

The High Cost of Malicious Exploitation of Information and Information Systems by Insiders: Battling the Rise of the Insider Threat

“I trust everyone, it is the devil inside that I do not trust,” is a great line from the movie The Italian Job when discussing issues like insider threat.

Everyone has the potential to do harm, including trusted employees. The insider threat to critical information systems is widely viewed as being of the greatest concern in corporate governance today. Global studies reveal that current or former employees and contractors are the second greatest threat to information security, exceeded only by hackers, and that the number of security incidents has increased geometrically in recent years.

In most cases of security breaches today, one can borrow a phrase from the former comic strip character, Pogo, who said “We have met the enemy, and he is us.” Nobody wants to believe the truth, but corporate espionage and data leakage via the insider threat are causing huge problems. Many companies either do not have the proper monitoring mechanisms to realize that it is happening to them or do not want to admit it. For some reason, with many cybercrimes, including insider threat, victims feel embarrassed and ashamed. They are the victims, they did nothing wrong, but for some reason these criminals turn the tables on who is at fault.

People do not like to hear it and employers do not like to admit it, but the biggest threat to a company is their internal employees. Your employees or anyone with special access (like a contractor, temporary worker or partner) have more access than an outsider and therefore can cause a lot more damage. However, most organizations and media still focus on the external threat and pay little attention to the insider threat. This is because the external threat is easier to see and easier to defend against. If an external attacker defaces a web site, it is easy to detect and defend against. It is also difficult to deny because everyone can tell that it happened. However, if an employee makes copies of all of the customer financial history or the organization’s intellectual property and walks out with it on a USB drive that fits in his or her wallet, it is very difficult to detect and defend against.

Inside threats are by some accounts the most difficult security threats to resolve, because identifying the motives of those behind interior threats can present particular challenges to organizations. Some individuals deliberately try to access proprietary data, while others inadvertently access and even unintentionally distribute sensitive information. This inherently limits the role of technical counter-measures.

What motivates the insider?

The typical insider attempts to force some sort of undesirable consequence within an enterprise in order to advance one of the following goals:

  • Profit – Some party is paying the adversary to disrupt the target. 
  • Provoke change - The adversary is attempting to motivate some change in the organization. This could include invoking some sort of policy change or even blackmail.
  • Subversion – The adversary may be trying to subvert the mission of the target organization.
  • Personal motive – The adversary may be trying to exact some sort of revenge against the enterprise. The Insider may also be trying to demonstrate their prowess in controlling some portion of the enterprise.

Who are the malicious insiders?

 The malicious Insider has access, knowledge, privileges and skills. The Insider has unfettered access to some part or parts of the system. The Insider has extensive knowledge of both the system and the target. The Insider should have no problem getting the privileges they need to mount an attack. The knowledgeable Insider has the skills to mount a credible attack.

If a competitor or similar entity wants to cause damage to your organization, steal critical secrets, or put you out of business, they just have to find a job opening, prep someone to ace the interview, have that person get hired, and they are in. The fact that it is that easy should scare you.

Risk of betrayal of trust does not depend upon the presence of an implacable foreign adversary. It depends only upon an insider with the opportunity to betray, some combination of character weaknesses and situational stresses, and a trigger that sets the betrayal in motion. Common weaknesses include an arrogant attitude that the rules apply only to others, greed, impulsiveness, narcissism, feelings of entitlement, vindictiveness, alienation, paranoia, naiveté, and sensation-seeking.

Who would mount an Insider attack?

Unauthorised and malicious users are described as individuals within an organisation that mask their identity, their behaviour, or both, for the purpose of compromising the security of the database.

Authorised and intelligent users are described as privileged internal employees that use IT resources appropriately and in accordance with the defined security policies of an organisation.

Authorised and dangerous users are described as privileged internal employees that make unintentional mistakes that appear as malicious or fraudulent and compromise the defined security policies of an organisation.

Malicious Activities committed by insiders

The insider threat is manifested when human behavior departs from compliance with established policies, regardless of whether it results from malice or a disregard for security policies. The types of crimes and abuse associated with insider threats are significant; the most serious include espionage, theft, sabotage, embezzlement, extortion, bribery, and corruption. Malicious activities include an even broader range of exploits, such as copyright violations, negligent use of classified data, fraud, unauthorized access to sensitive information, and illicit communications with unauthorized recipients.

Identity Theft – An employee accesses and steals customers’ information.

Confidential Data Theft – A user browses database records and copies them onto a USB drive or e-mails them to his personal address.

Phishing – An attacker creates a valid-looking, but malicious web page to convince users to enter a password or personal data.

Unauthorized Access – An application developer connects from his desktop using a generic ID.

Data Destruction – An employee accesses a confidential database and destroys valuable company intellectual property.

Financial Fraud – An employee changes his salary, intentionally creates an unauthorized PO, or issues a fraudulent check.

Social Engineering Attack – An attacker fools the help desk into giving him a colleague’s or system administrator’s password.

Inappropriate Activity – Circumventing Security Policies

Inappropriate Data Access – A user connects to a database using Excel or a similar application and takes work home.

Privilege Abuse – A user runs an unauthorized command against company policy.

Hacking Attempts – Gaining Access to Unauthorized Systems

SQL Injection – An attacker tries to manipulate the form fields in the web application to make the application retrieve unintended data.

Denial of Service – A worm or script creates numerous connections and prevents legitimate connections.

Software Attacks – A user exploits a vulnerability in an application.

Brute Force Password Attack or Penetration Attempt – An attacker tries to guess passwords manually or by using a brute force program.

Accidental Deletion or Sabotage – A user inadvertently has access to sensitive data and modifies or deletes it due to human error.

The above illicit activities could be committed by malicious insiders categorized as: traitor, zealot, browser, and well-intentioned. The traitor category includes persons who have a malevolent intent to damage, destroy, or sell out their organization. The zealot category involves an insider who believes strongly in the correctness of one position or feels the organization is not on the right side of a certain issue.

The browser category consists of persons who are overly curious in nature (often a violation of the need-to-know principle), while the well-intentioned insider commits violations through ignorance. Downloading shareware, disabling virus protection software, and using unapproved CDs can all provide the assistance a hacker needs to penetrate a system. The well-intentioned user can become the unwitting and unknowing associate.

 Strategies for Combating Inside Attacks

Wherever the attack vector comes from, organizations must change their security strategy. In the past, organizations have focused their security efforts on stopping external threats by deploying an array of security solutions, including firewalls, Intrusion Detection Systems/Intrusion Prevention Systems, antivirus software, Denial of Service prevention systems, secure router configurations, and vulnerability scanners. Now the challenge of risk management must shift to protecting customers and other valuable corporate data and applications at the core, compelling companies to address the explosion of threats that are now originating inside the organization. According to Gartner, a world-renowned research house, “more than 70 percent of unauthorized access to information systems is committed by employees, as are more than 95 percent of intrusions that result in significant financial losses.”

To effectively safeguard data, organizations need to identify and remediate threats from outside and inside the organization. Strategies for combating inside attacks are listed below:

1. Monitor internal activity and identify internal threats – Ensure data security by monitoring all access paths to sensitive corporate and customer data.

2. Perform inside threat and penetration forensics – Obtain continuous, real-time logging of all SQL and HTTP activity and monitor logins, logouts, failed login attempts as well as unauthorized access.

3. Be able to rapidly identify suspicious activities and recurring patterns of malicious activity – Identify activities such as questionable access to databases, devices, or applications, attempts to alter or delete database files, and installation of malicious software.

4. Obtain real-time, actionable information on inside threats – Track all requests and response activities of users and applications, capture login and other activity metrics, and provide policy-driven alerts.

5. Develop information security policy and create awareness across the organization.

6. Monitor database activity without impacting system performance – Employ a solution that can monitor database activity from a dedicated network appliance so that detailed traffic analysis and entire user sessions can be captured without any performance impact.

7. Obtain comprehensive reporting on security posture and suspicious activity – A comprehensive reporting solution can provide the entire security organization with timely, relevant information on insider risk levels and overall security posture.

8. Allow visibility into risk levels and activities – Utilize a product that features inside threat dashboards to allow all security stakeholders to easily track inside risk levels and activity, and assess the impact of insider incidents on business continuity.

9. Employ a cost-effective, easy-to-deploy, manageable security solution – Reduce the cost of risk management and compliance by utilizing predefined rules and reports, privacy friendly logging features, and encrypted, time-stamped files.
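
The monitoring and policy-driven alerting described in strategies 1 to 4 can be illustrated with a small rule evaluator over database audit records. This is an added example, not part of the original article or any SACfIS product; the record layout, account names, host names and thresholds are all assumptions constructed for illustration.

```python
from collections import Counter

# Assumed policy values for this example; a real deployment defines its own.
SENSITIVE = {"customers", "payroll"}
GENERIC_IDS = {"appuser"}              # shared application account
APP_SERVERS = {"app-01", "app-02"}     # only hosts allowed to use it
WRITERS = {"payroll": {"hr_admin"}, "customers": {"crm_svc"}}
BULK_ROWS = 1000                       # rows per read treated as bulk copying
MAX_FAILED = 3                         # consecutive failed logins before alert

# Constructed audit records: (time, user, host, action, table, rows)
AUDIT = [
    ("09:01", "jsmith", "ws-12", "LOGIN_OK", "-", 0),
    ("09:03", "jsmith", "ws-12", "SELECT", "customers", 25),
    ("09:10", "appuser", "app-01", "SELECT", "customers", 40),
    ("10:15", "appuser", "dev-ws-07", "LOGIN_OK", "-", 0),
    ("10:16", "appuser", "dev-ws-07", "SELECT", "customers", 58000),
    ("11:30", "mbrown", "ws-31", "LOGIN_FAIL", "-", 0),
    ("11:30", "mbrown", "ws-31", "LOGIN_FAIL", "-", 0),
    ("11:31", "mbrown", "ws-31", "LOGIN_FAIL", "-", 0),
    ("13:45", "jsmith", "ws-12", "UPDATE", "payroll", 1),
    ("14:00", "hr_admin", "ws-02", "UPDATE", "payroll", 3),
    ("16:20", "tlee", "ws-44", "DELETE", "customers", 900),
]

def evaluate(records):
    """Return a list of (time, user, rule) alerts for the policies above."""
    alerts, failed = [], Counter()
    for time, user, host, action, table, rows in records:
        if action == "LOGIN_FAIL":
            failed[user] += 1
            if failed[user] == MAX_FAILED:   # alert once, at the threshold
                alerts.append((time, user, "repeated-failed-login"))
        elif action == "LOGIN_OK":
            failed[user] = 0                 # a success resets the streak
        # Generic ID used from a desktop rather than an application server
        if user in GENERIC_IDS and host not in APP_SERVERS:
            alerts.append((time, user, "generic-id-off-server"))
        if table in SENSITIVE:
            if action == "SELECT" and rows >= BULK_ROWS:
                alerts.append((time, user, "bulk-read"))
            if action in {"UPDATE", "DELETE"} and user not in WRITERS[table]:
                alerts.append((time, user, "unauthorized-change"))
    return alerts

if __name__ == "__main__":
    for alert in evaluate(AUDIT):
        print(*alert)
```

The rules correspond to activities listed earlier: a generic ID used from a developer desktop, bulk browsing of customer records, repeated failed logins, and changes to payroll or customer data by accounts without that role.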

Yet despite the huge investment made in security technologies, data leakage and inappropriate user activity from inside the enterprise will become a more daunting and often more complex challenge coupled with the responsibilities of securing massive amounts of data, monitoring complex applications, and managing large numbers of users.

Organizations must incorporate information security governance as an integral part of IT governance and create awareness in order to reduce security risks due to human error, which is considered the weakest link in a robust corporate defense system.

Beza Belayneh is Chief Information Security Architect and Co-founder of the South African Centre for Information Security, based in Johannesburg, South Africa. He can be reached at beza[at]sacfis.co.za



August - SACfIS carried out a workshop on information security governance and insider threat management in Addis Ababa.

May 2010 - SACfIS CEO spoke at the 2nd Annual Kuwait ICT Security Forum in Kuwait City. He would present a keynote on Offensive information cyberwarfare for business and government agencies.

July 2009 - SACfIS to partner with a prominent South African security consulting company Telspace. Telspace is a leader in penetration testing, web application and wireless hacking.

May 2009 - SACfIS CEO speaks at the annual IT WEB security summit. Beza presented a framework on offensive defensive strategy for engaging in information warfare.

February 2009 - SACfIS CEO speaks at 3rd Network and Endpoint security summit in Nairobi.

October 2009 - SACfIS CEO speaks at 2nd IT Governance and Audit summit in Nairobi, Kenya. Mr. Belayneh presented on current web application threats and key measures that must be taken.

January 2009 - SACfIS CEO speaks on the need for ICT R & D capacity development in Brussels. He cited information security as a key area that requires support and strategic collaboration for increasing ICT uptake and trust in technology.





