giving the scan a title, a target, and then by selecting the Use Case, Required Data, or Modules that you’d like to use. Scans can be as detailed or as broad as you’d like.
Results are available via several dashboards including the Summary visualbelow. You can also browse the data in a table, and exclude duplicates, as well as view the data in a graph showing you the connections between data points.
Spiderfoot Scan Summary Panel
In summary, SpiderFoot is a web-based tool for collecting, analyzing and storing OSINT data, and is completely open source. It has its limits, like only being able to complete one scan at a time. However, it’s so easy to setup and can be virtualized using Python Virtual Environments, that analysts can easily have their own instances.
Raise your hand if the company that you work for has a website, or you, yourself, run a website. That’s a lot of hands!
What Is TLS/SSL?
We often talk as if Transport Layer Security (TLS) and Secure Sockets Layer (SSL) are the same thing, however, their more like successor and predecessor. Both are cryptographic protocols that are designed for secure communications. The last version of the SSL protocol was 3.0 and was published by the IETF in 1996. A major vulnerability, given the name POODLE, was disclosed in 2014, which essentially brought an end to SSL.
TLS 1.0 was defined as an upgrade to SSL in a request for comments (RFC) in 1999. The protocols aren’t substantially different, and the name change had more to do with the fact that the IETF wanted to ensure that it was apparent that this was a fork of the protocol.
Regardless of whether we say SSL Certificates or TLS Certificates, we’re almost certainly using the TLS protocol.
Website TLS/SSL Certificates
A TLS/SSL Certificate is a pair of files where one file contains a private key that only the server knows, and a public key that is used to create a trusted relationship. A process known as a “handshake” occurs when you visit a website that uses an SSL certificate. This handshake can be a little confusing, but the below diagram does a pretty good job.
How TLS/SSL Protects Your Website
The purpose of a TLS/SSL Certificate is to create a trusted relationship between your computer’s web browser, and the server hosting the website. Once this relationship is created, any communication between these two points, your browser and the website server, is encrypted using the private key that only the server has knowledge of. This is how TLS/SSL protects a website visitor’s financial information, such as credit card number, when they enter it into a form on your website.
Along with Encryption, the TLS/SSL protocol are ensuring a form of Authentication and Integrity. Once the relationship is established you can be sure that the communications being exchanged aren’t being manipulated and are being sent and received by the same two parties.
Not all TLS/SSL Certificates are the same, and not all website servers implement these certificates in the same way. Implementing TLS/SSL incorrectly, or not configuring the web server with the appropriate settings, can lead to insecurities. Testing your TLS/SSL should be added to your annual checklist and can ensure that your TLS/SSL Certificates are in tip-top shape.
Here are some resources that you can use to easily test your websites.
SSL Labs by Qualys – One of our favourites; allows you to hide the results from their community boards for added privacy.
Mozilla Observatory – Choose to not show up in public results, and even not get scanned by third-party scanners. Observatory not only scans for TLS/SSL issues, but also for HTTP and SSH issues.
Wormly – Wormly gives you a simple TLS/SSL health check report.
CryptCheck – Something a little more technical; CryptCheck also runs tests on SSH, SMTP and XMPP.
SSL Checker – Visualize and verify the certificate chain.
The godfather of data breach reports, HaveIBeenPwned, allows you to search your email addresses and phone numbers to find out if either has appeared in a data breach. As of this writing the site has recorded over 11 billion “pwned” accounts.
Inspired by HaveIBeenPwned, Have I Been Sold allows you to enter an email address and does a check to see if it was seen on any email sell lists. Have I Been Sold also allows you to receive notifications if they find it moving forward, as well as allows you to remove your data from their database.
BreachAlarm is another service that will allow you to check and monitor if any of your account passwords show up online allowing you to change your passwords before damage can be done.
Don’t Use Breached Passwords
“But, how can I know if the password that I’m using was found in a breach?” Great question! Various tools allow you to check whether a password was found in a data breach, without compromising the security of your passwords.
Pwned Passwords stems from Troy Hunt’s tireless work with HaveIBeenPwned. Pwned Passwords is a gigantic database of over 600 million passwords found in real world data breaches. You simply enter a password and Pwned Passwords will tell you if it was exposed during a data breach.
Is that safe? Pwned Passwords uses a concept known as k-anonymity to only send the first 5-characters of an encrypted version of the password that you entered. In other words, the password that you enter isn’t even the same data that gets sent to the server. k-anonymity means that Pwned Passwords is only able to tell you that the password you entered matches any number of passwords it found, and is not a one-to-one lookup. You can read more about how Pwned Passwords uses k-anonymity, here.
