Insider threat

Last updated

An insider threat is a perceived threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization's security practices, data and computer systems. The threat may involve fraud, the theft of confidential or commercially valuable information, the theft of intellectual property, or the sabotage of computer systems.

Contents

Overview

Insiders may have accounts giving them legitimate access to computer systems, with this access originally having been given to them to serve in the performance of their duties; these permissions could be abused to harm the organization. Insiders are often familiar with the organization's data and intellectual property as well as the methods that are in place to protect them. This makes it easier for the insider to circumvent any security controls of which they are aware. Physical proximity to data means that the insider does not need to hack into the organizational network through the outer perimeter by traversing firewalls; rather they are in the building already, often with direct access to the organization's internal network. Insider threats are harder to defend against than attacks from outsiders, since the insider already has legitimate access to the organization's information and assets. [1]

An insider may attempt to steal property or information for personal gain or to benefit another organization or country. [1] The threat to the organization could also be through malicious software left running on its computer systems by former employees, a so-called logic bomb.

Research

Insider threat is an active area of research in academia and government.

The CERT Coordination Center at Carnegie-Mellon University maintains the CERT Insider Threat Center, which includes a database of more than 850 cases of insider threats, including instances of fraud, theft and sabotage; the database is used for research and analysis. [2] CERT's Insider Threat Team also maintains an informational blog to help organizations and businesses defend themselves against insider crime. [3]

The Threat Lab and Defense Personnel and Security Research Center (DOD PERSEREC) has also recently emerged as a national resources within the United States of America. The Threat Lab hosts an annual conference, the SBS Summit. [4] They also maintain a website that contains resources from this conference. Complimenting these efforts, a companion podcast was created, Voices from the SBS Summit. [5] In 2022, the Threat Lab created an interdisciplinary journal, Counter Insider Threat Research and Practice (CITRAP) which publishes research on insider threat detection.[ citation needed ]

Findings

In the 2022 Data Breach Investigations Report (DBIR), Verizon found that 82% of breaches involved the human element, noting that employees continue to play a leading role in cybersecurity incidents and breaches. [6]

According to the UK Information Commissioners Office, 90% of all breaches reported to them in 2019 were the result of mistakes made by end users. This was up from 61% and 87% over the previous two years. [7]

A 2018 whitepaper [8] reported that 53% of companies surveyed had confirmed insider attacks against their organization in the previous 12 months, with 27% saying insider attacks have become more frequent.[ citation needed ]

A report published in July 2012 on the insider threat in the U.S. financial sector [9] gives some statistics on insider threat incidents: 80% of the malicious acts were committed at work during working hours; 81% of the perpetrators planned their actions beforehand; 33% of the perpetrators were described as "difficult" and 17% as being "disgruntled". The insider was identified in 74% of cases. Financial gain was a motive in 81% of cases, revenge in 23% of cases, and 27% of the people carrying out malicious acts were in financial difficulties at the time.

The US Department of Defense Personnel Security Research Center published a report [10] that describes approaches for detecting insider threats. Earlier it published ten case studies of insider attacks by information technology professionals. [11]

Cybersecurity experts believe that 38% of negligent insiders are victims of a phishing attack, whereby they receive an email that appears to come from a legitimate source such as a company. These emails normally contain malware in the form of hyperlinks. [12]

Typologies and ontologies

Multiple classification systems and ontologies have been proposed to classify insider threats. [13]

Traditional models of insider threat identify three broad categories:

Criticisms

Insider threat research has been criticized. [14]

Adopting sociotechnical approaches, researchers have also argued for the need to consider insider threat from the perspective of social systems. Jordan Schoenherr [16] said that "surveillance requires an understanding of how sanctioning systems are framed, how employees will respond to surveillance, what workplace norms are deemed relevant, and what ‘deviance’ means, e.g., deviation for a justified organization norm or failure to conform to an organizational norm that conflicts with general social values." By treating all employees as potential insider threats, organizations might create conditions that lead to insider threats.

See also

Related Research Articles

<span class="mw-page-title-main">Computer security</span> Protection of computer systems from information disclosure, theft or damage

Computer security, cybersecurity, digital security, or information technology security is the protection of computer systems and networks from attacks by malicious actors that may result in unauthorized information disclosure, theft of, or damage to hardware, software, or data, as well as from the disruption or misdirection of the services they provide.

<span class="mw-page-title-main">Cybercrime</span> Type of crime based in computer networks

Cybercrime encompasses a wide range of criminal activities that are carried out using digital devices and/or networks. These crimes involve the use of technology to commit fraud, identity theft, data breaches, computer viruses, scams, and expanded upon in other malicious acts. Cybercriminals exploit vulnerabilities in computer systems and networks to gain unauthorized access, steal sensitive information, disrupt services, and cause financial or reputational harm to individuals, organizations, and governments.

The United States Computer Emergency Readiness Team (US-CERT) is an organization within the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Specifically, US-CERT is a branch of the Office of Cybersecurity and Communications' (CS&C) National Cybersecurity and Communications Integration Center (NCCIC).

