The Threat from Within
By Carlos F. Parter, FCC/C10F Office of the Navy Authorizing Official
When we consider cybersecurity threats and vulnerabilities, we often think of external actors. Indeed, external actors work hard to get into our information technology infrastructure. Surprisingly, they are not our primary threat. When external actors successfully exploit a vulnerability, you must consider how and why. More often than not, the exploit was because of failures from within.
One of the biggest threats to the security of our information systems and networks is the insider threat. Internal actors are responsible for 75% of security breach incidents. Do the math. Three-quarters of successful attacks on our information systems come from within our infrastructure. The bad guys are working hard to get in, but the internal actors already have the keys to the kingdom.
What is an insider threat? The 2017 National Defense Authorization Act defined an insider threat as, with respect to the Department of Defense, a threat presented by a person who has, or once had, authorized access to information, a facility, a network, a person, or a resource of the Department; and wittingly, or unwittingly, commits an act in contravention of law or policy that resulted in, or might result in, harm through the loss or degradation of government or company information, resources, or capabilities; or a destructive act, which may include physical harm to another in the workplace.
Simply put, an insider threat can be characterized as a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization’s security practices, data and computer systems.
The insider threat is like a cancer that keeps eating away at our cybersecurity controls. The central purpose of cybersecurity is to ensure the confidentiality, integrity, and availability of our information. In other words, only authorized users should have access to the information, the information should be unaltered, and the information should be available to authorized personnel on request. The threat from within circumvents our ability to effectively secure our information resources from unauthorized access.
So, who is the insider? The insider could be anybody. Some examples of insiders are disgruntled employees, careless users or system administrators, those who are seeking financial gain (cyber/industrial espionage), untrained users, untrained system administrators, an employee with an internal sense of loyalty to a cause, etc. Any of us, or those who we work alongside (we are all “insiders”), could be the malicious insider at any given time if we do not take cybersecurity seriously. It only takes one person to open the door and allow bad actors unauthorized access.
People are the weakest link to any robust cybersecurity program. In contrast, people are also our greatest asset and our first line of defense. We are the eyes and ears of information security. If you see something, say something. Vigilance is essential to ensure that our sensitive information is protected from unauthorized access. We have to familiarize ourselves with the indicators of the insider threat and act accordingly.
Indicators of an Insider Threat
What are some indicators of the insider threat? The following is a list of some possible indicators of which we should be mindful:
- Poor performance reviews. An employee may take a poor performance review personally and seek to get even with the company or organization.
- Strong disagreements over policies and standards. An employee may circumvent a policy that he or she does not support.
- Financial distress. Employees may feel overwhelmed regarding their financial status and make a rash decision to share sensitive information with external actors for personal gain.
- Financial windfall. A shipmate has a new car, new house, or other tangible assets that are unexplained/unusual for his or her household income.
- Unreasonable disagreements with co-workers/senior management. Violent behavior should be observed and reported to the chain of command.
- Seeking information about projects or information to which they are not assigned or have access. Be cautious of individuals who are overly interested in sensitive projects in which they do not have a need-to-know.
- Unusual/unreported overseas travel. Foreign travel to spots that are not frequented by tourists, not required for work, or have no personal ties to the individual could be an indicator of espionage. Also any routine but unreported travel outside the United States.
- Secrecy. We should be careful with the sensitive information we are responsible for safeguarding, but we are not the owners of the information. Be aware of personnel who are overly secretive about their job.
- Odd working hours. Be mindful of personnel who do not have a need to work outside of normal working hours and have access to sensitive information.
- Inattentive work habits. Careless or inattentive work habits could result in an inadvertent spillage of sensitive information.
Fighting the Threat
We must create a culture of acceptable user behavior. The culture begins at home. Be cognizant of what you post to social media. Think twice before posting information about work. If the information is regarding a sensitive project or could lead to aggregated information that could become sensitive, do not post it to your social media accounts. Better yet, do not share sensitive information (part or whole) outside of work. Keep your operating systems updated, secure your Wi-Fi, monitor your browsing habits, avoid clickbait, do not install software from unverified sources, and keep your antivirus up to date.
Some of the mitigations to minimize the insider threat in the work place are as follows:
- Company/Organization Policy. Users should be informed of expected behavior and the consequences of failure to comply.
- User Awareness Training. We cannot overemphasize the need and importance of an effective user training program. Include spot checks, bulletin board postings, and other ongoing awareness activities to ensure insider threat awareness is ingrained as a central part of an organization’s culture. Include our individual responsibilities to report suspicious activity.
- Network Monitoring. Monitor and baseline normal behavior and set alerts on deviations from normal behavior.
- Separation of Duties. This requires dividing functions among multiple personnel to make it difficult for one individual to cause damage to an organization without a co-conspirator. It should take two to tango.
- Job Rotation. When possible, create a work culture that fosters the sharing of ideas, but relies on the basics of cybersecurity to ensure you have a means to identify possible unusual user behavior. Job rotation is a great countermeasure to the insider threat. Job rotation improves your workforce skills and minimizes complacency from repeating the same tasks day in and day out.
- Onboarding/Offboarding. An effective tool in defending against the insider is a command’s Onboarding/Offboarding process. When you onboard a new hire, you have the opportunity to share the organization’s vision, mission, and expected behavior. When using offboarding, you can see what the organization is doing right, ensure a smooth transition, and ensure that the former employee no longer has access to vital information technology resources.
Fight the Good Fight
There is no guarantee to rid our networks of the insider threat, but we can minimize the damage. We can all work together and do our part to ensure the damage done by the insider does not result in grave harm to our information systems and networks. Take user awareness training seriously, do not be afraid to speak up, govern your network hygiene, and be a part of the solution. The insider threat not only affects our cybersecurity posture, but the malicious insider degrades our operations security and counter intelligence activities. Our network depends on you — the users and administrators. For news and information from Commander, U.S. Fleet Cyber Command/U.S. 10th Fleet, visit www.navy.mil/local/FCCC10F/ or follow us on twitter @USFLEETCYBERCOM.