Not all Risks Become Threats
Insider threats are an updated version of the wolf in sheep's clothing - the people we rely on to safeguard systems and data can sometimes be the ones who pose the greatest risk. From malicious actors to negligent employees, insider threats come in many forms and can have devastating consequences for organizations of all sizes.
Who’s an Insider? An insider is “anyone who has access to an organization’s sensitive information or systems." This includes employees, contractors, and consultants.
Everyone who has insiders has insider risk, but that’s not the same as insider threat. A threat is a risk that has materialized. All insiders pose a risk, but until something happens, there's not a threat.
Someone may accidentally copy a file to their personal account, but if it’s not sensitive, confidential, or otherwise concerning, then it doesn’t automatically become a threat.
But that risk could be one step away from a threat. If that uploaded file was sensitive and was exposed, then it becomes a threat (important note: always consult company policies to determine what constitutes a threat).
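The risk-versus-threat distinction above is exactly the decision a DLP or monitoring rule has to make. As an added example (not part of the original article), this Python triage function reads constructed file-transfer events and labels each one benign, a risk, or a materialized threat; the sensitivity labels, corporate domains and sample events are all assumptions standing in for company policy and real logs.

```python
"""Triage file-transfer events into 'none', 'risk' or 'threat'."""
import json

# Constructed policy: which labels count as sensitive and which domains the
# organization controls. In practice both come from company policy.
POLICY = {
    "sensitive_labels": {"confidential", "restricted"},
    "corporate_domains": {"corp.example"},
}

# Constructed sample events in JSON-lines form (not real logs).
SAMPLE_EVENTS = """\
{"user":"alice","file":"lunch-menu.docx","label":"public","dest":"alice@mail.example","exposed":false}
{"user":"bob","file":"payroll-q3.xlsx","label":"confidential","dest":"bob@mail.example","exposed":false}
{"user":"carol","file":"payroll-q3.xlsx","label":"confidential","dest":"carol@mail.example","exposed":true}
{"user":"dave","file":"payroll-q3.xlsx","label":"confidential","dest":"dave@corp.example","exposed":false}
"""


def is_external(dest, policy=POLICY):
    """True when the destination account is outside the organization."""
    domain = dest.rsplit("@", 1)[-1].lower()
    return domain not in policy["corporate_domains"]


def triage(event, policy=POLICY):
    """Return 'none', 'risk' or 'threat' for one file-transfer event."""
    if not is_external(event["dest"], policy):
        return "none"      # copy stayed inside the organization
    if event["label"] not in policy["sensitive_labels"]:
        return "none"      # personal copy of non-sensitive data
    if event.get("exposed"):
        return "threat"    # sensitive data left and was exposed
    return "risk"          # sensitive data left; one step from a threat


def triage_lines(text, policy=POLICY):
    """Triage every non-empty JSON line; returns a list of (user, verdict)."""
    verdicts = []
    for line in text.splitlines():
        if line.strip():
            event = json.loads(line)
            verdicts.append((event["user"], triage(event, policy)))
    return verdicts


if __name__ == "__main__":
    for user, verdict in triage_lines(SAMPLE_EVENTS):
        print(f"{user}: {verdict}")
```

Only the "threat" verdict should page an analyst; "risk" rows are the ones a program reviews and tunes its policy against.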
Types of Insider Threats
There are numerous ways to categorize insider threats, but I’ll use the following five: Negligent, Malicious, Unintentional, Compromised (inside agents), and Shadow.
Negligent
This employee unintentionally shares sensitive information through a careless mistake, such as leaving a laptop with confidential information in a public place or sending an email to the wrong recipient.
In 2016, a Boeing employee mistakenly emailed a spreadsheet full of employee personal data to his spouse, for the purpose of providing a formatting template.
Malicious
This is a disgruntled consultant who intentionally steals sensitive data or sabotages the organization's systems in retaliation for being terminated.
A recent example is when a member of the Massachusetts Air National Guard was arrested by the FBI in connection with the leaking of classified documents that were posted online.
Unintentional
This is an employee who unknowingly exposes the organization to a cyber threat by falling victim to a phishing scam or downloading a malware-infected file.
In 2020, Twitter suffered a massive security breach after several employees fell victim to a phishing scam. The attackers used the stolen credentials to gain access to the accounts of high-profile individuals and posted fraudulent messages.
Inside Agents
This is a trusted contractor who is recruited by an external threat actor to steal confidential information or sabotage the organization's systems.
In 2018, a Chinese national who worked for Apple was arrested for stealing trade secrets related to the company's autonomous vehicle project. The employee allegedly downloaded confidential data to a personal device, planning to use the information to start his own self-driving car company in China.
Shadow
This employee uses unauthorized software, or even compromised tools, to perform the job, such as using personal cloud storage to store sensitive data. Tainted software is one example of an invisible insider threat: software that contains a backdoor that the remote threat actor uses to violate confidentiality.
SolarWinds had its Orion product updates infected with malware as early as January 2019, allowing the threat actors to infiltrate and monitor numerous US federal agency networks.
Building Blocks of Insider Threats
What does it take to form an insider threat? Here are some common characteristics that organizations should be aware of:
Authorized access
Insiders have authorized access to the organization's systems, networks, and data, which can make it difficult to detect malicious activity.
Knowledge of sensitive information
Insiders may have knowledge of sensitive information that can be used for personal gain or to harm the organization.
High level of trust
Insiders are often trusted by the organization and may have access to sensitive information or systems that are not available to other employees.
Intent
Insiders may have a motive or intent to harm the organization, such as financial gain or revenge.
Opportunity
Insiders have the opportunity to cause harm because they have access to sensitive data or systems and may have the skills to exploit vulnerabilities.
Lack of awareness and education
Insiders may be unaware of the risks and consequences of their actions, or they may not understand the organization's policies and procedures related to information security.
Building an Insider Threat Management Program
Creating an effective insider threat management program (ITMP) requires a comprehensive, strategic approach built on the following steps:
- Identify the scope and objectives of the program: Determine the goals of the insider threat program, including the assets and information to protect, the risks to mitigate, and the stakeholders to involve.
- Develop policies and procedures: Develop clear policies and procedures that address insider threats and define the roles and responsibilities of different stakeholders. Align the policies with legal and regulatory requirements.
- Conduct a risk assessment: Conduct a risk assessment to identify the critical assets and information that could be targeted by insider threats, and evaluate the likelihood and impact of different types of insider threats.
- Implement technical controls: Implement technical controls (e.g., user monitoring and behavior analysis, access controls, data loss prevention) to detect and prevent insider threats.
- Provide training and awareness: Educate employees and stakeholders about the risks of insider threats, the policies and procedures of the program, and how to report suspicious behavior.
- Monitor and review: Continuously monitor the program's effectiveness, reviewing policies and procedures to ensure they are updated.
- Respond and investigate: Develop an incident response plan to respond to insider threats, including procedures for investigating and managing incidents.
- Continuously improve: Continuously improve the program based on feedback and new threats, ensuring it aligns with the organization's security strategy.
Additional Considerations
Now that the program is ready to prevent all the threats, it's important to consider privacy. While GDPR was the bellwether for national privacy initiatives, many other countries and states have already created, or are in the process of creating, their own privacy regulations. In designing the ITMP, keep individual privacy requirements in mind: "While policies must be straightforward and easy-to-follow, they also must meet data protection requirements regarding the monitoring of employee held devices."
Beyond Fear to Formation
While the risks posed by insider threats can seem daunting, implementing an effective insider threat management program is feasible and well within reach. By taking an active and holistic approach, organizations can detect and mitigate insider threats before they cause harm. Whether implementing access controls and monitoring systems, or providing regular security awareness training, there are many strategies that can be used to mitigate the risk of insider threats.
About the Author:
Ross Moore is the Cyber Security Support Analyst with Passageways. He was Co-lead on SOC 2 Type 1 implementation and Lead on SOC 2 Type 2 implementation, facilitated the company’s BCP/DR TTX, and is a HIPAA Security Officer. Over the course of his 20-year IT career, Ross has served in a variety of operations and infosec roles for companies in the manufacturing, healthcare, real estate, business insurance, and technology sectors. He holds (ISC)2’s SSCP and CompTIA’s Security+ certifications, a B.S. in Cyber Security and Information Assurance from WGU, and a B.A. in Bible/Counseling from Johnson University. He is also a regular writer at Bora.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.