The Insider Threat (Part 1)

Within security, a lot of effort goes into protecting against and defending from external threats. Competitors and adversaries will employ various techniques to gain a competitive advantage over one another. What gets overlooked is the threat from within: the Insider Threat.

The term Insider Threat has taken on various meanings over the years. Recently, militaries around the world have used it to describe or highlight the terrorist or Jihadist threat – the employee who has split loyalties and takes violent action. Nidal Hasan, the infamous Fort Hood shooter, instantly comes to mind, but there are others, especially in the screening process for fledgling national armies. As a result, Insider Threats have started to become more about workplace violence and identifying those who are experiencing personal troubles that ultimately manifest themselves violently – the key word being violently. This is all important and can’t be downplayed, but within the security and intelligence fields it obscures the significant threat that silently operates within the workplace. These individuals don’t take violent action, but operate within the fold and extract institutional knowledge, intellectual property, plans, and critical information about their employer to aid another.

The Insider Threat is not new; it has existed since Biblical times. After all, there is the expression that the two oldest professions are prostitution and spying. So while the violence is abhorrent, and one cannot discount or downplay that, the focus here is on the insider theft of intellectual property and the security training and awareness programs that make an otherwise loyal and trustworthy employee turn into an unsuspecting and potentially crippling insider threat. It’s important for companies to know their co-workers, employees and subordinates, and to know what is going on in the workplace that could impact their security posture. Network solutions are plentiful, can provide exceptional data analysis, and can serve as redundant tools to help identify potential issues. However, it can also be claimed that most network security solutions can be undermined by one careless employee clicking on a suspicious email or by the trusted member who walks out the door with a ream of data.

This will be a two-part discussion. Part 1 will discuss the ways the Insider Threat operates and highlight what motivates insiders, what significant event impacted them, and what their end goals might be. Part 2, later in the week, will address things your business – big or small – can do to identify and neutralize these types of threats. These threats are ever evolving: the secret meetings that once took place in a dimly lit bar with a man wearing a trench coat and fedora are just as easily held today through an online chat or an anonymous email account. The threat is real. This is not meant to scare you, but to cause you to be alert and aware and to understand yourself.

Sole proprietorships and small businesses in general are just as susceptible to insider threats, especially if you are a startup or working in a niche market. Consider the competition for resources and the financing efforts that go into the development of new products and services. It’s not unheard of for one company to offer a key employee of a competitor better compensation. And there is case study after case study showing how employees decide to steal proprietary information or trade secrets as they walk out the door. It is not inconceivable that an organization you are working with will look to gain access to your intellectual property or design to complete their business. It’s not unlikely for someone to want to gain access to your client/customer list and to what your proposals look like in order to steal a customer by presenting a better proposal. And it’s not unlikely that a person you are working with could use your data or numbers to strengthen their business. Are these things happening right now to your business? Maybe. Could they happen? Perhaps. How would you know if you don’t at least consider the potential? As security-minded people we need to look with a cautious eye and always look to protect our information.

Insider Threats are on the rise. What accounts for this? On 28 June 2012, the Assistant Director of the Counterintelligence Division of the Federal Bureau of Investigation laid out four key elements in a congressional hearing. Some of these will sound familiar from the traditional MICE model – Money, Ideology, Compromise/Coercion, and Ego – and others address foreign intelligence involvement. First, he cited employee financial hardship, especially during tough economic times. These economic hardships also have a direct impact on foreign governments. When a financial crisis hits, one of the first actions taken by governments, as well as individuals, is to tighten purse strings and take cost-cutting, or  measures. This directly affects projects they support and line items in the budget, especially research and development. It’s easier to steal technology than to invest in their own research and development.

Research and development costs are growing, and R&D takes tremendous investment for companies and global superpowers alike. With the rise of startups and the ease with which companies are perfecting the latest and greatest advances in technology, the competition to gain the latest foothold is through the roof. Companies and foreign governments would like nothing more than to reduce their R&D costs and just “acquire” yours.

