Blog Archives

Insider Threat Research

You’ve read the reports, seen the stats, and probably heard the hype: XX% of security breaches are caused by insider threats.

Insider threat boils down to a problem of trust. Employees are implicitly trusted, in most organizations, to perform the duties they are assigned, in the manner they were instructed. The consequence for not doing so is, theoretically, termination, which happens to be one of the more prevalent triggers of insider incidents according to several sources. The Insider Threat Study research concluded:

[I]nsider attacks have occurred across all organizational sectors, often causing significant damage to the affected organizations. These acts have ranged from low-tech attacks, such as fraud or theft of proprietary information, to technically sophisticated crimes that sabotage the organization’s data, systems, or network. Damages are not only financial; widespread public reporting of the event can also severely damage the organization’s reputation.

I would argue that insiders have ALWAYS been more likely to create, cause, or influence a security incident than outsiders, by a comfortable majority. The reasoning is that back in the “good ole days”, when 56K frame relay lines tied offices to branch offices and the Internet was just catching on, most security incidents occurred because someone brought in an infected floppy disk from home or took home a zip drive full of company information. It was practically impossible, short of a physical break-in, for most organizations to face an outsider security threat. There was no email server to send spam to or Internet-facing web server to hijack, and there certainly wasn’t some outsourcing effort in India to be concerned with.

CERT has an entire section devoted to understanding insider threats, from the behavioral aspects to the implications for various industries, obtained through joint research with the US Secret Service. They also clarified what “insider” means for purposes of their research and case investigations:

The definition of an insider for this study includes current, former, or contract employees of an organization. USSS NTAC

Their research suggests that most insider incidents were carried out by less technical personnel; it wasn’t always an administrator-level individual. The research also suggests that most of the insider incidents “did not rely on extremely sophisticated attacks”. This might be comforting to companies with multiple highly talented network, system, or security administrators who have detailed knowledge of key systems. There are a number of websites that discuss prevention and detection methods for dealing with and responding to insider threats and incidents, in addition to the CERT/USSS research:

It is also important to note that this threat is not limited to organizations but extends to government agencies as well. Here is an interesting article I came across, entitled Losing Secrets, that emphasises the relevance of insider threats to national security.