
Insider Threat Management


By: rcubed

November 17, 2016

A DOE contractor feeling the pressures of rising debt attempted to sell stolen uranium parts to agents of a foreign government. A government researcher who experienced a hostile work environment accessed a secured facility and intentionally left 4,000 biological samples to thaw, resulting in a $500,000 loss to the project and setting it back months. And then there was the case of the IT contractor working for the NSA who absconded with a trove of classified data exposing the inner workings of the US government’s intelligence program. That contractor has since sought asylum in Moscow. His name is Eric Snowden.

What do all these folks have in common? They’re what have become known as insider threats: employees, contractors, vendors, or others with privileged access to the inner sanctum of an organization. They present a significant risk due to their positioning, and an entire field has emerged to deal with the challenge. This field is known as Insider Threat Management.

What all of the aforementioned bad actors also had in common is a behavioral profile that, if carefully monitored, would have tipped off security personnel to their impending actions. The behaviors aren’t the same in all cases, and not all acts that lead to asset loss are malicious in nature. If you’ve taken any of the cybersecurity certification training courses here, then you’ll know that the weakest link in any security plan is the human resources of an organization. It’s as if you’ve taken the discipline of Risk Management and multiplied the human component by a thousand. It almost requires a degree in psychology to adequately identify potential insider threats.

Most organizations primarily focus on external IT threats. Granted, there are certainly enough outside threats to keep InfoSec staffs busy for a lifetime, but security threats from the inside present a particularly insidious challenge. Security defenses such as firewalls and intrusion protection systems do little to combat a disgruntled employee set on revenge or one looking to commit financial fraud. These potential threats are already inside the castle walls and often within easy reach of the crown jewels. The best defense in this case is a combination of policy-based and data-driven security methodologies.

Insider Threat Management encompasses many of the concepts and practices of risk management. Identifying risks, mitigating them, and determining the value of assets and loss calculations are all components of Insider Threat Management. It also spans various roles within an organization, most prominently Human Resources, IT, and InfoSec. The financial and legal departments also come into play, but the spotlight shines brightest on human resources departments. Much of the problem with insider threats is lax hiring practices.

A changing employee demographic also appears to be contributing to the problem. Younger workers are more active on social media and often don’t consider the sensitivity of what they choose to share on channels such as Facebook and Twitter. They also tend to be impatient when it comes to obtaining information and may choose to circumvent proper security procedures in order to short-circuit the process. These are examples of insider threats of a non-malicious nature. Security policies as part of a risk management process are the best defense in such cases.

Insiders with malicious intent require ongoing vigilance on the part of both HR and InfoSec. Certain personality traits can serve as early warning signs of insiders to keep a close eye on:
  • Passive aggressive behavior
  • Self-perceived value exceeds performance
  • Intolerance of criticism
  • Inability to assume responsibility for their actions
  • Blaming others
Such traits may be acceptable in those running for public office, but they can spell disaster in the workplace and must be closely monitored. This is where open communication must occur between HR and InfoSec; failure to identify such insider risk early can result in asset loss later.

Damage to the organization can take many forms, such as disclosure of confidential information, extortion, media leaks, supply chain disruption, sabotage, and even violence. This is why it’s vital to continually monitor and update data on all personnel with access to the organization, not just employees.

Loss prevention from insider threats begins by defining an individual baseline for risk to the organization along with determining insider threat indicators, some of which are listed above. Security policies and operating procedures specifying the level of authorization required to access specific data or confidential information must be established and tracked across the organization.

Finally, when an event rises to the level of an incident, an incident response activity must be initiated. The discipline of computer forensics comes into play. Evidence must be preserved, documented, and analyzed for eventual presentation as part of a legal case. It then follows that an organization’s legal department will become involved. Disposition of such incidents can range from no action taken against the individual to reprimand, termination, or legal prosecution. A post-mortem is then performed, and the results of the analysis are used to improve existing policies and procedures.

The task of Insider Threat Management, as we’ve seen, spans several departments within an organization and is difficult for most organizations to get their arms around. It’s also a relatively new discipline and one that continues to evolve. A number of third-party vendors now offer Insider Threat Management services on an outsourced basis to both the government and private companies.

It’s both a challenging and fascinating field, and you can get a great overview by checking out the courses here on CompTIA Security+, Cybersecurity, and Computer Forensics.