Understanding the “Insider Threat”
Insider security threats refer to cybersecurity threats that originate from within an organization. These threats can come from employees, contractors, or any other insiders who have access to sensitive information. Concerns surrounding insider threats include data leaks, data theft, and intentional sabotage of systems or data, which can lead to financial loss, reputation damage, and potentially legal consequences for the organization.
A study conducted independently by the Ponemon Institute shows that external threats are not the only concern in an organization's cybersecurity program. Internal threats, arising from malicious, negligent, or compromised users, have become a growing risk, as detailed in the 2022 Cost of Insider Threats: Global Report. Over the last few years, insider threat incidents have risen by 44%, and the cost per incident has grown by more than a third to $15.38 million.
Here are a handful of key takeaways from the report:
- The cost of credential theft to organizations has risen by 65%, from $2.79 million in 2020 to $4.6 million today.
- The time needed to contain an insider threat incident has risen from 77 days to 85 days, and containment is now the activity on which organizations spend the most.
- Incidents that take longer than 90 days to contain cost organizations an average of $17.19 million annualized.
Insider threats pose a real security risk to companies. As many businesses have discovered, the cause may be a deliberately malicious insider, or it may be something as simple as someone opening a malware-laden attachment that gives outsiders the opportunity to steal information. Common web security threats include:
- SQL Injection (SQLi): Attackers inject malicious SQL code into a query, which can lead to unauthorized access, data theft, or even database corruption.
- Cross-Site Scripting (XSS): Malicious scripts are injected into websites and are executed in the user’s browser. This can lead to session hijacking, identity theft, or defacement of a website.
- Cross-Site Request Forgery (CSRF): Attackers trick users into performing actions on websites where they are authenticated, potentially leading to unauthorized changes or data breaches.
- Distributed Denial of Service (DDoS): Multiple compromised systems (often part of a botnet) are used to flood a target system with traffic, rendering it inaccessible to legitimate users.
- Man-in-the-Middle (MitM) Attack: Attackers intercept and possibly alter communication between two parties without their knowledge. This can lead to eavesdropping or data alteration.
- Session Hijacking: Attackers take over a user’s session to gain unauthorized access to protected resources.
- Phishing: Cybercriminals use fake emails, websites, or messages that appear to be from legitimate sources to trick users into revealing sensitive information, like login credentials or credit card numbers.
- Directory Traversal: Attackers access files and directories stored outside the web root folder by manipulating variables that reference files with “../” (dot-dot-slash) sequences.
- Malware: This includes a variety of malicious software, like viruses, worms, ransomware, and trojans. They can be spread through malicious downloads, compromised websites, or malicious advertisements.
- Unvalidated Redirects and Forwards: Attackers exploit applications that allow users to specify input which is then used to redirect them to other pages. This can be used to guide users to malicious sites or to carry out phishing attacks.
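To make the directory traversal item concrete from the defender's side, here is an added example (not code from the article) contrasting the weak string-prefix check with a containment check on the canonical path. The web root path, the decode-once rule, and the sample inputs are assumptions for this illustration.

```python
import os
from pathlib import Path
from typing import Optional
from urllib.parse import unquote

# Assumed web root for this example; nothing is opened, so the directory need not exist.
WEB_ROOT = Path("/var/www/site/public")

def naive_prefix_check(user_path: str, root: Path = WEB_ROOT) -> bool:
    """The weak check: join, normalize, then compare string prefixes. Shown only for contrast."""
    joined = os.path.normpath(os.path.join(str(root), user_path))
    # Accepts a sibling such as /var/www/site/public_old because it shares the prefix.
    return joined.startswith(str(root))

def resolve_under_root(user_path: str, root: Path = WEB_ROOT) -> Optional[Path]:
    """Return the canonical path if it stays inside root, otherwise None.

    Steps: percent-decode once, reject NUL bytes, drop a leading slash so the join
    cannot become an absolute path, collapse '..' and symlinks with resolve(), and
    finally test containment component-wise rather than by string prefix.
    """
    decoded = unquote(user_path)
    if "\x00" in decoded:
        return None
    root_resolved = root.resolve(strict=False)
    candidate = (root_resolved / decoded.lstrip("/")).resolve(strict=False)
    try:
        candidate.relative_to(root_resolved)   # raises ValueError when outside root
    except ValueError:
        return None
    return candidate
```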
It’s important to note that the landscape of web security threats is continuously evolving, and the defenses against them must evolve too. Proper security measures, timely patches, and staying informed about the latest threats are crucial for maintaining a secure web presence.
Insider threat actors generally fall into four categories:
- Compromised actors: Insiders whose access credentials or computing devices have been compromised by an outside threat actor. These insiders are harder to address because the real attack originates outside, so the attacker runs a much lower risk of being identified.
- Negligent actors: Insiders who expose data accidentally — such as an employee who accesses company data over public Wi-Fi without knowing that it is unsecured. A large number of data breach incidents result from employee negligence towards security measures, policies and practices.
- Malicious insiders: Insiders who intentionally steal data or destroy company networks – such as a former employee who installs malware on corporate computers on their last day at work.
- Tech-savvy actors: Insiders who treat security controls as a challenge. They use their knowledge of weaknesses and vulnerabilities to get past clearance restrictions and reach sensitive information. Tech-savvy actors can pose some of the most dangerous insider threats and are likely to sell confidential information to external parties or black-market bidders.
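As an added example of how an insider risk tool could operationalize the four categories above (this is illustrative code written for this page, not the article's or any vendor's product), the rules below run over constructed access log lines and label each event with the category its indicators suggest. The log format, the offboarding dates, device inventory, role-to-path mapping and the bulk-transfer threshold are all assumptions.

```python
import re
from datetime import datetime
from typing import List, Tuple

# Constructed reference data for this example (not from the article).
OFFBOARDED = {"jdoe": datetime(2024, 3, 1, 23, 59)}   # user -> last working day
KNOWN_DEVICES = {"asmith": {"lt-17"}, "jdoe": {"lt-03"}}
ROLE_PATHS = {"asmith": ("/engineering/",), "jdoe": ("/finance/",)}
SENSITIVE = ("/finance/", "/hr/")
BULK_BYTES = 500_000_000   # assumed threshold for a bulk transfer

# Constructed log format: "<iso-ts> user=<u> dev=<d> net=<corp|public> path=<p> out=<bytes>"
LINE_RE = re.compile(r"(\S+) user=(\S+) dev=(\S+) net=(\S+) path=(\S+) out=(\d+)")

def parse(line: str) -> dict:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsable line: {line!r}")
    ts, user, dev, net, path, out = m.groups()
    return {"ts": datetime.fromisoformat(ts), "user": user, "dev": dev,
            "net": net, "path": path, "out": int(out)}

def classify(ev: dict) -> List[str]:
    """Map one event onto the insider categories described above."""
    flags = []
    last_day = OFFBOARDED.get(ev["user"])
    if last_day is not None and ev["ts"] > last_day:
        flags.append("malicious: activity after offboarding date")
    if ev["dev"] not in KNOWN_DEVICES.get(ev["user"], set()):
        flags.append("compromised: credentials used from an unknown device")
    if ev["net"] == "public" and ev["out"] > 0:
        flags.append("negligent: data sent over an untrusted network")
    in_role = any(ev["path"].startswith(p) for p in ROLE_PATHS.get(ev["user"], ()))
    if ev["path"].startswith(SENSITIVE) and not in_role:
        flags.append("tech-savvy: sensitive data reached outside assigned role")
    if ev["out"] >= BULK_BYTES:
        flags.append("bulk transfer: review regardless of category")
    return flags

def scan(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (user, flags) for every event that raised at least one flag."""
    return [(ev["user"], f) for ev in map(parse, lines) if (f := classify(ev))]

SAMPLE_LOG = [  # constructed events, not real telemetry
    "2024-02-10T09:15:00 user=asmith dev=lt-17 net=corp path=/engineering/build.log out=1200",
    "2024-02-11T13:02:00 user=asmith dev=lt-17 net=public path=/engineering/design.pdf out=90000",
    "2024-03-02T01:40:00 user=jdoe dev=lt-03 net=corp path=/finance/q4.xlsx out=700000000",
    "2024-02-20T22:10:00 user=asmith dev=unknown-ph net=corp path=/hr/salaries.csv out=40000",
]
```

Each flag is an indicator to review, not a verdict; a real tool would correlate several indicators per user over time before escalating.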
The sooner companies move from thinking about breach prevention to thinking about breach acceptance, the sooner they will be better prepared to minimize the impact of data breaches, whether they come from insiders or hackers.
Insider-induced security threats can affect any organization, as recent cybersecurity incidents show. While the fallout from such breaches can be severe, specialized insider risk management tools often allow these attacks to be detected and prevented.
By Gary Bernstein