Are your biggest security threats on the inside?

Ask most computer pros to talk about IT security, and you’ll likely hear about all sorts of external threats, like malware, hackers, spyware, DOS attacks and the like. But what if the bigger – and more costly – threat comes from within?

The now infamous Ashley Madison website has had a pretty successful run at helping its clientele be disloyal. So perhaps some would view it as poetic justice if the website became one of the most scandalous breaches in history at the hands of one of its own.

At least that is the conclusion of IT security analyst John McAfee, who noted recently “yes, it is true. Ashley Madison was not hacked – the data was stolen by a woman operating on her own who worked for Avid Life Media.”

If true, the fact that the Ashley Madison breach was due to an internal, and not external, threat shouldn’t come as too big a surprise. Many IT security studies this year have pointed to the growing threat of insider data theft and corporate breaches.

In some cases, insider threats can be more financially damaging and more difficult to defend against. After all, external threats involve someone trying to break in. The insider threat already has the keys to the front door and knows where the family jewels are stored.

Still, external and internal threats often share one key motive – the desire to profit from data. With external threats, hackers are traditionally looking to steal data that they can sell in the black market. With internal threats, the incident may involve an employee – or former employee – looking to cash in on something they developed or strategic information that competitors want.

[Related: Insider threats force balance between security and access]

That was the case this January in Boston, when the Proctor & Gamble Company filed suit against four former Gillette Company employees, accusing them of wrongfully using and disclosing confidential information and trade secrets to a direct competitor.

In July, an employee of Merit Health Northwest Mississippi was accused of removing patient information from the facility over a two year period without authorization. The employee reportedly stole patient names, addresses, dates of birth, Social Security numbers, health plan information and clinical information, all for the purpose of identity theft.

Perhaps the most difficult to defend against is the disgruntled employee, notes Jane LeClair, chief operating officer at the National Cybersecurity Institute, which tracks data breach incidents. One might be tempted to think the NCI spends the lion’s share of its time on external data breaches, but insider threats have become a top concern.

“Insider threats are something that most organizations don’t have a terribly high focus on today,” LeClair believes. “I think there is a lot to be done in that area. We, as Americans, are really a very trusting people. So it’s hard for a lot of organizations – especially smaller organizations – [to view employees as a primary threat].”

Obviously most aren’t. But enough are, or could be, that employers need to be looking over both shoulders – one facing outside and the other in, LeClair indicates.

“In many cases, when we talk insider threat, the person may no longer be with the company – so if you add that piece to the definition you can see why it becomes pretty big; much bigger than people probably think about,” LeClair notes. “People who leave may be angry or frustrated, or are laid off. You can understand why the company wants to get them out quickly because they can have that need for revenge in some cases.”

Or they may still be with the company but are disengaged.

“They feel unappreciated or unfulfilled. They are hard workers but they don’t feel that the organization is appreciating them or recognizing them, or perhaps not paying them what they feel they’re worth. That’s another level of dissatisfaction that is very frequently thought about. I would say that’s probably one of the bigger reasons.”

Then there is a relatively new insider threat which may prove to be among the most dangerous – the politically motivated perpetrator.

“I’ve always looked at from the human perspective,” explains Candy Alexander, an IT security consultant and former chief information security officer. “It’s important to note if you are a security person or an IT person to pay attention to what is going on in our society with current events. It will be reflected into the electronic world. In our society and culture today there is a lot of intolerance for lots of things. We’re seeing that through sorts of events.”

A different moral compass

Could social conscious be a motivating factor in the Ashley Madison case? It’s still too early to tell, but some IT security experts tell CIO that it is certainly possible.

Since word of the Ashley Madison breach broke in July, many IT security experts and forensics professionals began debating the source of the attack, which revealed the email addresses of millions of account holders and site visitors. Many immediately suspected an insider threat, since the culprit(s) seemed to know too much about the firm’s technology.

“A hacker is someone who uses a combination of high-tech cyber tools and social engineering to gain illicit access to someone else’s data. But this job was done by someone who already had the keys to the Kingdom. It was an inside job,” McAfee stresses.

To support his charge, McAfee cites the following information that was shared by the hacker:

  • An office layout to the entire Ashley Madison offices.
  • Up-to-date organizational charts for every division in the company.
  • A stock option agreement list, including signed contracts.
  • IP addresses and the status of every server owned by the company, which amounts to hundreds worldwide.
  • Raw source code for every program that has been written for Ashley Madison.

Clearly some individual, or individuals, had an all access pass to the company’s systems.

Accidental exposure

Many top IT security experts believe that the most common form of insider data threat is that of accidental exposure – an employee unintentionally and unwittingly creating a vulnerable situation or allowing data to be accessed. That certainly accounts for many threat incidents.

“All companies are going to have the possibility of this occurring because accidents do commonly occur, and I do believe that accidental exposure is much more common than intentional harm,” explains Meg Anderson, chief information security officer at Principal Financial Group.

“So lack of awareness is one cause of accidents – such as lost laptops, misdirected email, even paper reports that are still walking out of companies,” Anderson says. “Those are relatively small incidents. But we also have data on all kinds of new devices now, so we’ve added possibilities of iPhones being hacked, tablets, etc.” They all run the risk of financial loss, fines, lost customers, plus the potential loss of reputation.

[Related: UBA vs. the rogue insider]

Insider threats also vary depending on what the organization does and the type of data it collects, Anderson says.

“There are a lot of scenarios and I think a lot of it depends on the organization. You cannot discount financial gain. There are going to be insiders that want to make money on your data and on your intellectual property. It could involve insider trading – having authorized access and passing that along to somebody else. “

“The third thing I can think of is that a lot of times employees think that they own what they work on while they’re at work. One thing that is often compromised is source code – programmers thinking they own their source code. They may also be temporary contract employees that work for us. They take that code from company to company, because you do reuse code, and it makes sense to them that it is their property.”

Still, Anderson agrees that it the disgruntled employee that probably poses the greatest theat.

“When we talk about intentional damage it could be far more impactful because it’s less likely to be noticed and it also could go on for some time – a ‘slow flow’ sort of approach,” Anderson says.

To spot a thief

So how do you spot the potential data thief in your midst?

It starts with observing behavior, notes Ganesan (Ravi) Ravishanker, CIO at Wellesley College, in Massachusetts.

“We do the usual best practices,” Ravishanker says. “Most of us rely on the annual audit. We create the best practice controls and do the best we can. We also rely on the business units to partner with us to be able to develop controls, to develop reports; we do have very comprehensive reports that we generate on which users have access to what data. That gets adjusted because people’s roles change. We need to make sure that we keep people’s access as limited as possible.”

But technology is only part of the solution. It is equally important is to watch for changes in user behavior, Ravishanker says.

“One of the big things is really looking at changes in employee behavior,” LeClair agrees. “Maybe their work performance is dropping off or they’re arriving later. Conceivably it could even be better work performance in that they’re grabbing data. Or behavior toward other employees might be something that you notice.”

Finally, in addition to all the best security practices that an organization should focus on, the bottom line is how well the organization treats its workers.

“The thing I feel best about is that we have a Best Place to Work, and it’s on the Best Place to Work list for a reason,” Anderson concludes. “I do think that if you have fully engaged employees that feel appreciated and that their work is being recognized, they are less likely to feel that they want to commit crime on the job.”

Join the CSO newsletter!

Error: Please check your email address.

More about AvidGillettePrincipal Financial Group

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by David Weldon

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place