2.04.2008

Insider Threat Characteristics and Mitigation Strategies

What is an Insider Threat?

An insider threat refers to instances in which a malicious employee of a business, organization, or agency uses their internal knowledge to exploit their organization’s infrastructure. These employees, or insiders, are able to bypass the physical and logical controls used to protect the perimeter of an organization’s network. The risk is that such users will violate organizational trust for various reasons, including monetary gain, acquiring sensitive information, or simply malice and spite.

Why are cases of Insider Threat so common?

Insider threats are most commonly disgruntled employees or ex-employees who believe the target business, organization, or agency has “done them wrong”. As a result, they feel justified in seeking revenge and entitled to compensation. In most cases, perpetrators have had prior disciplinary issues or have been tied to other negative events in the workplace.

What are the common steps taken by an Insider Threat?

First, the malicious insider obtains the knowledge needed to gain entry to the system or network. Next, the insider investigates and evaluates the nature of the system or network in order to learn about characteristics associated with potential vulnerabilities. It is important for the insider to discover vulnerable points in the organization’s infrastructure where the most damage can be done with minimal effort and little chance of being discovered. The insider then sets up a workstation, on-site or remote, capable of carrying out nefarious activity without drawing attention. Lastly, the insider performs the attack and carries out the destructive activity. It is important to note that the majority of insider threat incidents are premeditated and rarely performed impulsively. As a result, the success rate of insider threat attacks is quite high, and the attacker is rarely apprehended.

What potential damage can Insider Threats pose to an organization?

The potential damage insider threats can cause organizations is quite diverse and takes many forms. Some of these dangers include viruses (primarily Trojans) and worms; theft or modification of sensitive corporate data; theft of money; data corruption or deletion; and theft of uniquely identifying employee and customer information. Consequently, organizations that fall victim to insider threats can suffer significant financial loss and severe damage to their reputation.

II. Insider Threat Mitigation Strategies

Technology Strategies

1. Network Intrusion Detection and Protection Systems
2. Pervasive Video Surveillance
3. Computer Forensic Auditing Technologies
4. Server Hot Sites; Data Backup and Recovery

Policy Strategies - I've elaborated on these a bit to avoid any ambiguity.

1. Background Checks for all new Employees – During the hiring process it is important for an organization to perform thorough background checks on potential applicants. It would be far too costly for an organization to do so for all applicants; therefore, the preliminary selection process should narrow down the applicant pool considerably until a feasible number of applicants remain. “Coordinating with your HR department to conduct background verification, reference checks and other pre-employment screening can go a long way toward ensuring that you don't hire the wrong people. [Additionally,] it's important to remember that these types of checks should be conducted for all individuals granted a user account, even if they're not directly employed by your organization.”

2. Monitor Employee Behavior in the Work Environment – In the case of many insider threat incidents, the attacker has had prior disciplinary issues. An organization’s HR department should work alongside security personnel in reporting and evaluating disciplinary incidents in hopes of recognizing potential threats. HR should “ensure that procedures are in place to refer troubled employees to appropriate counseling resources and to take additional corrective action when necessary.” (Chapple)

3. Limiting Remote Access to Organizational Resources – Many attacks from insiders involve the use of remote access mechanisms. Security policies should be implemented to restrict unauthorized accounts from accessing organizational resources remotely. Many organizations ubiquitously use VPN as a means for employees to access network resources remotely; however, it is important to limit remote access accounts to those with a legitimate business need.

4. Minimize Scope of Privileges for Users Accessing the System Remotely – For employees accessing an organization’s network remotely, perhaps via a VPN, their level of privilege should be limited in comparison to the level they have in the office. Not only will this help to combat instances of remote access insider threats, it will also help prevent the dissemination of malware through a remote access link.

5. Principle of Least Privilege – The ‘principle of least privilege’ means that each user on a network should have the minimum set of permissions required to fulfill his or her job responsibilities. (Chapple) Organizations should audit accounts regularly to ensure that changing roles and responsibilities do not leave users with unnecessary permissions.
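Items 3 through 5 above describe checks an account audit should perform: remote access only where there is a documented business need, a reduced permission set over the remote link, and no permissions beyond what the user's current role requires. The following Python script is an added example that is not part of the original post or of the cited sources; the role baselines, account records, permission names and change-ticket references are all constructed for illustration, and an organization would feed it from its own directory and VPN account exports.

```python
from dataclasses import dataclass, field

# Constructed role baselines: the permissions each job role actually needs.
# In practice these come from the organization's own role definitions.
ROLE_BASELINES = {
    "accounts_payable": {"erp.invoices.read", "erp.invoices.approve"},
    "helpdesk": {"ad.password.reset", "ticketing.write"},
    "sysadmin": {"ad.admin", "servers.ssh", "backup.restore"},
}


@dataclass
class Account:
    username: str
    role: str
    granted: set                                   # permissions granted on-site
    remote_allowed: bool = False                   # may this account use the VPN?
    remote_granted: set = field(default_factory=set)  # permissions usable over VPN
    remote_justification: str = ""                 # approval/change reference; empty = none


@dataclass
class Finding:
    username: str
    check: str
    detail: str = ""


def audit_account(acct):
    """Return least-privilege and remote-access findings for one account."""
    findings = []
    baseline = ROLE_BASELINES.get(acct.role)
    if baseline is None:
        # Nobody has defined what this role needs, so nothing can be justified.
        findings.append(Finding(acct.username, "unknown_role", acct.role))
        baseline = set()

    # Item 5: anything beyond the role baseline is excess, typically left over
    # from an earlier role and never revoked.
    excess = acct.granted - baseline
    if excess:
        findings.append(Finding(acct.username, "excess_permissions", ",".join(sorted(excess))))

    if acct.remote_allowed:
        # Item 3: remote access must be tied to a documented business need.
        if not acct.remote_justification.strip():
            findings.append(Finding(acct.username, "remote_without_justification"))
        # Item 4: the remote permission set should be a strict subset of on-site.
        exceeds = acct.remote_granted - acct.granted
        if exceeds:
            findings.append(Finding(acct.username, "remote_exceeds_onsite", ",".join(sorted(exceeds))))
        elif acct.remote_granted and acct.remote_granted == acct.granted:
            findings.append(Finding(acct.username, "remote_not_reduced"))
    elif acct.remote_granted:
        # Remote permissions on an account that is not allowed to connect remotely
        # are a sign the VPN allow-list and the permission store have drifted apart.
        findings.append(Finding(acct.username, "remote_permissions_on_nonremote_account",
                                ",".join(sorted(acct.remote_granted))))
    return findings


def audit(accounts):
    """Map username -> findings, omitting accounts with nothing to report."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct)
        if findings:
            report[acct.username] = findings
    return report


def checks_for(report, username):
    """Sorted list of check names raised for a user (empty if clean)."""
    return sorted(f.check for f in report.get(username, []))


# Constructed sample accounts (not real data).
SAMPLE_ACCOUNTS = [
    # Clean: permissions match the role, no remote access.
    Account("jdoe", "accounts_payable", {"erp.invoices.read", "erp.invoices.approve"}),
    # Moved from sysadmin to helpdesk but kept ad.admin; remote access is approved and reduced.
    Account("asmith", "helpdesk", {"ad.password.reset", "ticketing.write", "ad.admin"},
            remote_allowed=True, remote_granted={"ticketing.write"}, remote_justification="CHG-0042"),
    # Full admin over VPN with no approval on file and no reduction of privilege.
    Account("bwong", "sysadmin", {"ad.admin", "servers.ssh", "backup.restore"},
            remote_allowed=True, remote_granted={"ad.admin", "servers.ssh", "backup.restore"}),
    # Contractor with an undefined role whose remote rights exceed on-site rights.
    Account("contractor1", "vendor", {"servers.ssh"},
            remote_allowed=True, remote_granted={"servers.ssh", "backup.restore"},
            remote_justification="CHG-0101"),
]

if __name__ == "__main__":
    for user, findings in audit(SAMPLE_ACCOUNTS).items():
        for f in findings:
            print(f"{user}: {f.check} {f.detail}".rstrip())
```

The audit is deliberately strict about equality: an account whose remote permission set matches its on-site set is flagged even when every individual permission is legitimate, because item 4 is about reducing scope over the remote link, not only about stopping additions.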

6. Increased and Informed Physical Security – Physical security throughout an organization’s premises is a necessity both during and outside of operating business hours. Physical security personnel should have a holistic understanding of what role they play in the enterprise security management structure. They should comprehend numerous security policies including employee access privileges, authenticated personnel, authorization policy, hours of operation, etc.

Work Environment Strategies

1. Employee Autonomy within Reason
2. Everyday Employee Perks
3. Flexible Work Environment and Scheduling
4. Sufficient Employee Pay and Benefits



Sources

Contos, Brian T. (2006). Enemy at the Water Cooler: Real-Life Stories of Insider Threats and Enterprise Security Management Countermeasures. Rockland, MA: Syngress Publishing, Inc.

Chapple, Mike. (2007). Thwarting Insider Threats. Retrieved January 26th, 2008, from Search Security Web site:
