Wolf in Sheep’s Clothing: Combating the Insider Threat

Amidst droves of sophisticated malware and external threats that target our sensitive data, the most prevalent and destructive security threat we face today lurks silently within the confines of our organizational boundaries. While vendors dazzle us with the latest threat and vulnerability detection technology on the market, our own employees are positioned to sidestep these advanced solutions with ease and raise the gate on our protected information assets. 

The insider threat not only consists of those who engage in intentionally-malicious behavior which compromises information security, but also those who remain completely unaware of any wrongdoing, due to lack of education pertaining to safe information handling practices.

In a 2015 study commissioned by CompTIA, it was revealed that out of a survey pool of approximately 1,200 full-time US employees regarding their technology use and cybersecurity awareness habits, a staggering 45% of employees received no cybersecurity training from their employers.

Additionally, the survey revealed that 63% of employees use work-issued mobile devices for personal activities, and 94% of employees connect their work-issued devices to unsecured public Wi-Fi networks. These figures reflect a frightening reality: corporate America has yet not only to take cybersecurity as seriously as it should, but also to realize the ever-present insider threat it continues to foster through lack of cybersecurity awareness education.

Corporate and economic espionage is a booming business across the world, and lack of user cybersecurity awareness training grooms easy targets for attackers seeking access to proprietary information via social engineering, malware infection, recruitment of internal employees and even personal insertion into the corporate construct for direct access to targeted information.

In a 2011 report, the Office of the National Counterintelligence Executive estimated that financial losses to foreign competitors resulting from theft of trade secrets range from tens to hundreds of billions of dollars annually. In a recent FBI survey, it was discovered that roughly half of the 165 participating companies claimed to have fallen victim to economic espionage or theft of trade secrets. It was also revealed that 95% of those attempts originated from parties associated with the Chinese government.
 
There are a number of preventative measures that all organizations must take into consideration and, where possible, implement to mitigate the insider threat. To begin, a comprehensive cybersecurity awareness program must be established to educate all inbound personnel, as well as facilitate continuing awareness of existing personnel via annual refresher training. Regular training encourages users to remain vigilant against new and previously-known threats via employment of information handling best practices, including education pertaining to various methods of social engineering attacks. Such attacks include vishing, phishing and whaling, all consisting of attempts to bait users and executive leadership into divulging sensitive information, whether by phone, email, social media or other means.

Far from Hollywood portrayals of corporate espionage one may envision, these antiquated and downright basic measures are weapons-of-choice for establishment of advanced persistent threats (APT) that reside on corporate information systems for years on end, exfiltrating priceless trade secrets via a “low and slow” approach to avoid detection. It’s in this very manner that, in 2009, a senior Coca-Cola executive facilitated an attacker’s establishment of remote access to the corporate network by clicking on a link contained within a seemingly-harmless email, through which the attacker set up shop and covertly exported countless confidential files over an extended period of time. 

Additional training elements should include responsible use of social media, maintaining confidentiality of user credentials, acceptable use of email, fostering workplace awareness through identification and reporting of suspicious behavior, etc. Any cybersecurity awareness program must also be backed by organizational policy to detail not only acceptable use practices, but also punitive measures resulting from policy violation.

A policy without teeth to back it up is an ineffective one. Knowledge of punitive action resulting from non-compliance is crucial to ensuring users remain vigilant in adherence to safe information handling practices. 

Where possible, enforce job rotation to rotate personnel across positions and avoid long-term stagnation of an employee under any given role or responsibility. Job rotation interrupts collusion between two or more employees working together to execute organized attacks against an organization, and may also be utilized as a detection mechanism to identify suspected insider threat activity. Mandatory vacations are also an effective implementation to support such efforts. Removal of an employee from the workplace for an extended period of time can reveal changes in information handling activity that validate suspicions of foul play.

Enforcing separation of duties ensures employees are restricted to access only those areas required to carry out their professional duties. Excessive and unnecessary employee access to sensitive physical and virtual locations is a primary method of data exfiltration and one often overlooked by many organizations.

Prevention of data exfiltration or loss, via establishment of a comprehensive data loss prevention (DLP) strategy, is crucial to controlling means of information loss, whether intentional or unintentional. To support such a strategy, DLP software implementation can be leveraged to detect and prevent external information transfer, as well as connectivity of unauthorized mass storage devices to corporate assets via notification of administrative personnel upon attempts to do so.
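To illustrate the removable-media control described above, the following added example (not part of the original article, and not any DLP product's code) scans centrally collected Linux kernel log lines and produces an alert for every USB mass storage device that is not on an approved list. The device allowlist, host names and log lines are constructed assumptions.

```python
import re

# Assumption: approved devices are identified by (vendor id, product id, serial).
APPROVED = {("0781", "5581", "4C530001230115112345")}

FOUND = re.compile(r"usb (\S+): New USB device found, "
                   r"idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
SERIAL = re.compile(r"usb (\S+): SerialNumber: (\S+)")
STORAGE = re.compile(r"usb-storage (\S+?):[\d.]+: USB Mass Storage device detected")

# Constructed sample in the style of syslog-forwarded kernel USB messages.
SAMPLE_LOG = """\
Mar  3 09:12:01 ws-041 kernel: usb 1-2: New USB device found, idVendor=0781, idProduct=5581, bcdDevice= 1.00
Mar  3 09:12:01 ws-041 kernel: usb 1-2: SerialNumber: 4C530001230115112345
Mar  3 09:12:01 ws-041 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Mar  3 14:47:30 ws-017 kernel: usb 2-1: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
Mar  3 14:47:30 ws-017 kernel: usb-storage 2-1:1.0: USB Mass Storage device detected
Mar  3 15:02:11 ws-017 kernel: usb 2-3: New USB device found, idVendor=046d, idProduct=c077, bcdDevice=72.00
"""

def unauthorized_storage_alerts(log_text, approved=APPROVED):
    """Return one alert dict per mass storage attach that is not approved."""
    pending = {}  # (host, usb port) -> identity of the device seen on that port
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # not a syslog-formatted line
        when, host = " ".join(parts[:3]), parts[3]
        if m := FOUND.search(line):
            pending[(host, m.group(1))] = {
                "vid": m.group(2), "pid": m.group(3), "serial": None}
        elif (m := SERIAL.search(line)) and (host, m.group(1)) in pending:
            pending[(host, m.group(1))]["serial"] = m.group(2)
        elif m := STORAGE.search(line):
            # A device with no enumeration record or no serial cannot be
            # matched to the allowlist, so it is treated as unauthorized.
            dev = pending.get((host, m.group(1)),
                              {"vid": None, "pid": None, "serial": None})
            if (dev["vid"], dev["pid"], dev["serial"]) not in approved:
                alerts.append({"time": when, "host": host, **dev})
    return alerts

if __name__ == "__main__":
    for alert in unauthorized_storage_alerts(SAMPLE_LOG):
        print("notify admin:", alert)  # stand-in for the notification channel
```

The mouse on `ws-017` produces no alert because it never registers as mass storage, while the drive without a serial number is flagged because it cannot be tied to an approved device.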

Data-at-rest (DAR) encryption, which works to encrypt data while not in motion, such as that stored on a hard drive, may be employed as part of your DLP strategy to ensure information contained on a compromised physical device does not risk exposure to unauthorized parties. Remote connections into the corporate network should also utilize virtual private network (VPN) connectivity to encrypt and secure the integrity of sensitive, work-related data transmissions.  

These measures are far from exhaustive and are merely considered sub-components of a complete cybersecurity program, but serve to provide business owners some recommended cybersecurity best practices to safeguard their information assets from the insider threat.

Behind the façade of technical complexities that rule our enterprises with beautiful precision wages a war that devours our sensitive data from the inside out, necessitating a defensive stance that begins with getting up front and personal with our employees about their positions on the cyber battlefield.
