While companies are busy protecting their computer systems from external cyberattackers, they should start worrying about threats posed by disgruntled employees, contractors, and vendors who have authorized access to networks. This group poses such a significant cyberthreat that last September the U.S. Department of Homeland Security (DHS) issued a warning, but other countries are just as vulnerable.
Reinforcing the problem are results of a survey of 200 IT security decision-makers in the U.S. federal government, military, and intelligence communities, which shows that more than 60 percent believe malicious insider threats to be just as or more damaging than malicious external threats such as terrorist attacks or hacks by other governments. Released in February, the survey was conducted in December by SolarWinds, a leading provider of IT performance management software, to uncover the respondents’ most critical IT security challenges.
Insider hostility can happen for any number of reasons: being passed over for a promotion, not getting an expected bonus, or the threat of being fired. Financial gain is also a popular motivator. Helping another company steal or destroy data to gain a competitive advantage or to harm the victim company’s interests or reputation are other drivers. According to the DHS, attacks can cost victim companies up to US $3 million in damages from theft of financial information and intellectual property, damaged or destroyed assets, and company-wide disruption to internal systems and customer operations. But there are other types of harm as well.
Former National Security Agency contractor Edward Snowden, probably the most well-known disgruntled insider, leaked classified information to the media. Other reported cases include a technician sabotaging systems that controlled a major U.S. city’s traffic lights over a labor dispute, a government agency employee with marital problems placing his wife’s name on a terrorist watch list, and a contract programmer who introduced malware into systems to increase business. These are all examples shared by the CERT Division at the Carnegie Mellon University Software Engineering Institute, in Pittsburgh.
And it’s getting easier for insiders to gain access because these attacks are hard to detect, according to the SolarWinds survey. Some of the reasons given include the high volume of network activity, lack of IT staff training, growing use of cloud services, pressure to change IT configurations quickly rather than securely, use of mobile devices, and allowing employees to use their own devices to access the company’s systems.
SPOTTING ODD BEHAVIORS
These are some characteristics to be on the lookout for, according to the “Combating the Insider Threat” report issued last May by the DHS National Cybersecurity and Communications Integration Center: remotely accessing the network while on vacation, sick, or at unusual times; working odd hours without authorization or offering to work overtime or weekends; making unnecessary copies of material, especially if it is proprietary or classified; signs of vulnerability such as drug or alcohol abuse, or gambling debts; acquiring unexpected wealth; unusual international travel; and unexpected absences.
Although preventing and detecting attacks can be difficult, there are steps any company can take to combat insider threat risks.
In its “Best Practices Against Insider Threats in All Nations” article, CERT recommends 18 ways to prevent, detect, and respond to insider threats. They include:
- Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior.
- Anticipate and manage negative issues in the work place.
- Incorporate insider threat awareness into periodic security training for all employees.
- Implement strict password and account management policies and practices.
- Institute stringent access controls and monitoring policies for privileged users.
- Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities.
- Monitor and control remote access from all points, including mobile devices.
- Develop a comprehensive employee termination procedure.
- Enforce separation of duties and least privilege to limit access to technical systems and physical spaces.
- Establish a baseline of normal network device behavior.
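Two of the items above are concrete enough to put into detection logic: the DHS indicator of remote access while on vacation or at unusual times, and CERT's advice to establish a baseline of normal behavior. The following is an added example written for this article, not code from DHS, CERT, or SolarWinds. It builds a per-user baseline of login hours from a week of constructed VPN log lines, then flags later logins that fall outside that baseline, land on a weekend, or occur while HR's leave calendar says the user is away. The log format, the `LEAVE` calendar, and the one-hour slack around baseline hours are all assumptions made for the example.

```python
"""Flag VPN logins that match insider-threat indicators: access outside a user's
baseline hours, on weekends, or while the user is recorded as on leave."""
from collections import defaultdict
from datetime import date, datetime

# Constructed sample data (not real logs): a week of logins used to build the baseline.
BASELINE_LOG = """\
2015-03-02T08:05:11Z user=alice src=198.51.100.10 action=vpn_login
2015-03-02T09:12:40Z user=alice src=198.51.100.10 action=vpn_login
2015-03-03T08:47:03Z user=alice src=198.51.100.11 action=vpn_login
2015-03-04T17:30:22Z user=alice src=198.51.100.10 action=vpn_login
2015-03-02T13:01:00Z user=bob src=203.0.113.7 action=vpn_login
2015-03-03T14:20:15Z user=bob src=203.0.113.7 action=vpn_login
2015-03-05T12:55:49Z user=bob src=203.0.113.8 action=vpn_login
"""

# Constructed logins from the following week, to be judged against the baseline.
NEW_LOG = """\
2015-03-09T08:15:00Z user=alice src=198.51.100.10 action=vpn_login
2015-03-10T02:40:31Z user=alice src=192.0.2.44 action=vpn_login
2015-03-11T13:05:10Z user=bob src=203.0.113.7 action=vpn_login
2015-03-14T13:00:00Z user=bob src=203.0.113.7 action=vpn_login
2015-03-12T10:00:00Z user=carol src=192.0.2.9 action=vpn_login
"""

# Constructed HR leave calendar (assumed format): user -> [(first day, last day)].
LEAVE = {"bob": [(date(2015, 3, 13), date(2015, 3, 20))]}


def parse(line):
    """Parse one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def build_baseline(log_text, slack=1):
    """Return user -> set of hours (UTC) seen in the baseline window.

    Each observed hour is widened by +/- `slack` hours so that a login a few
    minutes earlier than usual is not reported as anomalous.
    """
    hours = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec.get("action") != "vpn_login":
            continue
        for delta in range(-slack, slack + 1):
            hours[rec["user"]].add((rec["ts"].hour + delta) % 24)
    return hours


def on_leave(user, day, leave=LEAVE):
    """True if `day` falls inside any of the user's recorded leave ranges."""
    return any(start <= day <= end for start, end in leave.get(user, []))


def flag_logins(log_text, baseline, leave=LEAVE):
    """Return [(user, iso timestamp, [reasons])] for every login worth a look.

    A user with no baseline at all (new account, contractor) is reported too,
    since the absence of history is itself a reason to review the login.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        user, ts = rec["user"], rec["ts"]
        reasons = []
        if user not in baseline:
            reasons.append("no baseline for user")
        elif ts.hour not in baseline[user]:
            reasons.append("outside baseline hours")
        if ts.weekday() >= 5:  # Saturday or Sunday
            reasons.append("weekend")
        if on_leave(user, ts.date(), leave):
            reasons.append("on leave")
        if reasons:
            findings.append((user, ts.isoformat(), reasons))
    return findings


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOG)
    for user, when, reasons in flag_logins(NEW_LOG, base):
        print(f"{when} {user}: {', '.join(reasons)}")
```

Run as written, it reports alice's 02:40 login as outside her baseline, bob's Saturday login as both a weekend login and one made while on leave, and carol's login as coming from an account with no history. In practice the baseline window would be weeks rather than days, the leave calendar would come from the HR system rather than a literal, and each finding would feed a review queue rather than being treated as proof of wrongdoing; the point is that the indicators in the DHS report translate directly into checks a monitoring system can run.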