A data breach, also known as data leakage, is "the unauthorized exposure, disclosure, or loss of personal information".

Computer security software or cybersecurity software is any computer program designed to influence information security. This is often taken in the context of defending computer systems or data, yet can incorporate programs designed specifically for subverting computer systems due to their significant overlap, and the adage that the best defense is a good offense.

A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less secure elements in the supply chain. A supply chain attack can occur in any industry, from the financial sector, oil industry, to a government sector. A supply chain attack can happen in software or hardware. Cybercriminals typically tamper with the manufacturing or distribution of a product by installing malware or hardware-based spying components. Symantec's 2019 Internet Security Threat Report states that supply chain attacks increased by 78 percent in 2018.

Trellix is a privately held cybersecurity company that was founded in 2022. It has been involved in the detection and prevention of major cybersecurity attacks. It provides hardware, software, and services to investigate cybersecurity attacks, protect against malicious software, and analyze IT security risks.

Cyberwarfare is the use of computer technology to disrupt the activities of a state or organization, especially the deliberate attacking of information systems for strategic or military purposes. As a major developed economy, the United States is highly dependent on the Internet and therefore greatly exposed to cyber attacks. At the same time, the United States has substantial capabilities in both defense and power projection thanks to comparatively advanced technology and a large military budget. Cyber warfare presents a growing threat to physical systems and infrastructures that are linked to the internet. Malicious hacking from domestic or foreign enemies remains a constant threat to the United States. In response to these growing threats, the United States has developed significant cyber capabilities.

In computer security, a threat is a potential negative action or event facilitated by a vulnerability that results in an unwanted impact to a computer system or application.

Cyber crime, or computer crime, refers to any crime that involves a computer and a network. The computer may have been used in the commission of a crime, or it may be the target. Netcrime refers, more precisely, to criminal exploitation of the Internet. Issues surrounding this type of crime have become high-profile, particularly those surrounding hacking, copyright infringement, identity theft, child pornography, and child grooming. There are also problems of privacy when confidential information is lost or intercepted, lawfully or otherwise.

Cyber Insider Threat, or CINDER, is a digital threat method. In 2010, DARPA initiated a program under the same name to develop novel approaches to the detection of activities within military-interest networks that are consistent with the activities of cyber espionage.

A cyberattack is any offensive maneuver that targets computer information systems, computer networks, infrastructures, personal computer devices, or smartphones. An attacker is a person or process that attempts to access data, functions, or other restricted areas of the system without authorization, potentially with malicious intent. Depending on the context, cyberattacks can be part of cyber warfare or cyberterrorism. A cyberattack can be employed by sovereign states, individuals, groups, societies or organizations and it may originate from an anonymous source. A product that facilitates a cyberattack is sometimes called a cyber weapon. Cyberattacks have increased over the last few years. A well-known example of a cyberattack is a distributed denial of service attack.

The following outline is provided as an overview of and topical guide to computer security:

Information security awareness is an evolving part of information security that focuses on raising consciousness regarding potential risks of the rapidly evolving forms of information and the rapidly evolving threats to that information which target human behavior. As threats have matured and information has increased in value, attackers have increased their capabilities and expanded to broader intentions, developed more attack methods and methodologies and are acting on more diverse motives. As information security controls and processes have matured, attacks have matured to circumvent controls and processes. Attackers have targeted and successfully exploited individuals human behavior to breach corporate networks and critical infrastructure systems. Targeted individuals who are unaware of information and threats may unknowingly circumvent traditional security controls and processes and enable a breach of the organization. In response, information security awareness is maturing. Cybersecurity as a business problem has dominated the agenda of most chief information officers (CIO)s, exposing a need for countermeasures to today's cyber threat landscape. The goal of Information security awareness is to make everyone aware that they are susceptible to the opportunities and challenges in today's threat landscape, change human risk behaviors and create or enhance a secure organizational culture.

Lazarus Group is a hacker group made up of an unknown number of individuals, alleged to be run by the government of North Korea. While not much is known about the Lazarus Group, researchers have attributed many cyberattacks to them since 2010. Originally a criminal group, the group has now been designated as an advanced persistent threat due to intended nature, threat, and wide array of methods used when conducting an operation. Names given by cybersecurity organizations include Hidden Cobra and ZINC or Diamond Sleet. According to North Korean defector Kim Kuk-song, the unit is internally known in North Korea as 414 Liaison Office.

<span class="mw-page-title-main">Point-of-sale malware</span>

Point-of-sale malware is usually a type of malicious software (malware) that is used by cybercriminals to target point of sale (POS) and payment terminals with the intent to obtain credit card and debit card information, a card's track 1 or track 2 data and even the CVV code, by various man-in-the-middle attacks, that is the interception of the processing at the retail checkout point of sale system. The simplest, or most evasive, approach is RAM-scraping, accessing the system's memory and exporting the copied information via a remote access trojan (RAT) as this minimizes any software or hardware tampering, potentially leaving no footprints. POS attacks may also include the use of various bits of hardware: dongles, trojan card readers, (wireless) data transmitters and receivers. Being at the gateway of transactions, POS malware enables hackers to process and steal thousands, even millions, of transaction payment data, depending upon the target, the number of devices affected, and how long the attack goes undetected. This is done before or outside of the card information being (usually) encrypted and sent to the payment processor for authorization.

