AccountingQueen
$16/per page/Negotiable
Insider Threats
Nhanh T. Nguyen
ISSC361: Information Assurance
Professor Jared Spencer
March 23, 2017
Introduction
An insider threat event is typically uncommon in nature when compared to external attacks. The insider attack can be a malicious in intent or simply negligent actions of an employee. According to the Software Engineering Institute (SEI) at Carnegie Mellon University, Insider threats are tougher to identify due to their ability to mask their identities and intentions.
“a malicious insider threat to an organization is defined as a current or former employee, contractor or other business partner who has or had authorized access to an organization's network, system or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality,” (Preimesberger, 2014)
Usually, the type of information that an insider threat holds can delivered the most destructive, opposed to an external attack. The type of access and clearance levels an internal threat actor has to an organizations proprietary information can be catastrophic because the insider threat actor has the means to publicize the private sensitive information without the company consent. Though this is an illegal act, also a lawful deterrent, insider threats are still relevant.
An external threat attack actor is not as an intimidation because they do not have the same levels of access that provide insider threats leverage to carry out a more damaging attack. Examples of insider threats are Edward Snowden, Chelsea Manning, and Nada Prouty to name a few. These individuals had access to sensitive data that are entrusted to them, that allowed them access of which they were not allowed to freely disseminate proprietary information. The result of their actions has led to policy changes regarding restricted access to internal employees. When these organization policies are compromised or an act of pilfering to sensitive information occurs, second, third, and fourth order effects can negatively affect a nation’s security posture, in addition to negatively affecting an organizations finances and reputation.
Relevance and Significance
It is important to identify the profile and characteristics of what an insider threat looks like. Organizations find themselves in a unique situation where they have to identify indicators of what a threat actor looks like. An insider threat does not fit any profile physically, and an insider can be an array of a disgruntled employee, to an individual that seeks financial gain, or even individuals that are coerce to the act of espionage. Furthermore, an insider threat can be anyone ranging from your friends list on social media to co-workers, neighbors, or even your significant other. As the challenge to identify an inside threat, there are ways to identify illicit actors by behavior patterns.
According to Michael Gelles, a director with Deloitte Consulting LLP, “To detect insiders’ actions before they do harm, Gelles advises organizations to establish a series of threat indicators, such as policy violations, job performance difficulties, or disregard for rules, based on high-value assets they wish to protect.” (WSJ, n.d.) By identifying these behavior patterns and unusual displays, companies will have a greater achievement in properly identifying possible threat actors and established necessary courses of action to mitigate said threats. Knowing these behavior patterns can assist an organization to determine what can be an indicators of an insider threat. These behavior patterns can eventually lead investigators to discovering an individual’s role, access level, work habits, their interactions with sensitive information, and physical movement.
It is also important to identify the capabilities of an insider threat. The insider threat has the ability to access sensitive information from within an organization. It is extreme important to have strict access and limit the number of users who are provided with authorization to sensitive information. Edward Snowden, a former Booz Allen Hamilton defense contractor had almost all the access to the intelligence community systems where he was able collected and released thousands of classified documents. “In the years since, journalists have released more than 7,000 top-secret documents that Snowden entrusted them with, which some believe is less than 1% of the entire archive.” (Szoldra, 2016) Organizations and government agencies that are given the task with defense of national security and protection of proprietary information should be cognizant of individuals that have been granted access to large amounts of information. It is imperative to identify these individuals, so in an event of a security breach of information, investigators have a lead on such individuals and should be prioritized for targeting.
Additionally, it is important to determine an organizations vulnerabilities to insider threats. Understandably it is not possible to completely remove the risk of insider threats because companies and government organization need to give access to sensitive information. But companies and the government organizations can be proactive in determining existing vulnerabilities to hinder a threat actor’s ability to exploit said vulnerabilities. Companies such as Apple, Microsoft, Uber, to name a few, actively pay hackers to find existing vulnerabilities in their software’s to preemptively identify existing vulnerabilities.
“On Tuesday Microsoft announced that it's now willing to pay up to $100,000 for information about security bugs that can be used to bypass the defenses of Windows…” (Greenberg, 2013) “$25,000 for ways around Apple’s digital compartments and into its customers’ data, $50,000 for bugs that give hackers a way into iCloud data, and $200,000 to turn over critical vulnerabilities in Apple’s firmware” (Perlroth, 2016)
Finally, it is important to determine appropriate mitigating measures an organization or nation should take to stop or mitigate an insider threats abilities. By not properly identifying insider threats massive repercussions can exist. “In January, it was revealed that 27 million records were stolen from the Korea Credit Bureau, including names, resident registration numbers and credit card details for 40 percent of the population of South Korea.” (Preimesberger, 2014) An instance like this data breach conducted by an insider, mitigating measures need to created to ensure information is protected from exploitation. An organization should have a threat plan in place and set stringent standards to accomplish insider threat possibility. Most organization should have a security management team in place with other mitigation team members to neutralize threats.
