There are various threat sources to an organization’s assets (in this article, data and intellectual property). These threat sources can be external or internal actors in organizations.
As an information security practitioner, cybercrime investigation is part of my day-to-day job. I have experienced and investigated cases involving both types of actors. Those involving an insider form the largest chunk and are growing at an alarming rate.
An insider is usually a trusted member of any organization. They are supposed to work and act in the best interest of the organization. Well, they should, but sometimes they don’t. When they don’t, the results can be disastrous, to say the least.
Who fits the description of an insider? This can be anyone in the organization from the front desk clerk, operations team, executive, IT staff to contractors. With such a vast probability space, the attack surface also widens. A wide attack surface increases the vectors at the disposal of a potential attacker.
Overall, this makes the business of an organization protecting itself a very complex affair. An insider has the potential of causing the most harm to an organization compared to an outsider. This is because the user is usually trusted, has more privileges, has direct access to the systems and maybe not under continuous monitoring from the various state-of-the-art security installations in an organization.
It’s also important to note that not all insider related attacks are intentional. An internal user can be taken advantage of by other malicious actors (external or internal) through various techniques such as social engineering and be used to perpetrate a cybercrime.
Some examples of cybercrime involving insiders are your friendly front desk staff being helpful to a visitor by accepting to print a document shared via a flash drive that has malware that infects the network. Other instances could include database administrators tampering with the tables of a financial system to create illegal transaction accounts.
Software developers remotely accessing applications through a covert backdoor to manipulate systems. Network administrators installing firewall scripts that run automatically to bring down the network and sabotage business activities and contract cleaners colluding with external parties to plug in illegal devices, for example, rogue access points in the data centre.
The list is endless. These few examples show how sophisticated some attacks can be and how complex a subject it can be to fully protect an organization.
Many times, organizations allocate an enormous chunk of their information security budgets and resources mitigating risks associated with external threats compared to internal ones. This is human nature as it goes against the natural grain for one to protect against themselves. A casual analysis of the cybersecurity marketplace shows organizations are spoilt for choice with offerings by various vendors whose products come with all the bells and whistles to mitigate external threats, from generic and specialized firewalls e.g. web application firewalls, intrusion detection systems, anti-virus systems … the list is endless. A similar analysis of the same marketplace for products to mitigate internal threats leaves us with a handful of options.
Technological advancements and investments in external threat mitigation for example perimeter security in devices like state-of-the-art firewalls has made it hard for external actors to attack organizations and they are now resorting to clever ways of achieving their goals in organizations such as through compromising unsuspecting insiders or collaborating with willing internal actors.
It is important to note that there is no one shoe fits all approach to enterprise security. Situations are unique and isolated to organizations. The approach that an organization takes to implement security is based on many parameters or variables. From my experience, there is no silver bullet to cybersecurity. What we try to do as cybersecurity practitioners is risk management. Guaranteeing 100% security in an enterprise is equivalent to having the horizon as your ultimate destination, which is the domain of superheroes.
In the next Nuggets, we will look at the various controls that an organization can put in place to mitigate risks posed by insider threats.
By: Jimmy Gathage - Head of Information Security