If most people were asked what the biggest cybersecurity threat is, the typical answer would involve the Russians, the Chinese, competitors and foreign adversaries. Essentially the answers would focus on external threats, and they would be partially correct. To get the real answer we need to differentiate between the source of the threat and the cause of the damage. The source of most threats is absolutely external, but the cause of the damage in almost all cases is internal: someone inside the organization did something that let the adversary in or made it easier for them to cause damage. If you spend a few minutes thinking about this, you would be hard pressed to find a breach in which an insider did not play some role, not only in allowing it to occur but in the overall damage.
Types of Insider Threats
When most people think of insider threat, they think of Robert Hanssen or Edward Snowden; essentially they think of malicious insiders who wanted to cause harm or damage. While malicious or intentional insiders will always be a threat, the bigger issue for most organizations is the accidental or unintentional insider: someone who was tricked or manipulated into doing harm without even realizing it.
With WannaCry, entire hospitals were paralyzed and taken offline. WannaCry was a worm that spread on its own through an unpatched Windows SMB vulnerability (MS17-010) rather than by someone clicking a link, but the lesson is the same: one unpatched, reachable machine, or one user running something they should not, is all it takes for malware to spread throughout an organization. Nobody involved wanted to hurt the organization or was trying to cause damage, but the damage was done all the same. Another example: many of the major data breaches started with someone receiving an email that they thought came from a customer or their boss; it turned out to be spoofed, and when they opened the attachment it let the adversary into the organization.
While organizations should always be careful of the malicious insider, it is often the accidental insider that causes most of the damage.
It is All About the Data
Both the malicious insider and the accidental insider really highlight the problem with data management and data classification. The fact that an accidental insider clicked on a link and compromised their system is not really the problem. The problem is the damage they can cause, which is driven by the amount of information they have access to.
In the ransomware example, if the compromised user or machine did not have access to the hospital's data stores, or proper network isolation was in place, the adversary would still have gotten in, but the damage would have been greatly reduced. The example also highlights the importance of having proper offline backups so critical data can be recovered in a timely manner.
Insider threat is a huge problem in organizations because it is the most common way an adversary gains access and causes significant damage. However, the real cause of the damage is that organizations are not properly protecting and controlling access to critical information.
Dealing with the Insider Threat
It is important to remember, in dealing with insider threat, that 100% security does not exist if you have any functionality. These efforts will therefore never be perfect, but focusing attention on raising awareness within the organization and minimizing or controlling access can go a long way.
User Awareness – make users aware that they are a target. Many people do not believe they are a target because they think they are not important or critical enough to be targeted. Not only is this false, it is very dangerous, because attackers know this and will purposely target the people who have let their guard down. Anyone who has any access to any information can and will be targeted. All an adversary needs is a pivot point into the organization.
Phishing Campaigns – over the course of most people's careers and lives, they have been programmed to believe that email is trusted and that it is perfectly OK to open attachments and click on links. Even though we tell people that was bad advice and is very dangerous, it takes a while to change habits and undo that programming. Phishing campaigns are therefore a great way to remind people to always be careful and think twice before they click. The problem with phishing campaigns is that they become more of a nuisance to the user: people continue to click on links they should not, and there really are no repercussions. Yes, they might have to take some training or get a nasty email from security, but they still get paid and promoted, so from their perspective there is no real impact. The trick to making phishing campaigns (and really any security effort) effective is to make them a KPI (key performance indicator). A KPI is how your performance is measured and ties into bonuses, promotions and raises. Once you do this, when someone clicks on a link they are not supposed to, it not only directly impacts them, it impacts all of their bosses. All of a sudden, when security starts having a financial impact on individuals, people start to take it seriously.
Marking External Emails – there are many ways that insiders can be targeted, but a very common method is to send an email from outside the company that looks like it came from a co-worker or your boss. The interesting thing is that if the email really were from a co-worker or your boss, it would have originated internally and not come from outside the company. An easy but effective trick, therefore, is to have every email that comes from outside the company get {EXTERNAL} added to the beginning of the subject line. The tag has to be applied by the mail gateway based on where the message actually arrived, not on what the From line claims, because the From line is exactly what is being spoofed. If you regularly receive emails from your boss and today you receive one that is marked {EXTERNAL}, that should be visible and raise some concern. Always remember two things: 1) nothing is foolproof; and 2) employees can bypass any solution.
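As an added illustration (example code, not part of the original post or any product it mentions), here is what that gateway-side tagging looks like in Python using only the standard library. It assumes the organization's own domains are listed in INTERNAL_DOMAINS, that the gateway already knows whether a message came in on its Internet-facing listener (passed in as from_internet), and that the sample "email from the CEO" below is constructed for the demonstration. The From line is deliberately not used to decide whether to tag; it is only used to flag that an external message is impersonating an internal sender.

```python
# Added example: gateway-side {EXTERNAL} tagging for inbound email.
# Assumptions (not from the original post): INTERNAL_DOMAINS holds the
# organisation's own domains, and the caller (the gateway) tells us whether the
# message arrived over the Internet. Nothing inside the message is trusted.
from email import message_from_string, policy
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}   # assumption: the organisation's own domains
TAG = "{EXTERNAL}"


def from_domain(raw: str) -> str:
    """Domain of the (untrusted, spoofable) From: header, lower-cased."""
    msg = message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def subject_of(raw: str) -> str:
    """Subject of a raw message, or '' if it has none."""
    return str(message_from_string(raw, policy=policy.default).get("Subject", ""))


def tag_external(raw: str, from_internet: bool) -> tuple[str, bool]:
    """Prepend TAG to the Subject of any message that arrived over the Internet.

    The decision depends only on where the connection came from, never on the
    From: header, because the From: header is exactly what a spoofed "email
    from your boss" forges. Returns (possibly rewritten message, flag) where the
    flag is True when an external message claims an internal sender address.
    """
    if not from_internet:
        return raw, False                     # internal mail is left untouched
    msg = message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    if not subject.startswith(TAG):           # idempotent: never tag twice
        if "Subject" in msg:
            msg.replace_header("Subject", f"{TAG} {subject}".rstrip())
        else:
            msg["Subject"] = TAG
    impersonation = from_domain(raw) in INTERNAL_DOMAINS
    return msg.as_string(), impersonation


# Constructed sample: a message forged to look like it came from the CEO.
SPOOFED_BOSS = (
    "From: CEO <ceo@example.com>\n"
    "To: finance@example.com\n"
    "Subject: Urgent wire transfer\n"
    "\n"
    "Please process the attached invoice before noon.\n"
)

if __name__ == "__main__":
    tagged, suspicious = tag_external(SPOOFED_BOSS, from_internet=True)
    print(subject_of(tagged), "| impersonating an internal sender:", suspicious)
```

The impersonation flag is the interesting output for the security team: an Internet-originated message whose From address is one of your own domains is either a misconfigured relay or an attack, and either way it deserves a look beyond the tag the user sees.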
(Warning – blocking embedded links and attachments in emails is always highly debated, but should be based on cost benefit analysis – future blogs will cover this in more detail)
Removing Embedded Links – embedded links FROM THE INTERNET are very dangerous. Of course, when I recommend blocking them someone will always find a legitimate reason why they are needed; however, the trick is to look at both sides. If 90% of the time they are bad, what is the better option, and more importantly, what is the cost to the organization of blocking versus not blocking? The problem I find with most organizations is that they never do the analysis. They identify one isolated case in which links are needed and use that to justify allowing all of them. This approach is very dangerous. Carefully look at both sides and find the proper balance of security and functionality. All functionality with no security is dangerous, but all security and no functionality is equally dangerous.
Controlling Attachments – while most of the analysis for removing embedded links applies to email attachments as well, there is some additional analysis. Who decided that email should be a file transfer mechanism? Email was never created or meant to transfer attachments. There are many secure, verified methods for transferring files other than email. Of course, if your business has become dependent on transferring files externally by email, it could take time to transition everyone to a new platform, but before you say no, remember that just because something has always been done a certain way does not make it right, and at some point bad habits need to be changed. If your immediate reaction is to fight this and justify that attachments in email should be allowed, you have probably developed a bad habit without realizing it.
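To make the two preceding points concrete, here is an added example (not from the original post) of the policy a gateway would apply to mail already classified as external: links in the body are defanged so the recipient can still see where the message wanted to send them but cannot click, and attachments are dropped unless their type is on an allow-list. The allow-list, the sample invoice message and the defanging style are assumptions for the demonstration; the allow-list in particular is meant to be the output of the cost-versus-benefit analysis the post asks for, not a recommendation of which types are safe.

```python
# Added example: link defanging and attachment control for external mail.
# Assumptions (not from the original post): ALLOWED_ATTACHMENT_TYPES is the
# result of the organisation's own cost/benefit analysis, and the message
# below is constructed for the demonstration.
import re
from email import message_from_string, policy

# Assumption: PDF survived the analysis; every other attachment type is dropped.
ALLOWED_ATTACHMENT_TYPES = {"application/pdf"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def defang(url: str) -> str:
    """Make a URL visible but unclickable: http://a.b/x -> hxxp://a[.]b/x"""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def apply_external_policy(raw: str) -> tuple[str, dict]:
    """Strip disallowed attachments and defang links in an external message.

    Returns the rewritten message and a report the gateway can log.
    """
    msg = message_from_string(raw, policy=policy.default)
    report = {"links_defanged": 0, "attachments_removed": []}

    if msg.is_multipart():
        kept = []
        for part in msg.get_payload():
            if (part.get_content_disposition() == "attachment"
                    and part.get_content_type() not in ALLOWED_ATTACHMENT_TYPES):
                report["attachments_removed"].append(part.get_filename())
            else:
                kept.append(part)
        msg.set_payload(kept)

    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.is_attachment():
            body = part.get_content()
            new_body, n = URL_RE.subn(lambda m: defang(m.group(0)), body)
            if n:
                part.set_content(new_body)
                report["links_defanged"] += n
    return msg.as_string(), report


def attachment_names(raw: str) -> list[str]:
    """Filenames of the attachments still present in a raw message."""
    msg = message_from_string(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk()
            if p.get_content_disposition() == "attachment"]


def body_text(raw: str) -> str:
    """The text/plain body of a raw message, or '' if there is none."""
    body = message_from_string(raw, policy=policy.default).get_body(("plain",))
    return body.get_content() if body is not None else ""


# Constructed sample: an "invoice" with a payment link, a PDF and a macro document.
EXTERNAL_INVOICE = (
    "From: accounts@supplier.example\n"
    "To: ap@example.com\n"
    "Subject: Invoice 4711\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n'
    "\n"
    "--b1\n"
    'Content-Type: text/plain; charset="us-ascii"\n'
    "\n"
    "Pay at http://pay.supplier.example/invoice/4711 or open the attachment.\n"
    "--b1\n"
    'Content-Type: application/pdf; name="invoice.pdf"\n'
    'Content-Disposition: attachment; filename="invoice.pdf"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    "JVBERi0xLjQK\n"
    "--b1\n"
    'Content-Type: application/octet-stream; name="invoice.docm"\n'
    'Content-Disposition: attachment; filename="invoice.docm"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    "UEsDBBQAAAAIAA==\n"
    "--b1--\n"
)

if __name__ == "__main__":
    cleaned, what_happened = apply_external_policy(EXTERNAL_INVOICE)
    print(what_happened)
    print(body_text(cleaned))
```

Run against the constructed invoice, the report shows one link defanged and invoice.docm removed while invoice.pdf is kept. Matching on the declared content type is the weak point of any such filter: a gateway in production should also inspect the file's actual bytes, since the attacker chooses the Content-Type header.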
Conclusion
The most important thing to remember in cyber security and specifically with regards to the insider threat is that employees can either be part of the problem or part of the solution. Make them part of the solution.
Cyber security can either be a business enabler or a business disabler. Make it an enabler.
Your cyber security can either be offense friendly or defense friendly. It can either help the adversary or help your employees. Always focus on helping your employees and hurting the adversary.