Capabilities of an Insider Threat and the Vulnerabilities an Organization Might Face
Corporate information breach are the worst threat to the security of Information Technology infrastructure today. This can be proven by the fact that trends in market analyses, company survey results, and industry development as well as and related studies. Internal threats constitute the harmful activities with data that lead to violation of some or all of the core procedures of information security, confidentiality, availability, and integrity and emanate from within an organizations information system infrastructure.
Despite having a lot of various internal threats, some are prevalent than others. Among the most common include violating internal information security rules that might cause information breach, unauthenticated and unauthorized access, destruction or modification of confidential information. Others include brute forcing access using password cracking attacks and user installing malware, viruses, Trojans, botnets, and root-kits in one’s corporate network. Typically, the data targeted by internal threats include removable storage devices such as Hard Drives, USB removable Flash drives, card readers, or DVD discs and file-shares with an attempt to copy and carry it elsewhere (Securelist, 2017).
It might also be exhibited by attempts to steal devices that carry confidential information such as personal computers, work mobile phones, user laptops, and hard drives ("IBM Mobile - BYOD - Bring Your Own Device", 2017). Sometimes, it is the theft of corporate data either in parts or whole. This can be achieved by installing unauthorized Wi-Fi networks with the intention to steal or sniff into confidential data or important documents with the aim of removing hard copies from company location.
Detailed description of an Insider Threat
Perpetrators of insider threats have some common characteristics such as being an introvert. People who constitute insider threats usually are quiet and keep to themselves either because they are demotivated or because it is their nature. Insider threats are also characterized by greed and financial needs. This, in turn, make them vulnerable to being blackmailed and they, therefore, develop a compulsive and consequently destructive behavior such as becoming rebellious, passive, inflexibility and low loyalty. Edward Snowden characteristic traits backings his massively exaggeration personality as he was rebellious and show destructive behavior prior to seeking asylum with Russia. Snowden had fabricate his military experience of being in a Special Force unit, as a cover up for being washed out of Army basic training. He stated that he was kicked out of the U.S. Army for breaking both his legs during a training event. Characteristic displayed by Edward Snowden is nothing more than a strings of compulsive lies to portray his supposed patriotism (Enjeti, 2016).
Insider threats have also been known to be narcissists. Surprisingly, people constituting these threats also strive to minimize their faults, and when they mess up, they rarely take responsibility for their actions because they cannot tolerate criticism and they believe that their value exceeds their performance (Kurzynski, 2015). They will also not show empathy. They have constant patterns of disappointment and frustration and do not manage crises effectively. As Bradley Manning a U.S Army intelligence analyst was responsible and sentence to thirty five years in prison for delivering hundreds of thousands classified sensitive documents to WikiLeaks. Private Manning, who is a transgender, was granted the right to be recognized legally as Chelsea Elizabeth Manning. Chelsea’s actions had led to be found guilty of espionage and theft of classified documents and aiding the enemy. As Chelsea was being incarcerated, that she blamed the Army for the continuing harassments to include being bullied and requested for a gender change.
Her ongoing outburst to include having confrontation with her superior commissioned officer caused her demotion in rank and dishonorable discharge prior to being sent to Fort Leavenworth, KS. Chelsea continue to dispute the charges and pleaded not guilty to her actions of leaking sensitive information, which is accessible by the Al-Qaeda. Private Manning was ultimately charged with twenty two specified offenses, including communication national defense information to an unauthorized source, and aiding of the enemy, among other charges of Article 92 of the Uniform Code of Military Justice (UCMJ). Chelsea character traits support the characteristic of an Insider threat (Owen, 2016).
It not rare to find individuals that characterized as an insider threat accessing the corporate network at odd hours such as when on leave, at home, during holidays, or even working odd hours without authorization. They are very enthusiastic about overtime and working over the weekend or unusual work periods. It is also common to find them making unnecessary copies of data especially if it is proprietary and lies outside the scope of their duties. As an undercover spy for the FBI and CIA, Prouty, Nada was able to keep a low profile while working with high-profile terrorism cases. To support the statement and characteristics of an insider threat, Prouty displaced these character traits by volunteering for dangerous missions and other high-profile cases like the USS Cole Bombing. Prouty has been completely exonerated by the CIA, after they uncovered her sham marriage and revoked her citizenship status. Prior to being acquitted, Prouty is originally a native of Lebanon and became eligible to work as a Special Agent in the United States after she got married while attending college with her student visa.
