I attended the recent SC Virtual Summit, where there was an interesting panel discussion regarding insider threat from employees within the enterprise network. Many IT managers and CISOs are now fully aware that employees, contractors and business partners, with legitimate accounts on key internal systems, all have the potential to cause significant damage or data loss to corporate information. This damage or data loss could be malicious (fraud, IT sabotage, data theft) or non-malicious (negligence, lack of supervision, poor security policy controls).
One of the key parts in starting to develop a defence and counter-measure approach to such threats is to understand the catalyst behind such an attack. Not all employees or contractors pose the same level of threat, and not all threats can be treated the same.
As the types of incidents can vary, so do the culprits involved. A malicious strategic attack on intellectual property, for example, is perhaps more likely from senior personnel with higher levels of access to specific key systems. Basic data theft of customer records may well be more likely from lower-level call centre staff, who have a high turnover due to poor promotion opportunities. It is important to understand the different threat angles and attack surfaces using the same risk management approach as for something like cyber or virus attacks.
Once a clear classification of assets has been done, it is important to map those attack angles in order to understand the ‘who, what, why’ of an attack, so that effective discovery, remediation and prevention techniques can be deployed.
Effective counter-measures can come from understanding the motive or catalyst behind an attack in the first instance. Are attacks more likely from employees with monetary difficulties, poor past appraisals, general morale issues and so on? Inhibitors to attack should be based not only on the fear of capture, but also on the colleague and public reaction to being caught (job loss, lack of reference), as well as the increasing technical difficulty of complicated fraud and theft attacks (separation of duties, monitoring).
Human behaviour will have a heavy influence on the size, complexity and type of attack being initiated. This behaviour can be monitored not only from a technical perspective (tracking account activity, developing patterns of use) but also at the human interaction level: is the employee happy, motivated, and so on?
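As an added example (not from the original post), the ‘tracking account activity, developing patterns of use’ idea in code: build a per-account baseline from a window of access events, then flag later events that touch a new resource, fall outside the account's usual hours, or read far more records than the baseline ever saw. The account names, resource names, event tuples and the volume threshold are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample access events: (account, hour_of_day, resource, records_read).
# These are illustrative and not taken from any real system.
BASELINE_EVENTS = [
    ("alice", 9, "crm.customers", 40), ("alice", 11, "crm.customers", 55),
    ("alice", 14, "crm.tickets", 20), ("alice", 16, "crm.customers", 35),
    ("bob", 10, "finance.invoices", 12), ("bob", 15, "finance.invoices", 18),
    ("bob", 13, "finance.approvals", 3),
]
RECENT_EVENTS = [
    ("alice", 10, "crm.customers", 50),     # within normal pattern
    ("alice", 23, "crm.customers", 5000),   # late-night bulk read
    ("bob", 14, "finance.payments", 2),     # resource never seen for this account
    ("bob", 11, "finance.invoices", 15),    # within normal pattern
]

def build_baseline(events):
    """Per-account profile: resources touched, hours active, largest single read."""
    profile = defaultdict(lambda: {"resources": set(), "hours": set(), "max_records": 0})
    for account, hour, resource, records in events:
        p = profile[account]
        p["resources"].add(resource)
        p["hours"].add(hour)
        p["max_records"] = max(p["max_records"], records)
    return profile

def find_anomalies(events, profile, volume_factor=3):
    """Return (account, resource, reasons) for each event that deviates from its baseline.

    volume_factor is an assumed threshold: a read larger than volume_factor times the
    account's previous maximum is treated as a volume spike.
    """
    findings = []
    for account, hour, resource, records in events:
        p = profile.get(account)
        reasons = []
        if p is None:
            reasons.append("unknown account")
        else:
            if resource not in p["resources"]:
                reasons.append("new resource")
            if not (min(p["hours"]) <= hour <= max(p["hours"])):
                reasons.append("outside usual hours")
            if records > volume_factor * p["max_records"]:
                reasons.append("volume spike")
        if reasons:
            findings.append((account, resource, reasons))
    return findings
```

A finding is a prompt for review rather than proof of intent; a spike from a legitimate month-end report looks the same as one from a data theft, which is why the post pairs technical monitoring with the human context.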
Insider threat is a truly unique threat within the enterprise security landscape. Employees all have the access and opportunity to perform a malicious act. The third important factor, which is fortunately missing from many trusted employees, is the motive. Motive, coupled with access and opportunity, is a toxic combination which many organisations now have to deal with as a significant threat to corporate information assets.
The unfortunate reality is that many organisations that have had to manage a malicious or non-malicious insider threat incident are probably now in a better place to protect themselves from future attacks.
It’s important that organisations that have yet to go through that process put in place appropriate counter-measures and analytic processes in order to prevent an attack from taking place.