Lesson 1 Part 2.pdf

Full Transcript

Lesson 1 Part 2
Insider threats are a complex issue that organisations across the globe face in both the
public and the private sector. A crucial first step in understanding insider threats is
defining what an insider threat is. There is an important distinction to be made when
discussing this topic, the insider versus the insider threat.

So what is an insider? According to the Cybersecurity and Infrastructure Security Agency
or CISA in the USA, an insider is any person who has or had authorised access to or
knowledge of an organisation's resources, including personnel, facilities, information,
equipment, networks and systems. Examples of an insider may include a person the
organisation trusts, including employees, organisation members and those to whom the
organisation has given sensitive information and access. A person given a badge or
access device identifying them as someone with regular or continuous access, for
example, an employee or a member of an organisation, a contractor, a vendor, a
custodian or even a repair person.

A person to whom the organisation has supplied a computer and or network access or a
person who develops the organisation's products and services. This group includes those
who know the secrets of the products that provide value to the organisation or their IP,
intellectual property. Or a person who is knowledgeable about the organisation's
fundamentals, including things like pricing, costs and an organisation's strengths and
weaknesses.

It also includes a person who is knowledgeable about the organisation's business
strategy and goals, entrusted with future plans or the means to sustain the organisation
and provide for the welfare of its employees. And in the context of government
functions, the insider can be a person with access to protected information, which if
compromised could cause damage to national security and public safety. So CISA defines
an insider threat as a potential for an insider to use those accesses or an understanding
of the organisation's harm.

And motivations behind insider threats are as varied as the individuals themselves who
carry them out. They can range from things like financial gain, personal vendettas,
ideological beliefs, or simple human error or negligence. And understanding these
motivations is key to detecting and preventing insider threats.

Insider threats can be categorised into intentional threats, where the insider has a
deliberate motive to harm the organisation, and unintentional threats, which result from
things like carelessness, a lack of awareness or accidental actions that lead to security
breaches. So unintentional threats stem from the actions or inactions of employees or
insiders who, without malicious intent, cause harm or potential harm to the
organisation's security or integrity. Now these types of threats typically stem from
ignorance, oversight, or negligence.

And the key subcategories include negligence, and this is the most common form of
unintentional insider threat, where employees fail to follow security policies or practices,
leading to potential security breaches. And examples include using weak passwords,
leaving sensitive information unsecured, or falling prey to things like phishing attacks or
business email compromise. Accidental disclosures, they occur when an insider
accidentally leaks confidential information.

Now this could be through sending an email to the wrong recipient, misplacing
documents, or unintentionally sharing sensitive information in public or insecure forums.
And then we have the misuse of resources, and this refers to situations where
employees use the organisation's resources inappropriately, but without malicious
intent. And this includes things like using company devices for personal use in a manner
that compromises security.

For example, they might be doing their online shopping using their work email and the
merchant that they shop at gets compromised. And they can also be guilty of
downloading unauthorised software that could contain malware as well. Now when it
comes to the intentional insider, these are acts committed by employees or insiders with
the deliberate intent to cause harm to the organisation's information or systems.

These threats are often motivated by personal gain, revenge, ideological beliefs, or
coercion. I recall when I was at Interpol that we had an insider who had been fired, and
he actually left a logical bomb on the system of the company, which obviously detonated
at some future point and destroyed their data and their backup systems as well. Now the
subcategories of an intentional insider are things like data exfiltration or data theft.

This often occurs when somebody gets a new job in another company and they want to
take the methodologies of their current company with them. So they conduct an
unauthorised transfer or removal of an organisation's sensitive or proprietary
information. And they may exfiltrate data for personal gain, competitive advantage, or to
expose information to harmful entities.

Now in some instances, an individual will remove data that they believe they claim
ownership of because they wrote it whilst they were employed by that organisation. And
an example of this might be things like a document, source code, or a project they
created or worked on. But they don't realise that anything that was created when they
were working for that company is the intellectual property of that company.