Suspicions of her activities as she was being more proactive on the FBI computers while searching information on a distant relatives suspected to have ties to Hezbollah. With having the abilities of speaking a second language that is vital to work terrorist cases helped her advanced within the agency. However, with her access to sensitive information, and being an illegal alien poses great risk to national security. Nada Nadim Prouty is the only case known to be an illegal alien to infiltrating U.S. intelligence agencies with potential espionage implication (Stein, 2010). Other traits include poor mental health, gambling, financial difficulties, and illegal activities ("Insider Threat Best Practices", 2017). The actions of these insider threat actors prove great dangers to our national security.
Technology involved insider threat
As Cloud computing is becoming emerge technology pattern for ways both organization and government to facilitating the dynamic versatile resource as part of their operation. The advantage of this could technology allows companies and government to retain the same applications and operational procedures which is readily manageable by the internet. The accessibility of data can be access virtually anywhere, anytime as it maximizes enterprise productivity and efficiency. There other advantages in could computing is that it requires no additional hardware, keeping cost at a minimum, and the flexibility for organization to deliver faster and more accurate retrieval of applications and data.
However, the cloud technology does have a few draw back which can be vulnerable if the information is sensitive in nature. Once you provide anything to the cloud, you are handing over your data and sensitive information. “The use of cloud services affects the security posture of organization and critical infrastructures, therefore it is necessary that new threats and risk introduced by this new paradigm are clearly understand and mitigate.” (Kandias, n.d)
Wireless technology has been around for approximately 200 years and was first seen when Alexander Graham Bell and Charles Sumner Tainter invented the technology. As wireless applies to the IT world, the ability to communicate through the air as a mean to transmit data is a fascinated concept. Bluetooth is another type of wireless technology that transmit data over a short range using different wavelength. However with the innovations and ability of these technology, poses a threat as mobile computing flow of information over the air that can easily intercept by a threat actor that are looking to steal information or gain control of a system. As Robert Ferris reported that Chinese company hacks Tesla car remotely. It was a Tesla Model S and demonstrated several security vulnerabilities. Even though this is a security team that performed the test which use the malicious WiFi hotspot to gain access, proved that wireless technology does present risks. (Ferris, 2016)
These technology are evolving at a fast pace and due to the Network configuration and is easier, faster, and less expensive seems very appealing to organizations and the government due to the convenience, mobility, productivity, and deplorability. However, the wireless technology also present a host of issues and unauthorized access points which poses vulnerabilities. The transmission of data using radio frequencies provides a threat actor an avenue to attack which can result in a compromise of the confidentiality, integrity, and availability.
Future trends on insider threat
The threats we all known and become familiar with are hackers and their capabilities do harm to an organization beyond the boundaries of the network walls. These threats are on a continuum basis that will keep organizations and government to upgrade their security postures. However, as a trend to the ongoing threats, approximately 55% of cyber-attacks were carried out by insiders, according to IBM (Rose, 2016). The overall lack of knowledge of insider threats has become the Achilles heels to organization as the impact of this type of threat will be a devastating effects. This may impact national security, and definitely will impact the organization financially and their reputation. The act of an insider threat will abuse their privileges such as Edward Snowden and Chelsea Manning to steal sensitive classified information and leaked the data.
Despite the knowledge of these incidents of insider threats, “the rising of insider threat is exacerbated by the ever-increasing concentration of computer power and network access provided to privileged user” (Rose, 2016).
Examples companies involved with insider threat
The incident in 2013 made headline news when Edward Snowden, a former National Security Agency (NSA) subcontractor leaked top secret information about the NSA surveillance activities. Snowden later fled to Hong Kong, China to meet with journalists from “The guardian”. During his engagement with the journalists, they managed to print newspapers detailing the information he had leaked about the surveillance of American citizens. Snowden was charged with theft of government property, also a violations of the ‘Espionage Act’ by disclose classified information to the public and he is currently seek asylum in Russia. The aftermath of the incident triggered the public opinion about the government surveillance program in some ways, however, the incident have not caused a major shift. However, there are other opinion floating about the decision on Russia to harbor Edward Snowden. Some United States politicians view the matter differently, for instance, Senator John McCain recommend the time to re-think the relation with Putin’s Russia as they granted asylum to Edward Snowden. The decision can possibly derail a planned, for most certainly going to undermine the current status of United States and Russian relations.
