Insider Threat--Does it really affect my organization?

A guest post by Randy Holloway
Solutions Architect, ArcSight

 

At this point, you may be asking yourself, "Ok, I don’t even know what insider threat is all about. So, how will I know how to look for it and what to expect?"  CERT at Carnegie Mellon University defines an insider threat (they use the term malicious insider) as, “A malicious insider is a current or former employee, contractor, or other business partner who has or had authorized access to an organization’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.”  

It doesn't matter if you only have ten employees; you will be affected at some point. You need to think like an insider who intends to do harm to your organization. What would provide them with the greatest gain? Why would they even consider doing this to your company? Do you have anything of value that they might want to take with them to another company, such as intellectual property that a competitor would love to get their hands on to steal market share or maybe even put you out of business? To make things worse, if you are a government contractor and this person has access to classified information, they could leak it to the public. That would not only have the potential for a major impact on your business, it could land you behind bars.

 

We are all human, and we often focus most of our attention on the immediate things we can see while losing sight of things that are less obvious. Take an everyday task such as driving down the road. If there is an accident five miles ahead of us, chances are we will only know about it if we have the tools available to make us aware of it. We may look at our GPS to see if it reports extremely slow traffic or even warns us of an accident ahead. We may notice the road signage telling us about the accident, or we may just be sitting in bumper-to-bumper traffic that prompts us to turn on the radio to find out why we are being held up from reaching our final destination.

Insider threat works the same way: we have to use the appropriate tools and pay attention to our surroundings to know when we are at risk of being attacked. We use security monitoring tools to review events flowing through our networks and look for deviations from normal activity. This could be excessive printing by someone who normally prints only once or twice a week. It could also be someone printing out an entire file of classified information when we know this is not the norm for that person's regular job requirements.
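The two printing indicators above (a volume that breaks the user's own baseline, and a classified document printed by someone whose role does not call for it) are exactly the kind of rule a monitoring tool evaluates. The following script is an added example written for this post, not ArcSight's or HP's own code. The print-server log format, the classification markings, the user-to-role mapping, and the sample log lines are all constructed for illustration; a real deployment would take these from the print spooler's audit log and the HR/IAM system.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed print-server audit lines (not real data). The one-line-per-job
# format "timestamp user=<id> pages=<n> doc=<title>" is an assumption.
SAMPLE_LOG = """\
2013-04-01T09:02:11 user=jdoe pages=3 doc=expense_report.xlsx
2013-04-08T10:15:42 user=jdoe pages=2 doc=travel_itinerary.pdf
2013-04-15T11:01:05 user=jdoe pages=4 doc=q1_summary.docx
2013-04-22T14:20:30 user=jdoe pages=2 doc=meeting_notes.docx
2013-04-29T08:45:12 user=jdoe pages=3 doc=status.docx
2013-05-06T17:55:01 user=jdoe pages=310 doc=customer_list_FULL.xlsx
2013-04-01T09:30:00 user=asmith pages=120 doc=contract_v1.pdf
2013-04-03T13:10:00 user=asmith pages=95 doc=contract_v2.pdf
2013-04-10T09:05:00 user=asmith pages=140 doc=proposal.pdf
2013-04-17T16:40:00 user=asmith pages=110 doc=proposal_final.pdf
2013-04-24T10:20:00 user=asmith pages=130 doc=sow.pdf
2013-05-06T11:00:00 user=asmith pages=125 doc=contract_v3.pdf
2013-05-06T18:12:44 user=asmith pages=40 doc=SECRET_program_overview.pdf
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) pages=(?P<pages>\d+) doc=(?P<doc>\S+)$")
# Hypothetical classification markings found in document titles.
MARKING_RE = re.compile(r"(SECRET|CLASSIFIED|CONFIDENTIAL)", re.IGNORECASE)
# Hypothetical role mapping and the roles whose job involves marked material.
ROLES = {"jdoe": "finance", "asmith": "legal", "kli": "security"}
CLEARED_ROLES = {"security"}


def parse(log_text):
    """Turn raw audit lines into events; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
                       "pages": int(m["pages"]), "doc": m["doc"]})
    return events


def build_baselines(events, cutoff):
    """Per-user page threshold = mean + 3*stdev over jobs before the cutoff."""
    history = defaultdict(list)
    for e in events:
        if e["ts"] < cutoff:
            history[e["user"]].append(e["pages"])
    baselines = {}
    for user, pages in history.items():
        if len(pages) < 3:
            continue  # too little history to derive a meaningful threshold
        sd = statistics.stdev(pages)
        # Floor the deviation so a perfectly flat history still gives a sane threshold.
        baselines[user] = statistics.mean(pages) + 3 * max(sd, 1.0)
    return baselines


def detect(log_text, cutoff):
    """Return (user, timestamp, reason) alerts for jobs on or after the cutoff."""
    events = parse(log_text)
    baselines = build_baselines(events, cutoff)
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["ts"] < cutoff:
            continue
        user, when = e["user"], e["ts"].isoformat()
        # Rule 1: volume far outside this user's own normal printing.
        if user not in baselines:
            alerts.append((user, when, "no baseline for user; review manually"))
        elif e["pages"] > baselines[user]:
            alerts.append((user, when, "volume: %d pages vs threshold %.1f"
                           % (e["pages"], baselines[user])))
        # Rule 2: marked document printed by a role that does not handle such material.
        if MARKING_RE.search(e["doc"]) and ROLES.get(user) not in CLEARED_ROLES:
            alerts.append((user, when, "marked document %s printed by role %s"
                           % (e["doc"], ROLES.get(user, "unknown"))))
    return alerts


def run_sample():
    """Baseline on April, evaluate May, using the constructed log above."""
    return detect(SAMPLE_LOG, datetime(2013, 5, 1))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Note what the baseline does and does not do: asmith's 125-page contract is not flagged because large jobs are normal for that user, while jdoe's 310-page customer list is, and asmith's 40-page marked document is caught by the role rule rather than by volume. A user with no history is surfaced for manual review instead of silently passing, which is the failure mode to watch for with new hires and contractors.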

It's also important to understand and watch for abnormal human behavior. Think about what roles this person has and whether they involve access to important information that could cause damage if released to the wrong people. Other things to watch for include regular changes in mood, odd behavior that doesn't fit the profile for a given person, excessive complaining about their job, and increased complaints about problems outside of work, along with many other possible behavioral issues.

There are plenty of examples of damage caused by insiders. All of them had a major impact on the organization they attacked. To name a few:

  • Bradley Manning (*Source: wikipedia.com)
    • US Army intelligence analyst from 2007 – 2010
    • Alias: bradass87
    • Disclosed classified information to the whistleblower website WikiLeaks
    • Disclosure window: 2009 – 2010
    • Motives
      • Disgruntled
      • Arrogance
      • Philosophical beliefs
  • Robert Hanssen (*Source: wikipedia.com)
    • FBI Special Agent from 1976 – 2001
    • Alias: Ramon Garcia
    • Spied for the Soviet Union / Russia from 1979 – 2001
    • Motives
      • Greed (received a less-than-expected bonus check)
      • Arrogance
  • Roger Duronio (*Source: informationweek.com, theregister.co.uk, blackhat.com)
    • Systems administrator for UBS PaineWebber
    • Worked for UBS from 1999 – 2002
    • Planted a logic bomb that crashed 2,000 servers, left 17,000 brokers unable to make trades and cost $3.1M to fix
    • Convicted and sentenced to 97 months in prison
    • Resigned on 2/22/2002; the bomb went off on 3/4/2002
    • Purchased almost $22k in PUT options (he makes money if the stock loses value)
    • No background check when hired, despite numerous priors

Bottom line: sticking your head in the sand and hoping that insider threat will just go away will do nothing except make matters worse. Take the time to understand what insider threat is really about and how it will affect your organization. Then start taking action to deter such activity within your company. It's easy to say you will prevent it. Still, let's be honest: focus first on deterring it, and then, when you go to detect what is actually taking place, use the right combination of people and InfoSec tools to minimize the impact it could have on your organization.

The opinions expressed above are the personal opinions of the authors, not of HP.