This feature first appeared in the Fall 2015 issue of Certification Magazine. Click here to get your own print or digital copy.
Consider these two scenarios: First, burglars desire to break into a bank and steal the money held within. Expending a great deal of time and effort, they carefully study the bank layout, noting where potential entryways are. They watch the bank guards and their movements, secure wiring schematics and note the alarm system, including the locations of cameras. They determine when the vault will contain the most money, monitor police procedures and activities, and note the key employees and their work schedules. They observe when customer activity is most and least likely, plan what disguises to use, and finally, they very carefully devise an exit strategy.
Scenario two is a tad simpler. The team arrives at the bank in the middle of the night, and the branch manager opens the door to let them in.
Whenever the media reports that yet another business organization, learning institution, or government agency has had their digital system breached, the immediate assumption is that outside "hackers" have been diligently at work — poking and probing until they find their way into the system to commit their nefarious deeds. While this is often the case, breaches are also frequently the result, whether by design or through carelessness, of an "insider" attack by an employee of the organization. Monitoring internal threats is a very real part of effective cybersecurity.
One case in point is the well-publicized attack on Target in 2013. In that instance, hackers were able to obtain personal information on more than 40 million customers. What is less well known is that the breach was triggered by the negligence of an insider. The thieves got access to Target's network through a company workstation at a contractor that handles heating and cooling at a number of Target stores nationwide.
Another example of an insider attack is the 2012 breach of security at the Swiss national intelligence agency, NDB. In that instance, investigators concluded that the attack was aided by a disgruntled IT technician who felt that his advice about system operations was being ignored. To prove his point, the technician downloaded terrabytes of classified material from the Swiss intelligence service's servers onto portable hard drives.
While the particulars of inside jobs vary, the key element is that it is always a trusted employee who causes the breach of security, whether intentionally or through negligence. Intentional breaches are usually the result of employee termination, job dissatisfaction, or pressing financial issues. Termination, especially under troubling or hostile conditions, can lead to an employee seeking revenge against the organization, often in the form of data sabotage or data theft.
Employee dissatisfaction can come from an employee who feels his work is unimportant or unsatisfying, one who has failed to obtain a promotion or raise, or one who feels her contributions are not being appreciated. Financial problems outside the workplace are also a common cause of insider attacks. Mounting debt can leave employees feeling trapped, with no escape except to steal from an employer. As with termination and dissatisfaction, those who have financial issues can sell corporate information either directly or through an online intermediary.
Unintentional insider attacks don't even require the element of malice. In these situations an employee does not deliberately try to breach the organization's digital security, but it happens anyway because of carelessness. Perhaps an employee leaves their workstation password on a sticky note on the side of their monitor, for anyone to take. Maybe someone takes their work-issued computer (full of sensitive data) home and then loses it. Maybe someone opens an infected e-mail on the company server, or brings an infected personal mobile device to work, or innocently picks up an infected flash drive found on company premises and plugs it in to see what it contains. All of these relatively innocent actions can lead to data loss.
To lessen the possibility of either intentional or unintentional insider attacks, a three-pronged approach to security must be developed and put into operation by those entrusted with organizational protection and defense. That approach revolves around the triad of People, Processes and Technology.
People — While hardware and software can be programmed not to make errors, human beings are a different story. People are fallible, and make errors in judgement as to what they should or should not do. They have differing moral and ethical values, differing needs, and follow differing patterns of making decisions that affect themselves and their organization. Reference is often made to the so-called 10-10-80 rule where 10 percent of employees would never consider committing a crime, 10 percent are actively looking for opportunities to commit a crime, and 80 percent would consider committing a crime ... depending on opportunity and their own personal needs.
To mitigate and reduce the potential for errors or deliberate actions, organizations need to invest in ongoing employee awareness training. Ideally, this type of training establishes in the minds of employees a cybersecurity culture in which every action they perform is judged against a set standard of security. It also creates a culture where the phrase "See something, say something" is more than a slogan, where employees remain acutely aware of what their fellow employees are doing ... or not doing.
Process — The members of an organization are its most important asset, but they, and the system itself, must have guiding rules and policies, operating parameters designed to prevent data loss. Security policies must be all-inclusive and cover every aspect of the functioning of the system. Company policy defines who has what level of access, and what activities are allowed by that person. The watchword should always be "least privilege" access.
Company policy must also define a host of other activities, such as what files can be moved or exfiltrated, what coding or software can be brought into the system, how often logs are examined, and how files will be stored or siloed. The policy must also work hand-in-hand with human resources in regard to hiring, termination, promotions, demotions, work evaluations, and the ongoing monitoring of employee attitudes and performance. Such policies work to ensure that the system and the employees keep on the rails and that if someone or something goes astray, it is efficiently noted and corrective action taken place.
Technology — The utilization of technology in preventing data breaches and other cyberattacks, is a key element in any successful cybersecurity program. It must be understood, however, that technology, while an important key, cannot prevent those with malicious intent from breaching a system. Technology creates a layered defense against attacks, and can be very effective in thwarting all but the most determined intruders. Well-configured firewalls, continually updated anti-intrusion software, updated operating system software, intrusion-detection software in the form of HIDs and NIDs, and automated monitoring for "unusual' activity can all combine to make it exceedingly difficult for attackers, both inside and outside, to move within a system and perform their nefarious deeds.
Perhaps the most important key to mitigating the threat of an insider attack is to recognize that no cybersecurity system is perfect. No matter how high or thick you build your defenses, those with malicious intent can find a way, from the outside or the inside, to breach your security. Recognizing this important fact will help you in your efforts to protect your sensitive data.
To begin with, you need to carefully identify your most important data, anything that is critical to the success of your organization. You can't protect everything, but you can concentrate on the protection of the company's "crown jewels." Having identified those assets, begin building your defense of them by carefully monitoring who has access, why they have access, who gave them the access, and most importantly, how they can manipulate the data.
Internal threats are perhaps the most difficult cyber-threats to guard against, because people who already have access to a system are generally considered to be trustworthy. No cyber-defense is perfect. It is impossible to prevent insiders from harming your organization and its systems 100 percent of the time. If you concentrate on the triad system of people, process and technology, however, you will greatly reduce the potential for attackers to do harm.