3 Tips to Mitigate the Insider Threat Facing Government Organizations
Verizon’s 2022 Data Breach Investigation Report (DBIR) was recently released and it contains both good and bad news regarding the risk of insider attacks.
First the good news, sort of. According to the DBIR, the vast majority of breaches continue to come from outside actors (80% vs. 18% from insiders). So perhaps we can be a little less suspicious of Bob, who sits two desks away from you.
However, when an inside attack does occur, it can be really, really destructive.
The DBIR found that the median number of records compromised as a result of an insider breach last year was 80,000. That figure alone is not great, and the totals are worse: the number of records breached by insider attacks exceeded 1,000,000,000, compared to well under 250,000,000 from outside actors.
Thus, even though the percentage of breaches caused by insiders remains low, they continue to be a constant and serious concern for the private and public sectors.
Insider Threat Risks Facing the Government Sector
Basically, the concern is that someone in the organization is stealing data and harming the organization, whether you are in the private sector or the government.
The big difference is in the sensitivity and potential magnitude of damage that can result from such an incident.
An internal incident can:
- Damage national security
By stealing or leaking sensitive information, an insider can cause real damage; in the most extreme examples, defense or intelligence secrets fall into the hands of rival nations.
The most (in)famous government insider is Edward Snowden. Without providing too many details, the intelligence community said Snowden had caused significant damage to US national security.
As great power competition between the United States and China continues to escalate, we see a steady stream of current and former government employees being discovered and convicted of espionage.
- Steal tons of personal information
The government holds a lot of personally identifiable information (PII) that can be used by malicious actors for profit or to carry out additional attacks.
The Office of Personnel Management breach is a vivid example: Chinese hackers stole 22.1 million documents, including the personal information of many government employees in sensitive intelligence positions.
While that was an external attack, it shows the scale of what is at stake. Given the number of records an insider has access to, the potential for personal information exposure is incredibly high.
- Undermine public trust
The public trusts the government with its data and expects it to take precautions to protect it.
Failure to do so erodes confidence that the government is up to the task and can make more people reluctant to provide more data. As biometrics advance, particularly for access control and identification for services, many may wonder whether organizations that cannot secure social security numbers or addresses can be trusted with the data points of their faces.
These events, and the concerns behind them, have led over the years to an intensification of government efforts to deal with insider threats.
This includes publishing helpful guides from the Cybersecurity and Infrastructure Security Agency and the National Insider Threat Task Force. These organizations understand that the national security risk is not just for government organizations, but also for government contractors.
Contractors, especially those working in defense-related fields such as aviation, face increased regulatory regimes such as the National Industrial Security Operating Manual (NISPOM) Change 2, under which they must show they are taking action to defend against internal threats.
Why are insiders so harmful?
Insiders have access to your sensitive information by default in order to do their job.
We do our best to ensure that we hire trustworthy people, but there is always a risk.
For better or for worse, they know where the juicy data is. This makes them both a potentially effective employee and a security risk.
An insider is well placed to compromise your organization's security along each leg of the CIA Triad, the model we use to conceptualize security:
- Confidentiality – data leaks
- Integrity – we can no longer trust the data
- Availability – we cannot access the data (think ransomware)
Insider threats are embarrassing and can be corrosive to an organization’s morale. Not only is it terrible to lose trust in other members of your team, but many organizations overcompensate for a breach by taking security measures that bring work to a screeching halt.
An insider can help outside hackers carry out a ransomware attack. This happens in the private sector more often than you might think, as it helps malicious actors save time and effort by simply spending a little money.
Why bother going through a phishing campaign to social engineer their target when they can just slip someone a few thousand dollars to leave the side door open?
Why are insiders hard to detect?
An insider can be like an Advanced Persistent Threat (APT), such as foreign government hackers, in that they can be inside your network for ages before being discovered.
This is often because they want to avoid the big splash of a ransomware attack which attracts a lot of attention and brings the attack to a head. They want to stay put for as long as possible, siphoning off data and squeezing their way to their target’s most valuable assets.
The challenge for defenders is that this low-and-slow approach is very difficult to detect and can allow them to cause significant damage.
Hopefully we do our best to segment access to sensitive information so that a single insider can’t cause too much damage on their own. Insiders can also be difficult to fight because they don’t use malware or exploits to reach their target data. As often-privileged members of the organization, they have legitimate credentials to access massive amounts of data without anyone raising an eyebrow.
That said, as the Snowden case shows, in a segmented organization no single employee should hold enough privileges to reach everything on their own. Snowden had to “borrow” access from his colleagues, unwittingly dragging them into his deception.
3 Tips to Mitigate Insider Threat Risk
Just as with external threat actors, we cannot fully prevent internal attacks from occurring in every case.
What we can do, however, is put measures in place that reduce the likelihood of an incident by strengthening our posture, and that limit the damage should one occur.
Here are some helpful tips.
Monitor user behavior for anomalies
Providing access to sensitive data is a necessity for your team to do their job, and in most cases that’s not a problem because most employees aren’t going to steal information.
But we still want to make sure that no worker can have too much access beyond their needs. Ideally, you restrict access on a need-to-know basis, on a least-privilege model.
The trick is to make sure your employees stick to their lanes and don’t access files or other resources that aren’t within their purview.
Use user behavior analytics tools to flag when a user begins to take actions outside their normal range of activity. There may be legitimate reasons for unusual behavior, but it is always important to detect and investigate it.
Additionally, abnormal user behavior may indicate that their account has been compromised by an external threat actor without their knowledge, giving even more reason to monitor this space.
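To make the "stick to their lanes" idea concrete, here is an added example of the kind of baseline check a behavior analytics tool performs. It is not code from the article or from any product: it builds, per user, the directories and working hours seen in a training window of access-log lines, then flags later lines that leave that baseline (a new directory, an off-hours access, or a daily volume well above the user's mean). The log format and every record are constructed for the example, and the thresholds (one hour of slack, twice the mean daily volume) are illustrative assumptions.

```python
"""Added example: minimal per-user access baseline and deviation check.

Constructed log format, one record per line:
    <ISO timestamp> <user> <action> <resource> <bytes>
Neither the format nor the records come from the original article.
"""
from collections import defaultdict
from datetime import datetime

# Constructed training window: what "normal" looked like for bob and alice.
TRAINING_LOG = """
2022-05-02T09:12:00 bob READ /shares/finance/q1_report.xlsx 204800
2022-05-02T10:40:00 bob READ /shares/finance/budget.xlsx 102400
2022-05-03T14:05:00 bob WRITE /shares/finance/q1_report.xlsx 210000
2022-05-04T11:30:00 bob READ /shares/finance/forecast.xlsx 98000
2022-05-02T08:55:00 alice READ /shares/hr/onboarding.docx 51200
2022-05-03T16:20:00 alice READ /shares/hr/payroll.csv 3000000
""".strip()

# Constructed later activity to be checked against the baseline.
NEW_LOG = """
2022-05-09T10:05:00 bob READ /shares/finance/budget.xlsx 102400
2022-05-09T23:47:00 bob READ /shares/hr/payroll.csv 3000000
2022-05-10T10:15:00 bob READ /shares/finance/forecast.xlsx 98000
2022-05-10T10:16:00 bob READ /shares/finance/q1_report.xlsx 204800
2022-05-10T10:17:00 bob READ /shares/finance/budget.xlsx 102400
2022-05-10T10:18:00 bob READ /shares/finance/forecast.xlsx 98000
""".strip()


def parse(log):
    """Turn log lines into dicts; a malformed line would raise rather than be silently skipped."""
    records = []
    for line in log.splitlines():
        ts, user, action, resource, nbytes = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user, "action": action,
                        "resource": resource, "bytes": int(nbytes)})
    return records


def build_baseline(records):
    """Per user: directories touched, hours active, and bytes moved per day."""
    baseline = defaultdict(lambda: {"dirs": set(), "hours": set(), "bytes_per_day": {}})
    for r in records:
        b = baseline[r["user"]]
        b["dirs"].add(r["resource"].rsplit("/", 1)[0])
        b["hours"].add(r["ts"].hour)
        day = r["ts"].date()
        b["bytes_per_day"][day] = b["bytes_per_day"].get(day, 0) + r["bytes"]
    return baseline


def detect_anomalies(baseline, records, volume_factor=2):
    """Return (user, reason, detail) tuples for activity outside the user's baseline."""
    findings = []
    daily = defaultdict(int)
    for r in records:
        b = baseline.get(r["user"])  # .get() avoids creating an empty baseline
        if b is None:
            findings.append((r["user"], "no baseline for user", r["resource"]))
            continue
        directory = r["resource"].rsplit("/", 1)[0]
        if directory not in b["dirs"]:
            findings.append((r["user"], "access outside usual directories", r["resource"]))
        # Allow one hour of slack on either side of any hour seen in training.
        if not any(abs(r["ts"].hour - h) <= 1 for h in b["hours"]):
            findings.append((r["user"], "access outside usual hours", r["ts"].isoformat()))
        daily[(r["user"], r["ts"].date())] += r["bytes"]
    for (user, day), total in daily.items():
        per_day = baseline[user]["bytes_per_day"].values()
        mean = sum(per_day) / len(per_day)
        if total > volume_factor * mean:
            findings.append((user, "daily volume above baseline", f"{day} {total} bytes"))
    return findings


def run():
    """Build the baseline from the training window and check the new activity."""
    baseline = build_baseline(parse(TRAINING_LOG))
    return detect_anomalies(baseline, parse(NEW_LOG))


if __name__ == "__main__":
    for user, reason, detail in run():
        print(f"{user}: {reason} ({detail})")
```

On the constructed data, bob's late-night read of an HR file trips both the directory and the hours check, and both of his later days exceed twice his training-period daily mean, while alice, who has no new activity, generates nothing. Each finding is a lead to investigate, not a verdict: as the text notes, unusual behavior may have a legitimate explanation or may mean the account is being driven by someone else.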
Keep your employees close and your future departures even closer
Former employees should also be factored into our thinking about insider threats.
Make sure workers who are about to leave take nothing with them but good memories. Monitor downloads and data transfers before they leave.
A key threat to watch for is sitting on their keychains. USB drives are a convenient way for an employee to download and walk away with your data. Advances in hardware have made these nifty little drives both cheaper and far larger in capacity than in the past.
If possible, prevent the use of these devices by blocking the ports on your machines. Another option is to make sure your monitoring tools detect whenever a flash drive is plugged in and log it for future forensic analysis.
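The monitoring half of that advice, logging every removable-media connection and reviewing transfers by people who have given notice, can be shown in a small correlation routine. The following is an added example, not the article's or any vendor's tooling: it parses a constructed endpoint log with two event kinds (a USB connection and a file copy), emits an audit line for every USB connection so the forensic record exists regardless of who plugged it in, and for each user on a constructed departure watch list reports what was copied to removable media within a few hours of a device being connected. The log format, the drive-letter convention for "removable", the four-hour window and the 100 MB escalation threshold are all assumptions made for the example.

```python
"""Added example: removable-media audit plus departing-employee transfer review.

Constructed log format (not from the article), one event per line:
    <ISO timestamp> USB_CONNECT <host> <user> <vendor:product> <serial>
    <ISO timestamp> FILE_COPY   <host> <user> <src> -> <dst> <bytes>
"""
import re
from datetime import datetime, timedelta

# Constructed watch list: employees who have given notice and their last working day.
DEPARTING = {"bob": "2022-06-30"}

# Constructed endpoint events. Device ids and serials are sample values, not real observations.
ENDPOINT_LOG = """
2022-06-21T08:58:10 USB_CONNECT ws-17 bob 0781:5581 4C530001230423123456
2022-06-21T09:02:44 FILE_COPY ws-17 bob /shares/finance/budget.xlsx -> E:/budget.xlsx 102400
2022-06-21T09:03:10 FILE_COPY ws-17 bob /shares/finance/q1_report.xlsx -> E:/q1.xlsx 204800
2022-06-21T09:05:51 FILE_COPY ws-17 bob /shares/finance/all_clients.csv -> E:/clients.csv 850000000
2022-06-21T13:15:00 USB_CONNECT ws-04 alice 0781:5581 4C530001230423999999
2022-06-21T13:20:00 FILE_COPY ws-04 alice /shares/hr/onboarding.docx -> E:/onboarding.docx 51200
2022-06-22T10:00:00 FILE_COPY ws-17 bob /shares/finance/forecast.xlsx -> /home/bob/forecast.xlsx 98000
""".strip()

USB_RE = re.compile(r"^(\S+) USB_CONNECT (\S+) (\S+) (\S+) (\S+)$")
COPY_RE = re.compile(r"^(\S+) FILE_COPY (\S+) (\S+) (\S+) -> (\S+) (\d+)$")


def parse_events(log):
    """Split the log into USB connection events and file copy events."""
    usb, copies = [], []
    for line in log.splitlines():
        m = USB_RE.match(line)
        if m:
            ts, host, user, vidpid, serial = m.groups()
            usb.append({"ts": datetime.fromisoformat(ts), "host": host, "user": user,
                        "device": vidpid, "serial": serial})
            continue
        m = COPY_RE.match(line)
        if m:
            ts, host, user, src, dst, nbytes = m.groups()
            copies.append({"ts": datetime.fromisoformat(ts), "host": host, "user": user,
                           "src": src, "dst": dst, "bytes": int(nbytes)})
    return usb, copies


def usb_audit_records(usb):
    """One durable audit line per connection: who, where, which device, when."""
    return [f"{e['ts'].isoformat()} REMOVABLE_MEDIA host={e['host']} user={e['user']} "
            f"device={e['device']} serial={e['serial']}" for e in usb]


def is_removable(dst):
    """Constructed convention: any drive letter other than C: is treated as removable media."""
    return re.match(r"^[D-Z]:/", dst) is not None


def review_departures(usb, copies, departing, window=timedelta(hours=4),
                      bytes_threshold=100_000_000):
    """For each departing user, list removable devices seen and files copied onto them."""
    report = {}
    for user in departing:
        sessions = [e for e in usb if e["user"] == user]
        to_media = [
            c for c in copies
            if c["user"] == user and is_removable(c["dst"])
            # Only count copies that follow one of this user's device connections.
            and any(timedelta(0) <= (c["ts"] - s["ts"]) <= window for s in sessions)
        ]
        total = sum(c["bytes"] for c in to_media)
        report[user] = {
            "removable_devices": sorted({(e["device"], e["serial"]) for e in sessions}),
            "files_to_media": [c["src"] for c in to_media],
            "bytes_to_media": total,
            "escalate": total >= bytes_threshold,
        }
    return report


if __name__ == "__main__":
    usb_events, copy_events = parse_events(ENDPOINT_LOG)
    for line in usb_audit_records(usb_events):
        print(line)
    for user, summary in review_departures(usb_events, copy_events, DEPARTING).items():
        print(user, summary)
```

On the constructed data, alice's connection is recorded for forensics but produces no review item because she is not on the watch list, while bob's three copies to the E: drive shortly after his device connected total about 850 MB and are flagged for escalation; his later copy to his own home directory is left out because it never touched removable media.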
Implement rapid investigations and incident response
If you see something, say something.
Because of how quickly these incidents can happen, if you suspect something is wrong, call your investigation team as soon as possible.
With any luck, you can prevent a massive leak from happening, catching the thief before they can get too far. But speed here is key.
Also, be sure to engage people who are not directly connected to the affected system to conduct the investigation and response.
Remember to balance security with usability/operational efficiency
Strong security is not the same as locking down your department’s IT like Fort Knox. The goal of a good security strategy is to allow your organization to do its job while minimizing risk.
Slowing down work by putting too much friction in place will only create frustration among your staff. Measures that are too intrusive (where that line falls depends on factors such as the sensitivity of the data) can even lead to resentment that causes your employees to take another look at the private sector.
Also remember that you need to maintain a level of trust with your employees. Without it, their ability to work as a cohesive unit suffers, and with it their ability to achieve collective goals.
Hopefully, with the right combination of security monitoring and best practices, your team will be able to trust and verify, paving the way for a safe and productive work environment.