The US Department of Homeland Security (DHS) recently issued a guide to help organizations guard against malicious insiders. The National Cybersecurity and Communications Integration Center developed the guide, which lists behavioral characteristics of people who could become a threat to information security. People exhibiting these behaviors may not necessarily become threats to an organization’s sensitive information, but it’s a good idea to understand potential patterns.
The guide defines an insider threat as a current or former employee, contractor, or other business partner who has or had authorized access to an organization’s network, system, or data and intentionally misused that access to negatively affect the confidentiality, integrity, or availability of the organization’s information or information systems. Edward Snowden and Chelsea Manning (born Bradley Manning) are two very public examples of people who would fit this category.
The motivation for this behavior varies and can include monetary gain, sabotage, exposing perceived wrongdoing or gaining a competitive advantage. The means to the end is typically abusing access rights (their own or others') to systems and stealing devices containing sensitive information. Someone who abuses access rights could download sensitive information and email it, load it onto a portable device or upload it to a file sharing service or site for later retrieval.
Here is a list of behaviors that could be suspicious. As I said earlier, these do not define an insider who means to do something malicious, but they are indicators.
• Remotely accesses the network while on vacation, sick or at odd times
• Works odd hours without authorization
• Notable enthusiasm for overtime, weekend or unusual work schedules
• Unnecessarily copies material, especially if it is proprietary or classified
• Interest in matters outside of the scope of their duties
Many of these characteristics could indicate a diligent worker or someone who is on a tight deadline for completing an important project. These, combined with disruptive behavior in the workplace, could indicate potential problems.
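The first indicators in the list can be checked against remote-access logs. The following is an added example, not taken from the DHS guide: it flags remote logins that fall during approved leave or outside normal hours, and queues a user for review only when more than one distinct indicator matches, since a single one may just be a diligent worker. The log format, leave calendar, working hours and threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, date

# Constructed sample data (not from the DHS guide): remote-access log lines
# in an assumed "timestamp user source" format, plus an HR leave calendar.
VPN_LOG = """\
2024-03-04T09:12:00 alice vpn
2024-03-05T02:47:00 bob vpn
2024-03-06T14:05:00 bob vpn
2024-03-09T23:30:00 carol vpn
2024-03-12T03:15:00 carol vpn
"""
LEAVE = {"carol": [(date(2024, 3, 11), date(2024, 3, 15))]}  # inclusive ranges
WORK_START, WORK_END = 7, 19  # assumed normal working hours, local time


def indicators(ts, user):
    """Return the set of indicator names that one remote login matches."""
    hits = set()
    if any(start <= ts.date() <= end for start, end in LEAVE.get(user, [])):
        hits.add("remote_access_on_leave")
    # Saturday/Sunday, or a weekday login outside the assumed working hours.
    if ts.weekday() >= 5 or not WORK_START <= ts.hour < WORK_END:
        hits.add("odd_hours")
    return hits


def review_queue(log_text, min_distinct=2):
    """Collect hits per user; queue only users with several distinct indicators."""
    per_user = defaultdict(set)
    for line in log_text.splitlines():
        stamp, user, _source = line.split()
        per_user[user] |= indicators(datetime.fromisoformat(stamp), user)
    return {u: sorted(h) for u, h in per_user.items() if len(h) >= min_distinct}


if __name__ == "__main__":
    for user, hits in review_queue(VPN_LOG).items():
        print(f"{user}: review ({', '.join(hits)})")
```

With the sample data, bob's single late-night login matches only one indicator and is not queued, while carol's off-hours logins during approved leave are.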
The guide goes on to talk about Detection, Deterrence and Training and recommends some approaches to combat the insider threat. The first on the list is to deploy data-centric, not system-centric, security. One of the technologies recommended is an enterprise digital rights management solution.
Controlling access to the data rather than the system is a better approach to preventing an insider threat, since the data is ultimately what the bad actor wants. It also ensures control is maintained regardless of location or device. An enterprise digital rights management solution is a data-centric technology that encrypts files and controls access and use through permissions. This guarantees that only authorized users see sensitive information.
Making employees aware of the issues through training and deploying appropriate technology to lock down data as it's created is the best way to combat insider threats before they become a problem.