
Non-malicious insiders: The biggest insider threat of all?

There's little question that malicious insiders pose a clear and present threat to enterprise information security, but according to one of the industry's top experts on insider threats, non-malicious insiders can be equally dangerous.

Randy Trzeciak, director of the Software Engineering Institute's CERT Program at Carnegie Mellon University, said his team has conducted extensive research looking for patterns of behavior from non-malicious insiders that may cause harm to an organization.

In this video interview, recorded at the 2014 RSA Conference, Trzeciak discusses the five common patterns of insiders who harm organizations even though they lack malicious intent.

Intentionally malicious insiders are a significant risk as well, and Trzeciak discusses the SEI CERT Program's efforts, as a federally funded research and development center, to identify both technical and non-technical patterns of behavior that give enterprises insight into how insider threats evolve over time and what organizations can do to detect and respond to them.

Surprisingly, Trzeciak said software developers can rank among the most dangerous insiders, because they are in a position to introduce vulnerabilities or backdoors into the code they write.

"We have a number of cases that we've analyzed where malicious coders or developers have introduced vulnerabilities that were used to harm the organization," Trzeciak said, "either before or after they left the organization."

Finally, Trzeciak discusses whether enterprises should implement industry-specific insider threat detection controls, and the emerging category of tools for identifying suspicious insider activity.

More information:

Expert Kevin Beaver reveals five common insider threats and how to mitigate them.

In this Security School lesson, Dawn Cappelli offers practical strategies to mitigate insider threats.

Eric Parizo: Hi, I'm Eric Parizo from It's great to have you with us. Joining me today is Randy Trzeciak. Randy is the director of the Software Engineering Institute's CERT program at Carnegie Mellon University. Randy, thank you so much for joining us today.

Randy Trzeciak: Thank you. It's great to be here.

Eric Parizo: Let's talk about insider threat research for a few minutes. For those who aren't familiar with your team's work and the area of insider threats, talk briefly about what your program does and the resources that you offer.

Randy Trzeciak: My team is the Insider Threat Center at CERT, which is part of the Software Engineering Institute, which is a federally funded research and development center. For 13 years we've been researching insider threats to try to identify patterns of behavior, both technical patterns and non-technical patterns of behavior, with the goal of giving organizations some insights into how insider threats tend to evolve over time and what they can do to prevent, or detect, or respond to malicious as well as unintentional non-malicious insider activity.

We've done that over 13 years by collecting over 800 incidents which we've analyzed, and from that we've developed patterns of behavior which describe how those incidents tend to evolve over time. Our goal is to provide awareness of the insider threat problem but offer solutions to preventing, and detecting, and responding to the problem as well.

Eric Parizo: You've published some interesting research recently, including a piece on what you call the unintentional insider threat via social engineering. What did you learn about there?

Randy Trzeciak: Sure. Traditionally, we've focused on the malicious insider, really looking for people who intend to harm an organization, and that is a key critical asset that you want to try to identify within an organization. Organizations in many cases are concerned about malicious insiders, but they're equally concerned about the non-malicious insider who does tend to harm an organization as well. There isn't malicious intent, but the impact is still the same. Data could be disclosed, a service could be made unavailable, or something might be shut down and they couldn't fulfill the mission of an organization within an organization.

What we try to do is to look for patterns of behavior from the non-malicious insiders to see if there are things that organizations can do to prevent those types of incidents from happening as well. We have a report which is available on the website to find more information. What that describes is five common patterns of insiders who harm organizations but don't have malicious intent.

A number of those scenarios could be that I take information home with me which is authorized, and that information is lost. That could be a lost laptop, a thumb drive. Something is made available to someone on the outside but, again, without malicious intent.

Another type of scenario that's described is where somebody is sent something, a social engineering or phishing type attack. They click on a link and it exposes the information within the network. Non-malicious intent, but it still harms the organization.

Finally, the social engineering aspect is described in detail, about someone who is approached by someone either inside or outside the organization. They're convinced to provide some credentials to the organization, someone outside the organization, and those credentials are used to be able to go and disrupt the operation, to exfiltrate information, or to defraud the organization.

Eric Parizo: I know your team recently updated a white paper on programmers as malicious insiders. How do you categorize the threat that they pose?

Randy Trzeciak: The insider threats as we describe those are people with authorized access to your networks and systems. The malicious insiders harm the organizations, where the non-malicious still harm the organization as well but without malicious intent. We want to try to raise awareness that there are programmers in the software development environment that could intentionally introduce vulnerabilities into a software package that could be used to harm the organization after the software is deployed.

For example, if I were to code a backdoor into a key critical system, that particular individual who wrote the software would have access to come back in after they leave the organization or something that's not known by the organization and can use it to harm the organization.

Other types of scenarios are where programmers have intentionally or even unintentionally missed some of the security controls that should be in place. That does allow for people to harm an organization. Again, most of the time that's without the individual's intent, but in some cases there is malicious intent to not include security controls in software.

Finally, that could be a path for someone who steals the software. The software could be a key piece of intellectual property. The individuals, the developers, could use that to take it with them to a competitor and take the key intellectual property, being software, to an organization outside of the organization.

Eric Parizo: Just briefly, in terms of those who have a malicious intent, is that mostly theoretical, or have you seen that play out in practice?

Randy Trzeciak: We have a number of cases that we've analyzed over the years where malicious coders or developers have introduced vulnerabilities that were used to harm the organization either before they left or after they left the organization.

Eric Parizo: So it's very real.

Randy Trzeciak: It is real, yes.

Eric Parizo: An insider threat center research note highlighted recently how insider intellectual property theft is most likely in certain verticals, specifically IT, chemical, and banking. Generally speaking, should enterprises customize their insider threat detection efforts based on the verticals that they're in and, if so, how should they do it?

Randy Trzeciak: I would say that there are things that specific organizations can do or sectors can do, but in general theft of intellectual property is someone in the organization taking the intellectual property with them to a competitor, to start a competing organization, or to benefit a foreign government or foreign organization. If an organization, no matter what sector they are in, is able to identify what the key intellectual property is and put the protective controls on the intellectual property, then you have a better chance of identifying who's accessing it, who's trying to access it, and if they're trying to exfiltrate it off the network through removable media or through email you have a pretty good chance of at least alerting when that's happening, and that's irrespective of the vertical market that they're in.

We'd start with tools or categories of tools such as data loss prevention tools, categories of tools that can tag your intellectual property, can identify it where it exists, who has authorized access to it, who's moving the asset off the network or through the network, and can alert when certain things happen.

Eric Parizo: Finally, you spoke recently about how after years of research it remains a staggering challenge to predict where and when insider threats will occur. Why is that, and is there anything enterprises can do about that?

Randy Trzeciak: At the core the insider threat is a person, and a person certainly has motivations of which they, in most cases, will act in the best interest of an organization. To be able to predict when an insider maliciously wants to harm an organization, to defraud them, to steal something from them, it's really hard with the technology alone to identify someone who is doing something with malicious intent.

If you're using a category of tools you could identify when something suspicious is happening, but in many cases that suspicious activity is not necessarily malicious. Telling a tool, or coding a tool, or programming a tool to identify suspicious activity, but at the same time differentiating between malicious and suspicious, that's a really hard thing to do from an organization standpoint.

You really do need to combine the behavioral aspects of what might motivate somebody to defraud an organization, or to steal intellectual property, or to sabotage a network or system, which is usually outside of the control of what a traditional IT department is and what they do to prevent or detect malicious activity by insiders.

Eric Parizo: Randy Trzeciak of the Insider Threat Center at Carnegie Mellon University, thank you so much for being with us today.

Randy Trzeciak: You're welcome. Thank you.

Eric Parizo: And thank you as well. Remember, for more information security videos you can always visit\videos. Until next time, I'm Eric Parizo. Stay safe out there.
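The detection approach Trzeciak outlines above (tag the key intellectual property, know who may touch it, and alert when it moves off the network through removable media or e-mail) can be shown in a small script. The following is an added example written for this page; it is not CERT's code or any vendor's product. The audit event schema, the tagged path inventory and the internal mail domain are all assumptions, and the audit events are constructed. Following the interview's point that suspicious is not the same as malicious, the detector labels its output "suspicious" and leaves the judgment to an analyst.

```python
"""
Added illustration of a minimal DLP-style insider exfiltration detector:
tag intellectual property by location, then alert when a tagged file is
copied to removable media or mailed to an external recipient.
All field names, paths and domains below are assumptions for the example.
"""
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed inventory: path prefixes that hold tagged intellectual property.
IP_TAGS = {
    "/srv/repo/pricing-engine/": "source:pricing-engine",
    "/srv/docs/formulations/": "chem:formulation",
}

# Assumed internal mail domain; anything else counts as external.
INTERNAL_DOMAINS = {"example.com"}


@dataclass
class Alert:
    user: str
    tag: str
    path: str
    channel: str   # "removable_media" or "email"
    detail: str


def ip_tag(path: str) -> Optional[str]:
    """Return the IP tag for a path, or None if the path is not tagged."""
    for prefix, tag in IP_TAGS.items():
        if path.startswith(prefix):
            return tag
    return None


def external_recipients(recipients: Iterable[str]) -> List[str]:
    """Recipients whose mail domain is not in the internal set."""
    return [r for r in recipients
            if r.split("@")[-1].lower() not in INTERNAL_DOMAINS]


def detect(events: Iterable[dict]) -> List[Alert]:
    """Walk audit events and flag tagged IP leaving via media or e-mail."""
    alerts: List[Alert] = []
    for ev in events:
        tag = ip_tag(ev.get("path", ""))
        if tag is None:
            continue  # not tagged IP: ordinary authorized activity, no alert
        action = ev.get("action")
        if action == "file_copy" and ev.get("dest_type") == "removable":
            alerts.append(Alert(ev["user"], tag, ev["path"], "removable_media",
                                "copied to " + ev["dest"]))
        elif action == "mail_send":
            ext = external_recipients(ev.get("recipients", []))
            if ext:
                alerts.append(Alert(ev["user"], tag, ev["path"], "email",
                                    "sent to " + ", ".join(ext)))
    return alerts


# Constructed audit events (JSON lines), one per line, for the example only.
SAMPLE_EVENTS = """\
{"user": "alice", "action": "file_read", "path": "/srv/repo/pricing-engine/model.py"}
{"user": "alice", "action": "file_copy", "path": "/srv/repo/pricing-engine/model.py", "dest": "/media/usb0/model.py", "dest_type": "removable"}
{"user": "bob", "action": "mail_send", "path": "/srv/docs/formulations/batch-7.pdf", "recipients": ["carol@example.com"]}
{"user": "bob", "action": "mail_send", "path": "/srv/docs/formulations/batch-7.pdf", "recipients": ["bob.home@mail.example.net"]}
{"user": "dave", "action": "file_copy", "path": "/home/dave/notes.txt", "dest": "/media/usb1/notes.txt", "dest_type": "removable"}
"""


def parse_events(text: str) -> List[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def run_sample() -> List[Alert]:
    """Run the detector over the constructed events; returns two alerts."""
    return detect(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for a in run_sample():
        print(f"SUSPICIOUS via {a.channel}: {a.user} moved {a.tag} "
              f"({a.path}); {a.detail}")
```

Of the five constructed events, only two trigger: the copy of tagged source to a USB device and the formulation document mailed to an outside domain. The internal mail to a colleague and the copy of an untagged personal file stay silent, which is the point of tagging first: without the inventory, every USB copy looks alike and the tool cannot tell suspicious from routine.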