The individual does not own it. Now the unintentional insider may also commit fraud, and
that involves deceitful activities conducted for personal or financial gain, such as
manipulating financial records or conducting unauthorised transactions, which can lead
to significant financial and reputational damage. It might be that they are amending
invoices so that they can take some payment from those invoices or things like that.

And then there's IT sabotage, and that's the deliberate act of damaging or disrupting the
organisation's IT infrastructure systems or data. Now IT sabotage can cause operational
disruptions, loss of data integrity, and the compromise of the network security of the
organisation. And then we have security compromise.

So any action by an insider that weakens the organisation's security posture intentionally
or unintentionally. Now this could be because they shared passwords or they disabled
security software or they installed unauthorised software that introduced vulnerabilities.
And then you have things like workplace violence, which comes under insider threat.

And while these are often associated with physical acts, workplace violence in the
context of insider threats can also include actions that intimidate, harass, or threaten
other employees and potentially lead to a toxic work environment and affect overall
morale and productivity. And then we have abusive privileges. So this occurs when
insiders misuse authorised access to systems, data, or resources exceeding their
intended use.

This information could involve accessing confidential information without a business
need, modifying critical system settings, or granting unauthorised access to others. An
example of this would be when Princess Catherine was in hospital in London and an
employee tried to access her health records to find out what she was being treated for.
So thank you for listening to this slide.

Okay, so let's talk about the types of insider threats. So the landscape of insider threats
is very diverse, with various types of insiders, as you're learning, that pose different
levels of risk to organisations. And understanding these types is crucial for developing
targeted strategies to mitigate potential threats effectively.

And this section categorises insider threats into three primary types. So you have
malicious insiders, negligent insiders, and infiltrators. And each have their own unique
characteristics, motivations, and psychology.

So malicious insiders are individuals with authorised access who intentionally exploit
their position to inflict harm on the organisation. Their characteristics are that they
would cause deliberate intent to harm the organisation. They have use and knowledge
and access to exploit vulnerabilities.

And also, they may be able to collude with external adversaries. So examples of this
might be selling sensitive information to competitors, or sabotaging data or systems, or
facilitating external breaches. As we learned in the previous criminal profiling module, a
large number of internal employees sell data on the dark web to the highest bidder.

Then we have negligent insiders. So they're defined as those whose actions
unintentionally compromise security. And this can be from a point of ignorance,
oversight, or failure to comply with security policies.

So things like leaving your laptop in your car and your car gets broken into and stolen, or
leaving your laptop on a train. The characteristics of this type of insider are lack of
awareness or disregard for safety protocols, accidental mishandling of sensitive
information, vulnerability to phishing and social engineering attacks, which we know is a
major issue. Now, examples of this type of insider might come from misdirected emails
containing sensitive data.

When email addresses are pre-populated, there is a chance that if somebody has a
similar name, that the data may get sent out to the wrong person. Also, they have
unsecured storage of confidential information. So they just haven't stored the
information appropriately and according to policy.

Or they're falling victim to phishing scams that lead to data breaches or ransomware
attacks, or business email compromise, where they're actually paying for invoices that
are fraudulent. The final category is infiltrators. So infiltrators are external actors who
obtain insider access without authorization, often through social engineering or by
exploiting weaknesses in identity and access management systems.

There was a case a number of years ago where there was an experiment done with a
very pretty looking woman who reached out to people on LinkedIn to gain access to their
organizations and she was actually able to get credentials and a password because a
number of males in the organization fell victim to this fake profile. So characteristics of
this type of insider are that they are external to the organization, but they mimic insider
access. They exploit weaknesses in physical or digital access controls.

It might be that someone holds a door open for them and they're able to access the
physical building. Or they engage in espionage or theft of intellectual property. And we
know that this is a big problem with organizations like Boeing and Airbus that actually
develop military aircrafts and are infiltrated by the Chinese trying to obtain the
blueprints for such technological innovations.

