For years the security industry has been discussing the “insider threat.” This is nothing new; it is an old-school attack that has become public because of the nature, quantity, and sensitivity of the data now being stolen electronically.
Years ago, these attacks occurred on a regular basis but did not carry the same labels or stigma they have today. I am not saying they were acceptable back then. We just need to be realistic about what an Insider Threat is and acknowledge that it has been going on in various forms for hundreds of years.
By definition, an Insider Threat is an internal persona behaving as a threat actor. Regardless of the techniques they use, they are not acting in the best interest of the company, are potentially breaking the law, and are exfiltrating information they do not have permission to possess.
A classic example of this type of threat is client lists—an Insider Threat that’s still relevant today, by the way. A sales person or executive who is planning to leave an organization may photocopy or print client lists and orders before departing, in order to have a competitive edge when they start with a new employer. On paper, the volume would have to be substantial to make an impact, but leaving with confidential information in printed form is still an Insider Threat.
Obviously, they were not leaving with file cabinets of material, but today, with electronic media and the internet, that volume of data could easily be exfiltrated without anyone noticing. And, as a reminder, that file cabinet of sensitive information can easily fit on a USB thumb drive in a person’s pocket. Therefore, we now have a label for this type of threat, and Insider Threats are becoming more relevant. The crime is old, which is what makes security professionals sick to their stomachs, but the methods and volume are now something to consider, and they require a new strategy to protect against.
Insider Threats occur for a variety of reasons, ranging from a desire to hurt an organization to a desire to gain an advantage over it. Regardless of intent, it’s the digital aspect of an Insider Threat that warrants the most attention. Human beings will do the most unusual things in the most dire of situations, but if the environment does not permit them to act, many of the risks of Insider Threats can be mitigated. Consider the following for your business:
In fairness, answering these questions honestly could open a Pandora’s box. You should, however, answer them if you care about Insider Threats. Here is why:
If you think that following all of these steps will make you safe from Insider Threats, you are wrong. Doing so assumes the threat actor is coming in through the front door to steal information or conduct malicious activity.
Insider Threats can also evolve from traditional vulnerabilities, poor configurations, malware, and exploits. A threat actor could install malicious data-capturing software, leverage a system missing security patches, or access resources through backdoors to conduct the same kinds of data-gathering activity.
Insider Threats are about stealing information and disrupting the business, but depending on the sophistication of the threat actor, they can use tools that are traditionally associated with an external threat. We have seen this with recent breaches at the CIA, NSA, Yahoo, and even the SWIFT banking network.
Therefore, we need to recognize that Insider Threats come from essentially two categories: excessive privileges (covered above) and poor security hygiene (vulnerability management). To that end, all organizations should also regularly perform these tasks to keep their systems protected:
While these seem very basic, in reality most businesses do not do a good job even at the security basics. If they do, the risk of Insider Threats can be minimized by limiting administrative access and keeping information technology resources up to date with the latest defenses and security patches.
Insider Threats are not going to go away. They have been around for hundreds of years; however, the medium and techniques for stealing information have evolved with modern technology. The goal is the same: stop the data leakage, and be aware that an insider has multiple attack vectors to achieve their goals.
As security professionals, we need to mitigate the risks at the source. A briefcase of paper is still an Insider Threat, but it is not as relevant as a USB stick holding your entire database of client information.