
Insider Threats

Nov 29, 2019 | BLOG

Imagine yourself in a dining room at your company with colleagues and friends enjoying a meal. Suddenly, the lights flash and everyone’s belongings mysteriously disappear. The only suspects are those in the environment, including you. But how to find the culprit?

As much as the introduction of this text sounds a bit dramatic and the plot seems taken from an Agatha Christie book or a Sherlock Holmes tale, the feeling of having a threat within the company is very similar. An insider attack happens when least expected, while everyone involved in that compromised environment goes from innocent workers to suspects in a moment, and identifying the culprit is a difficult task. 

These insider threats can be represented by careless or inexperienced employees, unhappy employees, third parties, partners, and undercover spies, or any inside component that exploits or intends to exploit their legitimate access to assets with the intention of doing something unauthorized.

According to a study by Verizon (2019), 57% of information leaks involve insider threats, and 15% of leaks are a consequence of misuse of privileges.  

As with detective cases, in which a thief or a neighbor who does not live in the house is the main suspect in crimes, many companies focus on threats outside the organization, such as hacking and malware, while a dishonest employee may be working among others for a long time without being identified, stealing information and damaging business. 

By having legitimate access and often unrestricted permission, these inside agents, whether malicious or not, are able to cause incidents within the organization without drawing attention, as they somehow are trusted by others while doing their jobs. 

Disclosing sensitive information, facilitating third-party access, and breaking down equipment that is vital to a system are some of the incidents these bad employees may cause. Immature inside agents who lack knowledge about the company and its processes are insider threats too, as they can cause errors such as deleting important information or downloading infected files simply because they are unprepared. 

Who are the suspects?

These insider threats can come from registered employees, contractors, and even partners or third parties who have access to the system: 

  • Registered Employees: they are above suspicion, are considered part of the organization and are the last to be suspected.  
  • Contractors: Contractors’ skills are underestimated, and they can take advantage of their access.  
  • Partners and third parties: They are always under contracts, and because of that, they are granted access with high privileges, so the contract offers false security for the company.  

Former employees are also a threat. According to Deloitte (2016), 59% of employees who leave a company, voluntarily or involuntarily, take data with them.

But what are the motivations?

In most cases, what motivates these malicious inside agents to cause an incident are financial and ideological issues, as well as the desire for recognition, loyalty to family, friends or country, and even revenge. In its research, Verizon (2019) adds fun, fear, and convenience to the list of motivations. 

Regardless of the motivations, malicious inside agents seek to leak confidential data and disrupt processes, as these are the events that can most harm an organization (CNPI, 2013). This fact is clearly supported by cases made public in the media, such as: 

  1. Edward Snowden Case: Snowden leaked nearly two million NSA files in 2013.
  2. Ricky Mitchell: After finding out that he would be fired, he restarted EnerVest’s servers to factory settings and discontinued operations for a month.
  3. Zhangyi Liu: Chinese programmer working for Litton/PRC Inc. who accessed confidential Air Force data. The contractor copied credential passwords that were allowed to create, change, and delete any file on the network, and posted them on the Internet. 
  4. Christopher Grupe: After being fired from the Canadian Pacific Railway, he accessed the system again to delete files and change passwords, preventing administrators from authenticating themselves.
  5. Paige Thompson: Former software engineer at Amazon Web Services, she accessed credit card information of more than 100 million Capital One customers. The configuration of Amazon's cloud environment was not secure. Paige was aware of this misconfiguration and abused her privileges to access data and share her methods in online chats.

Preventing an inside agent from stealing information may be more difficult than preventing an outside agent from gaining access to assets, as insiders have unrestricted access to endpoints and the network, and these are precisely the means used to carry out attacks on an organization. 

Other assets used to cause incidents internally are BYOD devices, which are increasingly accepted within companies today, even though their use is often uncontrolled. 

Through these assets, attackers reach their real targets – databases and file servers, as these keep the most valuable information for both inside and outside attackers, such as customer data, financial data, intellectual property, and privileged account data (credentials and passwords, for example). 

This type of attack increases due to insufficient strategies or solutions to protect data, as well as a lack of training, employee expertise, and risk awareness at the administrative level of the organization. 

What should be done to avoid it?

Of course, this type of attack is the hardest to predict and prevent. These are malicious agents who may be working by your side right now. 

However, some steps can be taken to make it more difficult for a new insider attack to happen:

  • Checking employee background before hiring.
  • Applying mandatory vacations and job rotation.
  • Monitoring employee behavior.
  • Educating and training employees.
  • Controlling third-party access.
  • Encouraging employees to report abnormal activities and strange behaviors by their colleagues whenever they notice them.

In another study, by Haystax (2017), 60% of organizations said that IT privileged users/administrators pose the highest risk. They have broad permissions within a system to execute an unlimited range of commands and view a large amount of information.

Privileged users are like stewards in suspense stories. They are the ones who have unrestricted access to various rooms in the house, perform important tasks and are extremely trustworthy to members of the house, so it is no surprise when they are revealed as the guilty ones. 

Even with the risk this type of user poses, they are necessary for the system. So, how to control them? 

Privileged Access Management, or simply PAM, is the set of technology and processes that controls privileged access, stores all access records for auditing purposes, and analyzes the actions taken by users in real time, generating alerts about unusual activities. Using this technology can make the identification and mitigation of insider attacks much faster and more efficient. 
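To make the three PAM functions named above concrete (granular access control, an audit trail of every privileged action, and real-time analysis that raises alerts), here is a small model of such a gatekeeper. It is an added illustration written for this post, not senhasegura's code or any vendor's product logic; the users, hosts, policy table, sensitive-command list and the day of activity it replays are all constructed sample data.

```python
"""Toy model of a PAM gatekeeper: policy check, audit record, real-time analysis.

Constructed example for illustration only; the policy, users, hosts and
commands below are invented sample data, not a real deployment.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Granular policy: (user, target host, privileged account) -> permitted hours.
# Constructed sample; a real PAM would load this from its policy store.
POLICY = {
    ("alice", "db-prod-01", "dba"): range(8, 19),
    ("alice", "db-prod-02", "dba"): range(8, 19),
    ("bob", "file-srv-02", "root"): range(8, 19),
}

# Command fragments whose blast radius always warrants an alert (constructed list).
SENSITIVE = ("rm -rf", "drop table", "passwd", "shutdown")


@dataclass
class AuditRecord:
    """One line of the audit trail: every request is recorded, allowed or not."""
    ts: datetime
    user: str
    target: str
    account: str
    command: str
    allowed: bool


@dataclass
class PAM:
    audit: list = field(default_factory=list)    # complete record for auditors
    alerts: list = field(default_factory=list)   # real-time findings
    # Behavioural baseline: which (target, account) pairs each user has used before.
    baseline: dict = field(default_factory=lambda: defaultdict(Counter))

    def request(self, ts, user, target, account, command):
        """Gate one privileged command: enforce policy, record it, analyse it."""
        hours = POLICY.get((user, target, account))
        allowed = hours is not None and ts.hour in hours
        self.audit.append(AuditRecord(ts, user, target, account, command, allowed))
        if not allowed:
            # No policy entry, or outside the permitted window: deny and alert.
            self.alerts.append(
                f"DENIED {user} -> {account}@{target} at {ts:%H:%M}: {command!r}")
            return False
        self._analyze(ts, user, target, account, command)
        self.baseline[user][(target, account)] += 1
        return True

    def _analyze(self, ts, user, target, account, command):
        # 1. A high-impact command on an allowed session still deserves eyes on it.
        if any(s in command.lower() for s in SENSITIVE):
            self.alerts.append(f"SENSITIVE {user} ran {command!r} on {account}@{target}")
        # 2. First use of a target/account pair this user has never touched before
        #    (only meaningful once the user has some history to compare against).
        if self.baseline[user] and (target, account) not in self.baseline[user]:
            self.alerts.append(f"NEW-TARGET {user} first use of {account}@{target}")


def run_sample():
    """Replay a constructed day of privileged activity through the model."""
    pam = PAM()
    events = [
        (datetime(2019, 11, 29, 9, 5), "alice", "db-prod-01", "dba", "select count(*) from orders"),
        (datetime(2019, 11, 29, 9, 7), "alice", "db-prod-01", "dba", "select * from customers limit 10"),
        (datetime(2019, 11, 29, 10, 0), "bob", "file-srv-02", "root", "tar czf /backup/home.tgz /home"),
        # allowed by policy, but a new target for alice and a destructive command
        (datetime(2019, 11, 29, 14, 30), "alice", "db-prod-02", "dba", "drop table audit_log"),
        # outside permitted hours: denied
        (datetime(2019, 11, 29, 23, 40), "bob", "file-srv-02", "root", "rm -rf /srv/share"),
        # no policy entry at all: denied
        (datetime(2019, 11, 29, 11, 0), "carol", "db-prod-01", "dba", "select 1"),
    ]
    for ev in events:
        pam.request(*ev)
    return pam


if __name__ == "__main__":
    result = run_sample()
    for rec in result.audit:
        print(f"{rec.ts:%H:%M} {rec.user:6} {rec.account}@{rec.target:12} allowed={rec.allowed}")
    print("alerts:")
    for a in result.alerts:
        print(" ", a)
```

The point the replay makes is that the audit trail and the alerts are different things: all six requests are recorded, but only the two denials and the one session that deviates from alice's own history produce alerts, which is what lets an analyst spot the kind of privileged misuse described in this post without reading every session.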

senhasegura is a PAM solution that has granular access controls, credential management, detailed logging and session recording, and the ability to analyze user behavior. Request a demo now and discover hands-on the benefits of senhasegura to limit the damage caused by insider threats. 