A threat actor, bad actor or malicious actor is either a person or a group of people that take part in an action that is intended to cause harm to the cyber realm including: computers, devices, systems, or networks. The term is typically used to describe individuals or groups that perform malicious acts against a person or an organization of any type or size. Threat actors engage in cyber related offenses to exploit open vulnerabilities and disrupt operations. Threat actors have different educational backgrounds, skills, and resources. The frequency and classification of cyber attacks changes rapidly. The background of threat actors helps dictate who they target, how they attack, and what information they seek. There are a number of threat actors including: cyber criminals, nation-state actors, ideologues, thrill seekers/trolls, insiders, and competitors. These threat actors all have distinct motivations, techniques, targets, and uses of stolen data. See Advanced persistent threats for a list of identified threat actors.

In cybersecurity, cyber self-defense refers to self-defense against cyberattack. While it generally emphasizes active cybersecurity measures by computer users themselves, cyber self-defense is sometimes used to refer to the self-defense of organizations as a whole, such as corporate entities or entire nations. Surveillance self-defense is a variant of cyber self-defense and largely overlaps with it. Active and passive cybersecurity measures provide defenders with higher levels of cybersecurity, intrusion detection, incident handling and remediation capabilities. Various sectors and organizations are legally obligated to adhere to cyber security standards.

Data center security is the set of policies, precautions and practices adopted at a data center to avoid unauthorized access and manipulation of its resources. The data center houses the enterprise applications and data, hence why providing a proper security system is critical. Denial of service (DoS), theft of confidential information, data alteration, and data loss are some of the common security problems afflicting data center environments.

Internet security awareness or Cyber security awareness refers to how much end-users know about the cyber security threats their networks face, the risks they introduce and mitigating security best practices to guide their behavior. End users are considered the weakest link and the primary vulnerability within a network. Since end-users are a major vulnerability, technical means to improve security are not enough. Organizations could also seek to reduce the risk of the human element. This could be accomplished by providing security best practice guidance for end users' awareness of cyber security. Employees could be taught about common threats and how to avoid or mitigate them.

References

  1. 1 2 "FBI Counterintelligence: The Insider Threat. An introduction to detecting and deterring an insider spy". Fbi.gov. Archived from the original on 10 February 2014. Retrieved 8 March 2014.
  2. "The CERT Insider Threat Center". Cert.org. Retrieved 8 March 2014.
  3. "Insider Threat Blog". CERT. Retrieved 10 August 2012.
  4. "Insider Threat Blog". ThreatLab. Retrieved 17 July 2022.
  5. "Voices from the SBS Summit". ThreatLab. Retrieved 17 July 2022.
  6. "Verizon 2022 Data Breach Investigations Report (DBIR)" (PDF). Retrieved 23 May 2024.
  7. "The fight for your data: mitigating ransomware and insider threats". Information Age. 10 May 2021. Retrieved 20 June 2021.
  8. "Insider Threat 2018 Report". Cybersecurity Insiders. Retrieved 13 December 2018.
  9. Cummings, Adam; Lewellen, Todd; McIntire, David; Moore, Andrew; Trzeciak, Randall (2012), Insider Threat Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector, Software Engineering Institute, Carnegie Mellon University, (CMU/SEI-2012-SR-004)
  10. Shaw, Eric; Fischer, Lynn; Rose, Andrée (2009), Insider Risk Evaluation and Audit (PDF), Department of Defense Personnel Security Research Center, TR 09-02
  11. Shaw, Eric; Fischer, Lynn (2005), Ten Tales of Betrayal: The Threat to Corporate Infrastructures by Information Technology Insiders Analysis and Observations (PDF), archived from the original (PDF) on 14 October 2012, retrieved 18 March 2013
  12. Insider threat report fortinet.com
  13. Schoenherr, Jordan Richard; Lilja-Lolax, Kristoffer; Gioe, David (2022), "Multiple Approach Paths to Insider Threat (MAP-IT): Intentional, Ambivalent, and Unintentional Pathways to Insider Threats", Counter Insider Threat Research and Practice
  14. Schoenherr, Jordan; Thommson; Robert (2020), "Insider Threat Detection: A Solution in Search of a Problem", 2020 International Conference on Cyber Security and Protection of Digital Services (Cyber Security), 2020 International Conference on Cyber Security and Protection of Digital Services (Cyber Security), pp. 1–7, doi:10.1109/CyberSecurity49315.2020.9138862, ISBN   978-1-7281-6428-1, S2CID   220606121
  15. Coles-Kemp, Lizzie; Theoharidou, Marianthi (2010), Insider threat and information security management. In Insider threats in cyber security (pp. 45-71), Springer, Boston
  16. Schoenherr, Jordan (2020), Understanding Surveillance Societies: Social Cognition and the Adoption of Surveillance Technologies, IEEE ISTAS 2020
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.