Internal Threats

INTERNAL THREATS

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself and not your enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
-Sun Tzu: The Art of War

Define “Internal Threats”
Damage done to an organization by a trusted person who has/had access to a trusted area of the organizations infrastructure.

Examining the Definition

Damage: This can be any damage/loss to the organization; the following areas give possible classifications:

Financial
Credibility
Reputation
Intellectual property
Trust,
Image
Property
Data

Trusted Person: This includes permanent staff, family members, contractors, and corporate visitors. Basically anyone to whom the organization gives access.
Infrastructure: An organization has (both in the physical and the logical sense) areas of its infrastructure where outsiders are generally not allowed. Therefore allowing anyone else any access to these areas shows some level of trust being placed in these individuals.

Internal attackers are a risk, and normal risk management procedures say that the severity of a certain risk is made up of a company’s exposure to a certain type of attack. This can be expressed

(Vulnerability (as a %) x Threat (expressed as annual % of occurrence) = Risk)

Threats
Any internal threat aims to do, or will end up doing, certain common things to an organizations infrastructure/assets:

Delete/Remove
Change/Alter
Copy/Duplicate
A combination of the above, such as taking a copy and then deleting the original.

Or lets look at that a different way. Any organizations digital assets must be guaranteed in three areas:

Confidentiality: There will always be data in the company that must be kept private. This can be because it is of a sensitive nature or because it gives a competitive edge in business. For whatever reason, measures must be put in place to ensure that the data remains confidential
Integrity: While some data must be kept private, it is also just as important that the data is still correct. What use is a trade secret formula if someone has managed to change the amounts used? So the measures must also ensure that the data is trustworthy.
Availability:You data could be private and you may trust it fully, but is it useless if you cannot access it. This may happen because of theft, a disaster, and deletion, basically anything that makes the data unavailable for use. So finally, measures must also ensure that the data is timeously available.

Thus any threat to these three key properties of the organizations data is what must be protected against. These threats are embodied in:

Disgruntled staff
Coerced/Pressurised Staff
Planted Staff
Unintentional damage
Unintentional access

Exposure
The best way to gauge exposure to a certain threat is to look at the absence of those measures that are used to safeguard against that threat, the measures, which are taken against insider threats, can be broadly broken down into:

Policies
Logical
Physical

Lets look at each section to see where the lack of cover in each creates exposure: -

Policies

Does the organization have policies for:

Network usage
Pre-hire checks
Enforced leave
Non-disclosure agreements
Company resources usage
Disciplinary processes

Are the policies:

Known
Reviewed
Consistent
Enforced
Explained
Understandable
Legal
Reasonable

Policies are important because in all organizations there is a point at which staff must be trusted and logical or physical countermeasures cannot be used. This is where policies and their enforcement come into play. A lapse in any of the above points means that you are seriously hampering the usage of the policy and therefore have less legal recourse in using them.

Logical

Can the systems create proper audit trails?
Are users singularly accountable? i.e.; no shared accounts
Is “least privilege” principle applied?
Are access right controls centrally approved/controlled?
Are roles regarding access right assignment adhered to?
Is there a company-wide enforcement of roles and rights?
Are hosts (server and client) setup as per best business practises?
Is the network securely designed?
Are there proper, standard and adequate access controls?
Is there a regular review of access rights?

Logical controls exist to not just prevent unauthorised access to your information assets, but also to create accountability for the actions authorised people undertake on the information assets they have access to. Without proper audit trails or logical measures then the organization can never really say who did what to what. This once again severely limits not only the detection of insider threat but the recovery and prosecution thereof.

Physical

Are personal devices prohibited?
Are personal data-shuttle capable devices prohibited?
Are business data-shuttle capable devices registered, monitored and audited?
Are the entrance/exit points of the organization manned?
Are those manning the entrance/exit points capable of identifying and checking all possible data-capable devices or forms?
Are staff complaints and problems resolved?
Does the organization know its staff?
Are logs of allowed devices and/or data kept?
Are spot checks of done, even of allowed devices?
Are people entrusted with data responsible for the data?

One of the main advantages a malicious insider has is that in order to do work, the organization has already granted some level of access. This means that logical controls may not be able to stop a person getting their hands on data. This is where physical controls come into play, the organizations need to be able to monitor what data is leaving/entering their infrastructure on a physical level. This way even if a person does misuse their access, it will not help them. A failure here means, quite literally, that your data can walk out the door.

Threats
Lets also take a closer look at the embodiment of the threats as we mentioned them earlier:

