Tuesday, July 2, 2024

Securing Government Against Insider Threats

The rise in recent years of cyberattacks by criminal groups, primarily from Russia and China, has prompted the US government to step up its defenses against these malicious actors.

While much of the focus has been on external actors, there have also been ongoing efforts to protect government organizations from internal threat actors.

Insiders pose a significant risk precisely because they have been granted access to the inside of the organization: without access, an attacker cannot act at all.

Granting that access, however, also comes with risks. Insiders already know where all the sensitive information is and how to reach it. Balancing the access an organization needs to function effectively against exposure to unreasonable risk is an important challenge.

To understand this risk and how to mitigate it, let’s look at why government agencies are targeted, who the insiders are, and some steps you can take to reduce the risk.

Why Government Is a High-Value Target for Insiders

When targeting private organizations, insider motives almost always revolve around financial interests, often mixed with anger towards the organization.

Greed can be a powerful motivator for insiders targeting governments too, but the stakes are often far higher because of the scale and sensitivity of the data governments hold.

Here are some reasons why government agencies can be important targets:

Theft of confidential information

Espionage is one of the oldest security concerns, and governments hold many important secrets. Everything from defense and diplomacy to the economy is critical to national security.

And there are many other governments willing to pay top dollar for secrets or other information that will benefit them.

In many modern examples, the target is often a government contractor working for a company like Lockheed Martin, with insiders trying to steal technology for foreign governments.

One well-known example is former CIA case officer Jerry Chun Shing Lee, who sold defense secrets to the Chinese government for hundreds of thousands of dollars. After being caught by the FBI, he was arrested and convicted of passing sensitive information to the Chinese intelligence service on a thumb drive. Lee is just one of the former CIA officers recently cited by the US Justice Department for conspiring with China, a pattern likely to continue as tensions between the two countries escalate.

The government holds a lot of people’s information

Whether the purpose is espionage or simply stealing huge amounts of information for profit, governments are a repository of personal data.

From addresses to social security numbers, governments hold everything fraudsters need to commit their crimes.

Ideological motives or personal greed

Edward Snowden is perhaps the most famous example of an insider threat. Reality Winner and Chelsea Manning are other people who stole information from the government for ideological motives.

In both cases, they hoped to imitate Daniel Ellsberg, whose leak of the Pentagon Papers helped change public perception of the Vietnam War, and decided to leak information they believed could influence public opinion and policy. However, both found themselves serving prison sentences after making the mistake of sending the stolen information to publishers, The Intercept and WikiLeaks, who did little to protect their identities.

Even though these two had idealistic purposes behind their illegal activities, there are still plenty of people who steal out of ordinary corruption or criminality, and that is likely to be far more common.

One example that comes to mind is Charles K. Edwards, former acting Inspector General of Homeland Security, who pleaded guilty to stealing government software and data for use in his own products. A former employee of the agency assisted his efforts, but in the end both were caught.

Who is an Insider?

Motivation aside, not all insiders are created equal.

  1. Malicious insider

These people know that what they are doing harms the organization. They pose a high level of risk because they are likely to act covertly and to inflict significant damage through theft or destruction.

  2. Human error

The Verizon Data Breach Investigations Report classifies these people under errors. They may have sent a file to the wrong person, misconfigured an access policy, or done something else that compromises security.

The decisive factor here is that the action was unintentional. But it can still be destructive.

  3. Compromised credentials

The best way for an external attacker to move around your network is to use the legitimate credentials of one of your unsuspecting authorized users.

You should always assume that one of your users’ credentials could be stolen or simply brute-forced, and that there could be a wolf in sheep’s clothing on the network.

Use multi-factor authentication to make it more difficult for accounts to be compromised.

How to mitigate risk

It is not possible to prevent 100% of these insider risks, any more than risks from outside actors. Thankfully, there are steps you can take to reduce risk and allow your team to respond more quickly to cybersecurity incidents.

Minimal access

Malicious actors cannot access resources to which they do not have access.

Organizations must fight the temptation to give everyone broad access in the name of efficiency. Of course, having to ask for access is a source of friction and frustration, but restricting everyone’s access to the minimum level plays a key role in strengthening the organization’s stance against exploitation.

The principle of least privilege calls for granting people the lowest level of privilege they need to complete a task. There’s no reason the developers on your team need ongoing admin access to financial records, and vice versa.

Behavioral monitoring for anomalous activity

Observing and understanding your users’ behavior is essential to keeping your organization safe.

The first step here is to know the baseline of normal user activity. That way, you can judge when someone deviates from normal behavior.

A factor to consider here is the user’s role in the organization. Does it make sense that someone who would normally never touch personally identifiable information (PII) suddenly searches a file listing people’s social security numbers and addresses?

Another suspicious behavior is Sally downloading a lot of files and working at odd hours. Many organizations appreciate employees putting in extra time, but they don’t want them walking out with sensitive information.

Use tooling to monitor for anomalous behavior that could indicate unauthorized activity, and quickly investigate whether it is an overzealous employee or a potential security incident.
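The three signals described in this section, a baseline of normal activity, role-inappropriate access to PII, and unusual download volume at odd hours, can be expressed as a small detection routine. The following is an added example, not code from the original article or any product it mentions; the log format, user names, roles, the `PII_ROLES` policy and the `WORK_HOURS` window are all constructed for illustration.

```python
"""
Added example, not code from the original article: a minimal behavioral-monitoring
check that builds a per-user baseline from historical access logs and flags new
events that deviate from it. The log format, users, roles, resources and
thresholds are all constructed for this example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed historical log lines: timestamp,user,role,action,resource,sensitivity
HISTORY = """\
2024-06-03T09:12:00,alice,developer,read,repo/build.yml,internal
2024-06-03T10:40:00,alice,developer,read,repo/main.go,internal
2024-06-04T09:05:00,alice,developer,read,repo/ci.log,internal
2024-06-04T14:30:00,alice,developer,download,repo/release.tgz,internal
2024-06-05T11:00:00,alice,developer,read,repo/main.go,internal
2024-06-03T08:50:00,bob,hr_analyst,read,hr/roster.csv,pii
2024-06-04T09:15:00,bob,hr_analyst,read,hr/benefits.xlsx,pii
2024-06-05T16:20:00,bob,hr_analyst,download,hr/roster.csv,pii
"""

# Constructed new events to evaluate against the baseline.
NEW_EVENTS = """\
2024-06-06T10:00:00,alice,developer,read,repo/main.go,internal
2024-06-06T02:10:00,alice,developer,download,hr/roster.csv,pii
2024-06-06T02:12:00,alice,developer,download,hr/ssn_export.csv,pii
2024-06-06T02:15:00,alice,developer,download,hr/addresses.csv,pii
2024-06-06T09:30:00,bob,hr_analyst,read,hr/roster.csv,pii
"""

PII_ROLES = {"hr_analyst"}      # roles whose job involves PII (constructed policy)
WORK_HOURS = range(7, 20)       # 07:00-19:59 is treated as normal working time


def parse(text):
    """Turn the CSV-like lines into dicts with a parsed timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, user, role, action, resource, sensitivity = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "role": role,
                       "action": action, "resource": resource, "sensitivity": sensitivity})
    return events


def build_baseline(events):
    """Per user: hours of day seen, and the most downloads observed in a single day."""
    hours = defaultdict(set)
    daily_downloads = defaultdict(lambda: defaultdict(int))
    for e in events:
        hours[e["user"]].add(e["ts"].hour)
        if e["action"] == "download":
            daily_downloads[e["user"]][e["ts"].date()] += 1
    return {u: {"hours": hours[u],
                "max_daily_downloads": max(daily_downloads[u].values(), default=0)}
            for u in hours}


def detect(history_text, new_text):
    """Return (user, alert_type, detail) tuples for events that deviate from the baseline."""
    baseline = build_baseline(parse(history_text))
    empty = {"hours": set(), "max_daily_downloads": 0}
    downloads_today = defaultdict(int)
    off_hours_reported = set()
    alerts = []
    for e in parse(new_text):
        user, day, hour = e["user"], e["ts"].date(), e["ts"].hour
        base = baseline.get(user, empty)
        # 1. A role that never handles PII reaching for PII-tagged data.
        if e["sensitivity"] == "pii" and e["role"] not in PII_ROLES:
            alerts.append((user, "pii_access_outside_role", e["resource"]))
        # 2. Activity outside working hours that this user has never shown before (once per day).
        if hour not in WORK_HOURS and hour not in base["hours"] and (user, day) not in off_hours_reported:
            off_hours_reported.add((user, day))
            alerts.append((user, "off_hours_activity", e["ts"].isoformat()))
        # 3. Download volume exceeding anything in the user's own history (fires once per day).
        if e["action"] == "download":
            downloads_today[(user, day)] += 1
            if downloads_today[(user, day)] == base["max_daily_downloads"] + 1:
                alerts.append((user, "download_volume_above_baseline",
                               f"{downloads_today[(user, day)]} downloads on {day}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(HISTORY, NEW_EVENTS):
        print(alert)
```

Run as a script, it flags only alice: three PII files reached by a developer role, one off-hours alert for the night of 2024-06-06, and a download-volume alert once her second download exceeds the single download per day seen in her history. Bob's morning read of the HR roster matches both his role and his baseline and produces nothing, which is the point of the role check: the same access is normal for one person and anomalous for another.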

Contractor monitoring

According to the Verizon Data Breach Investigations Report, 62% of system breaches this year were the result of supply chain attacks.

If you work with a contractor who serves your organization, whether through some kind of access or by providing software, that contractor’s security is your responsibility.

This problem actually has two components.

The first is that you need to monitor their behavior as they interact with your systems, just as you do with employees. Their relationship with the department or organization makes the environment more accessible and familiar to them than to outsiders. This raises the level of potential threat and deserves extra attention.

The second is that they must be able to prove to you that they hold the same high standards your organization does. Think of CMMC, NIST and similar frameworks. If a contractor is compromised, an attacker could use that relationship to gain access to you, as seen in many other attacks such as SolarWinds.

So if they want to do business with you, they have to follow your standards.

Separation of access between roles

The cooperation of colleagues was essential to Snowden’s success, as he did not have the access needed to steal everything with his own credentials. In that case, the system that maintained walls between employees and departments collapsed through human error, but the concept is still sound.

Think of it like not putting too many eggs in one basket. If one person decides to become an insider threat or if their account is compromised, you need to make sure they can only do limited damage.

Train your staff to be friendly and helpful team players, but that helpfulness should stop short of sharing credentials.
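The two controls described above, least privilege (earlier section) and separation of access between roles (this section), are easiest to reason about when the policy is written down and checked mechanically. The following is an added example, not code from the original article or any product it mentions: a deny-by-default role policy, a check that no single person holds both halves of a separated pair of permissions, and a least-privilege review that lists grants a user never actually exercised. The roles, users, resource classes, `SEPARATED_DUTIES` pairs and the `OBSERVED` access summary are all constructed for illustration.

```python
"""
Added example, not code from the original article: a deny-by-default role policy
with two checks the article's advice calls for. An action is allowed only if one of
the caller's roles explicitly grants it (least privilege), and no person may hold
both halves of a pair of permissions the policy keeps separated (separation of
access between roles). Roles, users, resources and the separated pairs are
constructed for this example.
"""

# Each role lists the (action, resource class) pairs it grants; nothing else is allowed.
ROLE_GRANTS = {
    "developer":       {("read", "source"), ("write", "source"), ("read", "build_logs")},
    "release_manager": {("read", "source"), ("deploy", "production")},
    "finance":         {("read", "ledger"), ("request", "payment")},
    "approver":        {("read", "ledger"), ("approve", "payment")},
}

# Permission pairs that should never rest with one person.
SEPARATED_DUTIES = [
    (("request", "payment"), ("approve", "payment")),
    (("write", "source"), ("deploy", "production")),
]

# Constructed role assignments; grace accumulates a combination the policy forbids.
USER_ROLES = {
    "alice": ["developer"],
    "dana": ["finance"],
    "frank": ["approver"],
    "grace": ["finance", "approver"],
}

# Constructed access-log summary: (user, action, resource) actually exercised recently.
OBSERVED = [
    ("alice", "read", "source"),
    ("alice", "read", "build_logs"),
    ("dana", "read", "ledger"),
    ("dana", "request", "payment"),
]


def effective_permissions(user):
    """Union of the grants of every role the user holds; unknown users hold nothing."""
    perms = set()
    for role in USER_ROLES.get(user, []):
        perms |= ROLE_GRANTS.get(role, set())
    return perms


def is_allowed(user, action, resource):
    """Deny by default: only an explicit grant permits the request."""
    return (action, resource) in effective_permissions(user)


def sod_violations():
    """Users whose combined roles contain both halves of a separated pair."""
    found = []
    for user in sorted(USER_ROLES):
        perms = effective_permissions(user)
        for first, second in SEPARATED_DUTIES:
            if first in perms and second in perms:
                found.append((user, (first, second)))
    return found


def unused_grants(user, observed):
    """Least-privilege review: grants the user holds but never exercised in the observed period."""
    used = {(a, r) for (u, a, r) in observed if u == user}
    return sorted(effective_permissions(user) - used)


if __name__ == "__main__":
    print(is_allowed("alice", "read", "source"))    # True
    print(is_allowed("alice", "read", "ledger"))    # False, no grant
    print(sod_violations())                         # grace can both request and approve payments
    print(unused_grants("alice", OBSERVED))         # [("write", "source")] is a removal candidate
```

The separation check runs over each user's combined roles rather than over roles in isolation, because the dangerous case in practice is exactly the one in the example: two individually reasonable roles assigned to one person over time. The `unused_grants` review is the routine side of least privilege: grants that sit idle for a whole review period are candidates for removal, which shrinks the damage a compromised or disgruntled account can do.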

Session recording

Similar to how activity logs are tracked for monitoring and forensics in the event of an incident, session recording can play an important role in both breach investigation and potential deterrence against insiders.

Effective use of this tool requires knowing where to look, because spending hours, weeks or months replaying one person’s sessions is not a good use of anyone’s time. This is why using recordings in conjunction with other monitoring and detection tools helps provide the necessary context when an incident occurs.

From a privacy standpoint, you should also make sure everyone knows they are being recorded, especially when communications are involved. Check your state’s laws, as they vary by region.

A strong culture as a defense against malicious insiders

Greed is often the motivating factor that makes insiders malicious, but dissatisfaction with the organization is clearly near the top of that list. If your people feel disconnected, disillusioned and generally dissatisfied, they will feel less restraint about turning their backs on their peers.

It’s true that it is difficult to build a truly positive mentality in an era of remote, multitasking work, but building a sense of community is paramount in these conditions.

A common mistake companies make is calling themselves a family. They obviously are not; we cannot fire family members, however much we might like to. However, creating an atmosphere where people feel appreciated and close can be a powerful factor in resisting the temptation to defect, perhaps more so than any single security solution.

Enhance security and protect against internal threats with Termind
