Lesson 1 Part 2
Nanyang Technological University

Summary
This document discusses insider threats, which are a complex issue for organizations. It defines an insider and an insider threat, categorizing them into intentional and unintentional threats. The document also discusses the motivations behind insider threats and examples of various types of insider threats, such as negligence, misuse of resources, data exfiltration, and espionage.
Full Transcript
Insider threats are a complex issue that organisations across the globe face in both the public and the private sector. A crucial first step in understanding insider threats is defining what an insider threat is. There is an important distinction to be made when discussing this topic: the insider versus the insider threat.

So what is an insider? According to the Cybersecurity and Infrastructure Security Agency, or CISA, in the USA, an insider is any person who has or had authorised access to or knowledge of an organisation's resources, including personnel, facilities, information, equipment, networks and systems. Examples of an insider include a person the organisation trusts, including employees, organisation members and those to whom the organisation has given sensitive information and access. It includes a person given a badge or access device identifying them as someone with regular or continuous access, for example an employee or a member of an organisation, a contractor, a vendor, a custodian or even a repair person. It includes a person to whom the organisation has supplied a computer and/or network access, or a person who develops the organisation's products and services; this group covers those who know the secrets of the products that provide value to the organisation, its intellectual property (IP). It also includes a person who is knowledgeable about the organisation's fundamentals, including things like pricing, costs and the organisation's strengths and weaknesses, and a person who is knowledgeable about the organisation's business strategy and goals, entrusted with future plans or the means to sustain the organisation and provide for the welfare of its employees. And in the context of government functions, the insider can be a person with access to protected information which, if compromised, could cause damage to national security and public safety.
So CISA defines an insider threat as the potential for an insider to use that access or understanding of the organisation to cause it harm. The motivations behind insider threats are as varied as the individuals who carry them out. They can range from financial gain, personal vendettas and ideological beliefs to simple human error or negligence, and understanding these motivations is key to detecting and preventing insider threats.

Insider threats can be categorised into intentional threats, where the insider has a deliberate motive to harm the organisation, and unintentional threats, which result from carelessness, a lack of awareness or accidental actions that lead to security breaches.

Unintentional threats stem from the actions or inactions of employees or insiders who, without malicious intent, cause harm or potential harm to the organisation's security or integrity. These threats typically stem from ignorance, oversight or negligence. The key subcategories are as follows. Negligence is the most common form of unintentional insider threat: employees fail to follow security policies or practices, leading to potential security breaches. Examples include using weak passwords, leaving sensitive information unsecured, or falling prey to phishing attacks or business email compromise. Accidental disclosures occur when an insider accidentally leaks confidential information; this could be through sending an email to the wrong recipient, misplacing documents, or unintentionally sharing sensitive information in public or insecure forums. Then we have the misuse of resources, which refers to situations where employees use the organisation's resources inappropriately but without malicious intent. This includes things like using company devices for personal use in a manner that compromises security.
For example, they might be doing their online shopping using their work email, and the merchant they shop at gets compromised. They can also be guilty of downloading unauthorised software that could contain malware.

When it comes to the intentional insider, these are acts committed by employees or insiders with the deliberate intent to cause harm to the organisation's information or systems. These threats are often motivated by personal gain, revenge, ideological beliefs or coercion. I recall when I was at Interpol that we had an insider who had been fired, and he actually left a logic bomb on the company's system, which obviously detonated at some future point and destroyed their data and their backup systems as well.

The subcategories of an intentional insider are things like data exfiltration or data theft. This often occurs when somebody gets a new job in another company and wants to take the methodologies of their current company with them, so they conduct an unauthorised transfer or removal of the organisation's sensitive or proprietary information. They may exfiltrate data for personal gain, competitive advantage, or to expose information to harmful entities. In some instances an individual will remove data that they believe they own because they wrote it whilst employed by that organisation; an example might be a document, source code, or a project they created or worked on. But they don't realise that anything created while they were working for that company is the intellectual property of that company. The individual does not own it. The unintentional insider may also commit fraud, which involves deceitful activities conducted for personal or financial gain, such as manipulating financial records or conducting unauthorised transactions, and which can lead to significant financial and reputational damage.
It might be that they are amending invoices so that they can take some payment from those invoices, or things like that. Then there's IT sabotage, which is the deliberate act of damaging or disrupting the organisation's IT infrastructure, systems or data. IT sabotage can cause operational disruptions, loss of data integrity, and the compromise of the organisation's network security. Then we have security compromise: any action by an insider that weakens the organisation's security posture, intentionally or unintentionally. This could be because they shared passwords, disabled security software, or installed unauthorised software that introduced vulnerabilities. Then you have things like workplace violence, which also comes under insider threat. While these are often associated with physical acts, workplace violence in the context of insider threats can also include actions that intimidate, harass or threaten other employees, potentially leading to a toxic work environment and affecting overall morale and productivity. And then we have abuse of privileges. This occurs when insiders misuse authorised access to systems, data or resources, exceeding their intended use. This could involve accessing confidential information without a business need, modifying critical system settings, or granting unauthorised access to others. An example of this would be when Princess Catherine was in hospital in London and an employee tried to access her health records to find out what she was being treated for. So thank you for listening to this slide.

Okay, so let's talk about the types of insider threats. The landscape of insider threats is very diverse, with various types of insiders, as you're learning, that pose different levels of risk to organisations. Understanding these types is crucial for developing targeted strategies to mitigate potential threats effectively.
This section categorises insider threats into three primary types: malicious insiders, negligent insiders and infiltrators. Each has its own unique characteristics, motivations and psychology.

Malicious insiders are individuals with authorised access who intentionally exploit their position to inflict harm on the organisation. Their characteristics are a deliberate intent to harm the organisation and the use of their knowledge and access to exploit vulnerabilities; they may also collude with external adversaries. Examples might be selling sensitive information to competitors, sabotaging data or systems, or facilitating external breaches. As we learned in the previous criminal profiling module, a large number of internal employees sell data on the dark web to the highest bidder.

Then we have negligent insiders, defined as those whose actions unintentionally compromise security. This can be from a point of ignorance, oversight, or failure to comply with security policies: things like leaving your laptop in your car, where the car gets broken into and the laptop stolen, or leaving your laptop on a train. The characteristics of this type of insider are a lack of awareness or disregard for safety protocols, accidental mishandling of sensitive information, and vulnerability to phishing and social engineering attacks, which we know is a major issue. Examples of this type of insider might be misdirected emails containing sensitive data: when email addresses are pre-populated, there is a chance that, if somebody has a similar name, the data gets sent to the wrong person. There is also unsecured storage of confidential information, where they just haven't stored the information appropriately and according to policy.
Or they fall victim to phishing scams that lead to data breaches or ransomware attacks, or to business email compromise, where they are actually paying invoices that are fraudulent.

The final category is infiltrators. Infiltrators are external actors who obtain insider access without authorisation, often through social engineering or by exploiting weaknesses in identity and access management systems. There was a case a number of years ago where an experiment was done with a very pretty-looking woman who reached out to people on LinkedIn to gain access to their organisations, and she was actually able to get credentials and a password because a number of males in the organisation fell victim to this fake profile. The characteristics of this type of insider are that they are external to the organisation but mimic insider access, and they exploit weaknesses in physical or digital access controls. It might be that someone holds a door open for them and they are able to access the physical building. Or they engage in espionage or theft of intellectual property; we know this is a big problem for organisations like Boeing and Airbus, which develop military aircraft and are infiltrated by the Chinese trying to obtain the blueprints for such technological innovations. Examples include using stolen credentials to access internal networks: very often you'll see employee credentials up for sale on the dark web. Or it might be a competitor planting a mole within an organisation. And finally, social engineering attacks might lead to unauthorised access because somebody clicks on a malicious link in an email and the offender is then able to drop ransomware on the system.

Okay, so let's talk about impacts on organisational security. Insider threats pose significant, complex risks to organisational security. We know that.
But the unique position of insiders, with their access to sensitive information and critical infrastructure in particular, allows them to inflict damage that can be devastating and long lasting. So we're going to discuss the various impacts of insider threats on organisational integrity.

Number one, you've got direct financial impacts. These include losses from theft of intellectual property, fraud and sabotage, and the direct costs can escalate into millions depending on the scale of the incident. If you look at some of the recent hacks that have occurred through the supply chain, where third parties had access to major organisations and their credentials were compromised, it has cost these companies millions of dollars to rectify the resulting issues. There's also the indirect financial impact: indirect costs encompass the expenses related to investigating the breach, implementing remedial measures, and potential legal fees and fines. For example, if you look at the British Airways hack that occurred a number of years ago, just after GDPR came out, British Airways were actually on the hook for a huge amount of regulatory fines because they were breached through a third party who had access to their main system.

You've also got confidential information exposure. Insiders can expose trade secrets, customer data and proprietary technologies, which leads to a competitive disadvantage and a loss of trust by consumers. There's a long-term impact on innovation as well: the theft of intellectual property can stifle an organisation's innovative capabilities and affect its competitiveness and market position. And then you've got reputational damage. Public trust is a huge thing when it comes to a company's reputation, and an insider incident can erode public trust in an organisation's ability to protect sensitive data in a second; it impacts customer loyalty and partner relationships as well.
There's also the market value of the company, which is negatively affected by publicity following an insider threat; it can lead to a decline in stock prices and market value. If you look at what's happened recently to CrowdStrike, obviously there were issues inside with quality assurance, and their stock price was detrimentally impacted because of what happened.

There's also operational disruption: things like system downtime and productivity loss. Insiders can cause critical systems to go offline. In the case of ransomware, the organisation could be struggling to recover its data from backups, which disrupts business operations and leads to significant productivity losses. If you look at what happened to Colonial Pipeline, an employee obviously clicked on a malicious link which allowed REvil, the organised crime group, into their systems, and they paid significantly in downtime, plus they paid the ransom as well. Then you've got resource diversion: responding to insider threats often requires diverting resources from productive activities to investigation and remediation efforts, so your security operations centre is not doing its day-to-day duties because it is firefighting.

And then you've got legal and regulatory consequences. You've got compliance violations, specifically now with things like GDPR and the Digital Operational Resilience Act, which has come into Europe, and I fully believe that the DORA Act will be replicated in Singapore. Insider threats can result in violations of these requirements, which can lead to sanctions, fines and mandated changes to business practices, all of which are very expensive. Then you have litigation. In the case of CrowdStrike, they are going to face lawsuits from affected parties, they are going to have increased legal costs, and they are going to have further damage to their reputation and their financial bottom line.
And then finally, you've got mitigation and response challenges. There's the complexity of actually detecting what went wrong, particularly when legitimate access makes it challenging to detect the malicious activity. You've also got to think about adaptive threats for that reason: insiders who are aware of the organisation's security practices can adapt to avoid detection, and that complicates mitigation efforts. So the impact of insider threats comes from the knowledge and access they have, and it is difficult to quantify because of massive underreporting and variations in cost estimation. The National Insider Threat Task Force, or NITTF, which we talked about earlier, has reported that incidents of insider threat are on the rise, especially in the technology sector and from technology threats, but because of massive underreporting they cannot actually quantify what this is going to look like.
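The detection difficulty described here, and the intentional-insider subcategories listed earlier (privilege abuse such as reading a patient record without a business need, data exfiltration, and security compromise such as disabling security software), can be shown on a constructed audit log. This is an added example, not code from the lecture or from any product it mentions: every event below passes the access-control check, so the only signal is context such as care relationship, volume baseline and destination. The care team, baselines, domain and log lines are all constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: staff with a business need (care relationship) for each
# record. Access control alone lets any clinical user open it; this is the context.
CARE_TEAM = {"patient-4471": {"nurse.lee", "dr.patel"}}
# Constructed per-user daily upload baseline in megabytes.
BASELINE_MB = {"nurse.lee": 50, "dev.ahmed": 200, "admin.cho": 100}
ORG_DOMAIN = ".corp.example"  # constructed; destinations outside it are external


@dataclass
class AuditEvent:
    user: str
    action: str  # "read_record" | "upload" | "disable_security_tool"
    target: str  # record id, upload destination host, or tool name
    size_mb: int = 0


def classify(ev: AuditEvent) -> Optional[str]:
    """Map an authorised event to the lecture subcategory it resembles,
    or None when the surrounding context looks legitimate."""
    if ev.action == "read_record":
        # Authorised role, but no care relationship means no business need.
        if ev.user not in CARE_TEAM.get(ev.target, set()):
            return "privilege abuse"
    elif ev.action == "upload":
        external = not ev.target.endswith(ORG_DOMAIN)
        # Flag only external destinations with volume far above the user's
        # own baseline; a large internal transfer is routine.
        if external and ev.size_mb > 10 * BASELINE_MB.get(ev.user, 0):
            return "data exfiltration"
    elif ev.action == "disable_security_tool":
        # Admins are allowed to do this, which is exactly why it needs review.
        return "security compromise"
    return None


def triage(events: list) -> list:
    """Return (user, subcategory) for each event that warrants analyst review."""
    return [(ev.user, cat) for ev in events if (cat := classify(ev))]


SAMPLE_EVENTS = [  # constructed audit log
    AuditEvent("nurse.lee", "read_record", "patient-4471"),
    AuditEvent("admin.cho", "read_record", "patient-4471"),
    AuditEvent("dev.ahmed", "upload", "share.corp.example", size_mb=3000),
    AuditEvent("dev.ahmed", "upload", "drive.personal-cloud.example", size_mb=4000),
    AuditEvent("admin.cho", "disable_security_tool", "edr-agent"),
]
```

Running `triage(SAMPLE_EVENTS)` flags three of the five events; the nurse's record read and the large internal upload are left alone because their context matches a business need.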