The United States Army whistleblower whose sentence to a 35 year in prison was commuted by President Obama prior to him leaving office. As the incident unfold in 2010, Private Manning has gone through a transformation not only the approval of her transgender but also the endangered the relations of U.S diplomats and foreign sources. The classified report that was released made U.S diplomates to think twice about what they wrote and also made their foreign contacts to think twice about what they told the diplomats (theguardian, 2017). There are no proven death case of incident follow the attribute of the secret information release, however there are awkwardness and embarrassment and damaged U.S. diplomatic relations after the leak. The incident causes government officials, business leaders, educators and journalists remain reluctant to speak freely in private with U.S diplomats, these evidence presented in the leak has fracture the US military relations with foreign governments. The Manning-era WikiLeaks that was published in 2010, since the incident, Chelsea Manning accepted the consequences of her actions and agreed to face the justice system. Meanwhile, Julian Assange has seek asylum with Ecuadorian embassy in London to escape rape charges in Sweden after the United States government launched a criminal investigation into the WikiLeaks and cooperate with other allied nations for assistance (MacLellan, 2017).
When Nada Nadim Prouty fled the Lebanese Civil War, at the age of 19, she came to the United States on a Student visa. During that same time, Nada Nadim Prouty entered into a fraudulent marriage to not only afford her college tuitions but also to remain in the United States. After graduating with an accounting degree, she joined the Federal Bureau of Investigation (FBI). As a Special Agent on an international terrorism unit, she worked on the USS Cole, Khobar Towers, Laurence Foley, and other terrorism related cases. Nada Nadim Prouty then use her cultural background and linguistics abilities to be efficient at her position working with the CIA. Not until her the CIA caught up with her ruse effort on the marriage to a U.S Citizen in order to gain citizenship in the United States. Among other investigations, allegedly uncovered that Nada Nadim Prouty committed immigration fraud. Due to the incident, many raised concerned that she was able to conceal her past from two of the nation’s top anti-terrorism agencies about their vulnerability and infiltration. As she insinuates herself into a sensitive position in the U.S. government, many concerns on the security background process these agencies have in place. This is another case that marked another serious security breach at the FBI, which comes with criticism for their security procedures.
Regulatory issues surrounding insider threat
Due to the heavy impact of information security breaches, an organization is obliged to take actions to mitigate them so as to identify and stop insider threats before they escalate. Some of the policies that an organization can implement include ensuring that an organization has an acceptable use policy. This policy should include procedures that control the reporting of suspected insiders. Another mitigating measure includes training for all employees regarding information security threats. All the levels of an organization need to be trained regarding insider threats and be armed with the tools to communicate cases of such threats within the organization.
Another measure is to safeguard corporate data. The data that should need to be safeguarded should be protected using the least-privilege option where only minimal access is provided to users. This means that one only gets access to what they are authorized to do.
The organization should also try to keep Vigilant always. Security and IT employees need to adopt a paranoid approach towards information security. This will help them implement security in depth approach where data is protected via many parallel means. More vigilance should be employed during retrenchment or firing. In such cases, access needs to be terminated immediately to all the systems.
Global implications for insider threat
After the incident of Edward Snowden, which leaked a series of highly classified National Security Agency (NSA) documents, will forever change the way cyber-security community will operate. This incident along has a rippling effect throughout the companies. Not only did NSA changed their practices when dealing with classified information, but the majority of cyber-security community has change their policies as well. After the incident, a majority of 55 percent said their employees now receives more cyber-security awareness training and re-evaluation of employee data access privileges (Greengard, 2014).
Two years prior to the incident of Edward Snowden, the United States government also dealt with an incident of similar nature of classified information leak. This was the event of Private Manning when she has leaked hundreds of thousands of classified files to WikiLeaks. These two incident along has damage the reputation of the United States government and their ability to safeguard vital information. These disastrous security leaks could have been prevented by the government best practices. The two incidents was similar in nature and without any aide from outside source, they were able to steal classified information vital to the United States government. Since the both of them operated within the grey area, as they was privileged to the data. The best practice is to have limited access to download and or transfer information to another source.
The CIA and FBI also made changes to their security postures as part of their hiring process after the incident with Prouty, Nada Nadim along with re-evaluate current employee as part of their security clearance renewal process. The polygraph procedure changes as well, since the process can be cheated when it comes to accuracy measures of pulse, blood pressure, sweat and other physiological parameters.
