Insider Threats: Roots and Remediation

Insider Threats: Roots and Remediation

Charles Parker, II

In 2015, nearly half of the federal agencies responding to a survey indicated they have been a target of insider threats. 20% of the respondents noted they had lost data due to this. Insider threats continue to be in the news with varying levels of intensity and depth. This has encapsulated the minor cases up to national, confidential data and information being stolen. In less exciting and more commonly experienced forms, there may be sales representatives leaving with customer data and lists, mechanical engineers leaving with intellectual property, IT engineers copying confidential algorithms, receptionist telling someone from “IT” over the phone private information regarding the business technology, and other forms. The insider threat can be from anywhere, anytime.

Vulnerabilities

A very general definition of a vulnerability is an area that may be attacked with less effort than others. These are sought by the deviants. These may be the low-hanging fruit that does not take a large amount of effort. Insider threats may be in this area, depending on the environment. For the insider threats, these may be intentional or unintentional.

Unintentional

Unintentional issues are the insider threats that are not malicious or done on purpose. This may be an accident or simple oversight. This may be the staff member accidentally emailing a file. The employee may attach a file they believe is mundane, while it actually is a payroll file or sent to the incorrect party due to the autofill function in the email. This occurs without a malicious intent and may be caused by stress, lack of time, or simply not paying attention. The user may lose their laptop or USB. This is a potential nightmare. With the mass amount of storage available, these could easily contain a company’s complete set of subnet addresses, personnel records, or medical records. IF these records would have been encrypted, the risk level and potential issues would be much lower. With any sensitive data, a lack of encryption is problematic.

Malicious

The malicious insider is more of a concern. Here the user has an issue with the business and intends on leveraging their knowledge or access to data. The end result is a significant issue for the business. This has been openly publicized with the SysAdmin on the west coast shutting down the network when he found out he was about to be fired. This may also be the prior staff member exfiltrating intellectual property or network info to a group of hacktivists.

Defenses

All is not lost. There are many options available to the business to defend against this threat. These however require management’s overt, direct support. The access to sensitive data should be limited. The users should have access to data required for their position. They should not have access that is not needed. What happened in the past was there would be a template for AD for new employees or an entire work group. This would simply be applied to all of the new employees without reviewing what their duties would be and applying access based on this.

The data and information should be encrypted while at rest and in transit. When confidential, sensitive data is involved, it needs to be encrypted at the appropriate level. When the data is encrypted, if it were to be exfiltrated and the user did not have the key, the circumstance would be less problematic. Due to time constraints, with a robust encryption it would take a computer process the file a few human lifetimes to decrypt the file.

There are protocols in place for a reason. One of these involves users that have ceased their employment, either voluntarily or not so voluntarily. There should be a protocol and template to follow. Certain people don’t want yet another checklist. This is important though as it endeavors to ensure everything that needs to be done is. This also allows the process to be updated or reviewed on a regular basis.

Log management is also important. The logs document the user’s activities while at the business. There may be certain activities that show the user is not acting appropriately and are an anomaly, e.g. downloading a mass amount of data. These could certainly mean nothing or could be indicative of the user is getting ready to leave.

About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.