Who is attacking your network?
There is growing awareness of the security risk of insider threats, but there is no one type of insider. Tom Cross of Lancope looks at the faces and motivations behind insider threats
Long overshadowed by APTs, zero-day malware and other external threats, the insider threat is finally beginning to gain some awareness. In a recent survey conducted by Lancope, the insider threat was a major concern to respondents, with 40% citing it as a top risk to their organisation. Out of those surveyed who cited just one main risk to their organisation, the insider threat was their top pick. Recent news events such as the WikiLeaks disclosures have also brought the insider threat into focus.
It is important to understand what people really mean when they say ‘insider threat’. There are several types of insider threat, and each type requires different approaches from an information security program.
Who Is the Insider Threat?
At Lancope, we view the insider threat as three distinct categories of threat actor:
- Negligent Insiders — Insiders who accidentally expose data – such as an employee who forgets their laptop on an airplane.
- Malicious Insiders — Insiders who intentionally steal data or destroy systems — such as a disgruntled employee who deletes some records on his last day of work.
- Compromised Insiders — Insiders whose access credentials or computers have been compromised by an outside attacker.
When people talk about the insider threat, they are often referring to negligent insiders who accidentally harm systems or leak data due to carelessness. However, the other categories of insider threat also represent significant challenges for organisations. It is important to understand what impact each category of insider threat has for your organisation.
Negligent insiders don’t mean to do anything wrong — they are just employees who have access to sensitive data and inadvertently lose control of it. A large number of security incidents and data breaches fit this description.
Various measures can be used to deter negligent activity and ‘keep honest people honest’. Access controls can prevent people from obtaining sensitive data that they do not need in order to do their jobs. Encryption of data at rest can also limit data loss by negligent insiders in the event that they lose their laptops or other equipment. User education also matters here. Anything you can do to get employees to be more conscientious with company data can have a positive impact – for example, providing dummy datasets to developers so that they don’t work with real PII on development systems. You want the path of least resistance for people to get their jobs done to also be a path that protects sensitive data.
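One concrete way to act on the dummy-dataset advice above, as an added example that is not code from Lancope or from the article: a keyed pseudonymisation pass that turns a production-style customer extract into a developer copy. The field names, the sample records and the key are constructed for illustration. The mapping is keyed (HMAC) so that the same real person always maps to the same fake identity, which keeps joins and duplicate detection working in development, while the key itself stays out of the development environment so the tokens cannot be confirmed by hashing guessed names. Formats are preserved so application-side validation still passes, and a final check confirms that no original value survived.

```python
"""Pseudonymise a customer dataset for use on development systems.

Added example (not the article's or Lancope's code). Field names, sample
records and the key are constructed for illustration only.
"""
import copy
import hashlib
import hmac

# Fields treated as direct identifiers; every other field passes through.
PII_FIELDS = ("name", "email", "ssn", "phone")

FIRST_NAMES = ["Alex", "Sam", "Jordan", "Casey", "Morgan", "Riley", "Taylor", "Jamie"]
LAST_NAMES = ["Smith", "Patel", "Garcia", "Nguyen", "Okafor", "Schmidt", "Rossi", "Kim"]

# Constructed demo key. In practice it lives with the production export job,
# never on the development systems that receive the output.
DEV_KEY = b"example-key-keep-this-out-of-the-dev-environment"

# Constructed sample extract; record 1003 is a second account for the same
# person as 1001, to show that the mapping stays consistent.
SAMPLE_RECORDS = [
    {"customer_id": 1001, "name": "Jane Doe", "email": "jane.doe@corp.example",
     "ssn": "123-45-6789", "phone": "202-555-0147", "plan": "gold", "balance": 120.50},
    {"customer_id": 1002, "name": "John Roe", "email": "john.roe@corp.example",
     "ssn": "987-65-4321", "phone": "202-555-0199", "plan": "silver", "balance": 0.0},
    {"customer_id": 1003, "name": "Jane Doe", "email": "jane.doe@corp.example",
     "ssn": "123-45-6789", "phone": "202-555-0147", "plan": "gold", "balance": 7.25},
]


def _digest(key: bytes, field: str, value: str) -> bytes:
    # Keyed hash: without the key, an attacker cannot confirm a guessed value
    # by hashing it. The field name is mixed in so the same string in two
    # different fields yields different tokens.
    return hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).digest()


def _fake_name(d: bytes) -> str:
    return f"{FIRST_NAMES[d[0] % len(FIRST_NAMES)]} {LAST_NAMES[d[1] % len(LAST_NAMES)]}"


def _fake_email(d: bytes) -> str:
    # example.com is reserved, so dev code can never mail a real person.
    return f"user-{d[:6].hex()}@example.com"


def _fake_ssn(d: bytes) -> str:
    # Keep the 3-2-4 shape so format validation still passes, but derive the
    # digits from the digest rather than from the real number.
    n = int.from_bytes(d[:5], "big") % 10**9
    s = f"{n:09d}"
    return f"{s[:3]}-{s[3:5]}-{s[5:]}"


def _fake_phone(d: bytes) -> str:
    n = int.from_bytes(d[5:9], "big") % 10000
    return f"555-{n:04d}"


GENERATORS = {"name": _fake_name, "email": _fake_email, "ssn": _fake_ssn, "phone": _fake_phone}


def pseudonymize_record(record: dict, key: bytes) -> dict:
    """Return a copy of `record` with every PII field replaced by a keyed token."""
    out = copy.deepcopy(record)
    for field in PII_FIELDS:
        if out.get(field) is not None:
            out[field] = GENERATORS[field](_digest(key, field, str(out[field])))
    return out


def pseudonymize_records(records, key: bytes) -> list:
    return [pseudonymize_record(r, key) for r in records]


def leaked_values(originals, pseudonymized) -> set:
    """Return any original PII value that survived into the output (should be empty)."""
    real = {str(r[f]) for r in originals for f in PII_FIELDS if r.get(f)}
    seen = {str(v) for r in pseudonymized for v in r.values()}
    return real & seen


if __name__ == "__main__":
    dev_copy = pseudonymize_records(SAMPLE_RECORDS, DEV_KEY)
    for row in dev_copy:
        print(row)
    print("leaked:", leaked_values(SAMPLE_RECORDS, dev_copy) or "none")
```

Two caveats a practitioner would want stated: this is pseudonymisation, not anonymisation, so fields such as plan and balance still act as quasi-identifiers and may need bucketing or suppression before the data leaves the production boundary; and anyone who obtains the key can recompute tokens for guessed names, which is why the key belongs with the export job rather than in the development environment it feeds.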
Malicious insiders are employees who intentionally set out to harm the organisation, either by stealing data or by damaging systems. In most cases, malicious insiders were once happy employees: attacks on computer systems by employees often follow a breakdown in the relationship between the employee and the company, which can happen for a variety of reasons.
Research by the CERT Insider Threat Center at Carnegie Mellon University surrounding hundreds of real-world cases of attack by malicious insiders has shown that most incidents fit into one of three categories:
- IT Sabotage — Someone destroys data or systems on the network.
- Fraud — Someone steals or manipulates confidential data on the network for financial gain.
- Theft of Intellectual Property — Someone steals intellectual property for competitive advantage or business gain.
The motivations that turn insiders against their organisations are diverse, and include the following:
- Job or career dissatisfaction — Someone who is extremely dissatisfied with their current work or career situation may attempt to harm their employer by destroying or stealing data.
- Monetary gain — When exposed to valuable data that could make them money on the black market, some employees will be unable to resist the temptation to steal and sell it.
- Espionage — Both nations and corporations have been known to plant insiders within organisations for the sole purpose of stealing trade secrets and intellectual property.
- Activism — Activists are associated with a particular ideological movement, and can use the theft and exposure of confidential data to bring attention to their cause.