For the past two years we have been hearing a lot about huge data breaches, followed by efforts to implement more secure measures of data protection. It is a commonly held belief that using outsourced solutions such as data conversion services could lead to cyber threats and data breach incidents. However, the shocking thing is that the network vulnerabilities that allow outside attackers to get in, infect databases and even take down the organization’s servers often, and increasingly, originate with trusted inside staff. Insider threats are among the most difficult threats to detect and a major concern for government agencies, because the perpetrator is already within the organization and can use his or her access to view, copy or delete documents at will over days, weeks, months or even years.
Insider threats include theft of intellectual property (IP), trade secrets, unauthorized trading, fraud, spying, and IT infrastructure sabotage.
Insider threats can be of three different types:
- Neglectful insider: Someone who does not intentionally leak or damage data but exposes the agency to considerable risk through bad practices, negligence or carelessness.
- Malicious insider: Someone who intentionally steals information and causes damage to serve a political purpose or to make a profit.
- Compromised insider: An insider whose network access credentials have been stolen by outside attackers, who then use them to steal data. Once outside attackers have these credentials, they appear to be legitimate users to many monitoring tools.
Let us examine some of the causes that contribute to insider threats.
- Huge increase in the size and complexity of IT infrastructure: Organizations may partner with outside agencies that provide services in areas such as HR, logistics, call centers and data cleansing. That makes it important to ensure that the partners’ servers are clean and reliable.
- Employees who bring their own devices to work: Employees who do work on their own mobile devices often inadvertently expose their employers to threats. Malware exposure and the possibility of the device exploding are major concerns.
- The social media revolution: There is a huge possibility of data leaks via social media. Social media also provides opportunities to recruit insiders and use them to access the business’s assets.
In 2012, the White House issued the National Insider Threat Policy and the Minimum Standard for Executive Branch Insider Threat Programs. The policy intends to “deter cleared employees from becoming insider threats; detect insiders who pose a risk to classified information and mitigate the risk through administrative, investigative or other response actions”.
The majority of government workers use privileged access to increase their professional productivity and support the objectives of their agency. Cyber attackers are usually driven by the intention to cause mayhem or to test security integrity, whereas true insider threats are those who wish to harm their agency or government, or who want to benefit personally from their privileged access. Insider attacks can cause severe harm and require longer recovery times and pose clean-up challenges, depending on the data or other content that has been compromised.
Detecting insider threat activity in an increasingly cloud-centric IT world is rather challenging. Threat analysis typically begins with determining what information is the most valuable to the attackers or the agencies they serve. Government agencies hold various types of data related to military matters, personnel, negotiations, legal proceedings, blueprints for weapons systems and other areas that require written approval or a required clearance level for access. Security officers must secure the potential avenues via which insiders may move data off the network, including enterprise file sync and share services, personal cloud storage, email, USB devices, printers and applications.
Fortifying the government network against insider threats depends on establishing and securing best practices and audits for admins with root-level or application-level configuration access. Security officers can design practices that limit access to admin-level areas or even cycle responsibilities between several admins. A good model of privileged account management should ideally:
- Start with least privilege
- Control and segregate applications
- Manage privileged accounts
- Audit current accounts to expose unused privilege
- Employ intelligent monitoring or reporting when password changes are made
- Identify weak passwords
- Redefine alerts for the levels of threat
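Two of the items above, auditing current accounts to expose unused privilege and monitoring password changes, are easy to mechanize once account metadata and an audit log are available. The following script is an added illustration, not code from the original article or from any government program it describes. Every account, role name, timestamp and log line in it is constructed sample data, and the 90-day threshold, the `PRIVILEGED_ROLES` set and the `actor=`/`target=` log format are assumptions chosen for the example; a real deployment would read these from its directory service and SIEM.

```python
"""Audit constructed account data for unused privilege and flag
password changes that touch privileged accounts (added example)."""
from datetime import datetime, timedelta

# Constructed "current time" so the example is deterministic offline.
NOW = datetime(2024, 6, 1)

# Constructed account inventory: roles held and the last time any
# privileged role was actually exercised (None = never observed).
ACCOUNTS = [
    {"user": "alice", "roles": {"domain-admin", "backup-operator"},
     "last_privileged_use": datetime(2024, 5, 28)},
    {"user": "bob", "roles": {"db-admin"},
     "last_privileged_use": datetime(2023, 11, 2)},
    {"user": "carol", "roles": set(), "last_privileged_use": None},
    {"user": "svc-legacy", "roles": {"local-admin"},
     "last_privileged_use": None},
]

# Constructed audit log lines in an assumed "timestamp EVENT k=v ..." shape.
LOG_LINES = """\
2024-05-30T08:12:01Z PASSWORD_CHANGE actor=alice target=alice
2024-05-30T23:41:17Z PASSWORD_CHANGE actor=bob target=svc-legacy
2024-05-31T10:05:44Z LOGIN actor=carol target=carol
2024-05-31T11:00:00Z PASSWORD_CHANGE actor=helpdesk target=carol
"""

# Assumed set of roles the agency treats as privileged.
PRIVILEGED_ROLES = {"domain-admin", "db-admin", "local-admin", "backup-operator"}
# Assumed policy: privilege not exercised for 90 days is a removal candidate.
UNUSED_AFTER = timedelta(days=90)


def privileged_users(accounts):
    """Users holding at least one privileged role."""
    return {a["user"] for a in accounts if a["roles"] & PRIVILEGED_ROLES}


def unused_privilege(accounts, now=NOW, threshold=UNUSED_AFTER):
    """Return users whose privileged roles have not been used within threshold.

    Accounts with no privileged role are ignored; accounts that were never
    seen using their privilege are always reported.
    """
    stale = []
    for a in accounts:
        if not (a["roles"] & PRIVILEGED_ROLES):
            continue
        last = a["last_privileged_use"]
        if last is None or now - last > threshold:
            stale.append(a["user"])
    return stale


def parse_log(text):
    """Parse the constructed log format into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append({"ts": ts, "event": event, **fields})
    return events


def privileged_password_changes(events, accounts):
    """Flag PASSWORD_CHANGE events whose target holds a privileged role.

    Each finding is (timestamp, target, reason); a change made by someone
    other than the account owner is called out separately, since that is
    the case a reviewer most wants to see.
    """
    priv = privileged_users(accounts)
    findings = []
    for e in events:
        if e.get("event") != "PASSWORD_CHANGE" or e.get("target") not in priv:
            continue
        if e.get("actor") == e["target"]:
            reason = "self-service"
        else:
            reason = "changed by " + e.get("actor", "<unknown>")
        findings.append((e["ts"], e["target"], reason))
    return findings


if __name__ == "__main__":
    print("Unused privilege:", unused_privilege(ACCOUNTS))
    for ts, user, why in privileged_password_changes(parse_log(LOG_LINES), ACCOUNTS):
        print(f"{ts} privileged password change on {user}: {why}")
```

Run as a script it reports `bob` and `svc-legacy` as holding privilege they have not used in the assumed window, and two password changes on privileged accounts, one self-service and one performed by another user on a service account. The change to `carol` is not reported because she holds no privileged role, which keeps the alert volume tied to the accounts that matter rather than to every password reset in the agency.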
Insiders who have access to sensitive information can steal the data much more easily than outsiders. The right policies and advanced technology could help address this risk. Organizations must be aware that data leaks originating from mistakes are also a serious concern. This type of data leak is more likely to occur following an insider’s rather than an external party’s actions.
An effective insider threat detection program should include a series of unscheduled system emergencies of various thresholds to test the automated insider threat security processes as well as the workers required to halt a threat. Emergency events can be monitored to relay performance, response time, changes in process and failures back to those responsible.
Government agencies must view insider threats as an active and ongoing danger to the US government. Insider threats are grave concerns for private organizations as well. So IT teams need to take proactive steps to prevent insider threats and safeguard the institution’s data assets.