Defining Insider Attacks
A malicious outsider is often portrayed as a person in a black hoodie, typing furiously on a keyboard to extract sensitive data from the depths of an organization's IT infrastructure. Organizations expect these attacks; they know the enemy and prepare for it. But what about the attacks you don't expect? I am going to talk about insider attacks, who the insiders are, and why I think it is so important to set up security measures that protect your organization from the inside out.
- Who on the inside is exposing sensitive information?
Disgruntled employees attempt to harm their organization, typically seeking revenge for a perceived injustice. These attackers tend to strike just before or immediately after leaving the organization, while they still hold access to proprietary data, which is why access must be revoked the moment the departure is known, not at the end of a routine offboarding cycle.
Malicious insiders harm their organizations for personal reasons, whether financial gain or something else entirely. They abuse their privileged access to steal information, or take advantage of orphaned credentials (accounts that remain active after their owner has left or changed roles) to attack organizational resources.
Although non-malicious in nature, accidental exposure is also a form of insider attack. These insiders do not intend to cause harm, but they release sensitive data through negligence of security best practices or by falling for social engineering.
"Quasi-insiders", or trusted third-party vendors, are also categorized as an insider threat. They are often granted some level of security access to internal systems and sensitive data. Outside attackers who compromise such a vendor inherit that trust and appear to be insiders while carrying out their attacks.
- Why is it important to protect from the inside out?
Many people assume that whatever perimeter defenses are deployed, whether firewalls, network security zones, VPNs, or similar, are enough to protect internal, sensitive data. In reality they are only the first line of defense, and an insider is already behind them. Effective data security must protect data from within. Principles such as dual control (no single person can perform a sensitive operation alone) and split knowledge (no single person holds a complete key or secret) are fundamental to preventing the loss of sensitive data. Without a combination of people, process and technology to implement access controls, information will be leaked.
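Dual control and split knowledge are easiest to see where they originate, in key management. The following is an added example and not code from the original post: a data-encryption key is XOR-split into one share per custodian, so no custodian alone holds anything but random bytes (split knowledge), and reassembly refuses to run unless every custodian presents a share and the result matches a key check value (dual control). The key bytes, custodian names and the KCV construction are assumptions made for illustration.

```python
"""Split knowledge and dual control for a symmetric key via XOR secret splitting.

Added example, not from the original post. The key bytes, custodian names and
the key-check-value (KCV) construction below are assumptions made for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable

KEY_LEN = 32  # a 256-bit data-encryption key (constructed for the example)


def _xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("shares must all have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, custodians: Iterable[str]) -> Dict[str, bytes]:
    """Split `key` into one share per custodian; all shares are needed to rebuild it.

    Every share but the last is uniformly random; the last is chosen so that the
    XOR of all shares equals the key. Any proper subset of shares is therefore
    indistinguishable from random and reveals nothing about the key: that is the
    split-knowledge property.
    """
    names = list(custodians)
    if len(names) < 2:
        raise ValueError("split knowledge needs at least two custodians")
    shares = {name: secrets.token_bytes(len(key)) for name in names[:-1]}
    last = key
    for share in shares.values():
        last = _xor(last, share)
    shares[names[-1]] = last
    return shares


def key_check_value(key: bytes) -> str:
    """A KCV lets custodians confirm a reassembled key without revealing it.

    Here it is HMAC-SHA256 of a fixed label under the key (a construction chosen
    for this example; production KCVs are often truncated to a few bytes).
    """
    return hmac.new(key, b"KCV", hashlib.sha256).hexdigest()


def reconstruct_key(shares: Dict[str, bytes], required: Iterable[str], expected_kcv: str) -> bytes:
    """Dual control: proceed only when every required custodian has presented a share,
    then verify the result against the KCV so a wrong share cannot silently yield a wrong key.
    """
    required = set(required)
    missing = required - set(shares)
    if missing:
        raise PermissionError(f"dual control not satisfied; no share from {sorted(missing)}")
    names = sorted(required)
    key = shares[names[0]]
    for name in names[1:]:
        key = _xor(key, shares[name])
    if not hmac.compare_digest(key_check_value(key), expected_kcv):
        raise ValueError("reassembled key fails the KCV check; at least one share is wrong")
    return key


def demo() -> Dict[str, bool]:
    """One split between two custodians, then two attempts to bypass dual control."""
    dek = bytes(range(KEY_LEN))          # constructed key; a real one would be random
    custodians = ["alice", "bob"]
    shares = split_key(dek, custodians)
    kcv = key_check_value(dek)           # stored separately from the shares

    results = {"rebuilt_ok": reconstruct_key(shares, custodians, kcv) == dek,
               "single_share_is_key": shares["alice"] == dek}

    # Alice alone: dual control refuses to run.
    try:
        reconstruct_key({"alice": shares["alice"]}, custodians, kcv)
        results["alone_blocked"] = False
    except PermissionError:
        results["alone_blocked"] = True

    # Alice with a tampered copy of Bob's share (one bit flipped): reassembly
    # produces the key with that bit flipped, and the KCV check catches it.
    tampered = bytes([shares["bob"][0] ^ 0x01]) + shares["bob"][1:]
    try:
        reconstruct_key({"alice": shares["alice"], "bob": tampered}, custodians, kcv)
        results["forgery_blocked"] = False
    except ValueError:
        results["forgery_blocked"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The XOR scheme is n-of-n: it gives the strongest split-knowledge guarantee, but losing any one share loses the key, so deployments that also need availability typically use a threshold scheme (such as Shamir's secret sharing) in which any k of n custodians suffice. The KCV is kept separate from the shares so that it confirms a rebuilt key without itself being sensitive.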
I attended a conference at the Alamo AFCEA in 2013 where Lieutenant General James K. "Kevin" McLaughlin, Deputy Commander, U.S. Cyber Command, said that his top security concern was insider threats. Since then, his opinion has not changed. In June 2016, in regard to insider attacks, he was quoted as saying, "You can imagine the difficulty that would cause a commander, if he didn't trust his own network or his data." Insiders, malicious or otherwise, can degrade the quality and authenticity of extremely sensitive data. I completely agree.