Ted is an application developer who lost his job in the IT sector due to company downsizing.
Ted was displeased at being laid off just before Christmas, and expressed his displeasure by launching a systematic attack on his former company’s network.
Three weeks following his termination, the insider used the username and password of his colleague to gain remote access to the network and modify several of the company’s files, web pages, and customer information.
He also sent an email to customers asking for their personal details and inserted malicious links in the body of the email message.
Ted’s actions are classified as ‘insider threat’ – incidents of sabotage committed by individuals who are authorized to use the information systems of companies they are of were employed by to penetrate harm.
Senior security researcher at Florida-based Immunity Alex McGeorge explains that the attacks surfacing inside of a network pose a greater threat than outside threats: when you expose that kind of surface to anyone, the potential for damage is greater.
A survey named ‘Boardroom Cyber Watch 2013‘ revealed that the outside threat-centric focus of organizations doesn’t provide a holistic security posturing, specifically from threats within, indicating the growing need for insider threat analysis. More than 50 percent of the respondents said that the greatest threat to their company’s computer systems and data, in fact, comes from their own staff members.
Categories of threat actors
It is important to understand that there are several different categories of insider threat actors, and each of them represents significant challenges to organizations. Here are some distinct categories of these insiders:
- Compromised actors: Insiders with access credentials or computing devices that have been compromised by an outside threat actor. These insiders are more challenging to address since the real attack is coming from outside, posing a much lower risk of being identified.
- Negligent actors: Insiders who expose data accidentally – such as an employee who accesses company data through public WiFi without the knowledge that it’s unsecured. A large number of data breach incidents result from employee negligence towards security measures, policies and practices.
- Malicious insiders: Insiders who steal data or destroy company networks intentionally – such as a former employee who injects malware in corporate computers on his last day at work. Malicious insiders usually turn against their organizations because of the following reasons:
- Espionage: Competitors planting insiders within companies for the purpose of stealing intellectual property or trade secrets.
- Monetary gain: Employees with the desire to make money on the black market by selling valuable company data.
- Job dissatisfaction: When someone is dissatisfied with their work situation, and shows their dissatisfaction by harming their company or stealing confidential information.
- 4. Tech savvy actors: Insiders who react to challenges. They use their knowledge of weaknesses and vulnerabilities to breach clearance and access sensitive information. Tech savvy actors can pose some of the most dangerous insider threats and are likely to sell confidential information to external parties or black market bidders.
Incidents of insider threats and outcomes
Insider threat actors have caused financial and reputation damage to a plethora of companies over the years, after which many firms are giving serious consideration to insider threat analysis. The following are some of the recent instances of threat actor activities within organizations and the outcome:
- UMass Medical Center – In May, UMass Memorial’s Worcester-based flagship center said it learned a former employee may have accessed patient credentials such as date of birth, social security number, name and address outside normal job duties. The accessed information may have been used to open commercial accounts, such as cell phone and credit card accounts. UMass Memorial also determined that the information for four patients may have been misused by the ex-employee.
- The particular insider went undetected for 12 years. Upon discovering the incident, the medical center mailed notifications to approximately 2,400 patients whose information was inappropriately accessed. The incident has grabbed the attention of security advocates and negatively affected the reputation of the healthcare industry. While there is no silver bullet to protect against internal data misuse, healthcare organizations can take advantage of insider threat analysis and SIEM (security incident and event management) to look at what’s going on within the company and detect suspicious behaviors.
- Morrisons – In March, supermarket retailer Morrisons confirmed a large security breach, in which personal details of 100,000 employees were stolen from its payroll system. Morrisons said that it had been a victim of an insider breach and the stolen data, containing bank details and employee salaries, was sent to a local Bradford newspaper, affecting nearly all the supermarket chain’s employees. The tactics pointed toward the act of hacktivism or revenge because the adversaries wanted to publicize the stolen data.
