In Cover Your Assets!, I introduced one of the most basic tenets of cybersecurity: if there’s something of value to you (an asset), then it’s of value to someone else. In my business, those “someone else”s are referred to as threats. To get a handle on your specific situation, you’ll need to perform some threat assessments. That may sound like an intimidating term, but it’s fairly straightforward. Threat assessments help you answer two of the most important questions in cybersecurity: who might be coming after your assets, and how might that occur?
But before you start, there are some concepts you need to understand right away: threat agent, attack, vector, and payload.
- Threat agent refers to the potential of an agent to cause adverse effects on an asset.
- Attack is the realization of a threat.
- Vector is the pathway that a threat takes to compromise an asset.
- Payload is the actual way that the compromise is effected. In short: you got hacked!
Remember, anything that is of value to you is also of value to someone else. If it is your PII that is of value, then someone else will also want it. If your corporate data is of higher value, then they’re after that. The higher the value, the more attractive the target.
In the broad sense there are two, and only two, kinds of threats: external and internal. An external threat originates outside your organization—that could mean competitors, foreign agents, cyber criminals, or a snotty teenager in his parents’ basement. We’ll talk in more detail about external threats in Kill Bill(ions) of Threats, Part II: External.
But what’s an internal threat? Well, are you familiar with the 1979 classic horror film, When a Stranger Calls? That’s a perfect example of an internal threat: “The call is coming from inside the house!” Not surprisingly though, both external and internal threats can and do share the same motives, which include ideology, ego, and money.
What makes an internal threat particularly dangerous is that it has already bypassed your perimeter defense. The attacker is already in the system and needs only to bypass the internal controls in order to wreak havoc! Internal attackers also know where all the bodies are hidden: in other words, they know what’s of value and what’s not. They can be employees, either full-time or part-time. They can be contractors. They may be vendors that require temporary access to your system (e.g., a telephone system vendor). And God help you if they are “power users” or some sort of “administrators” of systems. Anyone who has access, whether on-site or remote, presents the possibility of an internal threat.
Their means can be many. They can physically exfiltrate the data by removing printouts of sensitive information, even taking pictures of screens with their mobile phones. If they have the right (or wrong!) privileges, they can copy data onto USB drives or transmit data to cloud storage. There have even been cases where “administrators” removed terabytes of data on removable hard disks!
Motives are equally varied. Many are motivated by money. Indeed, they may have a pressing need for money for any number of reasons (family emergency, debt, drugs, gambling, etc.). Others may be motivated by ideology (disagreeing with company or state policies, a sense of “right versus wrong,” self-righteousness, etc.). Others may have more personal motivations (disgruntled employees, various psychopathologies, just “the thrill of it,” etc.). They may be recruited by the competition, a nation-state, or any other “organization.” Or they themselves may be the victims of a crime, such as blackmail. No matter the motive, they will always find a way to rationalize their actions—be it to save the world, to save a loved one, to save themselves, or because “they deserve it.”
It’s even possible that your internal threat has no conscious motivation at all! Consider the accidental insider who sincerely “didn’t know any better” and copied half the database to his private cloud so he could work from home! Or the one who fell for a phishing scam and clicked a link he shouldn’t have or answered the fake call from “Microsoft” when that big-bad-red-alert sign popped up, and so on.
Regardless of whether the breach was deliberate or accidental, the damage is very real. But that doesn’t mean you should allocate blame in precisely the same way. Yes, you can trace the data exfiltration to accidental credential leakage, but is it really the victim’s fault? Is someone whose wallet was stolen responsible for the thief who used the access card? To be sure, a stolen card should be reported in a timely way—but in the cyberworld, access is instantaneous. There is no “timely reporting” when you are a victim of social engineering and you click that link! Moreover, shouldn’t you be looking closely at your own policies and procedures, your own training protocols, and your data loss prevention systems? I would!
This brings us to the final requirement: opportunity. Internal threat actors, whether intentional or not, require opportunity. How do they get it? If the organization has poor internal controls, that’s all the opportunity they’ll ever need. What do I mean by “poor internal controls?” The list is long! For example, if the employer has poor on-boarding procedures or lax physical security, the employee may well be able to access data that they shouldn’t. Similarly, there may be poor implementation of technical access controls, poor segregation of duties, or non-existent data classification. Or the employer may have poorly trained or inexperienced managers in human resource–related matters (such as performance reviews, employee behavior monitoring and support, and confidential employee help resources) or the firm may lack a sophisticated human resource function altogether.
Who fits that last profile? The majority of small and mid-sized businesses who are focused—day in, day out—on simple survival. Unfortunately, it is these same businesses that frequently cannot even afford to retain cybersecurity expertise, much less roll out a data-loss prevention system (DLP). And yet they are the firms that need it most. Fortunately, there are sets of controls that can be deployed against insider threats, accidental or not. For example, you can train your people to be sensitive to employee behavior around data. If, say, John is suddenly interested in accessing the client master file although his job is in product development, that should raise a flag and it should be reported up the food chain.
For now, we need to focus on the threat itself. How does it manifest? What are the things we need to know about the threat going in? These are similar questions that we need to ask about all threats, but the human element of the insider threat makes this analysis unique.
The first question to ask is how can someone turn an employee into an insider threat? As it goes in the spy novels, so it goes with cybercrime: Nefarious agents turn your employees into assets. How are these employees identified and compromised? What are the signs you need to watch for?
Well, Mr. Bond, you need to think like a criminal to catch one! How would you go about it? You’d identify the weakest links. Employees who are having problems would be on the top of the list, followed by disgruntled ones. Employee divorces, debts, catastrophic illnesses—all these factors and more have the potential to lead to security risks for the company.
As we continue to think like our enemy, consider that you must pick your targets wisely. Targeting the marketing associate because he just happened to be going through a nasty breakup will not do! Would-be invaders will be looking for someone who has enough privileges to get them what they need. Again, think like the bad guys: find the privilege, work the motive, ensure the opportunity.
Now reverse this strategy to protect yourself. Sensitize your employees to “abnormal behavior.” Is someone who never worked late spending endless nights in the office? Or surfing the file server in areas outside their work scope? Is somebody constantly “making backups” on USBs or accessing cloud storage? Perhaps somebody with no history of working at home is suddenly accessing the site remotely all the time?
What about an employee who jumped ship from your competitor? Is the person still a bit too close with ex-colleagues? Could he or she be a “plant”? Does an employee seem stressed out of his mind, or exceedingly paranoid of the boss or others? Is someone “living large” on an associate’s salary?
These are just a sampling of behaviors that may be signs of impending trouble. Some of these you can turn into controls by institutionalizing them, for example access controls, segregation of duties, multi-factor authentication, geolocation sensitivity, behavioral patterning. Others are a matter of proper training and sensitivity towards your environment. All are important in managing the insider threat.
Cybersecurity experts have estimated that around 40 percent of the threats you may face will be internal. In other words, following these tips will help you address a lot of your risk… but not all of it. In Kill Bill(ions) of Threats, Part II: External, I’ll talk about that 60 percent of threats that are coming from the outside.
“The difference between theft and destruction is often a few keystrokes.”