Since insider threats emanate from technical, organizational, and behavioral issues, these must be addressed through technologies, policies, and procedures. Some best practices need to be adopted to reduce insider threats in an organization. Decision makers should understand the real scope of an insider threat and make efforts to communicate to the relevant authorities. The following best practices might be adopted in attempts to promote information security:
· Behavior Patterns That Can Indicate an Insider Threat. (n.d.). Retrieved March 2, 2017, from
http://deloitte.wsj.com/cio/2014/08/07/the-behavior-patterns-that-can-indicate-an-insiderthreat/
· Greenberg, A. (2013, June 19). Microsoft Finally Offers To Pay Hackers For Security Bugs With $100,000 Bounty. Retrieved March 2, 2017, from https://www.forbes.com/sites/andygreenberg/2013/06/19/microsoft-finally-offers-to-pay hackers-for-security-bugs-with-100000-bounty/#6f52e31148d8
· Perlroth, N. (2016, August 4). Apple Will Pay a ‘Bug Bounty’ to Hackers Who Report Flaws. Retrieved March 2, 2017, from https://www.nytimes.com/2016/08/05/technology/apple-will pay-a-bug-bounty-to-hackers-who-report-flaws.html?_r=0
· Preimesberger, C. (2013, December 29). The Seven Largest Insider-Caused Data Breaches of 2014. Retrieved March 2, 2017, from http://www.eweek.com/security/slideshows/the-seven-largest insider-caused-data-breaches-of-2014.html
· Szoldra, P. (2016, September 16). This is everything Edward Snowden revealed in one year of unprecedented top-secret leaks. Retrieved March 2, 2017, from http://www.businessinsider.com/snowden-leaks-timeline-2016-9
· US v. Prouty, Nada Nadim, et al. (n.d.). Retrieved March 2, 2017, from http://www.investigativeproject.org/case/254/us-v-prouty
· IBM Mobile - BYOD - Bring Your Own Device. (2017). IBM Mobile. Retrieved 28 February 2017, from
http://www.ibm.com/mobile/bring-your-own-device/
· Insider Threat Best Practices | The CERT Division. (2017). Cert.org. Retrieved 1 March 2017, from
https://www.cert.org/insider-threat/best-practices/
· Kurzynski, T. (2015). How do you recognize an insider threat?. Halock.com. Retrieved 1 March 2017,
from https://www.halock.com/blog/recognize-insider-threat/
· ManageEngine,. (2017). Bring your own device management.. ManageEngine Mobile Device Manager
Plus. Retrieved 28 February 2017, from https://www.manageengine.com/mobile-device-management/bring-your-own-device-byod-management.html?gclid=CjwKEAiA3NTFBRDKheuO6IG43VQSJAA74F77ewqm1kxasLkK4zXkyL-ldpv4kM8iB42Idw2kQuXPcRoCqUHw_wcB
· Securelist,. (2017). Recognizing internal threats – Securelist – Information about Viruses, Hackers and
Spam. Securelist.com. Retrieved 1 March 2017, from https://securelist.com/threats/recognizing-internal-threats/
· Enjeti, S. (2016, September 16). Key Elements Of Edward Snowden’s History Have Turned Out To Be
Massively Exaggerated. Retrieved March 23, 2017, from http://dailycaller.com/2016/09/16/key-elements-of-edward-snowdens-history-have-turned-out-to-be-massively-exaggerated/
· Owen, T. (2016, March 19). Chelsea Manning Revealed How the US 'Insider Threat' Program Tries to
Catch Whistleblowers. Retrieved March 23, 2017, from https://news.vice.com/article/chelsea-manning-revealed-how-the-us-insider-threat-program-tries-to-catch-whistleblowers
· Rose, R. N. (2016, August 30). The Future Of Insider Threats. Retrieved March 23, 2017, from https://www.forbes.com/sites/realspin/2016/08/30/the-future-of-insider-threats/#161904fd7dcb
· Ferris, R. (2016, September 20). Chinese company hacks Tesla car remotely. Retrieved March 23, 2017, from http://www.cnbc.com/2016/09/20/chinese-company-hacks-tesla-car-remotely.html
· MacLellan, S. (2017, January 18). Chelsea Manning's redemption proves how far WikiLeaks has fallen.
Retrieved March 23, 2017, from http://thehill.com/blogs/pundits-blog/the-administration/314919-chelsea-mannings-redemption-proves-how-far-wikileaks
· Greengard, S. (2014, February 10). Defense Contractors Up Security After Snowden. Retrieved March
25, 2017, from http://www.baselinemag.com/security/defense-contractors-up-security-after-snowden.html