The Insider Threat
In the field of cybersecurity, there is heavy concentration on the technical controls and countermeasures that can and should be applied to protect against intrusions and attacks. We talk about devices, logging, intrusion-detection, anti-malware, detailed frameworks that identify complicated mechanisms, programming and mathematical algorithms for encryption. These are all very important pieces to a layered security posture. However, it is often the simplest, least technical or complicated measures that are employed to gain access to sensitive systems, information and assets that can lead to embarrassing or catastrophic breaches and data losses. Additionally, sometimes the less technical protections are the best and first line of defense and these are equally necessary to protect the organization and the vital assets inside the fortified walls of perimeter or application security. This article takes a close look at the insider threat, social engineering, manipulation, pretexting, and the importance of preparing and training the workforce to be prepared to identify and contend with this type of attack. After all, before any damage can be done to the internal assets of an organization, an attacker must first identify a valid and vulnerable target, get to the front door and find a way in.
Why does the insider threat matter?
The recent AT&T breach was made possible through bribery of company employees with access to unlock customer iPhones, and through installing keylogger malware and rogue wireless access points on the company’s network. NSA leakers Edward Snowden and Harold Martin were fully vetted contract employees of an intelligence agency that is the center of excellence in the field of cybersecurity. Neither of them could have been working in that agency without first being subjected to a special in-depth background investigation and a scrupulous adjudication that granted them a Top Secret clearance with special access. Even after that, additional controls for that agency require a full-scope polygraph, which these insiders clearly must have passed. Yet none of that protected the agency, the government or the country from these insiders, who used social engineering skills coupled with unnecessary privileges to access, store, copy and ultimately walk out with all the sensitive and classified information they wanted. This happened in an environment where security awareness is part of the work environment for everyone working there. Snowden reportedly used pretexting to coerce up to 25 other employees or contractors into providing their credentials, including passwords, by telling them that he needed the information to do his job.
Users are human and, therefore, are inherently the weakest link in any IT security program.
The biggest threat to security from the human component is the Insider Threat. This can especially be true of an insider with elevated privileges. Whether those privileges were granted by the organization or they were gained nefariously through social engineering or more technical means, the insider with elevated and privileged permissions can cause irreparable harm to an organization. An insider is typically a person who works for or with the organization and who has been fully vetted previous to being granted access to information and systems inside the company or organization. Insiders can be employees, full or part-time, they can be contractors, consultants or vendors.
They can also be the person who designed the system and knows all about it and has access to account information and applications. It can be the security engineer who knows where all the technical controls are and has access to auditing logs and records. This type of insider uses his or her technical skills and knowledge, coupled with the previously vetted and granted access to formulate an attack. The majority of insider attacks are carried out by IT personnel with more access privileges than may be required for their position or responsibilities.
Reasons for the insiders to perform attacks or steal information vary just as they do with those on the outside. Sometimes it’s money or some misguided attempt to share the “truth.” Often, however, it is the employee who feels as if they have been wronged by the organization in some way and uses their privileges, permissions and the trust that the company has with them to cause harm in an attempt at revenge.
A method of low-tech social engineering called pretexting uses false pretenses: the attacker claims to be someone they are not. The attacker uses key words, manipulation, deception or a clever ruse to get unsuspecting users to share information they normally would not. Pretexting can come from an insider or from outside the organization. An insider pretexting attack can be an administrator or a user who purports to need additional information, even credentials, to complete an IT-related task. You should never have to give up your password to anyone. This includes, and often especially, an IT person. If anyone, regardless of who they are or what they claim to need it for, asks you for your password, report it to your security officer or security team. Don’t be afraid to be suspicious, and don’t allow yourself to be manipulated or charmed. No legitimate administrator should ever ask for, or be provided with, your passwords.
Why not make it increasingly difficult for the attackers? By understanding the insider threat, and that social engineering tactics are real threats targeted at the human element, the weakest link in any security program, an educated and aware workforce can and will provide that level of difficulty and force attackers to fall back on more technical attacks. Automated, administrative or engineering technical controls, which come with a high price tag, are implemented to combat and protect against the technical attackers. Don’t just hand over the keys, or worse, walk them to the door, escort them blindly into the lobby, sit them down at your keyboard and hand them your password.
Social engineering techniques take advantage of the natural human tendency to trust another person. Most people aren’t inherently wired for suspicion. We are more open to helping others out when faced with the choice or opportunity. The keen and crafty social engineering expert will quickly and easily take advantage of the fact that most people want to help out a fellow human being. A crafty social engineering technique may be equally, if not more, productive to an attacker than any technical or other method applied. There are technical, or computer-based, methods of social engineering, such as phishing, fake websites, false messages from those who claim to be technical support, and dangerous spam with embedded viruses. In any event, information gained through more passive social engineering attacks can then be used for access, which allows the attacker to employ the more technical methods of attack. The majority of ransomware attacks, which often cripple a company for days or longer, are perpetrated through unsuspecting and uneducated internal employees carelessly clicking on a URL link in an email or an instant message. Today, in the world of social networking, an attacker and social engineer can learn plenty of information through social network sites such as Facebook or LinkedIn. Information learned can then be used to target the individual by claiming like interests and striking up a conversation to learn even more. An attacker may attempt to become friends with the employee and build a relationship that results in some level of trust, which could lead to that employee providing information, even if unintended, that could be detrimental to the security of the organization.
Of course, no social engineering technique can be successful without an unsuspecting user or a careless employee providing the information or the direct access that the attacker is seeking. A comprehensive cybersecurity awareness campaign is essential to ensuring an organization’s workforce is aware of these techniques and can recognize them. Other forms of social engineering require the perpetrator to be a bit more cunning and manipulative. A great social engineer is an expert in interacting easily with people. They are clever, kind and easy to talk with. They will use what they have learned from others, social networking and dumpster diving to gain your interest and build your trust. Sometimes, they will merely appear at ease and comfortable, as if they fit in a setting where they don’t really belong.
An attacker might have a false identity or authentication badge that is not coded for swiping through access control devices. In some cases, the perpetrator will follow close behind someone who has a valid badge, making that person feel obligated to hold the door open when the perpetrator’s badge fails to work. That is called tailgating. Tailgating often happens among legitimate employees through mere laziness or an attempt to be polite. Another method, known as piggybacking, takes place even if the attacker has no badge at all: the social engineer claims to have left a valid badge behind and coaxes the unwitting employee into letting them through.
It is important to have a documented, layered approach to your security program, with clearly defined policies to ensure the security of sensitive data and to maintain regulatory compliance under the law. An IT security policy documents the critical systems, identifies the threats and risks to those systems, and provides detailed plans and procedures for how the company will mitigate, accept or transfer those risks. Additionally, the IT security policy documents plans and procedures for incident handling, training, business continuity and disaster recovery.
Prior to being given access, users may be required to sign documents to show they understand the proper use of systems, the consent to monitoring, confidentiality and non-disclosure agreements (NDA). These procedures should be documented as required in the organization’s policy documents and signed NDAs should be kept on file for the legal protection of the company.
The policies and procedures of an organization must be in accordance with many regulating laws, depending on the business model of the company or organization. Many policies that will protect against social engineering are targeted at the user domain. The principles of least privilege and need-to-know are two very important items that should be addressed in policy, applied in role-based technical access controls and taught and practiced heavily in any organization that wants to take cybersecurity seriously and needs to remain in compliance with the laws and regulations that apply to them. No one person should have the technical permissions to gain access to information that they have no need to see, store, copy or manipulate, without documented oversight and proper credentials. Account privileges and access need to be controlled, recorded and monitored at all times. System applications should be monitored for unauthorized access or manipulation.
The problem with the insider threat is that we spend our time protecting our organizations from the outside, while the inside is left wide open.
How do you prevent the insider threat?
The best defense against the insider threat is a strong security awareness program. Effective training must be designed to clearly state that social engineering is a real threat from outside and from inside the organization and to continuously train the workforce in identifying the techniques and manipulation methods used by these attackers.
The Snowden and Martin cases prove that, even at the pinnacle of the cybersecurity culture, we are vulnerable to social engineering and the insider threat. For all the doctrines, policies, procedures, frameworks, complicated algorithms, encryption and technical controls that must be employed at this and other agencies like it, all it took was one manipulative person with too much unnecessary access and a small group of trusting and unaware or timid employees to allow this grand theft of national-security-level information. It happened right under the noses of those we expect not only to provide the highest degree of controls to protect information, but also to create policy and teach the rest of the intelligence community, and even corporate entities, how this protection should be performed. It could have been prevented with the simple application of the least-privilege principle and proper monitoring of data storage processes; all it would have taken is for one other person to report to the proper authority that this administrator had asked for another user’s password.
The best prevention against the insider threat is awareness. This comes from training and continuous reinforcement of the existence and the reality of the threats. The goal is to create a security-minded workforce. All employees, contractors and anyone else who has access to internal systems should receive formal, specific initial computer security awareness training before being given credentials and access to systems, services and applications. Training should be reiterated often in flyers, posters and products such as paper pads, pencils and even pop-up reminders on internal websites or portals. Additionally, security awareness refresher training should be conducted at least annually to educate the workforce and to update them on any additional threats or vulnerabilities.
A top-down cybersecurity policy and program should be implemented that includes periodic training and reinforcement of security risks and policies, as well as current trends for which the employee should be watchful. Strong passwords should be required and a strict password change policy applied. Password policies apply to every user because this is the most common place for an attack to take place. This ensures authentication of the identity of the user and authorizes that user to perform any function that is allowed by other policies. Implement multifactor account login procedures if possible. Periodic reviews should be done to ensure no individual employee has more privileges and rights of access than required to perform the duties assigned to their position or role. An incident response plan and a disaster recovery plan can, and should, be reviewed and tested often to ensure all current employees know how to recognize, report and respond properly to a prospective attack. The processes used to show that a company can handle incidents, making clients comfortable in its ability to protect sensitive data, are important for the health and reputation of the company.
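The least-privilege and need-to-know controls described above (role-based access, recorded and monitored account privileges, and periodic reviews to catch anyone holding more access than their role requires) can be made mechanical. The script below is an added example, not code from the original article or from The Penn Group: it compares each account's actual entitlements against a role catalogue, flags the excess, and also flags separation-of-duties conflicts such as a server administrator who can also read the audit log (the "security engineer who knows where the controls are" case from earlier in the article). The role names, entitlement strings, conflict pairs and accounts are all constructed sample data; in practice they would be exported from the directory or IAM system.

```python
"""Periodic least-privilege access review (added example, constructed data).

Compares what each account actually holds against what its role is approved
for, and reports the excess plus any separation-of-duties conflicts, so a
reviewer has a concrete revocation list instead of a spreadsheet to eyeball.
"""
from dataclasses import dataclass

# Constructed role catalogue: the entitlements each role is approved to hold.
# Anything an account holds beyond this set is, by definition, excess.
ROLE_ENTITLEMENTS = {
    "helpdesk": {"ticket.read", "ticket.write", "user.password_reset"},
    "sysadmin": {"server.ssh", "server.sudo", "backup.read"},
    "security_engineer": {"siem.read", "auditlog.read", "firewall.config"},
    "analyst": {"report.read"},
}

# Constructed separation-of-duties rules: pairs no single account should hold
# together, e.g. acting on servers plus reading the audit trail of that action.
SOD_CONFLICTS = [
    ("server.sudo", "auditlog.read"),
    ("user.password_reset", "siem.read"),
]


@dataclass(frozen=True)
class Account:
    user: str
    role: str
    entitlements: frozenset


@dataclass
class Finding:
    user: str
    role: str
    excess: frozenset        # entitlements not approved for the account's role
    sod_conflicts: list      # conflicting pairs the account holds together
    unknown_role: bool = False  # role not in the catalogue: everything is excess


def excess_entitlements(acct):
    """Return (excess, unknown_role) for one account."""
    approved = ROLE_ENTITLEMENTS.get(acct.role)
    if approved is None:
        return frozenset(acct.entitlements), True
    return frozenset(acct.entitlements - approved), False


def sod_conflicts(acct):
    """Return the conflicting entitlement pairs this account holds in full."""
    return [pair for pair in SOD_CONFLICTS if set(pair) <= acct.entitlements]


def review_account(acct):
    """Return a Finding for an over-privileged account, or None if it is clean."""
    excess, unknown = excess_entitlements(acct)
    conflicts = sod_conflicts(acct)
    if not excess and not conflicts and not unknown:
        return None
    return Finding(acct.user, acct.role, excess, conflicts, unknown)


def run_review(accounts):
    """Map user -> Finding for every account that needs reviewer attention."""
    return {f.user: f for f in map(review_account, accounts) if f is not None}


# Constructed sample export: one clean account, one admin who has quietly
# accumulated audit-log access, one account with a role nobody catalogued,
# and one analyst who was granted backup access for a task long finished.
SAMPLE_ACCOUNTS = [
    Account("alice", "helpdesk",
            frozenset({"ticket.read", "ticket.write", "user.password_reset"})),
    Account("bob", "sysadmin",
            frozenset({"server.ssh", "server.sudo", "backup.read",
                       "auditlog.read", "siem.read"})),
    Account("carol", "intern", frozenset({"report.read"})),
    Account("dave", "analyst", frozenset({"report.read", "backup.read"})),
]

if __name__ == "__main__":
    for f in run_review(SAMPLE_ACCOUNTS).values():
        tag = "UNKNOWN ROLE" if f.unknown_role else "EXCESS"
        print(f"{f.user:6} {f.role:18} {tag}: {sorted(f.excess)} "
              f"SoD conflicts: {f.sod_conflicts}")
```

Running the review on the sample export reports nothing for alice, flags bob's audit-log and SIEM access as excess and as a separation-of-duties conflict with his sudo rights, flags carol because her role has no approved entitlement set at all, and flags dave's leftover backup access. The useful design point is that the role catalogue is the single source of truth: adding an entitlement to a person without adding it to their role is exactly what the review is meant to surface, which is how the "one administrator with too much unnecessary access" situation gets caught before it is exploited.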
Cybersecurity awareness training for the entire workforce, from the most senior person down to every employee, regardless of role or position, is essential for a top-down, security-focused culture within the organization. Cybersecurity training materials should be reviewed at least annually to ensure all threats and risks are kept updated and relevant to current trends, regulations or laws. It is helpful to have a method for assessing the workforce’s baseline understanding and knowledge of cybersecurity threats, risks and behaviors. Keep training fun, intriguing and something everyone can relate to.
Austin Harman, President & CEO, Associate of CISSP, CAP