Regardless of whether one agrees with his actions and motivations, Edward Snowden showed last year—and continues to demonstrate—the impact that so-called insiders can have on an organization. Much of the focus of data center security is on protecting networks from outsiders, but insiders theoretically pose the greater threat: because they already have access to sensitive systems, they can often avoid tripping alarms that might otherwise signal some form of attack. As a result, managing insider threats can be a difficult task: it necessarily requires a level of mistrust among employees and sometimes, as in the case of the U.S. government, involves a “snitch” program that more resembles a Stasi state than a cooperative effort. But dealing with these threats is one thing (and it’s up to companies and other organizations regarding the kind of culture they wish to create and what they want to sacrifice to improve security)—the emphasis here is simply recognizing some of the main sources of such threats.
The Classic Insider
Typically, one might think of an insider threat as an employee or even executive who for some reason decides to take some action that is detrimental to the organization. That action might involve sabotage, theft of information or even equipment, or provision of access credentials to unauthorized parties—perhaps owing to bribery or blackmail. In the case of Edward Snowden, the “theft” of information (a strange concept since the government is funded by taxpayers, to say nothing of how an intangible thing can be stolen) had arguably justifiable motives, but in other cases, the motives may be more nefarious.
Regardless of motivation or action, the “classic” insider is what usually comes to mind when a company is seeking to implement security to deal with this threat. Background checks, behavior monitoring, periodic financial inquiries, layered access control, stringent updating of access-control lists and so on are all methods that companies may choose to employ in fighting this threat. But other kinds of insiders must also be considered—individuals and groups with inside access to a network may not be part of the organization proper.
The Erstwhile Insider
An employee who resigns or is fired may become less of a threat in the classic sense, but he or she may retain enough information to still pose a danger. Of course, the most obvious way to mitigate this threat to some extent is to revoke access and other privileges once an individual leaves the company. In some cases, the erstwhile insider may simply have knowledge of trade secrets; in others, that individual may have knowledge of how the network operates and, perhaps, what its weak points are. High-level system administrators, for instance, can be particularly dangerous.
Addressing “newly outsider” threats is obviously more difficult than addressing insider threats, since the organization has less leverage. Cases of disgruntled or fired employees may warrant some precautionary internal measures, but even in the case of mutually agreeable departures, former employees may be approached by malicious actors and possibly offered significant rewards for providing (perhaps seemingly innocuous) information about the company.
The Insider “Stooge”
Naturally, we tend to think first of insider threats as those with malicious intent. But some can be threats unwittingly—or even through no fault of their own. “Insiders can at times be rendered stooges, sometimes in ways that are stunning in their simplicity and brazenness,” note Eben Kaplan and Charles Hecker at Forbes. “In these cases, hackers gain access to well-protected computer systems not through the use of sophisticated malware, but via their ability to convince target organizations to divulge sensitive information, a practice known as social engineering.” Publicly available information on social-media sites, data aggregators and even the company website can give “social engineers” everything they need to weasel their way into the company’s network—assuming employees fall for the scam. Such an effort might involve “spear phishing,” which is much more targeted and knowledgeable than the traditional Nigerian scam, for instance.
Protecting against such attacks seldom involves taking “stooges” to task individually, but instead developing a solid security policy and training employees in how to follow it. Even then, however, the most vigilant employee can suffer a lapse from time to time—say, after a long day or when distracted by an important task. How many times have you clicked or nearly clicked on an email attachment or link and thought a moment later, “I wasn’t paying attention—what if that had been malicious?”
The Third-Party Insider
Not only must an organization consider insiders, former insiders and even unwitting (“stooge”) insiders, it must also consider third parties that have access to networks or even information that is mildly sensitive. As noted above, spear-phishing attacks can employ publicly available information to give a scam greater believability; imagine what a little mildly confidential information—even if by itself it is of little threat—can do. Third parties, such as infrastructure service providers, can be privy to just this sort of information, and more besides. For instance, according to KrebsOnSecurity, the recent Target hack “traced back to network credentials that were stolen from a third party vendor. Sources now tell KrebsOnSecurity that the vendor in question was a refrigeration, heating and air conditioning subcontractor that has worked at a number of locations at Target and other top retailers.”
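The two mitigations mentioned above, revoking access when an employee leaves (the erstwhile insider) and keeping third-party vendor credentials on a short leash, both come down to a periodic access review. The script below is an added illustration, not code from the article or any named vendor: it runs over a constructed identity-store export joined with HR status (the field names, the 90-day dormancy threshold and the sample users are all assumptions) and flags the accounts a reviewer should revoke or re-examine.

```python
from datetime import date

# Constructed sample data (not from the article): one record per account,
# as exported from a directory and joined with the HR system's status field.
ACCOUNTS = [
    {"user": "jdoe", "kind": "employee", "enabled": True, "hr_status": "terminated",
     "last_login": date(2014, 3, 2), "expires": None},
    {"user": "asmith", "kind": "employee", "enabled": True, "hr_status": "active",
     "last_login": date(2014, 3, 10), "expires": None},
    {"user": "hvac-vendor", "kind": "contractor", "enabled": True, "hr_status": "n/a",
     "last_login": date(2013, 11, 1), "expires": None},
    {"user": "audit-firm", "kind": "contractor", "enabled": True, "hr_status": "n/a",
     "last_login": date(2014, 3, 9), "expires": date(2014, 1, 31)},
    {"user": "rlee", "kind": "employee", "enabled": False, "hr_status": "terminated",
     "last_login": date(2013, 6, 1), "expires": None},
]

REVIEW_DATE = date(2014, 3, 12)   # assumed date on which the review is run
DORMANT_DAYS = 90                 # assumed threshold; tune to the organization


def review_accounts(accounts, today, dormant_days=DORMANT_DAYS):
    """Return (user, finding) pairs for enabled accounts that should be revoked
    or re-examined. Assumption: the HR status field is authoritative."""
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue  # already revoked, so nothing to review
        # Erstwhile insider: HR says the person left, but the account still works.
        if a["kind"] == "employee" and a["hr_status"] == "terminated":
            findings.append((a["user"], "erstwhile insider: terminated but still enabled"))
        # Third-party insider: vendor access with no end date, or past its end date.
        if a["kind"] == "contractor":
            if a["expires"] is None:
                findings.append((a["user"], "third party: no access expiry set"))
            elif a["expires"] < today:
                findings.append((a["user"], "third party: access expired but still enabled"))
        # Any kind: an account nobody has used for months is a standing liability.
        if (today - a["last_login"]).days > dormant_days:
            findings.append((a["user"], f"dormant: no login in {dormant_days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in review_accounts(ACCOUNTS, REVIEW_DATE):
        print(f"{user:12} {finding}")
```

On the sample data this reports the terminated employee whose account is still enabled, the HVAC vendor account with no expiry that has also gone dormant, and the audit firm whose access window has lapsed; the already-disabled account is correctly ignored.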
The New York Times even cites a case where hackers used a Chinese takeout menu to break into a company’s network. “Unable to breach the computer network at a big oil company, hackers infected with malware the online menu of a Chinese restaurant that was popular with employees. When the workers browsed the menu, they inadvertently downloaded code that gave the attackers a foothold in the business’s vast computer network.” In other words, the third parties need not even have an official relationship with the company in question.
Given the numerous avenues of attack, a company could easily break the bank and still fail to achieve total security—and that’s just considering insiders. The key in dealing with the insider threat, as well as the outsider threat, is to find the right economic balance: recognize that security investment pays dividends, but eventually such investment reaches the point of diminishing returns. In some cases, following basic smart practices like frequent backups, layered and regularly updated access control, and so on can protect a company from various threats. In other cases, a determined attacker will eventually find a way into the network regardless of the security measures in place. Like so many aspects of life, addressing security threats requires balancing the risk with the reward.