3 Tips for Mitigating the Insider Threat Facing Government Organizations

Verizon’s 2022 Data Breach Investigation Report (DBIR) was recently released, and there is good news and bad news regarding the risk of insider attacks.

First, the good news. According to the DBIR, the majority of breaches continue to originate from external actors (80% vs 18% insiders). So perhaps you can be a little less suspicious of Bob, two offices down.

However, when an insider attack occurs, it can be really devastating.

According to the DBIR, the median number of records compromised by insider breaches last year was 80,000. That is bad enough, but the totals are worse. In all, records exposed by insider attacks exceeded 10 billion, while external attackers accounted for well under 250 million.

Thus, while the rate of breaches caused by insiders remains low, it is an ongoing and serious concern for both the private and public sectors.

Insider Threat Risks Facing the Government Sector

The fundamental concern is that members of an organization, whether in private industry or in government, can steal data and harm the organization.

The main difference is the sensitivity and the potential magnitude of the damage that such an event can cause.

Insiders can:

  1. Damage national security

Insiders can do harm by stealing or leaking sensitive information. In the most extreme cases, sensitive defense or intelligence information can fall into the hands of rival nations.

The most famous government insider is Edward Snowden. The intelligence community has not provided many details, but it has said that Snowden caused significant damage to US national security.

As competition between the United States and China continues to heat up, there is a steady flow of current and former civil servants being caught and convicted on espionage charges.

  2. Steal personal information

Governments hold a lot of personally identifiable information (PII) that malicious actors can use for profit or to carry out further attacks.

The Office of Personnel Management breach is a stark example: Chinese hackers stole 22.1 million records, including the personal information of many government officials in sensitive intelligence positions.

That was an external attack, but given the volume of records insiders can reach, the potential for disclosure of personal information by an insider is just as severe.

  3. Undermine public trust

The public expects governments to be trustworthy custodians of their data and to take precautions to protect it.

Failure to do so can undermine trust in governments' ability to do their job, and more people may become reluctant to hand over data. As biometrics advance, especially for access control and identification for services, many people are asking whether organizations that cannot keep their social security numbers or addresses secure can be trusted with their facial data.

These incidents, and the concerns behind them, have pushed governments to step up their efforts over the years to address insider threats.

This includes useful guidance released by both the Cybersecurity and Infrastructure Security Agency and the National Insider Threat Task Force. These organizations recognize that the risks to national security face not only government organizations but also government contractors.

Contractors, particularly those working in defense sectors such as aviation, face tougher regulatory frameworks, such as Change 2 to the National Industrial Security Program Operating Manual (NISPOM), which requires them to show that they are taking steps to defend against insider threats.

Why are insiders so damaging?

Insiders need access to sensitive information to do their jobs.

We do our best to hire people we can trust, but there is always risk.

For better or worse, they know where the important data is. That makes for a capable employee, and also a security risk.

Insiders are well positioned to compromise an organization's security along each leg of the CIA triad that underpins how we think about security:

  • Confidentiality – data is breached
  • Integrity – we can no longer trust our data
  • Availability – data can no longer be accessed (think ransomware)

Insider threats can be embarrassing and demoralizing for your organization. Losing trust in other members of your team is bad enough on its own, and many organizations then overcompensate after a breach with security crackdowns that drag everyone down.

Insiders can also help external hackers, for example by facilitating a ransomware attack. All it takes is for the malicious actors to spend some money.

If $2,000 will get an insider to leave the side door open, why would an attacker bother with a phishing campaign to socially engineer their target?

Why is it difficult to detect insiders?

Insiders can behave like Advanced Persistent Threats (APTs), the term usually applied to foreign government hackers, in that they can be inside the network for a long time before they are discovered.

Unlike large-scale ransomware attacks, which attract a lot of attention and bring the intrusion into the open, these actors want to stay in place for as long as possible, stealing data and working their way toward the most valuable parts of their target.

The challenge for defenders is that these low-and-slow approaches are very difficult to detect and can inflict serious damage.

Ideally we partition access to sensitive information so that no single insider can do too much harm on their own. Insiders are hard to deal with because they are not using malware or exploits to reach their target data. Because they are often privileged members of the organization, they have legitimate credentials to access significant amounts of data without anyone paying much attention.

In a compartmentalized organization like the one Snowden worked in, a single employee should not have enough privileges to access too much. Snowden had to "borrow" access from his peers, tricking them into handing it over without their realizing what he intended.

3 Tips to Mitigate Your Insider Threat Risk

As with defenses against external threat actors, it is not always possible to prevent insider attacks from occurring.

What we can do, however, is take steps to reduce the risk of incidents by strengthening our posture and to mitigate the damage if an incident does occur.

Here are some useful tips.

Monitor user behavior for anomalies

Providing access to sensitive data is not an issue in most cases because it is essential for teams to do their job and most employees will not steal information.

However, we do not want employees to have more access than necessary. Ideally you restrict access on a need-to-know basis, following the principle of least privilege.

The trick is to ensure that employees stay in their lanes and do not access files or other resources outside their remit.

Use user behavior analytics tools to flag users who initiate actions outside their normal scope. There may be legitimate reasons for uncharacteristic behavior, but it is still important to detect and investigate it.

There is another reason to watch this space: anomalous user behavior can also indicate that an account has been compromised by an external threat actor without the user's knowledge.
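A minimal version of the "outside their normal scope" check described above, as an added example (not the article's own code or any vendor's product): it learns each user's usual file shares and peak daily volume from a baseline window, then flags later access to an unfamiliar share or a day whose volume exceeds a multiple of that peak. The log format, users, paths and cutoff date are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=\w+ "
                     r"path=(?P<path>\S+) bytes=(?P<bytes>\d+)$")
# Constructed sample log, not real data: a normal week, then one odd night.
SAMPLE_LOG = """\
2024-06-03T09:12:04Z user=alice action=read path=/finance/ledger/2024-05.xlsx bytes=20480
2024-06-04T10:03:11Z user=alice action=write path=/finance/reports/q2.docx bytes=65536
2024-06-03T08:50:00Z user=bob action=read path=/engineering/specs/radar.pdf bytes=1048576
2024-06-10T22:14:09Z user=alice action=read path=/hr/personnel/clearances.csv bytes=4194304
2024-06-10T22:15:41Z user=alice action=read path=/finance/ledger/2024-04.xlsx bytes=20480
"""
CUTOFF = datetime(2024, 6, 8, tzinfo=timezone.utc)  # baseline before, evaluate after

def parse(log):
    """Parse log lines into dicts; malformed lines are skipped rather than fatal."""
    events = []
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        e["bytes"] = int(e["bytes"])
        e["share"] = e["path"].split("/")[1]  # top-level share, e.g. "finance"
        events.append(e)
    return events

def build_baseline(events, cutoff):
    """Per user: shares normally touched, and the peak bytes moved in one day."""
    shares, daily = defaultdict(set), defaultdict(int)
    for e in (e for e in events if e["ts"] < cutoff):
        shares[e["user"]].add(e["share"])
        daily[(e["user"], e["ts"].date())] += e["bytes"]
    peak = {u: max(t for (uu, _), t in daily.items() if uu == u) for u in shares}
    return shares, peak

def find_anomalies(log, cutoff=CUTOFF, volume_factor=3):
    """Flag post-cutoff access to an unfamiliar share, and the first time a
    user's daily volume exceeds volume_factor x their baseline peak (a user
    with no baseline has peak 0, so any activity is flagged by design)."""
    events = parse(log)
    shares, peak = build_baseline(events, cutoff)
    daily, findings = defaultdict(int), []
    for e in sorted((e for e in events if e["ts"] >= cutoff), key=lambda x: x["ts"]):
        user, day = e["user"], e["ts"].date()
        if e["share"] not in shares[user]:
            findings.append((user, "new_share", e["path"]))
        limit, before = volume_factor * peak.get(user, 0), daily[(user, day)]
        daily[(user, day)] += e["bytes"]
        if before <= limit < daily[(user, day)]:  # crosses threshold once per day
            findings.append((user, "volume_spike", str(day)))
    return findings
```

Real deployments would baseline over weeks and add time-of-day and peer-group comparisons, but the two signals here (new territory, unusual volume) are the ones an investigator asks about first.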

Keep your employees close, and those who are leaving closer

Your insider threat thinking should cover all employees.

Don't let soon-to-be departing employees take anything with them but good memories. Monitor their data downloads and transfers right up until they leave.

One of the main threats to watch for is sitting on a keychain. Flash drives are a convenient way for employees to copy data and walk out with it. Advances in hardware have made these little drives cheaper and far larger in capacity than they were in the past.

If possible, disable the USB ports on workstations to prevent the use of these devices. Another option is to have a monitoring tool detect whenever a flash drive is plugged in and log it for future forensic analysis.
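The logging option above, as an added example that is not from the article: a small correlator over Linux kernel log lines that ties the per-port attribute messages to the "USB Mass Storage device detected" event and emits one forensic record per attached drive, marking whether its serial is on an allowlist of issued devices. The log excerpt, vendor/product IDs, serials and the allowlist are all constructed.

```python
import re
from collections import defaultdict

# Constructed kernel log excerpt in syslog format; not from a real host.
SAMPLE_LOG = """\
Jun 10 22:10:31 ws-17 kernel: usb 1-3: new high-speed USB device number 5 using xhci_hcd
Jun 10 22:10:31 ws-17 kernel: usb 1-3: New USB device found, idVendor=1234, idProduct=5678, bcdDevice= 1.00
Jun 10 22:10:31 ws-17 kernel: usb 1-3: Product: ExampleStick
Jun 10 22:10:31 ws-17 kernel: usb 1-3: Manufacturer: ExampleCorp
Jun 10 22:10:31 ws-17 kernel: usb 1-3: SerialNumber: CONSTRUCTED0001
Jun 10 22:10:31 ws-17 kernel: usb-storage 1-3:1.0: USB Mass Storage device detected
Jun 10 22:10:33 ws-17 kernel: sd 6:0:0:0: [sdb] 60063744 512-byte logical blocks: (30.8 GB/28.6 GiB)
Jun 10 22:12:05 ws-17 kernel: usb 1-4: New USB device found, idVendor=1234, idProduct=0001, bcdDevice= 2.00
Jun 10 22:12:05 ws-17 kernel: usb 1-4: Product: ExampleKeyboard
Jun 10 22:12:05 ws-17 kernel: usb 1-4: SerialNumber: CONSTRUCTED0002
"""
APPROVED_SERIALS = {"CONSTRUCTED0099"}  # assumed allowlist of issued encrypted drives

HDR = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) kernel: (?P<msg>.*)$")
NEW_DEV = re.compile(r"^usb (?P<port>[\d.-]+): New USB device found, "
                     r"idVendor=(?P<vid>\w+), idProduct=(?P<pid>\w+)")
ATTR = re.compile(r"^usb (?P<port>[\d.-]+): (?P<key>Product|Manufacturer|SerialNumber): (?P<val>.*)$")
STORAGE = re.compile(r"^usb-storage (?P<port>[\d.-]+):[\d.]+: USB Mass Storage device detected$")

def storage_events(log):
    """Correlate kernel lines by USB port; emit one record per mass-storage attach.
    Non-storage devices (keyboards, mice) collect attributes but are never reported."""
    devices = defaultdict(dict)  # port -> attributes seen so far
    records = []
    for line in log.splitlines():
        h = HDR.match(line)
        if not h:
            continue
        msg = h["msg"]
        if m := NEW_DEV.match(msg):  # first line for a port: reset its attributes
            devices[m["port"]] = {"vid": m["vid"], "pid": m["pid"], "ts": h["ts"]}
        elif m := ATTR.match(msg):
            devices[m["port"]][m["key"]] = m["val"]
        elif m := STORAGE.match(msg):
            d = devices.get(m["port"], {})
            serial = d.get("SerialNumber", "unknown")
            records.append({
                "ts": d.get("ts", h["ts"]), "host": h["host"], "port": m["port"],
                "vid_pid": f"{d.get('vid', '?')}:{d.get('pid', '?')}",
                "manufacturer": d.get("Manufacturer", "unknown"),
                "product": d.get("Product", "unknown"),
                "serial": serial, "approved": serial in APPROVED_SERIALS,
            })
    return records
```

Feeding these records to a SIEM alongside the departing-employee list from the previous tip gives the investigation team the who, when and which-device answers they need later.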

Implement rapid investigation and incident response

If you see something, say something.

Given the speed at which these incidents can unfold, bring in the investigation team as soon as you suspect there is a problem.

If you're lucky, you can prevent a mass leak and catch the thief before things go too far. Speed is key here.

The investigation and response should also involve people who are not directly connected to the system in question.

Avoid overreacting

Don’t forget to balance usability/operational efficiency with security.

Strong security is not the same as locking down a department's IT like Fort Knox. The purpose of a good security strategy is to enable the organization to do its work with minimal risk.

Creating so much friction that it slows down work will only frustrate your employees. Measures that are more intrusive than the sensitivity of the work warrants can breed resentment and push people to reconsider a move to the private sector.

Also, remember to maintain a level of trust with your employees. Without it, your ability to work as a cohesive unit and achieve collective goals will suffer.

We want the right mix of security monitoring and best practices so that we can trust our team, and verify.