Use a Password Management Tool and Never Reuse Passwords
I continue to preach password management as credential theft and password reuse is still far too common. Password management tools integrate with browsers and devices to help you create and store passwords, securely.
BitWarden is the only password manager that we recommend. It’s open source and is available on every platform, for both individuals and enterprises.
“What Antivirus should I use?”, “Which firewall do I need to download?”, “Do I need a hardware firewall?” Look, leave the tough stuff for the engineers. Both MacOS and Windows 10 have Antivirus protection and firewall software out-of-the-box. Instead of loading your devices with additional security software, you should educate yourself on how to be cybersafe.
Educate Yourself on Cyber Safety
Cybersecurity awareness and education isn’t always fun, but it doesn’t have to be boring. Here are some personal cybersecurity awareness links that will help you with better identifying threats, reminding you to perform regular security checks, and keep you in the know on the latest cybersecurity trends.
Some of the biggest data breaches of our time have been due to unpatched software. When you your update software, computers, devices, and even apps you aren’t just getting cool new features and visuals, but you’re also usually getting security updates.
This website is hosted on WordPress, a commonly used Content Management System (CMS). According to the Sucuri 2019 Website Threat Research Report , just under half of WordPress websites were outdated at the time that the infection occurred.
Use a VPN When On Public Wi-Fi
It’s impossible to be certain whether the operators of a public Wi-Fi Hotspot are taking the necessary steps to protect your data from being stolen when using their services. You can, however, encrypt your communications using a Virtual Private Network (VPN) whenever you do connect to public Wi-Fi.
There are a lot of VPN providers available and we really can’t recommend one. However, here is a pretty regularly updated VPN Provider comparison Google Sheet that gives you information on 96 VPN providers including whether they log, limit traffic, what VPN technology they use, and even if they provide protections against a number of VPN attacks.
Review Your Accounts Regularly
Put it in your calendar right now. I’ll wait. All that you need to do is login to your accounts, verify your security settings, make sure MFA is enabled, and do a check of any third-party connections that exist when you use services like Google and Facebook to login to websites that are note Google or Facebook. Disconnect any services that you no longer use and bask in your account security.
According to the 2020 Cost Of Insider Threats Global Report study presented by Ponemon Institute and sponsored by ObserveIT and Proofpoint, insider threat related incidents are averaging a 12-month cost of $11.45M for those organisations polled. You might be thinking that you’re just a small business and you know that known of your employees would be party to a cyber attack, you may want to reconsider.
What is an Insider Threat?
An insider threat isn’t just an employee who wishes to do damage to their company. An insider threat can also be defined as a careless employee, or contractor, as well as any form of credential theft. More generally, an insider threat is any threat that is performed by anyone associated with your organizations who may have inside information (non-public information) regarding your organization’s policies, security practices, data, systems, and even people.
Types Of Insider Threats’ 1
An insider threat goes beyond intentionally taking advantage of access that was legitimately given. Insider threats are broken down into the following three categories:
Current or former employees, contractors, or business partners who unknowinglyor carelessly make errors, and disregard policies.
Current or former employees, contractors or business partners who knowinglydisregard policies. and attempt to inflict harm to an organization using the information and access they have available to them.
External threat actors who obtain legitimate access to an organization.
Negligent and malicious insiders are more common than infiltrators, however, infiltrators are apt to do much more damage.
Reducing The Risk Of Insider Threats
Insider threats are a risk that your organization can reduce without necessarily spending additional money on security controls. The one commonality between the different categories of insider threats, is people. There are a number of administrative and technical security controls that you can implement today.
Employee Hiring/Termination and Awareness Procedures
Have appropriate employee screening during the hiring process for persons who handle sensitive or proprietary data, such as background and credit checks.
Processes and procedures for employee termination and offboarding including roles and responsibilities for those involved.
Raise awareness to the various types of insider threats to both new and tenured employees.
Having an appropriate access control strategy documented and reviewed annually, is essential for any information security program, but can also reduce the risk of experiencing an insider threat.
Principle of Least Privilege states that each user should only have access to the accounts and services that they need to do their jobs, day-to-day.
Separation of Duties is an important concept that encourages the act of access separations based on duties. An example of this is a Desktop Support Analyst having two corporate accounts (joe.analyst & joe.analyst-admin), one account for standard use and the other for elevated/administrator needs.
Policies and procedures for the appropriate use of company devices and BYOD devices.
Ensure that employee devices are keeping logs if audits are needed.
Endpoint monitoring or data loss prevention (DLP) technical controls can detect and prevent various insider threat actions.
Third-Party Risk Management
Third-party vendors, consultants and clients must not only follow any outlined security policies within your organization, but should also have policies and procedures of their own surrounding insider threats.