Outing the Insiders

Outing the Insiders
This is the second of our insider threat series.  Part I is available here.
The insider threat has two key characteristics which allow the insider to access sensitive information: trust and access. Yet these characteristics differ from employee to employee with various factors such as rank. What are the parameters that we use to profile the insider threat?
Parameter #1:  Access privileges

  1. Legitimate privileges. These are the legitimate privileges given to the employee in order to perform her job. The higher the rank of the employee, the more privileges this employee has. According to the 2010 Verizon Data Breach Investigations Report (VDBIR), 88% of internal breaches are caused by the regular employees, such as corporate end-users, tellers, cashiers, and waiters. The remaining 12% are mainly executives, system administrators, and developers.
  2. Excessive privileges.  This is the case where a low-ranking employee has more permissions than what is deemed necessary in order to perform her job. The employee can abuse these rights in order to access sensitive information outside of her role. As an example, let’s consider the incident where Sprint employees illegally accessed 16,000 customer records and sold them to external criminals. These employees worked in the provider’s store and so it begs to ask why, in the first place, they had access to such customer info. It might just necessarily be a clear case of excessive privileges granted to these individuals.
  3. Privilege elevation.  In this case, the malicious user is granted certain restrictive permissions. Yet, through a series of nefarious activities they are able to empower themselves with higher privileges.

Parameter #2:  Technical skills

Technical skills of the insider also play a role in defining different insider profiles here since the higher the skill, the more security controls the individuals can bypass. Furthermore, a skillful insider knows how to leave the crime scene and minimize the footprint, thus impeding a trace back to that certain individual. Technical skills of the insider vary:
  1. High:  This might be the IT administrator, a person from the security team, a database administrator or even a developer. These individuals understand how the security controls work and accordingly, their weaknesses and how to bypass them. For example, take a developer at a financial institution who is aware of a privilege elevation vulnerability in a database. This malicious developer can exploit the vulnerability, and become the database administrator. As the administrator, she can turn off auditing, create bogus accounts and transfer funds to these accounts. A similar real-life scenario actually cost Societe Generale $7.1 billion. In that case, the rogue trader was familiar the internals of the servers, and so knew how to bypass the necessary controls which would have raised a red flag on his high dealings.
  2. Medium:  This employee is not as tech-savvy as the IT admin, but does know how to bypass certain security controls. For instance, consider the case of a health institution which requires employees to access patient data on a per-record basis via a home-grown application. A healthcare administrator might not be too content to update separately each of the hundreds of patient records when a doctor is re-assigned. Thus, the administrator might be inclined to directly access the database rather than connecting through the designated application.
  3. Low:  These are the employees who are most likely to leave a trace. They know what to do in order to get their job done, yet they too might abuse this functionality that was given to them. As a scenario, take a government employee in charge of issuing passports. However, this employee might have a curiosity streak causing the worker to snoop on the passport details of different VIPs. Such was the case in 2010 where government workers were dismissed following unlawful passport checkups on Obama and Clinton.

Parameter #3:  Motivation
Motivation plays a big role when defining the insider threat since the different abuse cases profile a user’s behavior. These behavioral signs can then be used as flags in order to issue necessary warnings of problematic access. For example, a user motivated by revenge might suddenly start deleting huge volumes of pertinent information which is atypical behavior.
We summarize here the different motivations for an insider to perform unlawful activities relating to data access. The first three constitute the majority of the insider threat, while the others also are important studies which have proved to be just as costly to an organization.

  1. Accidental – unintentionally exposing sensitive information
  2. It’s mine – claiming ownership of the organization’s proprietary information
  3. Coolness – introducing personal devices and social networks into the corporation.
  4. Profit – acting separately, or on behalf of others, for monetary gains.
  5. Revenge – knowingly conducting nefarious activity in order to cause damage to the organization.
  6. Curiosity – snooping on sensitive information, such as the organization’s road-map for the simple reason of idle curiosity.
  7. Ideology– knowingly conducting harmful activities in support of the individual’s beliefs.
  8. Productivity – bypassing restrictive controls in order to enhance office productivity.

How do these individuals behind the motivations look like? In section 3 of our series, we’ll deep-dive into the separate motivations. We will list the damage they can do as well as provide some real-life examples from past breaches where these motivations have played crucial roles in the insiders’ behavior.