Cybersecurity: The Insider Threat
Among the variety of information security risks that endanger businesses, organizations and government agencies, the insider poses the most significant threat. This research addresses the insider threat from different perspectives, analyzing the reasons, possible consequences, and countermeasures related to internal security breaches. For the purposes of this paper, the potential cybercrime that involves an insider is considered an institutional vulnerability rather than a direct threat. Consequently, the term “threat” in this work mainly refers to the organizational weaknesses that constitute such a vulnerability. Following this approach, a wide range of insider positions is analyzed with regard to the potential damage. Both intentional and unintentional cybersecurity breaches are explored in depth, along with a detailed description of the organizational mistakes that lead to such incidents. Threat-preventive measures, such as training and educational case studies, are proposed to raise awareness of cybersecurity issues. Finally, threat detection techniques are explored in detail, taking into account best practices and cybersecurity experts’ recommendations.
An Insider Threat: The Concept Outline
The cybersecurity discipline is rather straightforward in areas that cover technical threats and vulnerabilities. There are numerous intrusion prevention and detection systems that secure corporate data networks from the outside threat. Viruses and computer malware are countered effectively by specialized applications that can sufficiently eliminate even “zero-day” exploits. Hot reserve systems can successfully oppose Denial of Service attacks, especially in their distributed variation (DDoS). Automated spam filtering blocks the majority of emails that attempt to trick employees into revealing confidential data using social engineering techniques. Generally speaking, each technical exploit has its technical opposite that neutralizes it. Although automated countermeasures are usually introduced only after an exploit is actually found, technical defenses prevent the vast majority of cybersecurity breaches.
In contrast with technical vulnerabilities, the human factor can lead to unpredictable consequences with regard to information security threats. The major role in this process is attributed to the insider, a person whose intentional or unintentional actions create the main cybersecurity concern. Kostopoulos (2012) cites an unclassified US government report, revealing that “the great majority of past compromises have involved insider, cleared person with authorized access who could circumvent physical security barrier, nor outsiders breaking into secure areas” (p. 24). Incident statistics differ significantly among the sources for a number of reasons. First, it is often impossible to separate the insider’s role from the technical mistakes that allowed the security breach. Second, not every company is prepared to admit that it had a cybersecurity incident, because of the possible reputational damage. Most researchers estimate insider-driven incidents at 50% of the total number of information security breaches. In particular, research by Verizon has shown that 48% of all IT security incidents in 2009 occurred due to insiders (Bayuk et al., 2012, p. 231). The share of insider-related incidents, which at the very least equals the combined amount of all other IT security breaches, makes the insider threat the most dangerous among the cybersecurity vulnerabilities.
An Insider: The Definitions and Categories
The definition of an insider is not as obvious as it may appear at first glance. The insiders’ ranks are not limited to the corporate staff members inside the company boundaries. According to Stolfo (2008), “some definitions of insider include people such as account holders who access their bank accounts, patients who use an electronic system to communicate with medical professionals or view or manage their medical records, students at universities, customers who use online shopping systems, and similar users” (p. 12). Generally, any type of registered account within any corporate IT system makes the person an insider. Such an account provides some information that would not otherwise be available to the person, sharing inside knowledge of the organization. Additionally, certain friends and family members of employees may be considered insiders due to their subjective knowledge of the organization and its IT systems.
Employees and non-employees differ in their knowledge and access rights, which imply different levels of vulnerability. Some formal outsiders may possess enough information to cause more damage to the organization than many of the employees. Consequently, insiders can be categorized according to their potential impact on the organization with regard to cybersecurity. The main concerns relate to IT professionals and top management, whose knowledge and system access rights are the most significant.
An Insider and the CIA Principle
The ultimate goals of cybersecurity are data confidentiality, integrity, and availability (the CIA principle). Information confidentiality is the most obvious organizational concern with insiders. In the course of various activities, individuals operate on data of different confidentiality levels. Regardless of the formal policy restrictions, the IT system must ensure that only the required access is granted to the user. Unnecessary access rights often provoke the user’s curiosity and make data leaks difficult to trace. Information integrity is a more complex subject, both conceptually and with regard to the potential damage. The threat is not in leaking the information but in altering it, either accidentally or for some type of gain. Therefore, computer systems often incorporate an automated audit mechanism that routinely checks data integrity. In addition, no single user should have a set of access rights that would allow him to change the information and remove the traces of such changes. Finally, the data availability requirement means that the IT system must provide 24/7 access to the information for which the system is responsible. All types of accidental data removal, as well as system bugs that result in information unavailability, constitute a threat to the third CIA principle. Apparently, system bugs can also be associated with insiders, especially in the case of proprietary IT systems.
For the insider, there are many possibilities to cause damage to the organization. Even with the most restricted access rights, the mere forwarding of the corporate email address book to the outside world could lead to a significant compromise of confidential information. Intentional insider actions can be split into two categories. The first one envisages the abuse of properly assigned access rights, which are used for a malicious purpose. The second category comprises insider actions that result from “breaking into” the system beyond their usual activities. It may be achieved by the use of common hacker techniques, which are much more effective inside the security perimeter. Alternatively, the insider can take advantage of colleagues’ inattentiveness or employ social engineering tricks.
Intentional insider actions have diverse backgrounds and may serve different purposes. Some cybercrimes have purely psychological origins, resulting from insufficient HR risk management. As Kostopoulos (2012) cites, “case studies and survey research indicate that there is a subset of information technology specialists who are especially vulnerable to emotional distress, disappointment, disgruntlement and consequent failures of judgment which can lead to an increased risks of damaging acts or vulnerability to recruitment or manipulation” (p. 25). Other potential reasons include espionage (military or commercial) and financial fraud. These are usually free of the mistakes that are present in the actions of psychologically unbalanced employees. Such activities are well thought out and therefore particularly dangerous.
Often, insiders take advantage of ineffective organizational practices. The lack of proper audit and control leads to excessive access permissions, which could allow the removal of cybercrime traces. Researchers note that the termination process is the most dangerous period with regard to an insider’s malicious actions. “Many insiders … used privileged system access to take technical steps to set up the attack before termination. … insiders created backdoor accounts, installed and ran password crackers, installed remote network administration tools … and took advantage of ineffective security controls in termination process” (Stolfo, 2008, p. 23).
There are also “external” insiders who pose the possibility of intentional harm. Someone who has officially purchased copyrighted material can share it on the Internet. VIP clients of Internet banking can explore some system vulnerabilities because non-mass bank services are usually tested less thoroughly. Sometimes, outsourcing companies are granted access that is sufficient to influence other systems. Regardless of the NDA (Non-Disclosure Agreement) and consequent lawsuits, the potential damage cannot be compensated.
Situations in which the insider causes unintentional damage to computer systems or corporate data are rather common. There are no reliable statistics on intentional vs. unintentional cybersecurity breaches, but the latter cannot be outnumbered by many. This conclusion follows from the vast number of existing exploits that are triggered with the users’ help. In addition, refined social engineering techniques and basic human mistakes, along with system bugs, contribute to the scale of this particular vulnerability.
Many cases of unintentional cybersecurity breaches result from users’ failure to comply with security policies. The use of personal removable storage devices can get around the antivirus tools, making the victim’s PC attack all computers within the corporate data network. Following an innocent-looking link on a social network webpage can successfully compromise all the passwords stored in the web browser’s cache. Sticking a note with a hard-to-remember password on the keyboard may tempt even the cleaning staff. However, some unintentional insider actions with regard to cybersecurity cannot be foreseen by any policies. The majority of such cases result from poor exception handling within the system, as not every small deviation from the routine procedure can be tested in a complex IT environment.
The Insider Threat Prevention and Detection
The success of insider threat prevention and detection depends upon the combined task force of the Information Security Officer and his team, HR, the IT department, and top management. Their first duty is to establish formal control over the potential cybersecurity issues. According to Shoemaker and Conklin (2011), such controls “are intended to detect and prevent employee-caused breaches such as theft, fraud, misuse of information and noncompliance” (p. 124). One of the most important organizational aspects (which is often overlooked by top management) is the separation of the IT department from the cybersecurity group.
Information security policies are important tools that regulate the use of the corporate information system. These policies should explicitly define the security mechanisms, which “… need to be in place so that no member in the organization can single-handedly cause major damage. Equally important is that no member in the organization can affect data access or changes without leaving a trace” (Kostopoulos, 2012, p. 25). However, information security policies should not be overcomplicated, or they will be neglected.
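The automated integrity audit mentioned under the CIA principle and the requirement that no member can change data without leaving a trace can be realised together with a keyed, hash-chained audit log. The following is an added example (not code from the paper or from any cited author): each change record is authenticated with an HMAC that also covers the previous record's MAC, and the key and the latest chain head are held by the security group, not by the database administrators who can edit the table and the log file. The key, the record names and the tampering scenario are constructed for the demonstration.

```python
import hashlib
import hmac
import json

# Constructed demo key. In practice it is held by the security group only, so an
# administrator who can rewrite the log cannot recompute valid MACs (separation of duties).
AUDIT_KEY = b"constructed-demo-key-held-by-security-group"
GENESIS = "0" * 64


def _entry_mac(prev_mac: str, body: dict) -> str:
    payload = prev_mac + json.dumps(body, sort_keys=True)
    return hmac.new(AUDIT_KEY, payload.encode(), hashlib.sha256).hexdigest()


def append_entry(log: list, actor: str, record: str, old, new) -> dict:
    """Append one change record, chained to the previous entry's MAC."""
    prev_mac = log[-1]["mac"] if log else GENESIS
    entry = {"seq": len(log), "actor": actor, "record": record, "old": old, "new": new}
    entry["mac"] = _entry_mac(prev_mac, entry)   # entry has no "mac" key yet
    log.append(entry)
    return entry


def verify_chain(log: list, expected_head: str = None):
    """Return (True, None) if intact, else (False, index of the first bad entry).
    expected_head is the last MAC the security group recorded out of band; it
    catches truncation, which a hash chain alone cannot detect."""
    prev_mac = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if not hmac.compare_digest(_entry_mac(prev_mac, body), entry["mac"]):
            return False, i
        prev_mac = entry["mac"]
    if expected_head is not None and prev_mac != expected_head:
        return False, len(log)   # entries removed from the end
    return True, None


def demo_tampering():
    """Constructed scenario: a DBA edits and then deletes the record of his own change."""
    log = []
    append_entry(log, "clerk1", "invoice/1042", 1200.0, 1250.0)
    append_entry(log, "clerk2", "invoice/1043", 300.0, 275.0)
    append_entry(log, "dba1", "invoice/1042", 1250.0, 99000.0)
    head = log[-1]["mac"]                 # recorded by the security group
    intact = verify_chain(log, head)
    log[2]["new"] = 1250.0                # DBA rewrites the entry to hide the change
    after_edit = verify_chain(log, head)
    del log[2]                            # DBA deletes the entry instead
    after_delete = verify_chain(log, head)
    return intact, after_edit, after_delete
```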
Another important practice within the scope of insider threat prevention is cybersecurity awareness training. The responsible personnel should communicate the fundamental concepts of IT security to all employees and non-employees who in some way use the corporate information system. The cybersecurity staff also require regular training: “The training function is responsible for making certain that the individuals who perform specific information security tasks have all of the requisite knowledge, skills, and abilities to carry out their designated duties” (Shoemaker & Conklin, 2011, p. 240).
No matter how unpopular the monitoring of employees’ behaviour is, it helps to prevent the majority of cybercrimes. The company’s rights prevail over the individual privacy rights of an employee while at work, as has been established in a number of court cases. As long as basic civil and human rights are not violated, monitoring employees’ interactions with IT systems is fully justifiable. In addition, some counter-intelligence practices can determine the source of confidential information leaks. For example, the “canary trap” technique involves slight alterations to every copy of a file that might be leaked. The eventual data leak can then be traced back to the single person who had access to that particular copy.
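The canary trap just described, as an added example (not code from the paper): each recipient gets a copy of the same memo in which a few wording slots are chosen according to the recipient's index, and a leaked copy is matched back to the closest codeword. Each index bit is repeated across slots so that a single slot the leaker happened to reword still leaves the right recipient closest; a slot whose wording was removed altogether is treated as unreadable rather than as evidence. The memo text, the slot wordings and the recipient names are constructed for the demonstration.

```python
import re

# Constructed template; each {a|b} slot holds two wordings with the same meaning.
# The alternatives must not occur elsewhere in the text, or extraction becomes ambiguous.
TEMPLATE = ("Confidential: the board will {meet|convene} on Friday to "
            "{review|discuss} the {proposal|plan} for {closing|shutting} "
            "the {Dublin|Irish} office before {year-end|December}.")
SLOT = re.compile(r"\{([^{}|]+)\|([^{}|]+)\}")


def codeword(idx: int, n_recipients: int, n_slots: int) -> list:
    """Binary index of the recipient, each bit repeated over the slots (repetition code)."""
    k = max(1, (n_recipients - 1).bit_length())     # bits needed to number everyone
    return [(idx >> (i % k)) & 1 for i in range(n_slots)]


def make_copies(template: str, recipients: list) -> dict:
    n_slots = len(SLOT.findall(template))
    if n_slots < max(1, (len(recipients) - 1).bit_length()):
        raise ValueError("not enough slots to give every recipient a distinct copy")
    copies = {}
    for idx, name in enumerate(recipients):
        bits = iter(codeword(idx, len(recipients), n_slots))
        copies[name] = SLOT.sub(lambda m: m.group(1 + next(bits)), template)
    return copies


def trace_leak(template: str, recipients: list, leaked: str):
    """Return (suspect or None if ambiguous, number of mismatched slots, unreadable slots)."""
    slots = SLOT.findall(template)
    observed = []
    for a, b in slots:
        seen = (a in leaked, b in leaked)
        observed.append({(True, False): 0, (False, True): 1}.get(seen))  # None if unreadable
    unknown = observed.count(None)
    ranked = []
    for idx, name in enumerate(recipients):
        bits = codeword(idx, len(recipients), len(slots))
        bad = sum(o is not None and o != b for o, b in zip(observed, bits))
        ranked.append((bad, name))
    ranked.sort()
    if len(ranked) > 1 and ranked[0][0] == ranked[1][0]:
        return None, ranked[0][0], unknown        # two recipients fit equally well
    return ranked[0][1], ranked[0][0], unknown
```

With six slots and four recipients every index bit appears three times, so copies differ in at least three slots; more recipients per slot count reduces that margin, and a leaker who rewrites several slots can defeat the trap.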
There are a number of considerations that can enhance organizational cybersecurity from the IT department’s perspective. One of the approaches holds that the “segregation of technology services and system change controls are safeguards against insider threats and accidental changes as well as external threats” (Bayuk et al., 2012, p. 33). It means that independent IT services should be isolated from each other within the IT system in order to restrict possible unauthorized access. Additionally, change control along with the audit function must ensure data integrity. Another important part of cybersecurity relates to the structure of the corporate IT system. It should comply with the ISO 27001 and ISO 27032 IT security standards, providing information confidentiality, integrity, and accessibility. Particular attention should be paid to the front office IT environment. As front office employees are usually subject to the most significant turnover, the majority of personnel mistakes occur within their field of responsibility. In order to mitigate such mistakes, front office activities should become system-driven rather than user-driven. In an ideal scenario, the front office staff should operate a single application, preferably in client-server mode. All types of user input should be automatically checked for correctness, and progress through the system must be allowed only on the basis of strict rules.
As opposed to the threat prevention practices, detection systems often can only state that a security breach has occurred. An automated system that can detect cybersecurity threats usually employs artificial intelligence features. According to Probst (2010), “A Fraud Detection System usually stores and processes information about the behavior of customers and insiders of an institution” (p. 154). Depending on the empirical mechanisms behind the threat detection algorithm, different systems generate anomaly detection, misuse detection, or specification-based warnings to the cybersecurity personnel (Probst, 2010, p. 77). Despite the number of false warnings, threat detection systems sometimes help to initiate the timely actions that prevent the worst part of the exploit.
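The three warning types from Probst, as an added example that is not from the paper or the cited book: an anomaly detector builds each user's baseline (usual hours, usual volume of records read) from earlier access logs and flags deviations; a misuse rule flags reads of HR data by anyone outside the HR group; a specification check flags any activity by a terminated account. The log lines, the HR group and the terminated list are constructed for the demonstration, and the 3-sigma volume threshold is an arbitrary choice.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed access logs; fields: timestamp,user,resource,records_read
BASELINE_LOG = """2024-03-04T09:12:00,ann,crm/contacts,40
2024-03-04T10:40:00,ann,crm/contacts,55
2024-03-05T09:30:00,ann,crm/contacts,48
2024-03-05T14:05:00,ann,crm/contacts,52
2024-03-04T08:50:00,raj,hr/salaries,12
2024-03-05T10:10:00,raj,hr/salaries,15"""
NEW_LOG = """2024-03-06T09:20:00,ann,crm/contacts,50
2024-03-06T23:40:00,ann,crm/contacts,4800
2024-03-06T11:00:00,ann,hr/salaries,30
2024-03-06T10:15:00,raj,hr/salaries,14
2024-03-06T10:30:00,tom,crm/contacts,10"""
HR_GROUP = {"raj"}        # assumed group membership
TERMINATED = {"tom"}      # assumed HR termination list


def parse(log: str) -> list:
    out = []
    for line in log.splitlines():
        ts, user, res, n = line.split(",")
        out.append((datetime.fromisoformat(ts), user, res, int(n)))
    return out


def build_baseline(events: list) -> dict:
    """Per user: set of hours seen, mean and population std-dev of records read."""
    hours, counts = defaultdict(set), defaultdict(list)
    for ts, user, _, n in events:
        hours[user].add(ts.hour)
        counts[user].append(n)
    return {u: (hours[u], statistics.mean(counts[u]), statistics.pstdev(counts[u]))
            for u in hours}


def detect(baseline: dict, events: list) -> list:
    """Return (kind, user, detail) warnings of the anomaly, misuse and specification kinds."""
    warnings = []
    for ts, user, res, n in events:
        if user in TERMINATED:
            warnings.append(("specification", user, f"activity after termination on {res}"))
            continue
        if res.startswith("hr/") and user not in HR_GROUP:
            warnings.append(("misuse", user, f"non-HR read of {res}"))
        if user in baseline:
            hrs, mean, sd = baseline[user]
            if ts.hour not in hrs:
                warnings.append(("anomaly", user, f"activity at {ts.hour:02d}:00 outside usual hours"))
            if n > mean + 3 * sd:
                warnings.append(("anomaly", user, f"{n} records read vs usual {mean:.0f}"))
    return warnings
```

The hour-set baseline is deliberately strict, so it also produces the kind of false warning the text mentions (ann's 11:00 read is flagged even though 11:00 is an ordinary working hour); a real deployment would widen the baseline window or weight such warnings lower.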
As shown in this research, the insider threat to the organizational cybersecurity varies in form and quality. The extent to which the issue is spread and the diverse scale of the possible damage make the insider threat the most dangerous institutional vulnerability within the organizations, businesses, and government agencies. As the vulnerability itself results from the highly unpredictable human behavior, it cannot be fought effectively by any automated means. The combined value of the users’ training and organizational control can minimize the vulnerability and possible consequences of its exploits.