"Inveniam viam aut faciam": I will either find a way, or I shall make one
If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not your enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
-Sun Tzu: The Art of War
done to an organization by a trusted person who has/had access to a
area of the organization's infrastructure.
attackers are a risk, and normal risk management procedures say that
severity of a certain risk is made up of a company's exposure to a certain type of attack. This can be expressed
- Damage: This can be any damage/loss to the organization; the following areas give possible
- Person: This includes permanent staff, family members, contractors, and corporate visitors. Basically anyone to whom the
- Infrastructure: An organization has (both in the physical and the logical sense) areas of its infrastructure where outsiders are not allowed. Therefore allowing anyone else any access to these areas
some level of trust being placed in these individuals.
(as a %) x Threat (expressed as annual % of occurrence) = Risk)
internal threat aims to do, or will end up doing, certain common things
look at that a different way. Any organization's digital assets must be
guaranteed in three areas:
combination of the above, such as taking a copy and then deleting the
threat to these three key properties of the organization's data is what
protected against. These threats are embodied in:
- Confidentiality: There will always be data in the company that must be kept private. This can be because it is of a sensitive nature
because it gives a competitive edge in business. For whatever reason,
must be put in place to ensure that the data remains confidential
- Integrity: While some data must be kept private, it is also just as important that the data is still correct. What use is a secret formula if someone has managed to change the amounts used? So measures must also ensure that the data is trustworthy.
- Availability: Data could be private and you may trust it fully, but it is useless if you cannot access it. This may happen
theft, a disaster, and deletion, basically anything that makes the data unavailable for use. So finally, measures must also ensure that the
way to gauge exposure to a certain threat is to look at the absence of
measures that are used to safeguard against that threat, the measures,
are taken against insider threats, can be broadly broken down into:
at each section to see where the lack of cover in each creates exposure:
are important because in all organizations there is a point at which
be trusted and logical or physical countermeasures cannot be used. This
where policies and their enforcement come into play. A lapse in any of
above points means that you are seriously hampering the usage of the
therefore have less legal recourse in using them.
the organization have policies for:
controls exist to not just prevent unauthorised access to your
assets, but also to create accountability for the actions authorised
undertake on the information assets they have access to. Without proper
trails or logical measures then the organization can never really say
what to what. This once again severely limits not only the detection of
threat but the recovery and prosecution thereof.
the systems create proper audit trails?
users singularly accountable? i.e. no shared accounts
“least privilege” principle applied?
access right controls centrally approved/controlled?
roles regarding access right assignment adhered to?
there a company-wide enforcement of roles and rights?
hosts (server and client) set up as per best business practices?
- Is the network securely designed?
there proper, standard and adequate access controls?
there a regular review of access rights?
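The access-control questions above can be turned into an automated access-rights review. The following Python script is an added example, not code from the original article: it runs over a constructed account inventory and flags shared accounts, rights beyond a role's baseline (least privilege), rights with no central approval record, and accounts whose last review is overdue. The roles, rights, review interval and sample accounts are all assumptions made for the example.

```python
# Added example (not from the original article): an automated access-rights
# review over a constructed account inventory. It checks the questions in the
# checklist above: shared accounts, rights beyond the role's baseline (least
# privilege), rights never centrally approved, and overdue reviews.
# Roles, rights, the 90-day interval and the accounts are all assumed values.
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed role baselines: the rights each role is allowed to hold.
ROLE_BASELINE = {
    "finance-clerk": {"ledger:read", "ledger:write"},
    "hr-analyst": {"hr-db:read"},
    "sysadmin": {"server:admin", "ledger:read", "hr-db:read"},
}


@dataclass
class Account:
    name: str
    role: str
    rights: set          # rights actually granted on the systems
    owners: list         # people who hold the credential (should be exactly one)
    approved: set        # rights recorded as centrally approved
    last_review: date    # date of the last access-rights review


def review_account(acct, today, review_interval_days=90):
    """Return the list of findings for one account (empty list means clean)."""
    findings = []
    # Singular accountability: one person per credential, or actions
    # cannot be attributed to anyone.
    if len(acct.owners) != 1:
        findings.append("shared-account")
    baseline = ROLE_BASELINE.get(acct.role)
    if baseline is None:
        findings.append("unknown-role")
        baseline = set()
    # Least privilege: anything outside the role baseline is excess.
    excess = acct.rights - baseline
    if excess:
        findings.append("excess-rights:" + ",".join(sorted(excess)))
    # Central control: every granted right must have an approval record.
    unapproved = acct.rights - acct.approved
    if unapproved:
        findings.append("unapproved-rights:" + ",".join(sorted(unapproved)))
    # Regular review: flag accounts not reviewed within the interval.
    if today - acct.last_review > timedelta(days=review_interval_days):
        findings.append("review-overdue")
    return findings


def review_all(accounts, today):
    """Map each account name to its list of findings."""
    return {a.name: review_account(a, today) for a in accounts}


# Constructed sample inventory and review date.
SAMPLE_ACCOUNTS = [
    Account("alice", "finance-clerk", {"ledger:read", "ledger:write"},
            ["alice"], {"ledger:read", "ledger:write"}, date(2024, 4, 15)),
    Account("bob", "hr-analyst", {"hr-db:read", "ledger:write"},
            ["bob"], {"hr-db:read"}, date(2024, 1, 10)),
    Account("ops-shared", "sysadmin", {"server:admin"},
            ["carol", "dave"], {"server:admin"}, date(2024, 5, 20)),
]
REVIEW_DATE = date(2024, 6, 1)


def sample_review():
    """Run the review over the constructed inventory."""
    return review_all(SAMPLE_ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for name, findings in sample_review().items():
        print(f"{name}: {findings or 'clean'}")
```

In a real deployment the inventory would be exported from the directory or IAM system and the baselines from the role catalogue; the point of the script is that each checklist question becomes a mechanical test that can be re-run on a schedule, rather than a one-off manual review.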
main advantages a malicious insider has is that in order to do work,
organization has already granted some level of access. This means that
controls may not be able to stop a person getting their hands on data.
where physical controls come into play, the organizations need to be
monitor what data is leaving/entering their infrastructure on a
This way even if a person does misuse their access, it will not help
failure here means, quite literally, that your data can walk out the
personal devices prohibited?
personal data-shuttle capable devices prohibited?
business data-shuttle capable devices registered, monitored and audited?
the entrance/exit points of the organization manned?
those manning the entrance/exit points capable of identifying and
possible data-capable devices or forms?
staff complaints and problems resolved?
the organization know its staff?
logs of allowed devices and/or data kept?
spot checks of done, even of allowed devices?
people entrusted with data responsible for the data?
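The physical-control questions above (registered, monitored and audited data-shuttle devices; logs of allowed devices; spot checks) can be checked against endpoint logs. The following Python script is an added example, not code from the original article: it parses a few constructed USB-connection log lines, compares each device serial against an assumed registry of approved business devices, and reports unregistered devices, devices that report no serial at all, and registered devices used by someone other than their registered owner. The log format, the registry and the sample lines are all constructed for the example.

```python
# Added example (not from the original article): audit constructed USB
# connection log lines against a registry of approved data-shuttle devices.
# The log format, the registry entries and the sample lines are all assumed.
import re
from collections import Counter

# Constructed registry of approved business devices, keyed by serial number.
DEVICE_REGISTRY = {
    "4C530001": {"owner": "alice", "label": "finance-backup-stick"},
    "4C530002": {"owner": "bob", "label": "field-survey-drive"},
}

# Assumed log line layout:
# <timestamp> host=<name> user=<name> event=<event> [vid=xxxx pid=xxxx] [serial=<s>]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) event=(?P<event>\S+)"
    r"(?: vid=(?P<vid>[0-9a-fA-F]{4}) pid=(?P<pid>[0-9a-fA-F]{4}))?"
    r"(?: serial=(?P<serial>\S+))?$"
)


def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(event):
    """Verdict for one usb_connect event against the registry."""
    serial = event.get("serial")
    if not serial:
        # No serial: the device cannot be matched to the registry at all.
        return "unidentified-device"
    entry = DEVICE_REGISTRY.get(serial)
    if entry is None:
        return "unregistered-device"
    if entry["owner"] != event["user"]:
        # Approved device, but not in the hands it was registered to.
        return "registered-device-wrong-user"
    return "ok"


def audit(lines):
    """Return a list of findings; clean connect events produce nothing."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            findings.append(("unparsed", line))
            continue
        if ev["event"] != "usb_connect":
            continue
        verdict = classify(ev)
        if verdict != "ok":
            findings.append((verdict, ev["user"], ev["host"], ev.get("serial")))
    return findings


def summarize(findings):
    """Count findings per verdict, for a daily spot-check report."""
    return Counter(f[0] for f in findings)


# Constructed sample log lines.
SAMPLE_LOG = [
    "2024-05-03T09:12:44 host=ws-17 user=alice event=usb_connect vid=0781 pid=5583 serial=4C530001",
    "2024-05-03T09:40:02 host=ws-22 user=carol event=usb_connect vid=0951 pid=1666 serial=AA11BB22",
    "2024-05-03T10:05:19 host=ws-17 user=alice event=usb_disconnect serial=4C530001",
    "2024-05-03T11:30:00 host=ws-05 user=dave event=usb_connect vid=0781 pid=5583 serial=4C530002",
    "2024-05-03T12:01:10 host=ws-09 user=eve event=usb_connect vid=1234 pid=0001",
    "garbage line",
]


def sample_audit():
    """Run the audit over the constructed sample log."""
    return audit(SAMPLE_LOG)


if __name__ == "__main__":
    results = sample_audit()
    for finding in results:
        print(finding)
    print(dict(summarize(results)))
```

The "unparsed" verdict is deliberate: a log line the audit cannot read is itself a finding, since a gap in the audit trail is exactly what the checklist warns about.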
take a closer look at the embodiment of the threats as we mentioned
are staff members who feel they have been wronged in some way by the organization. They now want
something to “get their own back”. These people are generally very easy to
spot, just watch people who react badly after not getting the
raise/promotion/leave they wanted, those that have just been
While they are easy to spot, they are also the most unpredictable, as
person’s emotions are high they very often do things they may later regret, but
that still doesn’t bring back your database. This type of threat generally aims
at the deleting/destruction of an organization’s resources and is not really
too worried about other people knowing who it was.
things get a bit worse, with your upset
staff you at least had some warning, as you generally know and can
who is upset. In this case, nothing has happened at work to influence
member, but something outside of work has now placed pressure on this
member to do something damaging to the organization. These pressures
range from blackmail, debt, bribery, threats, urgent need for money,
other problem is that these people may not want to be noticed and the
they do may not be readily apparent (as is the case with making a copy
this classification of threat, we are upping the game substantially. Planted staff are
involved with industrial espionage, which is a lot more common than a
may think. The problem here is that the person planting the staff
make sure that their agent has all the qualities you want. Also this
will be very careful to not draw attention to what they are and what
doing, making it difficult to find and catch them.
is what happens when your staff have no
malicious or harmful goals in mind, but because of weak or missing
they have the ability to perform certain actions that they should not
to. When they make a mistake therefore, they may end up doing a lot
than if the controls had been in place. Think of a person deleting a
mistake, but they end up removing it from the server. This type of
also occur by people changing jobs. The job market is a lot more fluid
it ever has been, especially for ‘knowledge workers’. Now when these staff
leave, they will probably go work in a similar job and this generally
that they will be working for the competition, therefore any knowledge
person had will now go with them to the new job. There is nothing you
about this, except make sure your staff do not have excess access and
do not purposely drive these people away.
is where the organization has expanded its internal network into something that is externally accessible. That
strange but think of this, when an organization installs wireless onto
trusted network, the border of that network now ends where the radio
and therefore anyone able to use those radio waves is now an insider.
people are allowed access from homes or hotels, suddenly now all of
places and the communication medium between the areas is now also the
network. An organization that does not properly structure their network
up with large headaches.
answer here is: Do you trust every member of staff 100%, 100% of the
one in a modern medium-to-large organization will say yes, there are
many variables and possibilities. Am I being harsh? Ask yourself this: Why do you trust your staff? What have
done to earn that trust? You would not trust a person walking past the
organization’s building on the street, so why when you hire that person do you
now suddenly trust them? Upon what does the organization base that
add into the mix that even trustworthy people can do something wrong
are under stress or are being pressurised, and suddenly the problem is
larger. Then we need to add in the damage that someone could
cause due to a lack of controls, and suddenly the need to worry is
there is a chance of damage, why should I worry about it? Look at it
firewalls, intrusion-detection systems, encryption and other technical
have made it very difficult (or it should anyway) for an attacker to
access to your trusted network. This therefore limits the number of
could commit these attacks. But your trusted network is generally set up
... well ... more trustingly. This is because it makes it easier for your
work on it and accomplish their jobs. Therefore, if an attacker had
directly to your trusted network, bypassing most logical defences, then
knowledge and skill required to commit an attack is drastically
is an important point to remember, insider threats are easy and
damaging. Plus, most staff are given some level of network resource
order to do their job, making any potential attacker's job easier. An
will also be able to become familiar with the processes and procedures
weak points, with what data is valuable and where it is stored, and
contextual information which makes committing an attack easier. These
some of the reasons why organizations need to worry.
thing to realise here is a simple fact: Prevention is ideal but detection is a must.
Full insider threat prevention is impossible; it will happen, but
organization must be able to assess the damage, mitigate it, and
quickly and efficiently. Next you must know what is being attacked.
organization know which are its critical resources? And why? Once you
this you can begin to work out an acceptable level of loss, remembering
the lower that level is set, the more resources and measures have to be
place. Once you know what is critical you can then look at the next
important fact; access. Who has access? Why do they have access? What
they have? How did they get the access? Remember that access to the
organization's resources is what makes insider attacks such a threat, so
understanding those questions can begin to point you in directions to
know all of the above you can start reasonably putting measures in
as a starting point here are some general prevention mechanisms to put
/ Awareness: Any organization's weakest point is its staff.
All your staff are on the trusted network and have varying levels of
therefore if they can be manipulated into helping an attacker (social
engineering) then you are facing a large problem. But if you can
staff, raise their awareness, then you have an entire organization of
who will be able to help you find and deal with all threats –
- Defence in Depth: This is a general concept that simply means
that an organization must not place all its security needs on one
setup, because that would mean that once an attacker (internal or external) is
past that system, then they have free rein. The better idea is to have
levels of security within the organization, so that any attacker would
bypass multiple levels of security to get what they want.
- Backups/Archiving: It has already been said that there will be
loss, and that the recovery and detection of an insider attack must be
and effective. For this to occur any organization will need a
backup plan for its critical resources, as well as an archive of its
audit trails to ensure that no information is lost which may help
- Least Privilege: This is a very important principle. Anyone
should only have the access needed to do their job, anything else should not be
allowed. Bear in mind, that this does not mean taking away resources,
hinder them in fulfilling their job, but just the access to excess
Access is very important in any insider threat model and attack, if you
properly and carefully monitor that, you will go a long way to dealing
threat. Note, this does not only apply to logical resources (access to
documents, etc) but also to physical resources. For example, how many
the company actually need access to their USB ports for business
need to bring in personal data-shuttle-capable devices?
insider threat is one that companies do not like to face, because it is
difficult and very often requires a change in mindset and how things
ignoring it will not make it go away; it will just make the chances
happening greater and the damage it causes when it does a lot more.
take some short-term pain for a longer-term benefit. I also do not
seeing the insider threat as the answer to why everything goes wrong,
should at least be a consideration. So start looking into this stuff
and as always, have fun and learn.