- Graham Cluley reported that a Morrison employee was arrested later in connection with the theft. But whether the arrested man was responsible for the breach isn’t the big concern; what is questionable is whether Morrisons was doing enough to protect sensitive banking information of its staff. In a world of cyber espionage, external DDoS attacks, and state-sponsored attacks, it looks like Morrisons forgot the very real threat to its reputation and employee trust posed by the insider threat.
- Home Depot – Home Depot has faced a series of attacks this year involving rogue employees. It notified a group of individuals that one of its staff with authorized access to computer systems used that access to obtain credit card details of certain transactions conducted in the tool rental area of its stores. It said the employee shared less than 500 credit cards’ account information with a third party but had access to 30,000 individual accounts.
- The accessed data included addresses, names, date of births, and phone numbers, as well as the credit card expiration dates and numbers. Social security numbers and driver’s license numbers were not involved. The employee was terminated immediately after the breach discovery but indicated that Home Depot was lacking insider threat analysis and protocols to detect malicious activity within the company. The retailer also terminated three workers from its HR department in February for stealing data of thousands of employees and using the information to apply for credit cards.
The case for insider threat analysis
It is important to recognize that common cybersecurity implementations such as security incident and event management, logging and actionable intelligence alone can’t prevent insider threats. In a survey conducted by The Ponemon Institute, 54 percent respondents said that they didn’t have a multi-disciplinary program in their organization to combat insider threats, and 17 percent said that they had a defined program, but the participants were limited to the IT department.
Instead of monitoring an employee’s every activity via surveillance cameras, companies can conduct insider threat analysis to reduce the risk. Analysis is essential for all activities, as it determines whether employees understand that the employer expects them to comply with the security policies and that their behavior to violate a business process or circumvent security implementation is likely not to go undetected. Behavior analysis should include files accessed, data transfer completed, accounts created, and any activity associated with moving data out of the company’s network.
Also, some industries and governments prefer to keep their current information security conditions disclosed, which makes data collection the most critical aspect in the reporting of insider threat analysis. In such industries, IT departments can only rely on appropriate open policy and cooperate with the R&D department to bring down the risk of insider threat.
Corresponding relationships between a solid structure and an organization with correct employee behavior can be established by constructing and analyzing activity in the company’s database, which will enable the security department of a company to investigate and detect illegal activity certainly and rapidly and then to take actions in the early stages to prevent illegal behaviors.
Company management should not allow the insider’s sense of achievement to increase beyond the permitted limit by implementing policies based on current analysis. When insiders start to behave in a way that is slightly more than permitted, their expectations rise, and this freedom creates a condition where increased expectations may lead to breach of access levels and unauthorized use of sensitive information.
Insider threat analysis depict the key reasons why security policies exist within organizations and the reasons which lead to malicious behavior. Providing instances of where insider activity occurred and where the IT security department failed to detect the activity, the information could serve as a deterrent in the future to prevent such activity.
Effective separation of incidents should be conducted after the analysis to ensure that access to critical functions are not associated to the same individual. Later, checks and balances should be implemented through approval and review processes so ‘malicious gaps’ are appropriately identified and controlled.
Don’t miss a post! Subscribe to The Insider Threat Security Blog here:
Jonathan Sander is STEALTHbits’ Chief Technology Officer (CTO). As CTO, he is responsible for driving technical innovation, ensuring that STEALTHbits is well positioned in their current and emerging markets, and he will also lead corporate development efforts. Jonathan also plays the role of evangelist at STEALTHbits venues large and small. Prior to STEALTHbits, Jonathan was VP of Product Strategy for Lieberman Software.
As part of Quest Software from 1999 through 2013, he worked with the security and ITSM portfolios. He helped launch Quest’s IAM solutions, directing all business development and product strategy efforts. Previous to that, Mr. Sander was a consultant at Platinum Technology focusing on the security, access control and SSO solutions. He graduated from Fordham University with a degree in Philosophy.