Another development in the rise of the Insider is the relative ease of stealing anything stored electronically, especially when that insider has legitimate access to it (Trusted Member). Where are you vulnerable? Are there policies and processes that identify sensitive/critical information? Do you label/mark data? Are work conditions such that the pressure makes people compromise their security to meet a suspense? Are you educating your workforce? These are all questions you should ask yourself when evaluating your own security.

Finally, the rise of the global marketplace has lowered traditional walls and given foreign intelligence services and competitive intelligence services increased access to individuals of interest. Want to introduce yourself to a leader in an academic or technological circle? Send an email, Skype with them, or better yet, bump into them at the bevy of trade shows and conferences around the world. What was once thought to be limiting can now be enabling. Are employees trained to be alert to and aware of elicitation techniques? A lot of approaches work academic angles and appeal to the idea of collaboration, sharing and breaking down walls. What starts off as a thought of collaboration turns into a case of economic espionage, and your loyal employee is now a threat. And they may not even know it. We must train our employees to be hypersensitive.

Another important aspect not mentioned above is our failure to recognize that an Insider Threat might exist and to put appropriate programs in place to increase our awareness and security posture. This hits at the heart of the matter. It’s knowing yourself and your employees/coworkers. It’s recognizing that something has changed in the life of one of these people that could take them over the edge: credit card debt, a crash of the stock market, a crash of the housing market, the escalating costs of college education. These can all create that breaking point where people will consider various alternatives.

Research has scratched the surface in evaluating the breaking point in employees, and with the rise of the violent workplace/school shooting, it’s happening very quickly. There are the traditional MICE indicators that we can identify in individuals, but generally speaking, a person doesn’t grow up with a desire to turn against his employer or sell intellectual property/secrets. That’s very rarely a lifelong goal. It’s more likely than not that something has happened in their lives that caused them to break on a personal level: money crunches/greed, an ideological shift caused by a traumatic event, a perceived “unjust” termination at a previous employer, a feeling of being unappreciated. These events affect people in different ways. Understanding and recognizing that is of critical importance. Understanding your employees or co-workers and knowing them can help identify indicators. And coupling those indicators can be a way to identify/spot an Insider Threat.

So how does economic espionage manifest itself?  What are the tools that the Insider uses?

Theft – In its simplest form, it could be printing documents and walking out the door, copying them to a USB drive, or uploading them to an online account, and that’s just today; tomorrow there may be fifteen other ways.

Elicitation or Open Source Intelligence (OSINT) collection represents another tool for Insiders. Does the person who is asking the questions have a need to know the information they are requesting? If your business has access levels (if you do, pat yourself on the back), is this person attempting to gain access to areas that are outside their approved status?

Cyber Attacks – The Insider may have provided a username and password to the domain; he may even be the administrator. A cyber attack may take the form of a compromised USB drive that the Insider inserted into his computer, thereby exposing the business to a virus, or one that carries an embedded program that sends your data out.

Infiltration Agents – These are individuals who work for one company but act on behalf of another. Meaning, they are actually employed by one company and are tasked by that company to get hired by a competitor and report on what’s going on. Think this doesn’t happen? Check here or here and even here.

Social Engineers – In line with Infiltration Agents, these are individuals who attempt to deceive employees into giving access to sensitive areas, computers, or the building in general in order to steal or extract information. They may take the form of a pizza delivery man who attempts to bypass the receptionist, or pose as a computer help desk person who calls you or comes to your desk, asks to install the latest and greatest software, and asks for your username and password. You think of it and they have done it. Untrained and unaware employees fall for this more than they would care to admit.

Each of the sections above could go into exhaustive detail, but I tried to cover the main points. There is a lot more to it, and in the next blog we will go over how to counter these threats and how a heightened security posture can greatly reduce the threat to your business.

