Insider Threats - What Do You Need To Know?
This post is adapted (by which I mean stolen wholesale) from a piece posted by a member of the Keysight security team, Lawrence Fu, originally targeting an internal audience. We thought that it was applicable here as well, so here you go:
We often think of cyber threats as coming from an anonymous criminal, hundreds of miles away behind a computer screen. However, current and former employees who have intimate and valuable knowledge of a company are also capable of committing a cybercrime. An insider threat occurs when a current or former employee, contractor, or business partner who has or had authorized access to an organization's network, systems, or data intentionally misuses that access to commit a cybercrime.
Recognizing and Reporting Insider Threats
- Data theft requires access to the data
- Data access is either obtained by outside attackers using compromised credentials to masquerade as insiders, or is already held by (or granted through) an insider
- An Insider can be an employee, contractor, partner, or vendor who has access to corporate data and systems
Behavioral Indicators of Malicious Insiders
A good way to prevent an insider threat is to learn to recognize some common behavioral indicators. The US Computer Emergency Readiness Team (US-CERT) has identified the following as behavioral indicators of malicious insider activity:
- Remotely accesses the network while on vacation, when sick, or at odd times during the day
- Works odd hours without authorization
- Unnecessarily copies material, especially if it is proprietary or classified
- Expresses interest in matters outside the scope of their duties
- Shows signs of drug or alcohol abuse, financial difficulties, gambling, illegal activities, poor mental health, or hostile behavior
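The first three indicators above (remote access while on leave, odd hours, unnecessary copying) are the ones that show up in logs rather than in a manager's conversation, so they are the ones a detection team can actually write rules for. The following is an added example, not code from the original post or from Keysight: it runs those three checks over a constructed sample of VPN-login and file-copy audit events. The log format, the HR leave calendar, the business hours and the 1 GB copy threshold are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log (not from any real system). Assumed format:
#   <ISO timestamp> <event> user=<id> [bytes=<n>]
SAMPLE_LOG = """\
2024-03-04T09:12:03 vpn_login user=alice
2024-03-04T10:02:00 file_copy user=alice bytes=1200000
2024-03-04T02:47:10 vpn_login user=bob
2024-03-04T03:01:44 file_copy user=bob bytes=950000000
2024-03-06T10:15:00 vpn_login user=carol
2024-03-06T10:20:00 file_copy user=carol bytes=4000000
2024-03-06T11:00:00 file_copy user=carol bytes=3500000000
2024-03-05T13:00:00 file_copy user=dave bytes=400000000
2024-03-05T14:00:00 file_copy user=dave bytes=400000000
2024-03-05T15:00:00 file_copy user=dave bytes=400000000
"""

# Assumed HR feed: user -> ISO dates on which they were on vacation or sick.
ON_LEAVE = {"carol": {"2024-03-06"}}

WORK_START, WORK_END = time(7, 0), time(19, 0)  # assumed business hours
BULK_COPY_BYTES = 1_000_000_000                  # assumed: 1 GB per event or per day


def parse_line(line):
    """Parse one log line of the assumed format into a dict."""
    ts, event, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return {
        "ts": datetime.fromisoformat(ts),
        "event": event,
        "user": fields["user"],
        "bytes": int(fields.get("bytes", 0)),
    }


def off_hours(ts):
    """True when the timestamp falls outside the assumed business hours."""
    return not (WORK_START <= ts.time() <= WORK_END)


def event_indicators(ev, on_leave):
    """Indicator names that apply to a single event."""
    tags = []
    day = ev["ts"].date().isoformat()
    if day in on_leave.get(ev["user"], set()):
        tags.append("activity while on leave")
    if off_hours(ev["ts"]):
        tags.append("activity at odd hours")
    if ev["event"] == "file_copy" and ev["bytes"] >= BULK_COPY_BYTES:
        tags.append("bulk file copy")
    return tags


def find_indicators(log_text, on_leave=ON_LEAVE):
    """Return {user: sorted indicator names} over the whole log.

    Per-event checks catch the obvious cases. The per-user daily copy total
    catches many small copies that individually stay under the threshold.
    """
    flagged = defaultdict(set)
    daily_copied = defaultdict(int)  # (user, day) -> bytes copied that day
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        flagged[ev["user"]].update(event_indicators(ev, on_leave))
        if ev["event"] == "file_copy":
            day = ev["ts"].date().isoformat()
            daily_copied[(ev["user"], day)] += ev["bytes"]
    for (user, _day), total in daily_copied.items():
        if total >= BULK_COPY_BYTES:
            flagged[user].add("bulk daily copy volume")
    return {user: sorted(tags) for user, tags in flagged.items() if tags}


if __name__ == "__main__":
    for user, tags in sorted(find_indicators(SAMPLE_LOG).items()):
        print(f"{user}: {', '.join(tags)}")
```

On the sample, alice is clean, bob is flagged only for odd-hours activity, carol is flagged for working while on leave and for a single 3.5 GB copy, and dave is flagged only by the daily aggregate, since each of his three copies is under the threshold. These are indicators, not evidence: on-call staff log in at odd hours and backups copy a lot of data, so in practice the leave calendar and thresholds need to come from HR and a per-role baseline, and a hit should open a review, not an accusation.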
Common Motivations and Intentions of Malicious Insiders
- Financial Distress: insider may seek quick monetary gain to address financial problems
- Disgruntled: angry employee seeks retribution for perceived wrong
- Entitlement: employee believes they are entitled to access to sensitive information and intellectual property
- Layoffs: employee may seek to retaliate in response to layoff
- Ideology: political or religious beliefs may motivate malicious action
- Outside Influence: organized crime or state-sponsored actors can recruit insiders
It is pretty common to picture some far away hacker in a dark basement, staring at a glowing screen and riding zero-days into your network. Sure, these things happen, but an insider can be an even greater threat: they usually don't need any great feats of hacking, because they are already in. So when you are building your security framework with defense in depth in mind, don't forget to start at the beginning - your own camp.