Insider threat management

From HandWiki

Insider threat management is the process of preventing, detecting, monitoring and responding to threats posed by employees, remote vendors and contractors, in order to protect an organization's data from insider threats such as theft, fraud and damage.[1]

Background

An insider is an individual who is employed by an agency and has access to its facilities, sensitive information, organizational data, information systems and other equipment.[2] Insiders typically hold accounts that give them legitimate access to computer systems, granted so that they can perform their duties; those same permissions can be abused to harm the organization. Insiders are often familiar with the organization's data and intellectual property, and with the methods in place to protect them, which makes it easier for them to circumvent any security controls they know about. Physical proximity to the data means an insider does not need to break into the organizational network through the outer perimeter by traversing firewalls; they are already in the building, often with direct access to the internal network. Insider threats are therefore harder to defend against than attacks from outsiders, since the insider already has legitimate access to the organization's information and assets.[3]

Insiders may include permanent and temporary employees, vendors, contractors, suppliers and ex-employees.[4] The most common insider threats come from people with elevated access, who can use sensitive information without drawing suspicion. However, anyone can become an insider threat if they fail to dispose of, secure or use sensitive information as required by the agency's regulations. There have also been cases where an individual was compromised by a hostile agency, which exploited the individual's financial situation, threats to their life or other pressure to force them to comply with its demands.

Criminal activity

An insider may attempt to steal property or information for personal gain, or to benefit another organization or country.[3] These attacks range from the theft of information to the destruction of business property. Insiders may carry out the following threats against their organization:

  • Espionage, criminal enterprise, fraud, theft and unauthorized disclosure of information (classified information, sensitive information, intellectual property, trade secrets, Personally Identifiable Information (PII))
  • Information technology sabotage
  • Any action that results in the loss or degradation of organization resources or capabilities and its ability to accomplish its mission or business function.
  • Acts of terrorism[2]

Common insider identifiers

Insiders share characteristics that can be compiled to help identify possible threats. Research has associated malicious insiders with the "dark triad" of personality traits: Machiavellianism, narcissism and psychopathy.[4]

On the information-system side, the following are common behavioral indicators observed in known insider cases:[5]

  • Downloading substantial amounts of data to external drives
  • Accessing confidential data that is not relevant to the user's role
  • Emailing sensitive information to a personal account
  • Attempts to bypass security controls
  • Requests for clearance or higher-level access without need
  • Frequently accessing the workspace outside of normal working hours
  • Irresponsible social media behavior
  • Maintaining access to sensitive data after termination
  • Using unauthorized external storage devices
  • Visible disgruntlement toward employers or co-workers
  • Chronic violation of organization policies
  • Decline in work performance
  • Use of mobile devices to photograph or otherwise record computer screens, common work areas or data centers
  • Excessive use of printers and scanners
  • Electronic communications containing excessive use of negative language
  • Installing unapproved software
  • Communication with high-risk current or former employees
  • Traveling to countries known for intellectual property (IP) theft or hosting competitors
  • Violation of corporate policies
  • Network crawling, data hoarding or copying from internal repositories
  • Anomalies in work hours
  • Attempts to access restricted areas
  • Indications of living beyond one's means
  • Discussions of resigning or new business ventures
  • Complaints of hostile, abnormal, unethical or illegal behavior
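Several of the indicators above (bulk copies to removable media, access outside the user's role, mail to personal accounts, off-hours activity, data hoarding, and access after termination) can be derived from ordinary audit logs. The following is an added example written for this article, not code from the cited sources or from any vendor product: it scores a constructed set of audit events against those indicators. The event format, the role-to-data mapping, the corporate domain, the working-hours window, the byte thresholds and the termination list are all assumptions made for the example.

```python
"""Score audit events against log-derivable insider-threat indicators.

Illustrative example for this article. The log schema, thresholds,
role map and sample events below are constructed assumptions, not data
from any real organization.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit events: (timestamp, user, action, detail, bytes)
SAMPLE_EVENTS = [
    ("2024-03-04T09:12:00", "alice", "file_read",  "hr/payroll.xlsx",       120_000),
    ("2024-03-04T23:41:00", "bob",   "usb_write",  "E:/dump.zip",           9_800_000_000),
    ("2024-03-05T02:05:00", "bob",   "file_read",  "eng/source.tar",        4_000_000_000),
    ("2024-03-05T10:30:00", "carol", "email_send", "carol.home@gmail.com",  2_500_000),
    ("2024-03-05T11:00:00", "alice", "file_read",  "eng/roadmap.docx",      50_000),
    ("2024-03-05T09:00:00", "erin",  "file_read",  "sales/pipeline.csv",    20_000),
    ("2024-03-06T14:00:00", "dave",  "file_read",  "sales/q1.csv",          10_000),
]

# Assumed least-privilege baseline: which top-level data areas each role may read.
ROLE_AREAS = {"alice": {"hr"}, "bob": {"eng"}, "carol": {"sales"},
              "dave": {"sales"}, "erin": {"sales"}}
# Assumed HR feed of terminated accounts (user -> termination timestamp).
TERMINATED = {"erin": "2024-03-01T00:00:00"}
CORPORATE_DOMAIN = "example.com"        # assumption
WORK_HOURS = range(7, 20)               # 07:00-19:59 assumed normal
USB_BYTES_THRESHOLD = 1_000_000_000     # 1 GB to removable media
HOARDING_BYTES_THRESHOLD = 1_000_000_000  # 1 GB read in total per user


def event_indicators(ts, user, action, detail, nbytes):
    """Return the set of indicator names a single event trips."""
    hits = set()
    when = datetime.fromisoformat(ts)
    if when.hour not in WORK_HOURS:
        hits.add("off_hours_access")
    if action == "usb_write" and nbytes >= USB_BYTES_THRESHOLD:
        hits.add("bulk_removable_media")
    if action == "file_read":
        area = detail.split("/", 1)[0]
        if area not in ROLE_AREAS.get(user, set()):
            hits.add("out_of_role_data")
    if action == "email_send":
        domain = detail.rsplit("@", 1)[-1].lower()
        if domain != CORPORATE_DOMAIN:
            hits.add("email_to_personal")
    if user in TERMINATED and when >= datetime.fromisoformat(TERMINATED[user]):
        hits.add("access_after_termination")
    return hits


def score_users(events):
    """Aggregate per-event indicators per user and add the cross-event
    hoarding check (total bytes read over the whole batch)."""
    indicators = defaultdict(set)
    bytes_read = defaultdict(int)
    for ts, user, action, detail, nbytes in events:
        indicators[user] |= event_indicators(ts, user, action, detail, nbytes)
        if action == "file_read":
            bytes_read[user] += nbytes
    for user, total in bytes_read.items():
        if total >= HOARDING_BYTES_THRESHOLD:
            indicators[user].add("data_hoarding")
    # Only users with at least one indicator are returned, sorted for stable output.
    return {u: sorted(hits) for u, hits in indicators.items() if hits}


if __name__ == "__main__":
    for user, hits in sorted(score_users(SAMPLE_EVENTS).items()):
        print(f"{user}: {', '.join(hits)}")
```

The output is a triage list, not a verdict: each indicator on its own has benign explanations (an on-call engineer works at 02:00; a sales lead mails a file to a partner), so in practice the thresholds are tuned per role, the per-user baseline is learned rather than fixed, and a hit feeds analyst review rather than automatic action. Indicators such as disgruntlement, living beyond one's means or talk of resigning are not visible in logs at all and have to come from managers and HR.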

Examples of insider threats

The impact of insider threat incidents can be severe, costly and damaging. Not all incidents caused by insiders are malicious, but non-malicious (negligent or accidental) insider incidents can be just as damaging as malicious ones.

References [6] and [13] list numerous insider threat incidents that have had severe impacts on organizations.

Cyber security

  • NSA data breach, Edward Snowden, June 2013[7]
  • US military data leaked to WikiLeaks, U.S. soldier Chelsea Manning, January 2010[8]
  • NSA contractor alleged to have taken an estimated 50 terabytes of classified data over 20 years, Harold T. Martin III, 20 October 2016[9]

Terrorism

  • Orlando nightclub shooting, 49 people killed; Omar Mateen, who worked for a security contractor serving DHS and the State Department, 12 June 2016[10]
  • Metro Transit Police officer arrested for attempting to provide material support to ISIL, Nicholas Young, 3 August 2016[11][12]

References


  1. "Combating the Insider Threat". US-CERT. https://www.us-cert.gov/sites/default/files/publications/Combating%20the%20Insider%20Threat_0.pdf
  2. "Insider Threats Incidents, Data Breaches, News, Examples - Could They Happen To Your Organization". http://www.nationalinsiderthreatsig.org/pdfs/Insider%20Threats%20Incidents-Could%20They%20Happen%20To%20Your%20Organization.pdf
  3. "FBI Counterintelligence: The Insider Threat. An introduction to detecting and deterring an insider spy". FBI.gov. https://www.fbi.gov/about-us/investigate/counterintelligence/the-insider-threat
  4. Maasberg, M. (2015). "The Dark Side of the Insider: Detecting the Insider Threat through Examination of Dark Triad Personality Traits". 2015 48th Hawaii International Conference on System Sciences. pp. 3518–3526. doi:10.1109/HICSS.2015.423. ISBN 978-1-4799-7367-5.
  5. Moraetes, George (11 September 2017). "The CISO's Guide to Managing Insider Threats". Security Intelligence. https://securityintelligence.com/the-cisos-guide-to-managing-insider-threats/. Retrieved 8 December 2017.
  6. "Insider Threat". https://www.insiderthreatdefense.us/insider-threat/
  7. Greenwald, Glenn; MacAskill, Ewen; Poitras, Laura (11 June 2013). "Edward Snowden: the whistleblower behind the NSA surveillance revelations". The Guardian. https://www.theguardian.com/world/2013/jun/09/edward-snowden-nsa-whistleblower-surveillance
  8. "U.S. soldier Manning gets 35 years for passing documents to WikiLeaks". Reuters. 21 August 2013. https://www.reuters.com/article/us-usa-wikileaks-manning/u-s-wikileaks-soldier-manning-to-learn-his-fate-on-wednesday-idUSBRE97J0JI20130821
  9. Nakashima, Ellen (20 October 2016). "Government alleges former NSA contractor stole 'astonishing quantity' of classified data over 20 years". The Washington Post. https://www.washingtonpost.com/world/national-security/government-alleges-massive-theft-by-nsa-contractor/2016/10/20/e021c380-96cc-11e6-bb29-bf2701dbe0a3_story.html
  10. "Slipped through the cracks: Orlando killer worked for DHS, State contractor". Fox News. 13 June 2016. http://www.foxnews.com/politics/2016/06/13/orlando-killer-worked-for-dhs-state-contractor-that-helps-secure-us-embassies.html
  11. "FBI Arrests Law Enforcement Officer for Material Support of ISIL". FBI. 3 August 2016. https://www.fbi.gov/contact-us/field-offices/washingtondc/news/stories/fbi-arrests-law-enforcement-officer-for-material-support-of-isil
  12. "Cop in Court for Allegedly Trying to Assist ISIS". ABC News. 3 August 2016. https://abcnews.go.com/US/dc-metro-transit-cop-appears-court-allegedly-assist/story?id=41089376
  13. "Famous Insider Threat Cases". Gurucul. https://gurucul.com/blog/famous-insider-threat-cases