“Amateurs attack machines; professionals target people.” – Bruce Schneier
When we think of cybersecurity attacks, we conjure up images of all the bad actors trying to break into our systems and stealing our data. However, what is often overlooked is that one of the biggest threats to our organizations is already lurking inside.
Employees can carelessly compromise your data and cost your organization huge losses including monetary, future profits and reputational loss.
Evidence suggests that the majority of data breaches and leaks occur due to employee negligence or unawareness of standard security practices that they should be following, and/or they do not fully comprehend how violations of policies can affect the organizations’ bottom line.
Often, the lack of unawareness can lead to employees not taking security seriously and even sometimes disregarding it all together it in the name of ease of use, performance, or convenience which can ultimately allow ransomware, RATs and other dangerous malware to infect your system.
Case in point is the data breach at Target. The evidence suggests that an employee at an HVAC vendor of Target opened a phishing email infected with malware and due to the lack of internal controls, the malware was able to spread throughout Target. Security was not a priority, including employees using default passwords and they kept login credentials stored on unprotected servers where they were easily accessible.
Then there are the malicious insiders who pose the greatest threats, in part because it is incredibly easy for employees who have access to the organization’s network to misappropriate data, use data extrusion or destroy/alter the data.
More often than not they are able to use legitimate credentials and permissions in order to access the data, consequently evading detection.
According to the 2017 Crowd Search Partners Insider Threat findings,
- 56% of security professionals say insider threats have become more frequent in the last 12 months.
- 71% Inadvertent data breaches top the list. With 68% Negligent data and 61% malicious data breaches come in a close second and third.
- 60% privileged users, such as managers with access to sensitive information, pose the biggest insider threat to organizations followed by 57% contractors and consultants and 51% of regular employees
- More than 75% of organizations estimate insider breach remediation costs could reach $500,000 while 25% believe the cost exceeds $500,000 and can reach in the millions.
Well-known malicious insider security breaches
- Dejan Karabasevic was an employee of American Superconductor (AMSC). Karabasevic stole Intelectual property in which he then sold to Sinovl, a Chinese competitor. AMSC filed for bankruptcy, forcing the company to lay off more than 450 employees.
- Edward Snowden is a former NSA subcontractor who leaked thousands of top secret information about NSA surveillance activities.
- Bradley Manning disclosed US Army documents to WikiLeaks and was convicted of violations of the Espionage Act.
The psychology behind malicious insider threats can be perplexing to organizations, as the individuals’ motives or actions cannot always be easily identified. The primary drivers of the malicious insider behavior often combine a lack of conscious, distrust or empathy plus organic stressors including financial trouble and job disillusionment; resulting in disgruntled employees, who can steal data; leak it online or corrupt it as payback for a perceived injustice. Espionage, which is a very real thing, where data is sold to the highest buyer. Finally, there are the most trustworthy employees who can and do fall victim to blackmail and/or bribery. In a previous blog last week, I wrote about a blatant security violation. What Is Really At Stake With The People Part Of The Cyber Equation?
The demand for sensitive data, i.e., credit card, personally identifiable, and/or proprietary information is snowballing on the ‘DarkNet,’ and cyber criminals stand to haul in huge financial paydays if they can collect that data. Moreover, evidence suggests that cyber criminals have begun collecting this valuable data by recruiting employees and turning them into malicious insider threats. According to new research from IBM, the health care sector’s IT suffered from malicious insider attacks at a rate far higher than other industries.
All staff needs to be held accountable for their actions because anyone can become corruptible. However, several groups require additional security including
- Former Employees. If accounts are not disabled, ex-employees can take data with them. What is worse, they often can access your data even after termination, either via Logic Bombs, Trojans, and Trap Doors or by just retaining their access because the audit controls were not in place to disable their access.
- Privileged users. The most trusted users in a company are privileged users, and they have the greatest opportunities to misuse your data.
- Third parties. Subcontractors, vendors, consultants and partners who have access to your systems should be treated as a risk to your security.
Insider threats are hard to remediate if the proper controls are not in place. The longer it takes an organization to detect a breach, the more remediation costs go up. Without the proper controls in place, it can be difficult to distinguish harmful actions from regular work.
There are differences between ‘regular users’ and ‘insider threats.’ Be aware of the indicators (This is not a complete list, but it is a good start)
- Repeated violations of the Organizations Security Policies.
- Failed access attempts after hours to unauthorized areas.
- Failure to report bankruptcies or travel outside the country on your SF86 or U4.
- An unusual amount of communication with competitors using social media.
- A high number of files transferred from an endpoint to removable media.
- A high amount of data emailed to a personal email account or file hosting site.
- An unusual amount of browsing of watch-list websites with a lack of regard.
- IT Administrator(s) are performing excessive file deletions.
- Password harvesting, unauthorized access to co-workers computers.
- Encrypting and renaming file extensions.
- Password protecting Zip files.
- The increase of trouble tickets for computers.
Alerts in real-time enable organizations to defend themselves against insider threats including
- Auditing, monitoring, and logging of printing jobs, queries, downloads and emails containing unusually large amounts of data particularly sensitive information.
- Host-based agents to log activity on desktops, laptops and the use of removable media.
Business organizations with effective security controls will be better able to mitigate suspicious employee behaviors and ultimately minimize the risk and impact of the theft of sensitive information and malicious insider disruption.