The Worst Insider Threat

Which is worse, the intentional insider threat, or the unintentional?

There are two types of insider threats: the intentional and the unintentional. The intentional is your disgruntled employee: he or she is the one who was fired or neglected for a raise or promotion. Worse yet, this could be someone who is just malicious for no reason. They could be driven by pride or money. These are your Judas Iscariots. Before he was a “disgruntled employee” who betrayed his Master, he was a thief stealing from the innocent (John 12:6). On the other hand, the unintentional has no nefarious goal, but rather is careless or accidentally commits an act that causes some manner of breach.

So, which is worse?

Some argue that the malicious insider is the worse threat. I used to think this. The one aiming at a target with a bow and arrow is more likely to hit the bull’s eye than someone who is shooting at random. This logic is flawed, however.

A malicious outsider, through social engineering, can elicit information from an innocent yet careless person. A phishing expedition could send an official-looking email to the insider. An outsider can also befriend an insider to get information over a period of time. A fake IT specialist calls the ignorant user to “help” him or her and successfully secures his or her password for nefarious purposes.

The unintentional insider could also accidentally release official, private information to the wrong recipient. A government, company, or organization could also release information on a public website intentionally, not thinking there could be any breach as a result.

How about a CD or thumb drive left out by a malicious person? The unintentional insider could plug it into his or her system, and the computer is infected. Your air-gapped system might be safe from networked attacks, but the unlearned innocent user can take it down with such a device!

The unintentional insider may also be a savvy, cybersecurity-astute individual. Such an individual with a heavy workload, stress, or fatigue could also fall victim to social engineering if he or she does not remain vigilant.

Software development teams could also create backdoors in their software, only to forget to remove them. The malicious user could discover the vulnerability and compromise the system.

Given these cases, we can see that the unintentional insider is the greater threat. If we return to our bull’s eye analogy, though the unintentional insider is not focused on the target, the malicious outsider is focused on the target. The nefarious take months or years planning on how to get the prize, be it financial reward, personally identifiable information (PII), protected health information (PHI), or notoriety as a hacker.

How can we stop the unintentional insider?

First, education is important. This means regular training opportunities, including yearly formal sessions, in any organization. Regular updates on lessons learned from real-life scenarios should be sent to an organization’s users to help them visualize how they can stop breaches and the consequences thereof.

Second, precautionary measures could be taken. If a computer or system does not need to use USB drives, why allow them at all? Disabling USB ports and CD drives when possible can help.

Third, have policies in place. Even if an unintentional insider falls prey to a malicious actor, there should be consequences. This causes vigilance automatically. The user must begin to think that his or her actions not only affect the organization at large, but also him or her personally.

Fourth, penetration testing teams should be testing any software created. This team must be distinct from the development team. If “temporary” backdoors were created by developers, the testing team could find them and save the company from a breach.

Fifth, do you really need to put all that information on your organization’s website? An enemy can aggregate the information from many sources, including your own web presence, and create a profile to compromise your organization’s assets.
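For the second measure above (not allowing USB drives and CD drives where they are not needed), the following is an added example, not part of the original post: a Python check, assuming Linux hosts that control driver loading through modprobe configuration files, that tells a `blacklist`-only setting apart from one that actually blocks the driver. The sample file contents and the function names are constructed for illustration.

```python
from pathlib import Path

# Constructed sample files, standing in for /etc/modprobe.d/*.conf on a Linux host.
SAMPLE_WEAK = {"usb.conf": "# removable media policy\nblacklist usb-storage\n"}
SAMPLE_STRONG = {
    "usb.conf": "blacklist usb-storage\ninstall usb_storage /bin/false\n",
    "cd.conf": "install sr_mod /bin/false\n",  # sr_mod: SCSI CD-ROM driver
}

def _norm(name):
    # modprobe treats '-' and '_' in module names as interchangeable
    return name.replace("-", "_")

def audit(files, module):
    """Classify how `module` is restricted by modprobe-style config text.

    files: mapping of file name -> file content.
    Returns 'blocked', 'autoload-only' or 'allowed'.
    """
    blacklisted = install_blocked = False
    for _name, text in sorted(files.items()):
        for raw in text.splitlines():
            parts = raw.split()
            if len(parts) < 2 or parts[0].startswith("#"):
                continue  # blank, incomplete or commented-out line
            if _norm(parts[1]) != _norm(module):
                continue
            if parts[0] == "blacklist":
                blacklisted = True
            elif parts[0] == "install" and len(parts) >= 3:
                # An install rule makes a plain `modprobe <module>` run this
                # command instead of loading the driver.
                if parts[2].rsplit("/", 1)[-1] in ("true", "false"):
                    install_blocked = True
    if install_blocked:
        return "blocked"
    # 'blacklist' alone only stops automatic loading through aliases; an
    # explicit `modprobe usb-storage` still loads the driver.
    return "autoload-only" if blacklisted else "allowed"

def audit_dir(conf_dir, module):
    """Run audit() over the *.conf files in a directory such as /etc/modprobe.d."""
    files = {p.name: p.read_text() for p in Path(conf_dir).glob("*.conf")}
    return audit(files, module)

if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_WEAK), ("strong", SAMPLE_STRONG)):
        print(label, {m: audit(sample, m) for m in ("usb-storage", "sr_mod")})
```

The check reads configuration only; a driver that was already loaded before the rule was added stays loaded until it is removed or the machine reboots.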

The Bible tells us to “be sober, be vigilant; because your adversary the devil, as a roaring lion, walketh about, seeking whom he may devour” (1 Peter 5:8). There is an enemy out there, and he can overcome the weak and anyone who lets his or her guard down.