“Insider attack” is back in the news, with good reason. This particular article, “Insiders increasingly linked to data breaches in the financial sector” on infosecurity-us.com, discusses the continuing problem of insiders within the financial services industry committing fraud. Of course, this comes hot on the heels of last week's news about a massive insider fraud at UBS in the UK, which looks like it will cost somewhere in the region of $2.3 billion.
I thought it would be worthwhile to point out three key truths when it comes to insider attacks because the reality can often get lost in the FUD and hype.
1) Insider attacks are often not attacks at all.
Statistics on insider attacks, such as those collected by the Open Security Foundation at datalossdb.org, indicate that insider attacks are rarely attacks at all. They are more often mistakes made in the normal course of day-to-day work that result in a breach. It is easy, far too easy, to include the wrong email address in a distribution list, lose a backup CD or thumb drive, or grant the wrong group of users access to sensitive data. In fact, according to the Open Security Foundation, accidental insider breaches outnumber malicious ones by more than 250%.
So when you plan to prevent (or respond to) an insider "attack", remember that it probably is not an attack at all. More likely, it's someone doing their best to get through the day. And being human.
2) Insider attacks may not be insiders at all.
The FBI testified before Congress this week on the subject of attacks on the finance industry. Gordon Snow, assistant director of the FBI’s cyber division, reported: “these cyber-attacks are usually carried out through targeted phishing emails that contain either malware or a link to a malware-laden website. The phish targets a person within the company who can initiate fund transfers on behalf of the business or institution.”
Just as the network perimeter has blurred to the point where it is debatable whether it even exists, let alone where it is, so too has the line between an insider attack and an external attack grown fuzzy. More and more attacks use targeted individuals as human Trojan horses to walk attackers through the door. So, while the attacker initially appears to be an insider, it may well be an external attacker who has hijacked an unsuspecting insider’s account, system, or, in the worst case, their access to sensitive data.
3) Your best defense is probably a good teacher.
If insider "attacks" are usually either mistakes or externally initiated through social engineering, it should be clear that the best form of defense is a well-educated workforce. While I would never argue that technical controls are unnecessary, the fact is that the same old story of "education is important" is as true now as it ever was. The IT world has become highly complex, yet organizations hand out access to cutting-edge technology with the same lack of controls as they do access to the stationery cupboard. And things are about to get a lot more complex, as the interaction of insiders, systems, and externally provided cloud services starts to define corporate IT.
Insider attacks are likely to be with us for as long as there are computer systems and insiders (which is going to be a long, long time). We need to be realistic about how to address the most likely scenarios, like accidental disclosure, and plan technical controls around them. But first and foremost, we need to invest in educating the workers who handle, day in and day out, the crown jewels of the company – its information.