Imagine getting ready to fire a disgruntled employee who is also a systems administrator for your company -- a...
major national railway. However, you allow him to convince you to let him resign instead. Then, before he returns his laptop, he uses it to access the railroad's networks, delete critical files, remove some administrative accounts and change passwords.
This actually happened in 2015 at the Canadian Pacific Railway, and it resulted in an erratically functioning network and the company's IT support staff being locked out of their accounts. The perpetrator, Christopher V. Grupe, was sentenced to one year in prison for this insider attack.
The threat of insider attacks is a real and present danger.
Describing the insider threat
According to the definition from the CERT Division of the Software Engineering Institute at Carnegie Mellon University, a malicious insider threat is "a current or former employee, contractor, or business partner who meets the following criteria: has or had authorized access to an organization's network, system, or data, and has intentionally exceeded or intentionally used that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization's information or information systems."
The CERT definition also defines an unintentional insider threat as "a current or former employee, contractor, or other business user who: has or had authorized access to an organization's network, system, or data and had no malicious intent associated with his or her action (or inaction) that caused harm or substantially increased the probability of future serious harm to the confidentiality, integrity, or availability of the organization's information or information systems."
The subject of insider threat detection and security program management is also included in some readily available courses. Training course examples include:
- IS-915: Protecting Critical Infrastructure Against Insider Threats, U.S. Department of Homeland Security, Federal Emergency Management Agency -- online, free.
- Building an Insider Threat Program, Software Engineering Institute, Carnegie Mellon University -- online, free.
- Insider Threat Overview: Preventing, Detecting and Responding to Insider Threats, Software Engineering Institute, Carnegie Mellon University -- online, free.
- CERT Insider Threat Program Manager: Implementation and Operation, Software Engineering Institute, Carnegie Mellon University -- three-day course in Arlington, Va., $2,250 to $3,150.
An insider threat can range from a well-intentioned employee or contractor who simply makes a mistake -- such as clicking on a phishing link -- to a disgruntled employee or contractor who intentionally causes damage. Other unintended insider incidents include:
- accidental disclosure;
- phishing/social mistakes;
- loss or theft of physical records; and
- loss or theft of portable equipment, such as laptops, smartphones or USB drives.
Why would someone want to carry out insider attacks? There are a variety of reasons ranging from bruised egos to corruption, espionage or terrorism.
The 2014 National Cybersecurity and Communications Integration Center white paper "Combating the Insider Threat," offers a table to help you better understand what personality characteristics could be indicators of a potential insider threat:
An insider threat can be exacerbated by major changes in employment conditions, such as mergers and acquisitions activities, corporate layoffs or facility shutdowns.
Primary insider attack modes include kinetic attacks, sophisticated cyberattacks and exploitation attacks. Examples cited by the CERT Insider Threat Center in its "Common Sense Guide to Mitigating Insider Threats, Fifth Edition" are "low-tech attacks, such as modifying or stealing confidential or sensitive information for personal gain; theft of trade secrets or customer information to be used for business advantage or to give to a foreign government or organization; and technically sophisticated crimes that sabotage the organization's data, systems or network."
Detecting insider threat activities
Detecting insider threat activities is not particularly easy. The best first line of defense is to train employees to recognize and report strange behaviors by other employees, business partners, contractors or vendors.
According to the article "Great Employee or Insider Threat?" by Charlie Platt in the Metropolitan Corporate Counsel, some indicators of suspicious behavior to cover in any insider threat employee awareness training include:
- remotely accessing the network while the person is on vacation, sick or at odd times;
- works odd hours without authorization;
- enthusiastically accepts overtime, weekend or unusual work schedules; and
- unnecessarily copies material -- especially classified or proprietary information.
Of course, don't forget your security technologies that can help detect insider attacks, including SIEM or log analysis, data loss prevention tools, and data access monitoring.
Preventing successful insider attacks
As previously mentioned, an excellent guide and desktop reference is the "Common Sense Guide to Mitigating Insider Threats, Fifth Edition" published by the CERT Insider Threat Center. The guide offers 20 best practices to include in a company's insider threat security program. Some of the key practices include:
- "Know and protect your critical assets [e.g., intellectual property, trade secrets, etc.]
- Develop a formalized insider threat program [with a governance element].
- Beginning with the firing process, monitor and respond to suspicious or disruptive behavior.
- Consider threats from insiders and business partners in enterprise-wide risk assessments.
- Be especially vigilant regarding social media.
- Incorporate malicious and unintentional insider threat awareness into periodic security training for all employees. [Emphasize 'if you see something, say something.']
- Monitor and control remote access from all end points, including mobile devices.
- Enforce separation of duties and least privilege.
- Close the doors to unauthorized data exfiltration.
- Develop a comprehensive employee termination procedure."
When an enterprise establishes an insider threat program, executives need to be aware of the potential negative effects this can have on employee morale and sensitivity to loss of privacy. Implementing an insider threat program mandates increased communication with the staff to explain the program, explain how they can help and offer frequent emphasis on program wins.
The 2016 Ponemon Institute report "Tone at the Top and Third Party Risk," noted that "If management is committed to a culture and environment that embraces honesty, integrity and ethics, employees are more likely to uphold those same values. As a result, such risks as insider negligence and third party risk are minimized."
An insider threat program should also include a steering board/committee. Ideally, such a committee should include representatives from law, intellectual property, the office of internal governance, global privacy, human resources, information technology, corporate communications and security.
One final useful fact
Based on the CERT Insider Threat Center's research and feedback from the industry, malicious insiders often conduct illicit activities within 90 days of their termination.
With this in mind, the CERT Division recommends that once an employee is terminated, an analysis of the employee's data download and upload activities should be reviewed for the time period starting at least 30 days before the employee's departure. Optimally, CERT recommends that the review be for the 90 days before termination and should include reviewing email activity to be sure the employee has not mailed sensitive data outside the company, such as to a personal email account or competitor.
Insider threats are real, but not as obvious as we would like.