While government agencies and private sector companies continue to toughen their computer networks against the risk of a cyber attack, the biggest threat may be an employee who walks through the front door. Edward Joseph Snowden, the American “whistleblower” who copied and leaked highly classified information from the NSA in 2013 when he was a CIA employee and subcontractor, remains a prime example that the weakest link is often an employee.
Insider Threat Awareness Does Not Create Solutions
A recent Wall Street Journal study, confirms that employees remain the biggest cybersecurity threat today. As the report noted, “Those looking to steal organizations’ data may be proxies of a hostile foreign government, career cybercriminals, or enraged activists. But they’re just as likely to be members of an organization’s own staff.”
The good news is that many companies are actually aware of the risk from insiders, but unlike in other areas of cybercrime, the companies and agencies are also struggling for solutions. Despite technological advances, it remains hard to spot an employee who is likely to steal or leak data.
Big Damage From the Threat Within
For years, cybersecurity experts have warned companies that it isn’t a matter of “if” there will be a cybersecurity breach but rather a “when” such attack could occur. And while employees pose a very real and serious risk, in some cases it may not be intentional. It’s easy to think about cybersecurity as a hypothetical issue, but it’s helpful to chat with those actually dealing with it.
ClearanceJobs received feedback from leaders in the cybersecurity field: Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, Saryu Nayyar, CEO of unified security and risk analytics firm Gurucul, and Chris Clements, vice president of solutions architecture Cerberus Sentinel.
“Retrospectively, internal actors are only responsible for 21-25% of data breaches, according to the Verizon DBIR (Data Breach Investigations Report) ,” explained Mounir Hahad. “But most of those are the result of ‘misconfiguration’ errors or mis-delivery of sensitive or intellectual property data. Malicious activity is rare amongst internal actors. CISOs (chief information security officers) are more concerned about internal actors because it is harder to spot a malicious activity by an employee or a contractor entrusted with privileged access.”
One factor in the increased concern for insider threats could also be that organizations may have better monitoring and even forensics tools to ascertain insiders as the source of data and IP exfiltration.
“Whether insider threats are increasing or just more readily detectable, the fact remains that malicious employees are a massive threat,” warned Saryu Nayyar. “Insiders already know what to take and where to find it.”
“While insider threats are vastly more rare in occurrence as compared to the volume of attacks that organizations face being bombarded from the Internet and phishing campaigns, they can be among the most devastating as they leverage personnel’s legitimate access to sensitive computer systems or data,” added Chris Clements. “To effectively detect potential insider attacks, organizations should implement auditing and monitoring controls and processes for regular review for suspicious activity. This can include technical controls that record every time a file on a server is accessed and by whom, or file ‘honeypots’ that are specifically planted as to be attractive to potential attackers.”
Do your Own Phishing And Watching
Clements said to think of fake files named “passwords.xlsx” or “Secret_Intellectual_Property.docx” that are never used by legitimate users and set to trigger immediate alerts should anyone attempt to access them.
“Of course, for this to be effective, logs and alerts must be regularly monitored and reviewed for suspicious activity. This can also extend to physical controls like building access systems,” Clements explained. “If an employee’s normal working hours are typically 8am to 5pm and a regular review shows them badging in at 2am every Saturday, that should be cause enough to investigate why that is happening.”
Watching for MICE
In many ways, cyber is as vulnerable as any other data and perhaps even more so. This is where the old moniker MICE comes into play as in Money, Ideology, Compromise, and Ego. It is generally for those reasons that an employee will steal and/or share sensitive data.
“Personnel are frequently victims of social engineering campaigns like phishing that give attackers access to sensitive internal data; however, they can be motivated by third parties to purposefully engage in malicious activity or espionage,” said Clements. “Sometimes this motivation can be for what seems like a shockingly small sum of money, or with threats of personal or professional extortion. Because it can be very difficult to proactively identify and prevent either inadvertent or purposeful insider threats, organizations should focus on awareness training of the threats as well as technical controls and check-and-balance systems to ensure that any suspicious behaviors are quickly caught and addressed.”
However, cybersecurity experts warn that this is still just a tip of a bigger issue.
Behavior Analysis is Key
“And, it doesn’t matter the motive. Retribution, money, jealousy, anger, spite – companies cannot decode people’s personal agendas,” said Nayyar. “They can, however, lean on behavioral analysis to give them an inkling of what’s happening with their employees that’s different and potentially harmful based on historical behavior patterns.”
From those patterns a bigger picture of a potential problem could be spotted and even stopped.
“Linking and aggregating data across multiple sources provides rich context for analyzing individual behaviors,” added Nayyavr. “For example, if an employee gets a poor performance review and then starts searching Indeed for jobs, this behavior indicates discontent. This person is a flight risk. At this point, the organization should put him on a watch list and carefully vet his activity going forward to ensure no ‘malintent’ is enacted. Without linking this person’s HR data with his website visits, this unusual and troubling behavior pattern would not have been detected. Machine learning powered behavior analytics shines a bright light on the darkest intentions of your troubled employees.”
Know When to Bring in the Authorities
If an employee is suspected of stealing data, alerting the authorities is the best course of action – regardless of the motivations.
“Trying to use the MICE detection by internal security staff is not recommended in my opinion, as it will only lead to potentially discriminating behavior,” suggested Hahad. “We should leave that to the authorities when investigating an actual incident. The real concern with employees is errors and unintentional mishandling of sensitive data or even falling victim to phishing. This is much more likely to happen and will cause just as much damage to the organization.”
Reduce Access When Suspicious
And if an employee is suspected – but proof is lacking, a reasonable limiting of access to information may need to be placed on the individual.
“Reduce access and privilege to what is truly needed to accomplish one’s job duties,” said Hahad. “This includes segmenting networks, ensuring no shared credentials are used and regularly auditing access to sensitive data. Train staff to new technologies like cloud environments to avoid costly configuration mistakes, and educate all employees about internal threats and how they can report suspicious activity anonymously.”
While some of these tactics may seem draconian, if handled correctly, it could be the best course of action to stop a leak of information or worse.
