Understanding the “Insider Threat”
The revelations that last month’s Sony hack was likely caused by a disgruntled former employee have put a renewed spotlight on the insider threat.
The insider threat first received attention after Edward Snowden began to release all sorts of confidential information regarding national security. While many called him a hero, what was too often under-reported was the way Snowden gathered his information – by misusing his credentials. In fact, the 2014 Verizon Data Breach Investigations Report stated that privilege abuse was the most common type of insider threat by far.
Insider threats can pose a real security risk to companies. They can be caused by someone who is purposely malicious, as Sony discovered, or it can be something as simple as someone opening an attachment loaded with malware that allows outsiders the opportunity to steal information.
“It is important to understand that there are several different categories of insider threat actors, and each of them represents significant challenges to organizations,” said a security researcher at DoTerra.
- Compromised actors: Insiders with access credentials or computing devices that have been compromised by an outside threat actor. These insiders are more challenging to address since the real attack is coming from outside, posing a much lower risk of being identified.
- Negligent actors: Insiders who expose data accidentally — such as an employee who accesses company data through public WiFi without the knowledge that it’s unsecured. A large number of data breach incidents result from employee negligence towards security measures, policies and practices.
- Malicious insiders: Insiders who steal data or destroy company networks intentionally – such as a former employee who injects malware in corporate computers on his last day at work.
- Tech savvy actors: Insiders who react to challenges. They use their knowledge of weaknesses and vulnerabilities to breach clearance and access sensitive information. Tech savvy actors can pose some of the most dangerous insider threats, and are likely to sell confidential information to external parties or black market bidders.
Data theft by insiders is as much the result of companies failing to implement strategies and technologies to employee monitor behavior and govern access to data as it the actual malicious behavior of an employee seeking financial gain or revenge, Jason Hart, VP, Cloud Solutions, at SafeNet, pointed out.
“The enemy within has been a threat to data security for decades and is nothing new,” said Hart. “However, the frequency and impact of insider security incidents have increased because the notion of a ‘security perimeter’ has completely disappeared. Companies have embraced distributed, mobile models for their workforces based on the consumerization of IT and the increased use of shared resources.”
This is especially true with BYOD, cloud services or consumer hosting. “These practices have reduced the effectiveness of traditional security, which has focused on the securing the perimeter, endpoints within the enterprise, and corporate networks.”
To defend against the insider threat, IT departments will need to take a different approach to security. According to Asaf Cidon, CEO of Sookasa, it is time to stop thinking about securing the network or the perimeter and begin focusing on securing the data.
“The worst-case scenario often isn’t a hacker breaching internal systems, despite all the attention that massive hacks like Sony get. It’s an employee that loses his smartphone or has his laptop stolen,” Cidon said. “The best defense lies in securing the data—not just the devices. That means encrypting at the file-level, so confidential information is protected no matter where it ends up. IT administrators need tools that enable proactive security. By being able to track, audit, and control—even employees’ personal devices, security is dramatically enhanced. And by being able to change permission settings in real-time, IT admins can address threats underway, from lost or stolen devices or malicious insiders.”
The key is understanding what data needs be classified as critical, where that data resides and flows, and conducting a risk assessment based on confidentiality, integrity, accountability and auditability, Hart added. “There is no single technology that can provide the silver bullet to stop insider threats. Companies need to adopt technologies such as identity and access management and authentication to set policies that govern who can access what and when. This needs to be coupled with monitoring technologies that provide alerts when data is being accessed from a device or individual outside the normal patterns of activity.”
The sooner companies stop thinking breach prevention and start thinking breach acceptance, the sooner they will be better prepared to minimize the impact of data breaches whether they are from insiders or hackers.
By Jeremy Page