Disgruntled Staff: These are staff members who feel they have been wronged in some way by the organization. They now want to do something to “get their own back”. These people are generally very easy to spot, just watch people who react badly after not getting the raise/promotion/leave they wanted, those that have just been disciplined, etc. While they are easy to spot, they are also the most unpredictable, as when a person’s emotions are high they very often do things they may later regret, but that still doesn’t bring back your database. This type of threat generally aims at the deleting/destruction of an organization’s resources and are not really too worried about other people knowing who it was.
Coerced/Pressurised Staff: Here things get a bit worse, with your upset staff you at least had some warning, as you generally know and can visibly see who is upset. In this case, nothing has happened at work to influence the staff member, but something outside of work has now placed pressure on this staff member to do something damaging to the organization. These pressures could range from blackmail, debt, bribery, threats, urgent need for money, etc. The other problem is that these people may not want to be noticed and the damage they do may not be readily apparent (as is the case with making a copy of sensitive data).
Planted Staff: With this classification of threat, we are upping the game substantially. Planted staff are generally involved with industrial espionage, which is a lot more common than a person may think. The problem here is that the person planting the staff member will make sure that their agent has all the qualities you want. Also this person will be very careful to not draw attention to what they are and what they are doing. Making it difficult to find and catch them.
Unintentional Damage: This is what happens when your staff have no malicious or harmful goals in mind, but because of weak or missing controls, they have the ability to perform certain actions that they should not be able to. When they make a mistake therefore, they may end up doing a lot more damage than if the controls had been in place. Think of a person deleting a file by mistake, but they end up removing it from the server. This type of problem can also occur by people changing jobs. The job market is a lot more fluid now then it ever has been, especially for ‘knowledge workers’. Now when these staff leave, they will probably go work in a similar job and this generally means that they will be working for the competition, therefore any knowledge the person had will now go with them to the new job. There is nothing you can do about this, except make sure your staff do not have excess access and that you do not purposely drive these people away.
Unintentional Access: This is where the organization has expanded its internal network into something that is externally accessible. That sounds strange but think of this, when an organization installs wireless onto their trusted network, the border of that network now ends where the radio waves end, and therefore anyone able to use those radio waves is now an insider. Or when people are allowed access from homes or hotels, suddenly now all of those places and the communication medium between the areas is now also the trusted network. An organization that does not properly structure their network can end up with large headaches.

Why Worry?
The simple answer here is: Do you trust every member of staff 100%, 100% of the time? No one in a modern medium-to-large organization will say yes, there are just too many variables and possibilities. Am I being harsh? Ask yourself this: Why do you trust your staff? What have they done to earn that trust? You would not trust a person walking past the organization’s building on the street, so why when you hire that person do you now suddenly trust them? Upon what does the organization base that trust? Now add into the mix that even trustworthy people can do something wrong when they are under stress or are being pressurised, and suddenly the problem is a lot larger. Then we need to add in the damage that someone could unintentionally cause due to a lack of controls, and suddenly the need to worry is apparent.

So What?
Even if there is a chance of damage, why should I worry about it? Look at it this way, firewalls, intrusion-detection systems, encryption and other technical measures have made it very difficult (or it should anyway) for an attacker to gain access to your trusted network. This therefore limits the number of people who could commit these attacks. But your trusted network is generally setup ..well.. more trustingly. This is because it makes it easier for your staff to work on it and accomplish their jobs. Therefore, if an attacker had access directly to your trusted network, bypassing most logical defences, then the knowledge and skill required to commit an attack is drastically reduced. This is an important point to remember, insider threats are easy and extremely damaging. Plus, most staff are given some level of network resource access in order to do their job, making any potential attackers job easier. An insider will also be able to become familiar with the processes and procedures and their weak points, with what data is valuable and where it is stored, and other contextual information which make committing an attack easier. These are just some of the reasons why organizations need to worry.

What Can I Do?
The first thing to realise here is a simple fact: Prevention is ideal but detection is a must. Full insider threat prevention is impossible, it will happen, but the organization must be able to assess the damage, mitigate it, and recover quickly and efficiently. Next you must know what is being attacked. Does the organizations know which are its critical resources? And why? Once you know this you can begin to work out an acceptable level of loss, remembering that the lower that level is set, the more resources and measures have to be put in place. Once you know what is critical you can then look at the next most important fact; access. Who has access? Why do they have access? What access do they have? How did they get the access? Remember that access to the organizations resources is what makes insider attacks such a threat, so understanding those questions can begin to point you in directions to start making changes.

Once you know all of the above you can start reasonably putting measures in place, but as a starting point here are some general prevention mechanisms to put in place:

Education / Awareness: Any organizations weakest point is its staff. All your staff are on the trusted network and have varying levels of access, therefore if they can be manipulated into helping an attacker (social engineering) then you are facing a large problem. But if you can educate your staff, raise their awareness, then you have an entire organization of people who will be able to help you find and deal with all threats – including insider threats.
Defense in Depth: This is a general concept that simply means that an organization must not place all its security needs on one system or setup, because that would mean that once an attacker –internal or external- is past that system, then they have free rein. The better idea is to have multiple levels of security within the organization, so that any attacker would need to bypass multiple levels of security to get what they want.
Backups/Archiving: It has already been said that there will be loss, and that the recovery and detection of an insider attack must be quick and effective. For this to occur any organization will need a comprehensive backup plan for its critical resources, as well as an archive of its logs and audit trails to ensure that no information is lost which may help resolve the incident.
Least Privilege: This is a very important principle. Anyone should only have the access needed to do their job, anything else should not be allowed. Bear in mind, that this does not mean taking away resources, which may hinder them in fulfilling their job, but just the access to excess resources. Access is very important in any insider threat model and attack, if you properly and carefully monitor that, you will go a long way to dealing with the threat. Note, this does not only apply to logical resources (access to files, documents, etc) but also to physical resources. For example, how many people in the company actually need access to their USB ports for business purposes? Or need to bring in personal data-shuttle-capable devices?

Final Words
The idea of insider threat is one that companies do not like to face, because it is difficult and very often requires a change in mindset and how things work. But ignoring it will not make it go away, it will just make it the chances of it happening greater and the damage it causes when it does a lot more. Better to take some short-term pain for a longer-term benefit. I also do not advocate seeing the insider threat as the answer to why everything goes wrong, but it should at least be a consideration. So start looking into this stuff and as always, have fun and learn.