By Ewout Vermeulen and Thom Otten. In the current era of ‘anytime, anywhere and any device’ there is no longer a traditional perimeter or digital wall that shields the internal organization from the outside world. This also has consequences for the security policy with regard to insider risk and outsider risk. Previously there was a clearer distinction, and an organization could take more targeted measures against threats from within and from outside. Now that the covid-19 crisis has stimulated working from home enormously, that distinction is no longer there, or at least much less clear. The result is a spaghetti of threats and possible solutions.
Known or unknown?
Previously, the focus was on the insider and outsider threat. Now, it is much more about whether we know the ones that threaten our security. The National Coordinator for Counterterrorism and Security defines Insider Threat in its Cyber Security Assessment Netherlands (CSBN) 2020 as ‘an internal actor who poses a threat based on access to systems or networks from the inside, with the motive of revenge, financial gain or ideology. An insider can also be hired or commissioned from the outside.’ The US Department of Homeland Security has a similar definition but explicitly mentions authorized access. The government also points out that a careless or negligent employee can be a real threat as well. The definitions of bodies such as NIST or CERT likewise cover current and former employees with authorized access who, for many reasons, directly constitute a threat to data and applications.
When it comes to the dangers of a malicious insider, the examples are many. They range from fraud and theft of intellectual property to data theft, insider trading and espionage. And for the latter it is certainly not like what you see in the movies, with suitcases with millions of dollars. Recently, a senior NATO official from Estonia was found to be spying for Russia. That had brought him the modest amount of 17,000 euros.
The Netherlands is also clearly involved in this espionage problem. For example, the National Coordinator for Counterterrorism states in its Cyber Security Assessment that the digital threat has a permanent character. And according to the same NCTV, the General Intelligence and Security Service (AIVD) and the Military Intelligence and Security Service (MIVD) there are also economic espionage activities, which are mainly aimed at Dutch top sectors and knowledge institutions.
What drives the insider? Verizon explains in its annual Data Breach Investigations Report. Greed is – unsurprisingly – at the top at 64 percent. Organizations are extorted for money. 15 percent do it solely for the thrill and in 14 percent of cases an unhappy employee is involved.
How to recognize an insider? To begin with: accessing or downloading large amounts of data is a red flag. This also applies to accessing or frequently requesting sensitive data that is not linked to the position of the employee concerned, or that falls outside their behavioral profile. Furthermore, it should be recognized when an employee copies sensitive files to an unauthorized storage device such as a USB stick.
What can you do against insider risk? It starts with real-time monitoring of user behavior, so that abnormal behavior related to possible sabotage, data theft or abuse is detected early. Secondly, it is important to detect and stop abuse of privileged access in time by properly arranging privileged access management (PAM). Thirdly, sentiment analysis provides a good way to determine whether an employee has become a threat in the context of cyber security. Is someone dealing with a bad appraisal at work? Is there a lot of stress? Are there any financial problems?
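The three indicators described above (large data volumes outside a user's normal profile, access to sensitive data that does not belong to the user's role, and copying to removable media) can be expressed as simple detection rules over an activity log. The following Python is an added illustration, not code from the original post or from Traxion; the event format, the role-to-data mapping, the volume baselines and the threshold factor are all constructed assumptions for the example.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample activity log for one day (not real data). Each event records
# who did what to which resource, how many bytes were involved and, for copies,
# where the data went.
SAMPLE_EVENTS = [
    {"user": "alice", "role": "finance", "action": "read",
     "resource": "finance/ledger.xlsx", "bytes": 2_000_000},
    {"user": "alice", "role": "finance", "action": "read",
     "resource": "finance/q3.pdf", "bytes": 1_000_000},
    {"user": "bob", "role": "engineering", "action": "download",
     "resource": "hr/salaries.xlsx", "bytes": 500_000},
    {"user": "bob", "role": "engineering", "action": "download",
     "resource": "src/repo.tar", "bytes": 600_000_000},
    {"user": "carol", "role": "sales", "action": "copy",
     "resource": "sales/pipeline.xlsx", "bytes": 3_000_000,
     "destination": "removable:USB-DISK"},
    {"user": "carol", "role": "sales", "action": "read",
     "resource": "sales/leads.csv", "bytes": 100_000},
]

# Assumed authorization model: which data prefixes belong to which role.
ROLE_SCOPES = {
    "finance": ("finance/",),
    "engineering": ("src/",),
    "sales": ("sales/",),
    "hr": ("hr/",),
}
# Assumed classification: prefixes considered sensitive regardless of role.
SENSITIVE_PREFIXES = ("hr/", "finance/")

# Constructed behavioral profile: bytes moved per user on previous days.
HISTORY_DAILY_BYTES = {
    "alice": [3_000_000, 2_500_000],
    "bob": [50_000_000, 40_000_000],
    "carol": [2_000_000, 4_000_000],
}
VOLUME_FACTOR = 5          # assumed: flag when today's volume exceeds 5x the baseline
VOLUME_FLOOR = 10_000_000  # assumed: ignore tiny baselines to avoid noisy alerts


def flag_insider_indicators(events, role_scopes=ROLE_SCOPES,
                            sensitive=SENSITIVE_PREFIXES,
                            history=HISTORY_DAILY_BYTES,
                            factor=VOLUME_FACTOR, floor=VOLUME_FLOOR):
    """Return a list of (user, indicator, detail) tuples for the three red flags."""
    findings = []
    volume = defaultdict(int)

    for e in events:
        volume[e["user"]] += e["bytes"]
        in_scope = e["resource"].startswith(role_scopes.get(e["role"], ()))
        is_sensitive = e["resource"].startswith(sensitive)

        # Indicator 2: sensitive data that is not linked to the employee's position.
        if is_sensitive and not in_scope:
            findings.append((e["user"], "sensitive_out_of_role", e["resource"]))

        # Indicator 3: copying files to an unauthorized (removable) storage device.
        if e["action"] == "copy" and e.get("destination", "").startswith("removable:"):
            findings.append((e["user"], "removable_media_copy", e["resource"]))

    # Indicator 1: a volume of data that falls outside the user's behavioral profile.
    for user, total in sorted(volume.items()):
        baseline = mean(history[user]) if history.get(user) else 0
        if total > max(floor, factor * baseline):
            findings.append((user, "high_volume", total))

    return findings


if __name__ == "__main__":
    for user, indicator, detail in flag_insider_indicators(SAMPLE_EVENTS):
        print(f"{user}: {indicator} ({detail})")
```

In a real deployment the baseline would come from weeks of history rather than two constructed days, and each finding would feed a case queue rather than a print statement; the point is that every indicator from the text maps to a rule a monitoring team can reason about and tune.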
Ultimately, insider risk – and outsider risk – is about security awareness and a holistic approach to security within the organization. That means a thorough analysis of the current situation and based on that a roadmap to achieve the required maturity. In this way, insider and outsider risk can be properly addressed.
This blog post focused on insider risk. In another contribution we will discuss outsider risk in more detail.
Ewout Vermeulen and Thom Otten are security consultants at Traxion, a provider of Identity Centric Security Services in the Netherlands and Belgium with over 130 highly qualified professionals. Traxion is part of Swiss IT Security Group.