How to Prevent an Insider like Harold T. Martin III from Stealing Information

Share and earn Cybytes
Facebook Twitter LinkedIn Email

Companies spend an exorbitant amount of time trying to protect their data and systems from outsiders. Between firewalls and scanners, malware detection and prevention, employee education and other security protocols, organizations can dedicate countless resources to cybersecurity measures.

observeit_harold-t-martin-insider-threatThink about this: Are you accounting for the people who are already inside? You must think about employees and contractors with access to the organization’s systems when you consider the ways to protect the company’s network and systems.Unfortunately, that’s not enough.

Insider threats are a huge problem: 90% of security incidents are caused by people, per the 2015 Verizon DBR. Additionally, 55% of attacks are originated by an insider (whether inadvertent or malicious), according to a 2015 IBM Cyber Security Intelligence Index.

So, how do you protect your enterprise from Insider Threat? Let’s look at the Insider Threat who caused the 2016 breach at the NSA:

Harold T Martin III is a former Navy reservist who has been in federal custody since the end of August 2016. It was within that timeframe that Federal agents executed several search warrants at his Maryland home. There, the FBI uncovered what they characterized as “overwhelming” proof that he mishandled classified information. Per the court filing, the materials found consisted of the personal information of government employees and a top-secret document “regarding specific operational plans against a known enemy of the United States and its allies.”

This incident with Harold T. Martin III, is a classic example of a worst-case scenario of Insider Threat. Not only was he caught, but Booz Allen Hamilton stock fell approximately 5% after the insider threat was reported in the news. Insider Threat expert and co-author of Insider Threat Program: Your 90-Day Plan, Shawn M. Thompson says, “While the stock price will likely recover, BAH also likely faces damage to its reputation and goodwill, which is incalculable.”

According to NPR, Federal Prosecutors stated in a court filing that, “The alleged theft of classified documents by a former NSA contractor was ‘breathtaking’ in its scope…”

NPR further reported that “Documents that Martin is alleged to have taken detail some of the country’s most sensitive intelligence operations. Authorities have not said why he allegedly stole the documents, or whether they believe he planned to do anything with them.”

IDS news reported that: “…Martin allegedly gathered more than 50 terabytes of NSA documents since 1996, storing them on heavily encrypted devices. Some of what Martin stole were ‘hard-copy documents that were seized from various locations … that comprise six full bankers’ boxes worth of documents’ according to official charges filed by the government.”

While we cannot tell you exactly how Harold T. Martin III stole the information, we do know there are many different ways that he could have stolen information. Appropriate controls in place to monitor large print jobs from a computer, USB data exfiltration, cloud Drive uploads, sending data to personal email addresses or sending files via Instant Messenger can be monitored, but one has to wonder, did they have too many alerts and controls, therefore, trouble figuring out which alerts were more important? This is where a User Activity Monitoring solution like ObserveIT could have addressed these issues:

Scenario 1: Documents are copied to a USB Device—ObserveIT would alert security teams about the action and allow them to quickly investigate what was copied to the device with video playback (providing irrefutable evidence).

Scenario 2: Documents are sent to the printer—ObserveIT would alert security teams that a user printed an unusually large amount of data. Then they could quickly investigate what was printed by watching a video replay of the incident.

Scenario 3: Data is uploaded to a cloud storage application—Information uploaded to applications like DropBox, WeTransfer, Pastebin, or Google Drive, can be difficult to track with ordinary log files, therefore enabling insiders a prime exfiltration point for a large amount of data. If information were uploaded to cloud storage applications, ObserveIT would alert administrators about the event and administrators could quickly investigate what was uploaded by watching a video replay of the incident.

Scenario 4: Collusion—to get access to this kind of classified information in the first place, it could mean that other personnel or nefarious outsiders were involved. This kind of collusion can be identified – even after the fact – with ObserveIT’s records, especially in its ability to monitor business and personal chat logs and business and personal email.

Scenario 5: There are too many security tools in place and the security team has issues identifying which alerts to follow—it’s this scenario in which ObserveIT might shine most brightly. ObserveIT makes wading through the noise easier, by bringing other security tools to life! Teams can work within the dashboards of other security tools such as SplunkArcsightIBM QRadar, CA Access Control, Citrix XenApp® and Citrix XenDesktop®, Lieberman Software, Tibco LogLogic, RSA enVision and ServiceNow IT ticketing system, so they don’t have to switch between applications.

With user activity monitoring and video playback, large print jobs from computers, USB data exfiltration, Cloud Drive uploads, sending data to personal email addresses, or sending files via Instant Messenger do not have to be investigated by combing through event logs. With just the simple push of a playback button, the monitoring of these exfiltration points is so much easier and investigations can occur that much more quickly.

 Are you ready to protect your organization’s data and reputation from Insider Threats? Start today with your free 15-day trial of ObserveIT to see what you’ve been missing. Or, request a demo with one of our experts to learn more. 

Share this post and earn Cybytes
Facebook Twitter LinkedIn Email
About ObserveIT
ObserveIT is a user monitoring and investigation solution that identifies and eliminates insider threats. It continuously monitors user behavior and alerts IT and Security teams about activities that put their organizations at risk. ObserveIT provides comprehensive visibility into what all users are doing, while meeting compliance standards and reducing investigation time from days or hours to minutes.
Promoted Content
[report] 2018 Cost of Insider Threats: Global Organizations
According to The Ponemon Institute’s report, “2018 Cost of Insider Threats: Global Organizations,” the average cost of an insider threat annually is $8.76 million. It’s critical for organizations to understand the main causes of insider threats, because detecting insiders in a timely manner could save millions of dollars. Depending on the industry and size of company, the cost of an insider threat varies dramatically. Check out the full report to see The Ponemon Institute’s findings, and understand how to detect and prevent insider threats in the future.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge

Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?