Security threats to organizations can be broadly categorized into external threats and insider threats. An external actor usually must do some legwork or research to first identify, then figure out how to take advantage of, an organization’s weaknesses. They are not a member of the organization, so they must either hide their presence or force their way through existing defenses and then get out quickly. On the other hand, an insider not only has special knowledge of the organization’s weaknesses, but is also wearing “team colors.” As a trusted member of the organization, the insider is less likely to arouse suspicion.
But just as there are a wide variety of potential external threats coming from all manner of bad actors - from hackers, to organized criminal syndicates, to nation-states themselves - there are also more than just two types of insider threats. It is important to understand these different types, because each presents the organization with a unique set of challenges.
WikiLeaks and Edward Snowden’s leak of classified National Security Agency information are perhaps the most well-known examples of a particular breed of insider threat where an individual, whether out of a perverted sense of duty (such as in the case of Snowden), dissatisfaction with the organization, or for personal or financial gain, shares or publicizes sensitive information without permission. In the case of Snowden and WikiLeaks, such a loss of information causes serious harm to United States national security and diplomacy and could even put American lives at risk. In the private sector, the loss of trade secrets to a competitor could potentially cost a company – and the US economy – millions of dollars.
According to the FBI, one recent example of this type of insider threat is Sergey Aleynikov, a former computer programmer for a large Wall Street firm who exfiltrated 32 megabytes of proprietary computer codes — a theft that could have cost his employer millions of dollars. Although he used his computer skills to deftly hide his activities for months, he was discovered due to irregularities spotted through routine network monitoring, and, in December 2010, was found guilty of theft of trade secrets.
Insider Sabotage / Violence
Though espionage most certainly represents the biggest financial threat to organizations from insider threats, those insiders bent on sabotage or violence are the most destructive. These individuals use their access to facilities or networks to intentionally destroy or disable the organization’s assets or cause harm to others. Often these individuals are motivated by disagreements or dissatisfaction with their organization, a dismissal, poor performance reviews, or even a mental illness. In many cases, the perpetrator is an employee with a history of substandard performance, who has held onto his or her credentials or maintained access to the network or the physical facilities.
One recent example occurred in Los Angeles, where city employees in the midst of a labor dispute took over the city’s traffic light system for four days, causing major traffic issues throughout the already busy metropolitan area. Another example of sabotage at the corporate level occurred at a major defense company, where a recently terminated system administration contractor purposely crashed the company’s main operating system, denying access to hundreds of employees. However, the most terrifying example occurred in November 2009, when former U.S. Army major and psychiatrist Nidal Malik Hasan committed a mass murder at Fort Hood, killing 13 people and injuring another 30, in one of the worst acts of U.S. workplace violence.
The Unsuspecting Insider Threat
More often than not, experts say that insiders are unwitting accomplices who simply download a virus from a social network or a web site, or fall prey to a socially engineered ploy to gain access to the network through them. According to a study from Symantec and the Ponemon Institute, negligence was the main cause of the greatest number of data breaches—39 percent—not maliciousness. Unfortunately, this type of threat is difficult to detect and deter because the insiders themselves are typically unaware of their participation in the scam.
In one 2010 example, the owner of a California escrow firm opened an attachment in an email message that appeared to come from UPS. Instead, the email installed a virus that disabled key company security measures and enabled criminals to hack into the company’s bank account and send wire transfers totaling $465,000 to individuals and organizations around the world.
The insider threat can be as varied and multifaceted as any external threat. From malicious insiders bent on espionage or sabotage to unsuspecting employees who fall victim to a phishing campaign - it’s important for organizations to consider what they’re dealing with before spending a lot of money on a program meant to detect and deter those threats.