The Threat from Within

By Carlos F. Parter, FCC/C10F Office of the Navy Authorizing Official

When
we consider cybersecurity threats and vulnerabilities, we often think of
external actors. Indeed, external actors work hard to get into our information
technology infrastructure. Surprisingly, they are not our primary threat. When
external actors successfully exploit a vulnerability, you must consider how and
why. More often than not, the exploit was because of failures from within.

One
of the biggest threats to the security of our information systems and networks
is the insider threat. Internal actors are responsible for 75% of security
breach incidents. Do the math. Three-quarters of successful attacks on our
information systems come from within our infrastructure. The bad guys are
working hard to get in, but the internal actors already have the keys to the
kingdom.

What
is an insider threat? The 2017 National Defense Authorization Act defined an insider
threat as, with respect to the Department of Defense, a threat presented by a
person who has, or once had, authorized access to information, a facility, a
network, a person, or a resource of the Department; and wittingly, or unwittingly,
commits an act in contravention of law or policy that resulted in, or might
result in, harm through the loss or degradation of government or company
information, resources, or capabilities; or a destructive act, which may
include physical harm to another in the workplace. 

Simply
put, an insider threat can be characterized as a malicious threat to an
organization that comes from people within the organization, such as employees,
former employees, contractors or business associates, who have inside
information concerning the organization’s security practices, data and computer
systems.

The
insider threat is like a cancer that keeps eating away at our cybersecurity
controls. The central purpose of cybersecurity is to ensure the
confidentiality, integrity, and availability of our information. In other
words, only authorized users should have access to the information, the
information should be unaltered, and the information should be available to
authorized personnel on request. The threat from within circumvents our ability
to effectively secure our information resources from unauthorized access.

So,
who is the insider? The insider could be anybody. Some examples of insiders are
disgruntled employees, careless users or system administrators, those who are
seeking financial gain (cyber/industrial espionage), untrained users, untrained
system administrators, an employee with an internal sense of loyalty to a
cause, etc. Any of us, or those who we work alongside (we are all “insiders”),
could be the malicious insider at any given time if we do not take
cybersecurity seriously. It only takes one person to open the door and allow
bad actors unauthorized access.

People
are the weakest link to any robust cybersecurity program. In contrast, people
are also our greatest asset and our first line of defense. We are the eyes and
ears of information security. If you see something, say something. Vigilance is
essential to ensure that our sensitive information is protected from
unauthorized access. We have to familiarize ourselves with the indicators of
the insider threat and act accordingly.

Indicators of an
Insider Threat

What
are some indicators of the insider threat? The following is a list of some
possible indicators of which we should be mindful:

  • Poor
    performance reviews. An employee may take a poor performance review personally
    and seek to get even with the company or organization.
  • Strong
    disagreements over policies and standards. An employee may circumvent a policy
    that he or she does not support.
  • Financial
    distress. Employees may feel overwhelmed regarding their financial status and
    make a rash decision to share sensitive information with external actors for
    personal gain.
  • Financial
    windfall. A shipmate has a new car, new house, or other tangible assets that
    are unexplained/unusual for his or her household income.
  • Unreasonable
    disagreements with co-workers/senior management. Violent behavior should be
    observed and reported to the chain of command.
  • Seeking
    information about projects or information to which they are not assigned or
    have access. Be cautious of individuals who are overly interested in sensitive
    projects in which they do not have a need-to-know.
  • Unusual/unreported
    overseas travel. Foreign travel to spots that are not frequented by tourists,
    not required for work, or have no personal ties to the individual could be an
    indicator of espionage. Also any routine but unreported travel outside the
    United States.
  • Secrecy.
    We should be careful with the sensitive information we are responsible for safeguarding,
    but we are not the owners of the information. Be aware of personnel who are
    overly secretive about their job.
  • Odd
    working hours. Be mindful of personnel who do not have a need to work outside
    of normal working hours and have access to sensitive information.
  • Inattentive
    work habits. Careless or inattentive work habits could result in an inadvertent
    spillage of sensitive information.

Fighting the
Threat

We
must create a culture of acceptable user behavior. The culture begins at home.
Be cognizant of what you post to social media. Think twice before posting
information about work. If the information is regarding a sensitive project or
could lead to aggregated information that could become sensitive, do not post
it to your social media accounts. Better yet, do not share sensitive
information (part or whole) outside of work. Keep your operating systems
updated, secure your Wi-Fi, monitor your browsing habits, avoid clickbait, do
not install software from unverified sources, and keep your antivirus up to date.

Some
of the mitigations to minimize the insider threat in the work place are as
follows:

  • Company/Organization
    Policy. Users should be informed of expected behavior and the consequences of
    failure to comply.
  • User
    Awareness Training. We cannot overemphasize the need and importance of an
    effective user training program. Include spot checks, bulletin board postings,
    and other ongoing awareness activities to ensure insider threat awareness is
    ingrained as a central part of an organization’s culture. Include our individual
    responsibilities to report suspicious activity.
  • Network
    Monitoring. Monitor and baseline normal behavior and set alerts on deviations
    from normal behavior.
  • Separation
    of Duties. This requires dividing functions among multiple personnel to make it
    difficult for one individual to cause damage to an organization without a
    co-conspirator. It should take two to tango.
  • Job
    Rotation. When possible, create a work culture that fosters the sharing of
    ideas, but relies on the basics of cybersecurity to ensure you have a means to
    identify possible unusual user behavior. Job rotation is a great countermeasure
    to the insider threat. Job rotation improves your workforce skills and
    minimizes complacency from repeating the same tasks day in and day out.
  • Onboarding/Offboarding.
    An effective tool in defending against the insider is a command’s
    Onboarding/Offboarding process. When you onboard a new hire, you have the
    opportunity to share the organization’s vision, mission, and expected behavior.
    When using offboarding, you can see what the organization is doing right,
    ensure a smooth transition, and ensure that the former employee no longer has
    access to vital information technology resources.

Fight the Good
Fight

There is no guarantee to rid our networks of the insider threat, but we can minimize the damage. We can all work together and do our part to ensure the damage done by the insider does not result in grave harm to our information systems and networks. Take user awareness training seriously, do not be afraid to speak up, govern your network hygiene, and be a part of the solution. The insider threat not only affects our cybersecurity posture, but the malicious insider degrades our operations security and counter intelligence activities. Our network depends on you — the users and administrators. For news and information from Commander, U.S. Fleet Cyber Command/U.S. 10th Fleet, visit www.navy.mil/local/FCCC10F/ or follow us on twitter @USFLEETCYBERCOM.


Graphic illustration by Defense Media Activity

Link: 

The Threat from Within