The Guru was lucky enough to get this Q&A with ex-NSA analyst and current VP of cybersecurity at Masergy David Venable – here’s what we found out.
Can you tell me a little about insider threats – how much of a problem are they?
While the entire threat landscape is changing dramatically with the increased sophistication of adversaries, nation state and state-sponsored actors, and rapidly evolving attack surfaces, one of the few things that hasn’t changed is that the insider threat is one of the most, if not the most, insidious threat in almost any environment. That’s not FUD (Fear, Uncertainty and Doubt) either, just look at the negative impact that Edward Snowden’s leak of thousands of files from the US National Security Agency [NSA] has had on the US intelligence apparatus.
According to A Preliminary Model of Insider Theft of Intellectual Property, a paper published by Carnegie Mellon University, 75% of cases of insider IP thefts were performed by employees. Some 65% had already accepted a new job somewhere else while 35% stole to gain an immediate advantage at a new job. And 25% of cases resulted in the stolen information being given to a foreign government or company.
How widespread or common are these types of threats?
Today external attacks are almost constant and less damaging (with the exception of high-profile attacks and near-total breaches, such as those against Sony and Ashley Madison). By contrast, insider attacks are more rare, but typically far more damaging, such as the damage caused by Edward Snowden’s leak of NSA documents to the government’s security infrastructure.
Are businesses paying enough attention to the threat posed by their employees?
From what I’m seeing in the field, the vast majority of organisations are overlooking the insider threat. Very few organisations are actively posturing against, or frankly even considering, insider threats.
How can technology help to detect and prevent insider attacks?
Behavioral analysis on internal network traffic is one of the best defenses against an ‘Edward Snowden-style’ insider attack. Users typically behave in certain ways. When that behaviour changes, it usually means something. For example, according to Wired, Snowden, who famously leaked thousands of NSA documents, spent a great deal of time scouring the private classified NSA network for documents and downloading them to his workstation, memory sticks and CDs — a dramatic shift from typical behaviour of someone in his role. This would have easily been detected with behavioral analysis.
Data Loss Prevention (DLP), which typically scans outbound data for known sensitive information, can also help, although it’s not a replacement for good physical security. DLP wouldn’t have prevented either Snowden or Chelsea Manning from walking out with secrets burned onto CDs labeled “Lady Gaga.”
Another good prevention technique is to ensure that sensitive documents are properly protected and only accessible by people who have a business ‘need-to-know.’
Unfortunately, none of these will detect or prevent the most dangerous insider threat: when an employee takes sensitive information they have been entrusted with to do their jobs. Unfortunately, this is less preventable via technology and requires insight into employees’ changing behaviors and attitudes.
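The behavioural-baseline idea in the answer above, as an added example that is not part of the interview or of any Masergy product: each user's daily volume of file retrievals (bytes and distinct documents) is compared against that user's own history, and a day that sits several standard deviations above the baseline raises an alert. The log format, user names, thresholds and the planted anomaly on bob's last day are all constructed for illustration.

```python
"""Added example: per-user behavioural baseline over file-access logs.

Not code from the interview. Log format, users, paths and thresholds are
constructed assumptions; a real deployment would feed this from file-server
or proxy logs and tune min_history / z_threshold per environment.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log (not real data): one line per retrieval,
# "YYYY-MM-DD user path bytes". bob's final day is the planted anomaly:
# many documents outside his usual area, and two orders of magnitude more data.
SAMPLE_LOG = """\
2013-05-01 alice /docs/ops/plan1.pdf 120000
2013-05-01 bob /docs/it/runbook.txt 8000
2013-05-02 alice /docs/ops/plan2.pdf 130000
2013-05-02 bob /docs/it/ticket.txt 9000
2013-05-03 alice /docs/ops/plan3.pdf 110000
2013-05-03 bob /docs/it/runbook.txt 8000
2013-05-04 alice /docs/ops/plan1.pdf 120000
2013-05-04 bob /docs/it/ticket2.txt 7000
2013-05-05 alice /docs/ops/plan4.pdf 140000
2013-05-05 bob /docs/it/runbook.txt 8000
2013-05-06 alice /docs/ops/plan2.pdf 130000
2013-05-06 bob /docs/it/ticket3.txt 9000
2013-05-07 alice /docs/ops/plan5.pdf 125000
2013-05-07 bob /docs/ops/plan1.pdf 120000
2013-05-07 bob /docs/ops/plan2.pdf 130000
2013-05-07 bob /docs/hr/salaries.xlsx 400000
2013-05-07 bob /docs/ops/plan3.pdf 110000
2013-05-07 bob /docs/ops/plan4.pdf 140000
"""


def parse_log(text):
    """Aggregate the log into per-user, per-day totals: bytes and distinct paths."""
    daily = defaultdict(lambda: defaultdict(lambda: {"bytes": 0, "files": set()}))
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, path, size = line.split()
        daily[user][day]["bytes"] += int(size)
        daily[user][day]["files"].add(path)
    return daily


def flag_anomalies(daily, min_history=5, z_threshold=3.0):
    """Return (user, day, metric, value, z) for days that exceed the user's own baseline.

    The baseline for each day is built only from that user's earlier days, so
    the anomalous day never contaminates its own reference window. sigma is
    floored at 10% of the mean so a user with a perfectly flat history is not
    alerted on trivial noise (assumed floor; tune per environment).
    """
    alerts = []
    for user, days in daily.items():
        history = {"bytes": [], "files": []}
        for day in sorted(days):
            current = {"bytes": days[day]["bytes"], "files": len(days[day]["files"])}
            if len(history["bytes"]) >= min_history:
                for metric, value in current.items():
                    hist = history[metric]
                    mu = mean(hist)
                    sigma = max(pstdev(hist), 0.1 * mu)
                    z = (value - mu) / sigma
                    if z > z_threshold:
                        alerts.append((user, day, metric, value, round(z, 1)))
            for metric, value in current.items():
                history[metric].append(value)
    return alerts


if __name__ == "__main__":
    for alert in flag_anomalies(parse_log(SAMPLE_LOG)):
        print("ALERT user=%s day=%s %s=%s z=%s" % alert)
```

With the constructed log, alice's steady reading pattern produces no alert, while bob's final day is flagged on both metrics. Two caveats a practitioner should keep in mind: a per-user baseline is blind to an insider whose normal job already involves bulk access (the case the interviewee calls the most dangerous), and comparing a user against peers in the same role, as well as against their own past, narrows that gap but does not close it.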
How do these types of attacks happen, what are the main weaknesses that are being exploited?
One of the most common mechanisms is not a technical one: it’s asking a friend. In fact, according to a Carnegie Mellon University paper, A Preliminary Model of Insider Theft of Intellectual Property, 19% of intellectual property theft cases involved colluding with another insider. In the case of malicious collusion, not much can be done. However, good security awareness training can be invaluable in preventing social engineering attacks – where an employee tricks another employee into providing sensitive information.
Another common technique is improper sharing permissions on drives, folders, and documents.
Finally, and this seems to be rarer, is the use of technological exploitation techniques against internal systems.
Do insider attacks need to be treated differently to external attacks?
First and foremost, CISOs and CIOs need to stop treating the internal network like it’s a safe or trusted zone. It’s not. BYOD environments realise this, but the more important lesson here is that non-BYOD networks aren’t safe either.
Regular internal vulnerability assessments and penetration testing are key to finding and remediating internal weaknesses. Remediation is the key. I can’t even tell you how many internal assessments we’ve performed to check a compliance box that it was done — but the results were never acted upon. The addition of Behavioral IDS (intrusion detection system) sensors on the internal network will improve the situation dramatically, as will regular evaluation of access rights and sharing permissions.
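The "regular evaluation of access rights and sharing permissions" recommended above, together with the need-to-know principle and the "improper sharing permissions" weakness from the earlier answers, as an added example that is not part of the interview: a review of an exported list of share grants that flags broad groups with write access, broad groups with read access to non-public shares, and write access granted across department lines. The CSV layout, share names, principals, the set of "broad" groups and the principal-to-department map are all constructed assumptions; a real review would export the grants from the file servers and pull department membership from the directory.

```python
"""Added example: need-to-know review of exported share permissions.

Not code from the interview. The CSV export, share and group names, the
BROAD_PRINCIPALS set, PUBLIC_SHARES and PRINCIPAL_DEPT are constructed
assumptions standing in for a real server export and directory lookup.
"""
import csv
import io

# Groups that in practice mean "anyone on the internal network" (assumption).
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users", "Domain Computers"}
WRITE_RIGHTS = {"Change", "Full"}

# Constructed export: one grant per row, with the department that owns the share.
SHARE_ACL_CSV = r"""share,principal,right,owner_dept
\\fs01\Engineering,ENG-Staff,Change,Engineering
\\fs01\Engineering,Domain Users,Read,Engineering
\\fs01\Finance,FIN-Staff,Change,Finance
\\fs01\Finance,Everyone,Full,Finance
\\fs01\Public,Authenticated Users,Read,IT
\\fs01\HR,HR-Staff,Change,HR
\\fs01\HR,IT-Helpdesk,Full,HR
"""

# Shares deliberately open to all staff, and which department each group belongs to (assumptions).
PUBLIC_SHARES = {r"\\fs01\Public"}
PRINCIPAL_DEPT = {
    "ENG-Staff": "Engineering",
    "FIN-Staff": "Finance",
    "HR-Staff": "HR",
    "IT-Helpdesk": "IT",
}


def review_share_acls(acl_csv, public_shares=PUBLIC_SHARES, principal_dept=PRINCIPAL_DEPT):
    """Return (share, principal, right, reason) for every grant that violates need-to-know.

    Rules, checked in order:
      broad-write            a broad group can modify the share (always a finding)
      broad-read             a broad group can read a share not designated public
      cross-department-write a named group outside the owning department can modify it
    A principal missing from principal_dept is treated as outside every department,
    so unknown groups with write access are flagged rather than silently passed.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(acl_csv)):
        share, principal = row["share"], row["principal"]
        right, owner = row["right"], row["owner_dept"]
        if principal in BROAD_PRINCIPALS:
            if right in WRITE_RIGHTS:
                findings.append((share, principal, right, "broad-write"))
            elif share not in public_shares:
                findings.append((share, principal, right, "broad-read"))
        elif right in WRITE_RIGHTS and principal_dept.get(principal) != owner:
            findings.append((share, principal, right, "cross-department-write"))
    return findings


if __name__ == "__main__":
    for share, principal, right, reason in review_share_acls(SHARE_ACL_CSV):
        print(f"{reason:24} {share:22} {principal:20} {right}")
```

On the constructed export this reports Domain Users reading the Engineering share, Everyone with Full on Finance, and the helpdesk group with Full on HR, while the Public share and the department-owned grants pass. Share-level grants are only half the picture: the NTFS permissions beneath the share and nested group membership need the same review, and, as the answer stresses, a report nobody remediates changes nothing.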
Will insider attacks get better or worse?
It gets worse every day. As Willie Sutton, the infamous American bank robber said, when asked why he robbed banks, “That’s where the money is.” The insider threat is getting worse because that’s where the valuable information is — but there’s an additional component here: that’s also where the weakest controls often are.
We lock down the external. As an industry, we’ve become better at that over the years. However, as long as there’s valuable information, someone’s willing to get access via the HVAC network like the case with retailer Target, recruit an unscrupulous employee, or in some of the worst cases – get a job at a company to gain access to information in order to steal it.