[BreachExchange] 7 Profiles Of Highly Risky Insiders

Audrey McNeil audrey at riskbasedsecurity.com
Mon Apr 11 19:05:27 EDT 2016


http://www.darkreading.com/vulnerabilities---threats/7-profiles-of-highly-risky-insiders/a/d-id/1325045

There are plenty of articles with scary numbers about the size and scope of
the Insider Threat. This isn’t one of them – you already know it’s a huge
concern and that few organizations maintain a reasonable level of control
over it. So where do you get started? By looking at the root of the problem
to understand who these insiders are, and why they pose a risk.

You may be tempted to match these insiders to specific jobs or roles. But
it’s best to resist such an impulse, because insider traits emerge
throughout an organization, regardless of a threat’s position. To lend
clarity, here are seven profiles of common high-risk insiders.

Convenience Seekers like to ignore protocol. The "official" way to do
things is too long, difficult, or complicated. Or they may prefer their own
methods, such as opting for their preferred file-sharing service instead of
a corporate one. They’ll also frequently use personal email to get around
performance or attachment size limitations.

Accidental Victims make mistakes, perhaps because of a lack of training in (or
learning of) proper processes and systems. Accidental Victims will hit the
wrong button, send a document to the wrong "Bob" or otherwise make an
honest mistake. Most likely, our Accidental Victims are tired, stressed or
distracted when they do these things. They’re especially vulnerable because
external threats often "create" fear and panic as part of a phishing scheme
or phone scam, so their targets won’t realize that they’re being set up.

Know-It-Alls want to "contribute," "show value," and be visible whenever
possible. Unfortunately, they may over-share information in an email
response. They might respond to a request when someone more qualified
should. Or they could initiate communications about topics with less than
the required tact or subtlety. They’ll post on social media before they
think about sensitive topics such as unannounced quarterly results. Some
Know-It-Alls will intentionally seek to steal or manipulate sensitive
information for fun, out of curiosity – or to prove they can.

Untouchables do not believe that any of the "scary stories" could happen to
them. They’ve earned privileged access, and they’re copping a cavalier
attitude about it. IT personnel may constantly take advantage of their
super-user credentials out of convenience, for example, only to cause
malware infection of a mission-critical server when they open a highly
targeted phishing email. Auditors, financial execs, developers, and others
with privileges could retain too much information locally, then lose their
laptop, or leave it out in the open for a thief to swipe.

Entitled Ones are convinced that they have a right to certain types of
data, or to do things their own way. They ignore process or policy. They’ve
concluded that they "own" data, including customer lists, source code,
scientific research, and process documentation/templates. And while we
normally associate the C-suite with those who do not feel the rules apply
to them, anyone can develop this attitude at any level of the company.

Traitors are malicious employees. Sometimes, they’re hatching a plot at the
time of being hired. More often, however, they harbor good intentions on
the first day of work, but lose their moral compass after falling into debt
or growing disgruntled over a lack of upward mobility and/or a salary
increase. Or they internalize destructive discontent due to differences
with colleagues, bosses, or the organization itself.

Secret Insiders aren’t supposed to be inside at all. But that’s where they
are, having effectively executed the first stage of an external attack:
gaining a foothold inside the network. (While we’ve focused on "defenses"
against such attacks for the last few decades, the reality is that a breach
will be successful at some point.) At this stage, Secret Insiders have
network access, and security requires that measures be in place to "detect"
such a breach. But, unlike the six aforementioned high-risk profiles, they
are professional hackers. They’re motivated, knowledgeable – and now
command all of the access and privileges of an insider.

For better or worse, security options have evolved from early login
IDs/passwords, firewalls, and desktop anti-virus (AV) products to dozens of
solutions that work in concert to protect the network, users, and data. An
Insider Threat program will implement many of these, such as access
controls and data loss prevention (DLP) tools, along with well-defined (and
enforced) processes and newer technologies, like User Behavior Analytics
(UBA).

Bottom line: user education is not new. But it is frequently overlooked as
a potential solution due to mindsets developed when most of us didn’t know
how to change the clocks on our VCRs, and never bothered to learn.
(Congratulations if you did not need to Google "VCR" to understand that
sentence.) Yet, today’s employees were raised with Nintendo, the Internet,
and smartphones. They take pride in knowing about the latest apps, and
every feature of their mobile devices. This means organizations can appeal
to this generation’s "tech pride," educating them about how recommended
"professional habits" can elevate them to positions of trust.

In other words, users are more capable of recognizing risks – and the value
of preventative measures and processes – if we simply involve them.