Historically, cybersecurity has been constructed to mitigate external risks. Solutions such as antivirus software, intrusion detection systems and network monitoring tools all primarily screen for malicious activity that originates with cybercriminals. Certainly, this approach has its merits, given the proliferation of sophisticated botnets, cyberattacks and cybercrime-as-a-service business models that have put enterprise networks under increasing pressure from the outside.
For example, DDoS attacks had a banner month this June, temporarily taking down major consumer-facing services including Feedly and Evernote. Recent threats such as CryptoLocker have also upped the ante by combining ransomware with strong encryption. In the current security environment, enterprises have much to account for, but not all risk comes from professional hackers equipped with cutting-edge malware.
The insider threat: Employees, contractors and associates can put organizations in harm's way
The "insider threat" has quickly become one of the top buzzwords in cybersecurity, but what does it mean? Most of the time, it refers to individuals who either intentionally or accidentally put a firm's security in jeopardy, through actions such as:
- Stealing intellectual property from business partners for personal gain.
- Misusing legitimate privileged access to sensitive systems and data.
- Utilizing porous consumer cloud services and personal Web accounts on company endpoints.
- Choosing weak passwords and leaking personal information that can fuel social engineering schemes.
- Deleting, corrupting or subtly modifying data to cause financial damage.
While the insider threat typically connotes malicious intent, it can just as easily have roots in employee neglect as well as failure to adhere to established network security practices. Verizon's 2014 Data Breach Investigations Report outlined the variety of ways in which internal threats may bubble to the surface, ranging from disgruntled workers pilfering data on their ways out to carelessness with email and unapproved technical workarounds.
Overall, Verizon ranked privilege abuse as far and away the top manifestation of such risk, with it having factored into 88 percent of 153 incidents of insider misuse. In practice, this category of action often entails taking advantage of access to corporate LAN, physical assets and remote sites, or simply leaving any of them exposed to external attackers.
"Accidental insiders": Who they are and why enterprises should be aware of them
The risk of individuals unwittingly opening up and exacerbating vulnerabilities is hard to overstate. Back in 2012, Trend Micro vice president Tom Kellerman contributed to a panel discussion of such "accidental insiders" on Federal News Radio. He pointed to how Web attacks and drive-by downloads could compromise the resources upon which IT depends, turning trusted staff into accidental insiders who don't realize that they are jeopardizing cybersecurity at large.
Phenomena such as bring-your-own-device have also created new attack surfaces. Plus, inconsistent implementation of mechanisms such as two-factor authentication on privileged accounts makes them ever more enticing targets for cybercriminals.
"Even a well-intentioned, seasoned, privileged user with wide access to a network poses great risks because they are high-value targets to corporate 'hacktivists' and persistent adversaries eager to penetrate a company's defenses," observed Jack Harrington, vice president at Raytheon Intelligence Information and Services, about a recent Ponemon Institute report on the insider threat, underwritten by his firm.
To curb this broad set of risks, U.S. Presidential Executive Order 13587 from October 2011 stipulated that every federal agency and systems integrator implement measures for containing insider threats by the end of 2013, citing the importance of "deterring, detecting, and mitigating insider threats, including the safeguarding of classified information from exploitation, compromise or other unauthorized disclosure."
Accordingly, many organizations are now tasked not only with detecting and fending off malicious attacks from many potential internal and external vectors, but also with accounting for possibilities such as data leakage via email or employees being unaware of social engineering and phishing. Still, many of them continue to leave soft spots in their security apparatuses.
The 2013 edition of the Verizon Data Breach Investigations Report estimated that 48 percent of data breaches were facilitated by errors, such as stakeholders being unfamiliar with proper protocols. With firms now so reliant on complex partnerships with other enterprises and contractors, it can be easy for process details to get lost along the way.
Small and midsize businesses at heightened risk from insider threats
Insider threats, both malicious and accidental, cause headaches for organizations of all sizes. Much of the time, incidents slip by security solutions and are only flagged by other employees – Verizon found that more than half of 122 insider misuse incidents it examined were discovered through such internal signals.
The CERT Insider Threat Center at Carnegie Mellon University recently issued its 2014 State of U.S. Cybercrime Survey and discovered similar issues in detecting, prosecuting and addressing internal risks. The survey of 557 firms – 43 percent with 500 or fewer employees – revealed that:
- Insiders were behind almost one-third of the respondents' reported security incidents; thirty-seven percent of the surveyed companies had experienced cybercrime issues in 2013.
- Nearly half (46 percent) stated that insider threats had been more damaging than external attacks.
- More than 80 percent of intrusions involved theft of sensitive data, with similar figures for confidential records and customer information.
- Thirty-seven percent of organizations could not identify who was at fault in insider-initiated cybercrime.
- Overall, three-fourths of inside incidents were not reported to law enforcement.
Dealing with the insider threat is undoubtedly difficult, since it can take many forms and often involves individuals with deep working knowledge of critical IT systems. Sabotage, data theft and sloppiness can all compromise an enterprise's security posture, whether the persons in question intended to do harm or not.
In a presentation at the 2013 Black Hat conference, Patrick Reidy of the U.S. Federal Bureau of Investigation argued that many existing approaches to cybersecurity do not adequately take on the insider threat. The underlying issue, he posited, may be the misguided notion that insiders are synonymous with hackers and as such have similar skillsets and motives, when in reality they likely joined their organizations with no malicious intent.
How can enterprises deal with insiders? We'll look at that in the second part of this series, focusing on procedural and technical mitigation techniques for the insider threat.