And examples of this are using stolen credentials to access internal networks. Very often
you'll see on the dark web employee credentials up for sale. Or it might be a competitor
planting a mole within an organization.

And finally social engineering attacks might lead to unauthorized access because
somebody clicks on a malicious link in an email and the offender is then able to drop
ransomware on the system. Okay so let's talk about impacts on organizational security.
So insider threats pose significant complex risks to organizational security.

We know that. But the unique position of insiders with their access to sensitive
information and critical infrastructure in particular allows them to inflict damage that can
be devastating and long lasting. So we're going to discuss what delineates the various
impacts of insider threat on organizational integrity.

So number one you've got direct financial impacts. Now these include losses from theft
of intellectual property, fraud, sabotage. Now direct costs can escalate into millions
depending on the scale of the incident.

If you look at some of the recent hacks that have occurred through the supply chain
where third parties had access to major organizations and their credentials were
compromised it has cost these companies millions of dollars to rectify the issues that
have resulted from this. There's also indirect financial impact. So indirect costs
encompass the expenses related to investigating the breach, implementing remedial
measures, potential legal fees and fines.

So for example if you look at the British Airways hack that occurred a number of years
ago just after GDPR came out British Airways were actually on the hook for a huge
amount of regulatory fines because they were breached through a third party who had
access to their main system. So you've also got confidential information exposure. So
insiders can expose trade secrets, customer data and proprietary technologies which
leads to a competitive disadvantage and loss of trust by consumers.

And there's a long-term impact on innovation as well. The theft of intellectual property
can stifle an organization's innovative capabilities and affect its competitiveness and
market position. And then you've got reputational damage.

So public trust is a huge thing when it comes to a company's reputation. And an insider
incident can erode public trust in a second in an organization's ability to protect sensitive
data and it impacts their customer loyalty and partner relationships as well. There's also
the market value of the company.

So it's negatively affected by publicity following an insider threat and it can lead to a
decline in stock prices and market value. If you look at what's happened recently to
CrowdStrike, obviously there were issues inside with quality assurance and their stock
price was detrimentally impacted because of what happened. There's also operational
disruption.

So things like system downtime and productivity loss. So insiders can cause critical
systems to go offline. In the case of ransomware, they could be struggling to get
backups for their data and it disrupts their business operations and leads to significant
productivity losses.

So if you look at what happened to Colonial Pipeline, an employee was obviously clicked
on a malicious link which allowed re-evil into their systems, the organized crime group.
And they paid significantly in downtime plus they paid the ransomware as well because
of what happened. Then you've got resource diversion.

So responding to insider threats often requires diverting resources from productive
activities to enable you to investigate and remediate efforts. So your security operations
center is not doing their day-to-day duties because they're firefighting. And then you've
got legal and regulatory consequences.

So you've got compliance violations, specifically now things like GDPR and the Digital
Operational Resiliency Act has come into Europe. And I fully believe that the DORA Act
will be replicated in Singapore. And insider threats can result in violations of these
requirements.

And they can lead to sanctions, to fines and mandated changes to business practices,
which are all very expensive. Then you have litigation. So in the case of CrowdStrike,
they are going to face lawsuits from affected parties.

They're going to have increased legal costs and they're going to have further damage to
their reputation and their bottom financial line. And then finally, you've got mitigation
and response challenges. So you've got the complexity of actually detecting what went
wrong, particularly if the legitimate access has made it challenging to detect the
malicious activity.

And you've got to think about adaptive threats for that reason, because people need to
be aware of the organization's security practices to avoid detection and complicate that.
And that actually complicates mitigation efforts. So the impact of insider threats comes
from the knowledge and access they have.

And it's difficult to quantify because of massive underreporting and variations in cost
estimation. Now, the National Insider Threat Task Force, or the NITTF, which we talked
about earlier, they have reported that incidents of insider threat are on the rise,
especially in the technology sector and from technology threats. But because of massive
underreporting, they cannot actually quantify what this is going to look like.