Insider Threat Demands a Proactive Approach

By: Krista M. | Cyber Threat Intelligence Analyst, NJCCIC

These days, so much attention is given to external cybersecurity threats that it is often easy to forget that insider threats can be just as damaging, especially when it comes to theft of intellectual property, trade secrets, personally identifiable information (PII), and other sensitive data. Insider threats can include current or departing employees, contractors, third party vendors, technicians, business partners, and anyone granted administrator privileges. If organizations do not have the right preventative measures in place and management is not cognizant of the indicators of an inside threat, they are putting themselves at great risk for devastating and potentially irreparable damage.

In 2007, a DuPont employee downloaded $400 million worth of proprietary information and trade secrets from the company’s database and sold them to a rival Chinese organization. This breach wasn’t discovered until after he left DuPont for a position with another company. In 2012, an employee of EnerVest, an oil and gas company, learned he was going to be fired so he took revenge by resetting the company’s network servers to factory settings, disconnecting various pieces of network equipment, and disabling cooling systems. EnerVest had to suspend business operations for 30 days and spent hundreds of thousands of dollars to remediate the damage. An insider data breach that took place in 2013 and 2014 cost AT&T a $25 million civil penalty after some of its call center employees pilfered sensitive customer data and sold it to traffickers of stolen and cloned cell phones. These are clearly extreme examples of the effects caused by insiders, but it is important to realize that damage done from these types of threats can go unnoticed for months, even years, if indicators are not recognized.

According to the 2015 Vormetric Insider Threat Report, 89% of U.S. organizations feel they are vulnerable to insider threats. Fortunately, Vormetric also found that insider threat awareness levels have increased and 93% of organizations surveyed intended to maintain or increase budgets on IT and data security. The company also noted that, within the last year, 40% of these organizations experienced a data breach or failed a compliance audit. The IBM 2015 Cyber Security Intelligence Index cites that, in 2014, 55% of all recorded cyberattacks were caused “by those who had insider access to organizations’ systems.”

In the InfoSec Institute article titled, Insider vs. Outsider Threats: Identify and Prevent, insider threats are broken down into four categories:

  • Compromised actors: insiders who have legitimate access to systems, networks, and data but who are acting in accordance with, or under the influence of, an external threat actor.
     
  • Unintentional actors: accidentally expose sensitive data (e.g., employees who lose their work-issued electronic device or use an unsecure Wi-Fi hotspot to conduct business transactions)
     
  • Emotional attackers: intentionally steal or destroy company data out of anger or for revenge (e.g., feeling unfairly treated at work, dislike of boss or coworkers, notified of an impending termination or lay-off, etc.)
     
  • Tech-savvy actors: know their way around a system or network and use this to their advantage to quietly siphon sensitive data and release it to external actors or sell it on the black market for a profit.

Symantec suggests another category in their report, What’s Yours is Mine: How Employees are Putting Your Intellectual Property at Risk: insider threats who see nothing wrong with taking sensitive data from their employer. Some employees may feel it is acceptable, and not criminal, to pilfer company data if they receive no financial compensation from doing so or there is no perceived harm to the company. Employees may also be inclined to steal data if there is little to no enforcement of security policies or data is unsecured and easily-accessible.

The following is a list of steps organizations can take in securing confidential data and protecting systems and networks from departing employees:

1.       Exit Interview: If an employee gives a traditional two-week notice upon resignation and does not appear hostile when doing so, be sure to conduct a thorough exit interview to discuss document retention and technology return policies, as well as a review of current account access and what can be expected as they prepare for departure. It would be wise to include a member of your IT security team in the meeting as well to ensure they are aware of any active accounts and company-issued devices still in use by the employee.

2.       Employee Removal: In the event the employee is terminated, gives a resignation notice that is effective immediately, or shows signs of hostility when resigning, you should remove him or her from the premises as quickly and safely as possible. Security or management should ensure that the employee does not leave with any data that violates company policy. Make sure to collect all work-issued items such as:

  • Laptop/desktop/tablet computers
  • Devices such as mobile phones or digital cameras
  • USB thumb drives or external hard drives
  • Memory cards (SD, microSD, CompactFlash, etc.)
  • CD-ROMs/DVD-ROMs/backup discs
  • GPS/navigation systems
  • Company credit cards

Especially in the case of termination, it is imperative that the employee not be notified in advance in order to prevent digital tampering or data theft that could negatively impact the organization.

