How to identify an insider threat
Digital age has created three dimensions to insider threat
By Jeffrey R. Jones and Ryan Averbeck | CSO | Published: 15:58, 13 May 2011
Why does your competitor have your latest research or financial figures? It must be an insider - or is it?
Before the digital revolution, security professionals were kept awake at night worrying about the potential threat posed by an untrustworthy member of their organisation. Commonly referred to as the insider threat, this person possibly had privileged access to classified, sensitive or propriety data; providing the insider with a unique opportunity, given his or her capabilities, to remove information, predominately in paper form, from the facility and transfer it to whomever they desired.
Over the years, extensive knowledge has been accumulated on ways to identify and counter the insider. Centuries of experience indicates that insiders are mainly motivated to steal information for money, ideology, ego or due to coercion. Through understanding these motivations, personnel security programs were established to help identify employees who may be potential insider threats. For instance, if an employee in serious financial debt is thought to be vulnerable to one of these motivations, then the security professional may deem it best, with the Commander's approval, to temporarily suspend their access to sensitive information.
Related Articles on Techworld
The insider in previous days could do great harm to an organisation. However, research and tools were developed to help mitigate the threat. Primary controls revolved around the previously mentioned personnel security measures, physical security measures such as storing the information in a safe, and procedural mechanisms such as establishing access to information based upon a "need-to-know" basis. These safeguards helped make it more difficult for an insider to steal documents.
While protecting sensitive information in paper form is still a daunting task for security professionals, today is different as the previously one-dimensional insider threat now has three dimensions. Though there are many areas to consider when discussing the insider threat (ie mergers, acquisitions, supply chain interaction, globalisation), there are three classes of insiders: trusted unwitting insider, trusted witting insider and the untrusted insider.
We now live in the digital world, where the binary 1s and 0s of information travel at the speed of light. As such, the insider has a greater ability to pass the information we protect to outsiders with a lesser chance of being detected. The trusted unwitting insider threat is predominately a person with legitimate access to a computer system or network, but who errs in judgement. For instance, this insider may find a USB thumb drive in the company's restroom and, in an effort to be a good employee, plugs it into his or her company computer to determine the owner. Unbeknownst to this user, the drive was strategically placed in the restroom by an outsider with the hope that an employee would find it and use it on a company computer system. Once the drive is accessed it installs malicious software, which leads to that computer and overall network being potentially vulnerable to being compromised. An innocent effort to help a fellow employee, who may have misplaced a USB drive, turns out to be a classic case of the trusted unwitting insider.
Like the previous case, the trusted witting insider threat is a person with legitimate access to a computer system or network. This person, however, makes a conscious decision to provide privileged information to an unauthorised party for either personal gain or malicious intent. An increasingly familiar scenario is the disgruntled employee surreptitiously downloading sensitive files to a thumb drive and selling it to a competitor. Whatever the motivation, the end result is a witting violation of security protocols for nefarious reasons, justifying the designation as the trusted witting insider.
The untrusted insider, which was unprecedented before the digital age, is a direct result of the global interconnection of disparate elements on the Internet. This person is not authorised access to the computer system or network in question. However, he or she has taken advantage of compromised user credentials or a backdoor in the system to assume the role of a trusted employee.
In the context of the first scenario, the outsider who planted the USB thumb drive in the restroom became the untrusted insider when the malicious files were installed on the company computer giving them access. Essentially he was a wolf in sheep's clothing inside the network. Once this role is assumed, the outsider is now an insider and has unprecedented access to internal information. This is no longer a simple intrusion, as this untrusted insider can now perform actions reserved for your trusted employees.
Insider threats are hard enough to detect. Network perimeter security is rendered useless once the untrusted insider has used valid credentials to gain access to the computer or network. Most of the components of layered defense strategies, such as policies, procedures and technical controls, can be rendered useless during this type of compromise. Technical controls stand the best chance of stopping the wolf, but differentiating the wolf from the sheep is an extremely difficult problem to solve.
The new breed of insider threats begs the question: Are you looking inward on your networks to protect against the insider threats, including those that look like your own employees? User credentials, or usernames and passwords, are compromised on a seemingly regular basis. Hotmail and other web-based email systems were recently the victims of large-scale credential theft, with a vast amount of the stolen information posted on various hacker websites. What if your users use the same password for their personal email that they use for their work computer?
In an effort to memorise the least amount of information, it is only human nature to try to use the same password for multiple systems. This situation occurs more frequently than administrators, CSOs, and CEOs like to admit. With the range of actions that can be taken by intruders with usernames and possible passwords in hand, a whole new class of insider threat is emerging.
Aside from having unrestricted access to your sensitive data, the untrusted insider may now have the capability to use your systems against you. Changing a purchase order quantity from 10 to a 1000, or placing new unwanted orders from vendors are only a very mild form of havoc a creative untrusted insider can create for your enterprise. What if they have access to your systems and create safety issues that can cause physical damage and loss of life?
Does your risk management strategy take the untrusted insider into account? As you audit your computer systems and networks, who do you see & a wolf or a sheep? Chances are you see both.