Whilst the sophistication of techniques may vary, the degree of access and extended time-frames generally available to trusted insiders provides an ease of action that is a significant multiplier to any malicious activity. This is usually complemented by an in-depth understanding of the business and information systems, providing a confluence of intent, capability and informed action that is difficult to counter.
Although there is obvious overlap with other security efforts within an organisation, dealing with insider threats also require a different perspective and approach.
This post is the final in our blog series on the work we have recently contributed to the IET’s Engineering and Technology Reference.
Who is the insider threat?
The term “insider threat” may conjure up images of bitter system administrators sabotaging a company network, individuals stealing classified information from government agencies and greedy bankers defrauding their clients, but the scope of this threat is much broader than these stereotypes.
At the most basic level insider threats can be broken down into two types: those acts that are deliberate, or malicious; and those that are accidental, or non-malicious. While the concept of the malicious insider is generally easily understood, the idea of an accidental insider is one that can be overlooked. The Carnegie Mellon University CERT Division (CMU-CERT) has produced much of the foundational work on the insider threat, and defines the accidental insider threat as:
- Contractor or consultant
- Client or customer
- Joint venture partner
In all instances the individual can be considered a trusted insider, however their relationship to the organisation, degree of access and differing roles will impact the types and severity of attack or incident they may be involved in, as well as the motivations for the activity and how the organisation can best go about protecting itself.
Protecting against the insider threat
Although there is an increasing awareness of the insider threat, there remains a lack of understanding and focus on how to effectively counter it. This is illustrated by the fact that 36% of organisations assess their insider threat prevention measures as not effective.
At a high-level the insider threat should be approached like any other information security risk: by reducing the likelihood of an incident through preventative controls on the one hand, and limiting the impact of any incident through early detection and rapid, effective response on the other.
Some of the foundational principles of information security are particularly effective when applied to insider threats. For example, ensuring the separation of duties across critical and sensitive functions; implementing the principle of least privilege in conjunction with tight role-based access controls; a robust auditing programme; effective account and privilege management; rigorous pre-employment background checks; and fostering a business-as-usual security culture within the organisation are all extremely powerful controls in regard to the insider threat, as well as being considered information security best-practice more generally.
This also highlights the fact that effective controls are not obscure and do not necessarily need to be resource-intensive or expensive. While anecdotally there is a tendency to look for technical solutions, with a current trend in deploying honeypot and honeynet systems, in reality non-technical controls are arguably the most powerful, feasible and long-lasting measures available.
Beyond this, much of the research into the area highlights the significant contributing role that factors such as organisational culture, employee attitudes to work, previous behaviour and elevated levels of stress play in precipitating malicious activity by an insider. Given this there is wide scope for non-security related efforts to address these factors, for example through HR practices and more considered organisational leadership and communications, in order to reduce the likelihood of incidents. Insight into these factors can also be used to supplement detection efforts, for example through heightened monitoring of those individuals deemed of concern.
- As mentioned, the CMU-CERT has produced an excellent body of work in this area: here.
- The UK Centre for the Protection of National Infrastruture (CPNI) also provides guidance and conducts ongoing research in this area: here.
Nurse, J.R.C.; Buckley, O.; Legg, P.A.; Goldsmith, M.; Creese, S.; Wright, G.R.T.; Whitty, M., 2014, Understanding Insider Threat: A Framework for Characterising Attacks, Security and Privacy Workshops (SPW) 2014 IEEE.
Contact and Follow-Up
If you would like to find out more about protecting against the insider threat, please get in touch with our team via the Contact page or email [email protected]