The most common breaches that originate from within the organization are those caused by well-meaning employees who innocently or unknowingly violate security policy in an effort to get their jobs done. Now it is time to discuss the least common, but perhaps most dangerous, insider threat: the employee who knowingly breaks security policy in order to achieve a selfish or malicious end.
There are three main categories of deliberate insider threat:

- Theft for financial gain.
- System or data sabotage, usually to "get revenge" or to gain attention.
- Theft to gain a competitive advantage, sometimes called corporate espionage.

Theft for financial gain is one of the most common malicious threats today, particularly in a poor economic climate. It usually involves an insider abusing his or her access privileges to steal personal data or customer lists that can be sold to criminals, and it is usually carried out by a non-technical end user who has everyday access to sensitive information.
Sabotage, on the other hand, has most often been committed by savvy IT staffers who know how to damage the company's data. Theft for competitive advantage may involve stealing sensitive data, such as customer lists, or it may involve the theft of intellectual property, such as plans or designs. It is often committed by insiders who have been laid off or who plan to change jobs to work for a competitor. What is striking about all of these malicious insider attacks is that the majority of the breaches occur within a few weeks of the day that the employee resigns or is terminated.
Deliberate acts of theft garnered a good deal of press coverage in 2008, and both theft for financial gain and theft for competitive advantage featured prominently in the news. Societe Generale and Countrywide both experienced deliberate insider attacks. Societe Generale's rogue trader cost the company $7.2 billion, and his transgressions included a four-year trail of insider activity that was never caught by the company's risk management and security systems. At Countrywide, an employee simply downloaded confidential data, presumably to a USB device, and sold it over the course of a two-year period. It is estimated that over 2 million Countrywide mortgage applicants may have had their data stolen. And these are only the cases that became public.
The Computer Emergency Response Team (CERT) describes a case that occurred at an undisclosed firm, in which an employee simply downloaded a logic bomb from the Internet and then went into the system logs and altered them so that it looked like his supervisor had downloaded it. Next, he went to his supervisor's boss and said, "Hey, you know, I hate to say this, but my boss downloaded a logic bomb. I was looking through the logs and I saw this. It didn't go off, but he downloaded it." The supervisor was fired and was forced to hire an external forensics firm to come in and prove that he didn't do it. This is a good example of how savvy IT people can manipulate logs to do real damage within the organization: a log that the administrator can rewrite in place is evidence only of what the administrator wants it to say.
This example also illustrates a point that Verizon Business made in its 2009 Data Breach Investigations Report. IT administrators hold a large amount of privilege, including the ability to disable security controls or prevent them from recording what the administrators are doing. According to Verizon, IT administrators were the source of 43 percent of breaches in 2008, compared to 38 percent caused by end users.
When dealing with malicious insider threats, it may be more important to focus on environmental changes, such as disgruntled employees, behavioral changes, and unknown persons wandering the corridors, than on technology or network data. You need a solid security awareness program that covers not just what could happen to the business, but how the employee can personally be targeted. Educate the employee not only as a worker at the office but also as an individual who uses a PC or other device at home or on the road. Relating your lessons to employees' personal lives helps create a bond that improves the corporate culture of security and encourages the employee to step up when he or she sees a suspicious situation at work.
Detecting The Malicious Threat

Beyond education, there are various technologies that can help identify a malicious insider. Very simply put, once you identify a risk you should attempt to prevent it, but if you cannot prevent it, implement a detection technology that can at least help you determine how and when it happened. Many organizations focus too heavily on policy and do not implement the technology required to enforce it.
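The CERT case above and the detection point here share one concrete requirement: an audit log that an administrator cannot quietly rewrite after the fact. The following is an added example, not code from the original report or from any vendor it mentions, showing a forward-secure MAC-chained log. Each record is authenticated with HMAC-SHA256 over the previous record's tag plus the event, and the key is evolved one-way (k_{i+1} = SHA-256(k_i)) after every append so the writer can erase the old key. The auditor keeps the initial key off the host; names such as `append_entry`, `verify_log`, the sample events, and the initial key are assumptions made for this demonstration.

```python
import hashlib
import hmac
import json

# Constructed sample audit events for this demonstration; not real log data.
SAMPLE_EVENTS = [
    {"ts": "2008-03-03T09:12:44Z", "user": "jdoe", "action": "login", "host": "ws-17"},
    {"ts": "2008-03-03T09:15:02Z", "user": "jdoe", "action": "download", "object": "lb.exe", "host": "ws-17"},
    {"ts": "2008-03-03T09:16:10Z", "user": "jdoe", "action": "logout", "host": "ws-17"},
]

GENESIS = "0" * 64  # placeholder "previous tag" for the first record


def _canonical(event: dict) -> bytes:
    # Deterministic serialisation so the MAC covers exactly the recorded fields.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def _evolve(key: bytes) -> bytes:
    # One-way key update. After appending, the writer discards the old key, so
    # an insider who later gains root cannot recover it and re-sign old records.
    return hashlib.sha256(key).digest()


def append_entry(log: list, key: bytes, event: dict) -> bytes:
    """Append event to log, chained to the previous record; return the next key."""
    prev_tag = log[-1]["tag"] if log else GENESIS
    tag = hmac.new(key, prev_tag.encode() + _canonical(event), hashlib.sha256).hexdigest()
    log.append({"event": event, "tag": tag})
    return _evolve(key)


def build_log(initial_key: bytes, events) -> list:
    """Write a whole sequence of events, evolving the key after each one."""
    log, key = [], initial_key
    for ev in events:
        key = append_entry(log, key, ev)
    return log


def verify_log(log: list, initial_key: bytes):
    """Recompute the chain from the auditor's copy of the initial key.

    Returns None if every record checks out, otherwise the index of the first
    record whose tag does not match (modified, reordered, or deleted before it).
    """
    key, prev_tag = initial_key, GENESIS
    for i, rec in enumerate(log):
        expected = hmac.new(key, prev_tag.encode() + _canonical(rec["event"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["tag"]):
            return i
        prev_tag = rec["tag"]
        key = _evolve(key)
    return None


def demo():
    # Assumption: k0 is provisioned out of band and stored only with the auditor.
    k0 = b"initial-key-held-by-auditor"
    log = build_log(k0, SAMPLE_EVENTS)
    assert verify_log(log, k0) is None

    # Insider edits the download record to blame the supervisor, as in the CERT case.
    framed = json.loads(json.dumps(log))  # deep copy
    framed[1]["event"]["user"] = "supervisor"
    first_bad_edit = verify_log(framed, k0)

    # Deleting a record from the middle of the chain is caught at the same spot.
    spliced = log[:1] + log[2:]
    first_bad_splice = verify_log(spliced, k0)
    return first_bad_edit, first_bad_splice


if __name__ == "__main__":
    print(demo())  # (1, 1): both tampering attempts fail at record index 1
```

Two caveats a practitioner should keep in mind. First, the scheme only protects records written before the host was compromised; an administrator who already has root when the event occurs can read the current key and sign whatever he likes, so the records (or at least the latest tag) should be shipped to a collector he does not control. Second, a chain alone does not detect truncation of the tail; anchoring the most recent tag with the auditor on a schedule, or closing each period with a final record, closes that gap.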
As the economy worsens, insider threats may grow. Financial hardship and underfunded internal security programs may cause once-loyal employees to turn to theft or sabotage in ways that they never did before.
Still, although there are many reasons why the insider threat is something to be concerned about, there are technologies and processes—such as security awareness, logging, and privileged password management—that can help reduce the risk that you will become the next Societe Generale or Countrywide.
No matter what steps you take to improve your internal security posture, remember: “If you cannot prevent it, you must detect it.”