In one plausible (albeit niche) interpretation of Joseph Conrad’s classic novella “Heart of Darkness,” protagonist Charles Marlow journeys into the dim depths of Africa only to find that the darkest thing there was brought in from outside. Namely, he finds the famous master of a remote trading post, Mr. Kurtz, devolved into a mentally ill dictator of the interior. The “civilization” that Marlow had come to find was, in fact, its own worst enemy.
At the heart of the darkest cyber security incidents, intentional or unintentional insider threats are often to blame. Whether malicious or just confused, internal forces are the sordid center of (as The Lion King’s Scar would put it) “the murkiest scams.”
Modern cyber security endeavors to protect important information with a “defense in depth” approach, which stacks up security measures like the layers of an onion (or an ogre), forcing external attackers to slip through a labyrinth of obstacles reminiscent of Indiana Jones. An insider threat bypasses all or most of these precautions. While the adventurous cyber archaeologist runs panting into the inner chamber of the jungle temple, shocked and sweaty after his ordeal, the insider threat is already there, holding the golden idol with a smirk on his face.
Insider threats are an acute danger to any company with information to protect. Employees must be given access to that information, because data nobody can use has no value; yet once the information is in employees’ hands or heads, it is both valuable and vulnerable. The tightly woven links of the company’s cyber chain mail become abruptly powerless when the dagger strikes from within. This article outlines insider threats, describes the main classifications in which they come, and (most importantly) gives guidance on how to protect oneself and one’s company from them.
Insider threats can be classified into two broad and distinct categories: intentional and unintentional. Even if the distinction seems obvious, it is a crucial line to draw. Many people (myself included) write off insider threats as a strange and horrible occurrence that only happens to “other people.”
This is because I only considered one side of the insider threat distinction mentioned above. The classic examples of disgruntled employees (such as the Tesla duo who leaked production secrets to a foreign media entity) bitterly sneaking into the server room with malware on a USB stick are few and far between. Such insiders are high in shock value but rare enough to be low on actual impact.
Before we go any further, I want to clarify what definitions we use for these two categories.
An intentional or malicious insider threat will be defined as the following:
A malicious insider threat may be either a current or former employee, contractor, or business partner who has or had authorized access to an organization's network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization's information or information systems.
An unintentional insider threat, which does not involve ill will, can be defined as follows:
A current or former employee, contractor, or business partner who has or had authorized access to an organization's network, system, or data and who, through action or inaction without malicious intent, causes harm or substantially increases the probability of severe future harm to the confidentiality, integrity, or availability of the organization's information or information systems.
These definitions divide threats along two axes: first, whether the threat is internal to the organization, and second, whether it involves malevolence. Malevolent insider threats are bad enough, but those that are not, while less sinister in appearance, can be more devastating in practice.
Fortunately (at the risk of getting ahead of myself), most insider threat defenses are effective regardless of the intention behind the threat.
Speaking of defenses, insider threats often take advantage of an innate weakness in many information technology systems: they have little internal visibility. For example, no matter how often people tell you to watch your back (or lick your elbow), you will likely fail. Most people cannot physically look at their back or touch their tongue to the tip of their elbow. In the same way, many systems have a blind spot when trying to look from the inside out.
According to a study from IBM, nearly 50% of companies considered a lack of visibility into their infrastructure a significant security risk for their information. One of the reasons for this is that the infrastructure in place to manage software, devices, and users functions as the “eyes” of the company. The eye does not watch itself; instead, no one is “watching the watchers.”
Whether intentional or unintentional, those with more privileged access to company resources are capable of causing more harm. Multiple security controls can be configured to combat these issues (such as least privilege enforced by a “privileged access management” solution). Still, there is often little incentive to do so, mainly because these solutions add greater perceived complexity to daily tasks. This prospect offends one of the most fundamental laws of human nature, akin to the Newtonian law of inertia: laziness. This constitutes another contributing reason for the lack of visibility into insider threats. The constant threats from external attackers feel like enough of a hassle to deal with without the added burden of looking inward as well.
However, this measure is necessary. According to a resource from the Cybersecurity and Infrastructure Security Agency (CISA), 46% of the most costly cyber-crimes resulted from an insider threat, while insiders were responsible for 28% of all electronic crimes. These numbers could be much higher when factoring in the difficulty with which many insider threat actions are detected.
We’ve discussed insiders being the threat, but they are also the solution or at least part of it. No cyber security team can put together an effective insider threat mitigation program without the help of their “insiders”: employees, management, and IT technicians.
The cyber team can configure an array of controls that make malicious action difficult for intentionally malevolent insiders and make it harder for well-meaning users to compromise their company’s security inadvertently. However, employees will ultimately retain considerable control over what they do with the company’s data: even the least privilege they need to do their jobs may still be enough privilege to do some damage.
That’s where employee training comes in, not only to course-correct the behavior of each employee but also to help each employee provide course correction and threat detection for other employees.
Cyber security teams can work directly with data collected by their automated systems. However, there are many signs of insider threats (such as increased stress, hostile behavior, or irresponsible copying of information), which are best noticed by other people on the inside rather than by a security system. According to CISA’s insider threat mitigation guide, the development of an employee into an insider threat is a process that includes tell-tale signs that a robust mitigation and training program can catch.
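As an added illustration of the “data collected by their automated systems” mentioned above (this is example code written for this article, not a tool from CISA or from the original page), the script below runs two simple insider-threat signals over a constructed file-access audit trail: a copy operation outside working hours, and a day whose data volume is far above the same user’s own prior baseline. The CSV-like log format, the user names, the working-hours window and the spike factor are all assumptions chosen for the example.

```python
"""Minimal insider-threat signals over a constructed audit log.

Added example for this article; the log format, users, thresholds and
working-hours window are assumptions, not taken from any real product.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample audit trail (hypothetical format: timestamp,user,action,path,bytes).
# "bob" behaves normally for four days, then copies large archives late at night.
SAMPLE_LOG = """\
2024-03-04T09:12:00,alice,read,/share/finance/q1.xlsx,240000
2024-03-04T10:03:00,alice,read,/share/finance/q2.xlsx,255000
2024-03-05T09:40:00,alice,read,/share/finance/budget.docx,120000
2024-03-06T11:20:00,alice,read,/share/finance/forecast.xlsx,300000
2024-03-07T14:05:00,alice,read,/share/finance/q3.xlsx,210000
2024-03-04T09:30:00,bob,read,/share/rnd/spec_v1.pdf,900000
2024-03-05T10:10:00,bob,read,/share/rnd/spec_v2.pdf,950000
2024-03-06T13:45:00,bob,read,/share/rnd/notes.txt,40000
2024-03-07T15:00:00,bob,read,/share/rnd/spec_v3.pdf,1000000
2024-03-08T23:15:00,bob,copy,/share/rnd/design_pack.zip,4800000000
2024-03-08T23:20:00,bob,copy,/share/rnd/customer_list.csv,350000000
"""

WORK_HOURS = range(7, 19)   # 07:00-18:59 counts as working hours (assumption)
SPIKE_FACTOR = 10.0         # flag a day above 10x the user's prior daily mean (assumption)
MIN_BASELINE_DAYS = 3       # need this many earlier days before judging a spike


def parse_log(text):
    """Turn the CSV-like text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path, nbytes = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "path": path,
            "bytes": int(nbytes),
        })
    return events


def daily_volume(events):
    """Sum bytes per user per calendar day."""
    vol = defaultdict(lambda: defaultdict(int))
    for e in events:
        vol[e["user"]][e["ts"].date()] += e["bytes"]
    return vol


def find_signals(events):
    """Return (kind, user, when, detail) tuples for each suspicious observation."""
    findings = []

    # Signal 1: copy operations outside the working-hours window.
    for e in events:
        if e["action"] == "copy" and e["ts"].hour not in WORK_HOURS:
            findings.append(("off_hours_copy", e["user"], e["ts"].isoformat(), e["path"]))

    # Signal 2: a day's volume far above the same user's own earlier days.
    # Each user is compared only against themselves, so a heavy-but-normal
    # user is not flagged merely for being heavy.
    for user, by_day in daily_volume(events).items():
        days = sorted(by_day)
        for i, day in enumerate(days):
            prior = [by_day[d] for d in days[:i]]
            if len(prior) < MIN_BASELINE_DAYS:
                continue
            baseline = mean(prior)
            if by_day[day] > SPIKE_FACTOR * baseline:
                findings.append(("volume_spike", user, day.isoformat(),
                                 f"{by_day[day]} bytes vs baseline {baseline:.0f}"))
    return findings


if __name__ == "__main__":
    for kind, user, when, detail in find_signals(parse_log(SAMPLE_LOG)):
        print(f"{kind:15s} {user:6s} {when}  {detail}")
```

On the constructed sample only bob is flagged: twice for the late-night copies and once for the volume spike on 2024-03-08, while alice’s ordinary day-to-day variation stays under the threshold. None of these signals proves intent; they are the machine-collected counterpart of the human observations above and belong in a triage queue, not in a verdict.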
Behavioral indicators that betray insider threats who have malicious or disgruntled motivations include the following (according to CISA’s Insider Threat Tip Card)
This type of writing on the wall becomes more legible as people pay attention. It’s unhelpful to create an organizational culture of suspicion, but cultivating one that encourages a healthy concern for one’s coworkers benefits the team atmosphere and the company’s security.
Pinpointing and mitigating unintentional insider threats (UIT) are simultaneously more nebulous and more involved than the checklist of misanthropic tendencies above. According to a paper exploring mitigations and contributing factors for UITs, the unintentional side of insider threats is bound up in environmental variables such as workload, stress, boredom, lack of situational awareness, and arduous business practices.
The paper breaks the contributing organizational factors for UIT into four categories: data flow (poorly communicated procedures or directions), work setting (insufficient security practices within inadequate management systems), work planning and control (job pressure or poor task planning), and employee readiness (fatigue, boredom, or illness). These categories outline the organizational areas companies can improve to reduce the likelihood of unintentional insider threats.
The principle behind this is that individuals often (if not always) take the path of least resistance. Under a heavy workload, different routines, clunky security procedures, or poor task prioritization, the path of least resistance does not involve paying careful attention to slightly suspicious emails or doing due diligence to scrub intellectual property. Making one’s job easier becomes more important than making one’s information safer.
Though good security training can help employees understand the importance of being careful and vigilant at all times, business and security administrators need to keep basic human tendencies in mind. An environment that imposes strict security controls but encourages incautious behavior with company information is not conducive to safe data.
If nothing else, a more or less well-run business with transparent procedures, smooth implementation, and moderate security controls will have fewer issues with UIT than a poorly organized and inefficiently run business locked up tighter than Scrooge McDuck’s vault.
For you as an employee, you can do the following:
In their quest for information security, every business must fortify their walls, curate their arsenals, and prepare their provisions. Systems must be configured, servers hardened, spam filters installed, and firewalls lit aflame. However, resources and attention must equally be directed inwardly to pick out and prevent the shadowy shapes within our walls; whether innocent or malicious, insider threats are a perennial piece of the security puzzle. They can be mitigated by creating an environment where users are unlikely to circumvent security measures because they are too cumbersome or arduous, as well as by paying careful attention to unusual negative behavior patterns and triaging disgruntled employees before they take action.
Intrada Technologies is a full-service web development and network management company with a focus on creating ongoing, trusted partnerships with each of our clients.