The Threat from Within
By Carlos F. Parter, FCC/C10F Office of the Navy Authorizing Official
When we consider cybersecurity threats and vulnerabilities, we often think of external actors. Indeed, external actors work hard to get into our information technology infrastructure. Surprisingly, they are not our primary threat. When external actors successfully exploit a vulnerability, you must consider how and why. More often than not, the exploit succeeded because of failures from within.

One of the biggest threats to the security of our information systems and networks is the insider threat. Internal actors are responsible for 75% of security breach incidents. Do the math. Three-quarters of successful attacks on our information systems come from within our infrastructure. The bad guys are working hard to get in, but the internal actors already have the keys.
What is an insider threat? The 2017 National Defense Authorization Act defined an insider threat as, with respect to the Department of Defense, a threat presented by a person who has, or once had, authorized access to information, a facility, a network, a person, or a resource of the Department; and wittingly, or unwittingly, commits an act in contravention of law or policy that resulted in, or might result in, harm through the loss or degradation of government or company information, resources, or capabilities; or a destructive act, which may include physical harm to another in the workplace.
Simply put, an insider threat can be characterized as a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization’s security practices, data and computer systems.
The insider threat is like a cancer that keeps eating away at our cybersecurity controls. The central purpose of cybersecurity is to ensure the confidentiality, integrity, and availability of our information. In other words, only authorized users should have access to the information, the information should be unaltered, and the information should be available to authorized personnel on request. The threat from within circumvents our ability to effectively secure our information resources from unauthorized access.
So who is the insider? The insider could be anybody. Some examples of insiders are disgruntled employees, careless users or system administrators, those seeking financial gain (cyber/industrial espionage), untrained users, untrained system administrators, an employee with an internal sense of loyalty to a cause, etc. Any of us, or those we work alongside (we are all “insiders”), could be the malicious insider at any given time if we do not take cybersecurity seriously. It only takes one person to open the door and allow bad actors unauthorized access.
People are the weakest link in any robust cybersecurity program. In contrast, people are also our greatest asset and our first line of defense. We are the eyes and ears of information security. If you see something, say something. Vigilance is essential to ensure that our sensitive information is protected from unauthorized access. We have to familiarize ourselves with the indicators of the insider threat and act accordingly.
Indicators of an Insider Threat
What are some indicators of the insider threat? The following is a list of some possible indicators of which we should be mindful:
- Poor performance reviews. An employee may take a poor performance review personally and seek to get even with the company or organization.
- Disagreements over policies and standards. An employee may circumvent a policy that he or she does not support.
- Financial distress. Employees may feel overwhelmed by their financial status and make a rash decision to share sensitive information with external actors.
- Unexplained windfall. A shipmate has a new car, new house, or other tangible assets that are unexplained or unusual for his or her household income.
- Disagreements with co-workers or senior management. Violent behavior should be observed and reported to the chain of command.
- Interest in projects or information to which they are not assigned or do not have access. Be cautious of individuals who are overly interested in sensitive projects for which they do not have a need-to-know.
- Unusual overseas travel. Foreign travel to places that are not frequented by tourists, not required for work, or have no personal ties to the individual could be an indicator of espionage. Also be mindful of any routine but unreported travel.
- Excessive secrecy. We should be careful with the sensitive information we are responsible for safeguarding, but we are not the owners of the information. Be aware of personnel who are overly secretive about their job.
- Unusual working hours. Be mindful of personnel who do not have a need to work outside of normal working hours and have access to sensitive information.
- Careless work habits. Careless or inattentive work habits could result in an inadvertent spillage of sensitive information.
We must create a culture of acceptable user behavior. The culture begins at home. Be cognizant of what you post to social media. Think twice before posting information about work. If the information concerns a sensitive project, or could be aggregated with other information to become sensitive, do not post it to your social media accounts. Better yet, do not share sensitive information (in part or in whole) outside of work. Keep your operating systems updated, secure your Wi-Fi, monitor your browsing habits, avoid clickbait, do not install software from unverified sources, and keep your antivirus up to date.
Some of the mitigations that minimize the insider threat in the workplace are as follows:
- Policy. Users should be informed of expected behavior and the consequences of failure to comply.
- User awareness training. We cannot overemphasize the need for and importance of an effective user training program. Include spot checks, bulletin board postings, and other ongoing awareness activities to ensure insider threat awareness is ingrained as a central part of the organization’s culture. Include our individual responsibilities to report suspicious activity.
- Monitoring. Monitor and baseline normal behavior, and set alerts on deviations from that baseline.
- Separation of duties. This requires dividing functions among multiple personnel to make it difficult for one individual to cause damage to an organization without a co-conspirator. It should take two to tango.
- Job rotation. When possible, create a work culture that fosters the sharing of ideas but relies on the basics of cybersecurity to ensure you have a means to identify possible unusual user behavior. Job rotation is a great countermeasure to the insider threat. It improves your workforce’s skills and minimizes the complacency that comes from repeating the same tasks day in and day out.
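The monitoring item above comes down to two steps: build a per-user picture of what normal looks like, then alert when new activity departs from it. The following is an added example, not code from the article or from FCC/C10F, that does exactly that over constructed access-log lines: it baselines each user's typical transfer size and the hours they usually work from a history window, then flags new events that are far outside that volume, that fall outside both the normal working window and the user's own habitual hours, or that come from an account with no history at all. The log format, the 07:00 to 18:59 working window and the z-score threshold of 3 are assumptions.

```python
"""Baseline normal user activity and alert on deviations.

Added illustration for the 'Monitoring' mitigation; it is not code from the
article or from FCC/C10F. The log format (timestamp, user, action, bytes),
the work-hours window and the z-score threshold are all assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed history used to build the per-user baseline (three "normal" days).
HISTORY_LOG = """\
2023-03-01T09:12:00 alice file_read 1200
2023-03-01T10:05:00 alice file_read 800
2023-03-02T09:40:00 alice file_read 1500
2023-03-02T14:10:00 alice file_read 900
2023-03-03T11:00:00 alice file_read 1100
2023-03-01T08:55:00 bob file_read 3000
2023-03-02T09:20:00 bob file_read 2800
2023-03-03T10:15:00 bob file_read 3100
"""

# Constructed new events to evaluate against that baseline.
NEW_LOG = """\
2023-03-04T02:35:00 alice file_read 250000
2023-03-04T09:05:00 bob file_read 2900
2023-03-04T09:30:00 carol file_read 1000
"""

WORK_HOURS = range(7, 19)  # assumed 07:00-18:59 normal working window


def parse_log(text):
    """Parse whitespace-separated 'timestamp user action bytes' lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "bytes": int(nbytes)})
    return events


def build_baseline(events):
    """Per-user mean and standard deviation of bytes per event, plus hours seen."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)
    baseline = {}
    for user, evs in per_user.items():
        sizes = [e["bytes"] for e in evs]
        baseline[user] = {
            "mean": mean(sizes),
            "stdev": pstdev(sizes),
            "hours": {e["ts"].hour for e in evs},
        }
    return baseline


def detect_deviations(events, baseline, z_threshold=3.0):
    """Return (user, reason, detail) alerts for events that deviate from baseline."""
    alerts = []
    for e in events:
        b = baseline.get(e["user"])
        if b is None:
            # No history at all: an unknown account is itself worth a look.
            alerts.append((e["user"], "no_baseline", e["ts"].isoformat()))
            continue
        # Floor the spread so a user with near-constant history still gets a
        # sensible z-score instead of a division by zero.
        sigma = max(b["stdev"], 1.0)
        z = (e["bytes"] - b["mean"]) / sigma
        if z > z_threshold:
            alerts.append((e["user"], "volume", f"z={z:.1f} bytes={e['bytes']}"))
        # Off-hours only counts if the hour is outside the working window AND
        # the user has never been seen at that hour before.
        if e["ts"].hour not in WORK_HOURS and e["ts"].hour not in b["hours"]:
            alerts.append((e["user"], "off_hours", e["ts"].isoformat()))
    return alerts


def run(history=HISTORY_LOG, new=NEW_LOG):
    """Build the baseline from history and evaluate the new events against it."""
    return detect_deviations(parse_log(new), build_baseline(parse_log(history)))


if __name__ == "__main__":
    for user, reason, detail in run():
        print(f"ALERT {user}: {reason} ({detail})")
```

Note the split between the history window and the evaluated events: building the baseline from the same data you evaluate lets an outlier inflate its own standard deviation and hide. The off-hours rule also consults the user's own habitual hours, so someone whose job genuinely requires night work is not flagged every shift, which mirrors the indicator above about personnel who have no need to work outside normal hours.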
An effective tool in defending against the insider is a command’s onboarding/offboarding process. When you onboard a new hire, you have the opportunity to share the organization’s vision, mission, and expected behavior. When offboarding, you can learn what the organization is doing right, ensure a smooth transition, and ensure that the former employee no longer has access to vital information technology resources.
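The last offboarding step, confirming that a former employee no longer has access, is easy to state and easy to miss. As an added example that is not code from the article or from FCC/C10F, the script below reconciles a constructed HR separation list against a constructed directory export and reports accounts of former employees that are still enabled, still hold privileged group membership, or show a login after the separation date. The record fields, the user names and the privileged group names are assumptions.

```python
"""Offboarding audit: find separated personnel who still hold access.

Added illustration for the offboarding point above; it is not code from the
article or from FCC/C10F. The HR separation list, the directory export and the
privileged-group names are constructed assumptions.
"""
from datetime import date

# Constructed HR record: user -> date the person left the organization.
SEPARATIONS = {
    "dave": date(2023, 3, 1),
    "erin": date(2023, 2, 15),
    "gina": date(2023, 1, 10),   # account already deleted; not in the export
}

# Constructed directory export of accounts as they exist today.
ACCOUNTS = [
    {"user": "alice", "enabled": True, "groups": ["staff"],
     "last_login": date(2023, 3, 4)},
    {"user": "dave", "enabled": True, "groups": ["staff", "server-admins"],
     "last_login": date(2023, 3, 3)},
    {"user": "erin", "enabled": False, "groups": ["staff"],
     "last_login": date(2023, 2, 14)},
]

# Assumed set of group names that confer elevated access.
PRIVILEGED_GROUPS = {"server-admins", "domain-admins"}


def audit_offboarding(separations, accounts, privileged=PRIVILEGED_GROUPS):
    """Return {user: [finding, ...]} for separated users whose access lingers."""
    findings = {}
    by_user = {a["user"]: a for a in accounts}
    for user, left_on in separations.items():
        acct = by_user.get(user)
        if acct is None:
            continue  # account already removed; nothing to report
        issues = []
        if acct["enabled"]:
            issues.append("account still enabled after separation")
        held = privileged.intersection(acct["groups"])
        if held:
            issues.append("still in privileged group(s): " + ", ".join(sorted(held)))
        # A login after the separation date means the access was actually used.
        if acct["last_login"] is not None and acct["last_login"] > left_on:
            issues.append(f"login on {acct['last_login']} after separation on {left_on}")
        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_offboarding(SEPARATIONS, ACCOUNTS).items():
        for issue in issues:
            print(f"{user}: {issue}")
```

Running this as part of a recurring check, rather than once at the moment of departure, is what catches the accounts that were re-enabled, missed because the HR notice arrived late, or left in a privileged group after the primary account was disabled.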
Fight the Good Fight
There is no guaranteed way to rid our networks of the insider threat, but we can minimize the damage. We can all work together and do our part to ensure that the damage done by the insider does not result in grave harm to our information systems and networks. Take user awareness training seriously, do not be afraid to speak up, govern your network hygiene, and be a part of the solution. The insider threat not only affects our cybersecurity posture; the malicious insider also degrades our operations security and counterintelligence activities. Our network depends on you — the users and administrators.

For news and information from Commander, U.S. Fleet Cyber Command/U.S. 10th Fleet, visit www.navy.mil/local/FCCC10F/ or follow us on Twitter @USFLEETCYBERCOM.