3.       Immediately Limit Physical and Electronic Access: Before the employee permanently leaves the premises, make sure to immediately deactivate, disable, or delete the following for physical and network security:

  • Building and parking lot access cards
  • Security codes
  • ID authentication tokens
  • Email accounts
  • Network accounts (local and remote access)
  •  Voicemail account

Also, Change PINs and passwords to any previously accessed organization-managed accounts such as social media pages, website administration, bank accounts, etc.

Departing employees are not the only threat. Current employees, contractors, and third party vendors can be an even bigger threat because the exfiltration of data may occur slowly over time and without notice. The following is a list of steps that organizations should consider taking in securing confidential data and protecting systems and networks from new and current employees, contractors, and vendors:

1.       Security Policy: Have a clear and accessible security policy in place that establishes consistent standards for what is and is not permitted within the organization. Incorporate security policy review and acknowledgement into the onboarding process for all new employees and ensure that current employees review the policy regularly. All employees should be immediately notified of any changes made to the policy.

2.       Non-Disclosure Agreement (NDA): Ensure the organization has a clear and documented NDA and all employees receive a copy and sign an acknowledgement form upon receipt. Include what departing employees can and cannot take when leaving the organization.

3.       Provide Awareness Training & Establish a Reporting Process: Provide training to employees about how to identify potential insider threat activity and how to report it to management or the organization’s security team.

4.       Apply the Principle of Least Privilege: Control and regularly audit who has access to what data and outline the specifics in a written policy that is given to, and acknowledged by, every employee, contractor, and vendor.

5.       Use Encryption: Make sure any and all data that is taken offsite is encrypted to reduce the chance that it could be accessed by unauthorized parties in the event of loss or theft.

6.       Restrict the Use of Removable Media: Since media such as USB drives, CD-ROMs, and memory cards are some of the easiest and most popular ways of removing and transporting data, it may be worth removing or disabling USB ports, CD/DVD writers, and memory card slots if they are not needed to perform critical job functions.

7.       Monitor Endpoint Activity:  According to a 2015 survey done by SpectorSoft, endpoints are the most common launch point for insider attacks. This certainly emphasizes the importance of having robust endpoint security solutions and policies in place.

8.       Monitor Outbound Network Traffic: In addition to monitoring firewalls for malicious inbound traffic, it is crucial to monitor and control outbound traffic by setting content rules and blocking certain ports and outbound protocols, like those used by file sharing applications.

9.       Block Access to File Sharing Websites: File sharing websites are accessed from a browser through ports 80 and 443, so in this case, it is more convenient to block access to these individual sites than the ports. A good starter list can be found here, but make sure to keep up with new and active online file sharing services.

10.   Prevent the Use of Tor, Anonymizers, and Proxies: Prevent employees from using the organization’s systems and networks to browse the Internet anonymously by not allowing them administrator privileges and by blocking access to online proxy services.

11.   Monitor and Protect Wireless Devices: Make sure to implement a data protection solution for any and all mobile devices that connect to the organization’s network or contain and handle sensitive data. For instance, make sure that devices are password-protected and can be remotely wiped by the IT administrator if the device is ever lost.

12.   Use Data Loss Prevention (DLP) Software: Consider adopting one of the various DLP software solutions available to protect and monitor the transmission of sensitive data while enforcing security policy compliance.

13.   Watch for Early Warning Indicators: Detecting abnormal behaviors of people operating within your organization can go a long way in preventing data theft. Possible indicators include:

  • Suddenly working excessively late hours
  • Working unscheduled on weekends or during other shifts
  • Remotely accessing the network during off-hours
  • Never taking a vacation
  • Accessing parts of a system or network that is unnecessary for the person’s job
  • Exporting large amounts of data to external drives or via email to a personal account
  • Mass deletion of items or activities to attempt to cover one’s digital tracks
  • Switching screens away from current computer activity when approached by others
  • Continuously exhibiting signs of anger or hostility towards coworkers, the job, or the organization. 
  • Suddenly complaining about financial difficulties or legal troubles
  • Possesses knowledge of confidential company information before it’s made public

It is important to note that although much of the responsibility for protecting an organization’s sensitive information rests on the shoulders of its IT department, it is ultimately up to everybody within the organization to do as much as they can to prevent data theft from insider threats. Last week’s ruling by the U.S. Third Circuit Court of Appeals in Philadelphia that gave the Federal Trade Commission (FTC) permission to hold organizations accountable for data breaches signifies a drastic shift in how courts will view and respond to future data theft incidents. The time is now to ensure the future success of your organization by putting sensible practices in place and staying ahead of the technological curve when it comes to data security.