It’s an uncomfortable topic, but the truth is that employees present one of the most serious information security threats for every organization.
This is largely a question of opportunity: insiders have already breached the perimeter by virtue of their roles. The harder question is why. Why would a person risk his or her job, reputation and even criminal prosecution to attack an employer? This article explores that question as well as what can be done about insider attack risk.
Insider Attacks: Not New, But Now More Serious
Insider attacks predate the computer age. For instance, we can learn a lot about defending against rogue insiders from the (analog) theft of the atomic bomb design by Soviet spies Klaus Fuchs and David Greenglass during World War II. Their attack anticipated the more recent insider security breaches of Edward Snowden and Bradley (Chelsea) Manning. All four men took advantage of privileged roles to steal secret data. The difference is that Fuchs and Greenglass were limited by the amount of paper they could stuff in their pockets. In this age of networks and flash drives, there are no such restrictions.
A Source of Increasing Worry
The 2015 Vormetric Insider Threat Report indicated that 92% of IT leaders worry that their organizations are somewhat vulnerable to insider threats; 49% said they felt very or extremely vulnerable. In a related survey, 55% of Defense Department IT professionals said that careless, untrained insiders are the greatest source of security threats. The threat level appears to be rising, too: 62% of the IT professionals surveyed for the Insider Threat: Spotlight Report see an increase in insider threats to their organizations.
Who is a Threat?
Industry research suggests three basic types of insider threats:
- Intentional actors – These are people who deliberately mount insider attacks for malicious reasons.
- Unintentional actors – People whose negligent acts, such as sharing passwords or forgetting to patch a security vulnerability, expose the organization.
- Compromised insiders – System users whose access rights have been stolen by someone else, often without the insider’s knowledge.
The three attacker types overlap. An intentional insider attacker will likely be on the lookout for unintentional actors. And yesterday’s unintentional insider actor is today’s compromised insider.
What is Motivating Insider Attackers?
No one wants to think of co-workers as spies or thieves. And, of course, most aren’t. However, it only takes one bad apple to mount a devastating attack. The most common reasons include:
- Greed – Insiders may try to defraud their employers by circumventing internal controls or stealing digital assets like data or intellectual property.
- Revenge – Also known as “emotional attacks,” a disgruntled or recently terminated employee may lash out at the company with an inside attack. For example, InfoSec Institute described a logic bomb planted at Fannie Mae by an employee who had been terminated but retained network access credentials for several hours afterward.
- Political activism – Sometimes called “hacktivism,” this involves employees attacking IT resources to make a political statement or embarrass the company by publicizing sensitive information. Both the Snowden and Manning episodes fall into this category.
- Espionage – On rare occasions, employees may actually be “plants” from competitors or cyber crime outfits. They are looking for intellectual property or paths to fraud that can benefit their real employers.
How Insiders Attack
Attack methods vary, but the misuse of privileged access represents the greatest insider risk.
The Insider Threat: Spotlight Report found that 59% of respondents felt that privileged users presented the biggest insider threat. Privileged users have back-end, administrative access to IT resources. They can modify configurations and create user accounts. It’s not surprising that they can inflict the most insider damage.
How do insiders get privileged access? In some cases, they already have it by virtue of their positions. Often, though, they have to steal it. They exploit wrong assumptions about people and rules, and maneuver through others’ blind spots with the usual social engineering. For instance, Jerome Kerviel, who caused a $7.2 billion trading loss at the French bank Société Générale, was able to hide his activities using his managers’ passwords, according to the Wall Street Journal. How did he get away with it? For one thing, controls at the bank were sufficiently lax that privileged account passwords were not updated regularly. Perhaps even more importantly, few evidently thought that Kerviel was capable of such activities, so they ignored him.
The atomic spy story is also instructive in this regard. According to The Los Angeles Times, David Greenglass gleaned information about the atomic bomb through “eavesdropping and casual conversations with scientists, who considered him ‘too stupid and too outspoken to be a spy.’” Security was lax enough for Greenglass to slip a detonator into his pocket and walk off – an act that changed the course of history.
Similarly, Edward Snowden allegedly asked for and received passwords to top secret systems from his NSA colleagues. It’s a bit hard to believe, but a number of employees at one of the most security-conscious agencies in the world violated the most basic rule of infosec: don’t share your password. Steven Aftergood, a secrecy expert with the Federation of American Scientists, commented on this problem to Reuters, saying, "In the classified world, there is a sharp distinction between insiders and outsiders. If you've been cleared and especially if you've been polygraphed, you're an insider and you are presumed to be trustworthy.”
How Do You Mitigate the Insider Attack Risk?
Stopping insiders from abusing privileged access requires understanding disloyalty. Only a person disloyal to the organization at risk would undertake an insider attack out of greed, political passions or a desire for revenge. The problem is that a subjective emotional quality like disloyalty, which people almost never admit to colleagues, is nearly impossible to detect.
Insider attack risk can still be mitigated, even if the challenge of identifying potentially disloyal employees seems insurmountable. It takes controls, which tend to be lacking. The Insider Threat: Spotlight Report revealed that fewer than 50% of organizations have appropriate controls in place to mitigate insider risk. So, there’s clearly work to do. In general, there are three ways to build controls that mitigate insider attack risk:
- Deterrence – Preventing insider attacks means erecting barriers to misuse of privileged access. This sounds simple. It’s not. Reasons include complexity of systems, their interdependence and the multiple people who are involved in managing security countermeasures.
- Detection – It is possible to detect insider attacks if you know what to look for. The difficulty is that disloyalty often takes place in tiny, hard-to-spot moves like pocketing a thumb drive.
- Analysis – Using analytics tools to examine server access logs and the like may reveal insider attacks. Again, the subjective motivations of attackers, combined with weak controls, may render analysis too little, too late.
Given how difficult it can be to predict or spot an insider attack, deterrence is the best defense. You still need detection and analysis, but it is unwise to rely on them. The objective should be to make it as hard as possible to launch the attack. Then, if an attack is attempted, detection and analysis can determine who did it and what weaknesses they were trying to exploit.
Privileged Access Management (PAM), a Defense against Insider Threats
Deterring, detecting and analyzing insider threats in a complex IT environment presents considerable challenges. A Privileged Access Management (PAM) solution offers a secure, streamlined way to execute the necessary countermeasures. PAM authorizes and monitors all privileged users for all relevant systems. It is a deterrent to insider attacks. Privileged session monitoring capabilities also provide detection and analysis of insider attacks. PAM lets you:
- Grant privileges to users only for systems on which they are authorized.
- Grant access only when it’s needed and revoke access when the need expires.
- Monitor and forbid certain actions in real time.
- Eliminate the need for privileged users to hold local or direct system passwords.
- Centrally and quickly manage access over a disparate set of heterogeneous systems.
- Create an unalterable audit trail for any privileged operation.
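To make the controls in this list concrete, here is an added example (not the article's or any vendor's code) of a toy privileged-access broker in Python: it scopes grants to authorized systems, expires them after a time-to-live, blocks a denylisted action, and keeps a hash-chained audit trail whose head hash, stored out of band, exposes edits or truncation. The user names, system names and denylist are constructed sample data.

```python
import hashlib
import json

# Constructed sample data (hypothetical): which users may ever be elevated on which systems.
AUTHORIZED = {"alice": {"db-prod"}, "bob": {"web-01", "web-02"}}
GENESIS = "0" * 64  # starting link of the hash chain

def _digest(entry):
    # Hash the entry's fields (excluding its own hash) in a canonical order.
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class PamBroker:
    def __init__(self):
        self.grants = {}      # (user, system) -> expiry time of a just-in-time grant
        self.audit = []       # append-only, hash-chained log of privileged operations
        self._head = GENESIS  # hash of the latest entry; keep a copy out of band

    def _log(self, **event):
        entry = {"prev": self._head, **event}
        entry["hash"] = _digest(entry)
        self.audit.append(entry)
        self._head = entry["hash"]

    def head(self):
        return self._head

    def request_access(self, user, system, now, ttl):
        # Grant only on systems the user is authorized for, and only for ttl seconds.
        ok = system in AUTHORIZED.get(user, set())
        self._log(action="request", user=user, system=system, time=now, granted=ok)
        if ok:
            self.grants[(user, system)] = now + ttl
        return ok

    def run(self, user, system, cmd, now, forbidden=("rm -rf",)):
        # A command passes only inside an unexpired grant and if it is not on the denylist.
        expiry = self.grants.get((user, system), 0)
        allowed = now < expiry and not any(f in cmd for f in forbidden)
        self._log(action="run", user=user, system=system, cmd=cmd, time=now, allowed=allowed)
        return allowed

def verify_chain(audit, head):
    # Recompute every link; a modified, reordered, or truncated log fails.
    prev = GENESIS
    for entry in audit:
        if entry["prev"] != prev or _digest(entry) != entry["hash"]:
            return False
        prev = entry["hash"]
    return prev == head
```

A real PAM product enforces the denylist through a session proxy rather than substring matching, and anchors the head hash in a store the privileged users cannot write to.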