[BreachExchange] A CSO’s Guide to Insider Threats
Audrey McNeil
audrey at riskbasedsecurity.com
Thu Jun 22 18:58:57 EDT 2017
https://www.thecipherbrief.com/column/expert-view/csos-guide-insider-threats-1092
Each minute of each day federal cybersecurity teams triage an unimaginable
number of threats to our national security. While many of those threats are
from nation-state backed hackers attempting to breach our defenses, there
are just as many critical threats coming from inside an agency.
Insider threats are not new. Since the existence of protected information,
there have been adversaries, competitors, and enemies looking to gain
advantage. The ability to store, transmit, and process huge amounts of data
has only underscored the importance of actively addressing insider threats.
Not all insider threats are the same; they differ in terms of their attack
methods and objectives. Identifying insider threats and creating an
effective mitigation strategy requires an understanding of threat types,
motivations, and goals.
At the most basic level, there are two types of insider threat: the
malicious insider and the negligent threat. While both are trusted members
of the organization, the behaviors that make them a danger to information
security are very different. The malicious insider, while trusted, is in
some way compromised by a lure that turns them into a bad actor. The
enticement could be financial gain, a desire to harm the agency, or the
need to protect themselves from harm. These individuals use their position
of trust and privileged access to introduce malware, directly exfiltrate
data, or carry out another form of attack, and then share or sell the data to
nation-state actors or their sinister proxies.
On the other side of the equation is the negligent insider threat. This
trusted insider is not looking to cause harm from their online activities
but does so by inadvertently circumventing established security protocols.
They may write down their password in a convenient but obvious location or
click on a phishing email and introduce malware into the network. And
they’re the person who becomes a targeted, cultivated victim of a social
engineering attack.
It’s the human aspect that makes insider threats difficult to identify and
extremely dangerous to governments, companies, and organizations.
Malcontents are hard to identify, even within the rigorous vetting
procedures of security clearances and background checks. Also, the
motivations for a malicious actor evolve over time. A variety of unexpected
life events—financial distress, personal crisis, lack of career
advancement—may provide the catalyst for a trusted employee to become a
malicious insider threat. Meanwhile, there are thousands of negligent
insiders in every federal agency. These are people who are unaware of the
basics of cyber and personnel security or who are simply overwhelmed by
multiple layers of complex security requirements.
The impact of insider threats has multiplied in recent years due to the
growing amount of data that we now create and store in data centers and in
the cloud. Not only are there rich stores of stand-alone information, but
even more valuable is data aggregated with other known data sets. Some of
the most worrisome attacks occur on data aggregated over time; it can
reveal a treasure trove of information that can be used for identity theft,
blackmail, or by nefarious state actors.
Insider threat is a complex issue. Based on my experience
studying the insider threat problem from multiple angles and applying
various approaches in large organizational environments, successful
mitigation of an insider threat requires a multifaceted approach combining
the application of technology, behavioral analytics, and comprehensive
corporate governance.
The technology part of the equation is covered by the tools of the
trade—endpoint monitoring, anti-malware tools, geo-fencing, encryption, and
data loss prevention solutions—to name only a few. An effective behavioral
analytics strategy not only involves the aggregation of data about user
activity on the computer network, it also factors in additional information
about the employee within the workplace and their social environment.
Organizations and government agencies can aggregate their existing data
sources to learn more about their employees, increasing their chance of
identifying anomalous behavior and mitigating the malicious insider.
Individual data points from human resources, legal, and finance in
isolation may not be significant, but stitched together they can provide
important tripwires to identify potential malicious actors.
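The "stitched together" tripwire idea above, as an added example that is not part of the original column: signals from HR, finance and network monitoring are each weighted below the alert threshold, so only a user who accumulates signals across sources trips the wire. All records, field names and weights are constructed assumptions.

```python
# Added example: combine weak per-source signals into one per-user risk
# score so that individually unremarkable events become a tripwire together.
from collections import defaultdict

# Constructed records from three separate sources (field names assumed).
HR_EVENTS = [
    {"user": "alice", "event": "resignation_notice"},
    {"user": "bob", "event": "performance_improvement_plan"},
]
FINANCE_EVENTS = [
    {"user": "bob", "event": "expense_policy_violation"},
]
NETWORK_EVENTS = [
    {"user": "alice", "event": "after_hours_login"},
    {"user": "alice", "event": "bulk_download", "files": 1200},
    {"user": "bob", "event": "after_hours_login"},
    {"user": "carol", "event": "bulk_download", "files": 1500},
]

# Constructed weights: no single signal reaches ALERT_THRESHOLD on its own.
WEIGHTS = {
    "resignation_notice": 3,
    "performance_improvement_plan": 2,
    "expense_policy_violation": 2,
    "after_hours_login": 1,
    "bulk_download": 3,
}
ALERT_THRESHOLD = 5

def score_users(*sources):
    """Sum weighted signals per user across all sources.
    Returns {user: (score, [signals])} so an analyst can see why a user scored."""
    scores = defaultdict(lambda: [0, []])
    for source in sources:
        for rec in source:
            w = WEIGHTS.get(rec["event"], 0)
            # A bulk download only counts above a (constructed) size threshold.
            if rec["event"] == "bulk_download" and rec.get("files", 0) < 1000:
                w = 0
            if w:
                scores[rec["user"]][0] += w
                scores[rec["user"]][1].append(rec["event"])
    return {u: (s, sig) for u, (s, sig) in scores.items()}

def tripwire_hits(scores, threshold=ALERT_THRESHOLD):
    """Users whose combined score crosses the threshold, highest score first."""
    hits = [(u, s, sig) for u, (s, sig) in scores.items() if s >= threshold]
    return sorted(hits, key=lambda h: -h[1])
```

Run alone, the network source flags nobody (alice scores 4, carol 3); adding the HR and finance sources pushes alice to 7 and bob to 5, which is the correlation the paragraph describes.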
The final part of the triad is data and corporate governance. Governance
involves not only determining who can access data while it’s in use, but it
also considers how long data is stored, how it should be archived, and who
can access stored data. Each federal agency will have unique governance
requirements based on mission, but all agencies need to have information
governance rules in place. In the information age, data governance needs
to be a top priority throughout the public and private sectors.
It goes without saying that these challenges to information security will
only get more complex as both the amount of data continues to increase and
the number of threat vectors multiplies. Insider threat will also get more
complex as we welcome the next generation of workers—not just millennials,
but generation Z and beyond—into the workforce. As dependence on mobile
platforms and flexible work schedules grows, and new technology like IoT
(Internet of things) devices and robotics are introduced into the
workforce, our ability to defend information and discern who is a threat
will become even more complex. However, even with these new challenges, the
fundamentals of good security hygiene—technology, analytics, and
governance—will continue to provide a strong foundation in mitigating
insider threats.