Your people are your biggest asset, but also your biggest risk. Do you have the ability to detect, investigate, and prevent a costly insider threat incident, or know how to recognize one when it occurs?
The Insider Threat Level series is here to keep you up to speed on the numerous examples of insider threat incidents, trends, and best practices caught in the news, so you can be better prepared for anything coming your way.
If you missed the last Insider Threat Level news recap, we covered: mental health and insider threats, the data leaks at Tesla, how to build an insider threat Dream Team, and the pains associated with human error in cybersecurity.
This week, we’re taking a look at: Amazon’s data leak investigations, why insider threats are blamed for U.K.-based university incidents, productivity as an excuse for bypassing cybersecurity policy, industrial sector network threats, and a criminal conviction related to an insider threat incident.
What are you waiting for? It’s time to find out…
Amazon Data Leak Investigations a Prime Example of Financially Motivated Insider Threats
According to a report by The Wall Street Journal, Amazon employees in China and other nations are being accused of receiving personal payments for misusing proprietary Amazon systems and data. The report also states that these acts go against Amazon’s own cybersecurity and use policies. As such, the company is conducting an in-depth investigation into the nature of these insider threat-based incidents and working to stop them.
What is particularly interesting about this report is that Amazon understands that this is not one isolated incident of system and data misuse from within its ranks, but a regular and ongoing practice. So why has it taken so long to obtain the visibility they need to detect an insider threat problem and kick off investigations?
It has become common knowledge that the longer a potential insider threat incident takes to be detected, and then responded to, the more extensive (and costly) the damage can be.
Our take? It is possible that the teams at Amazon were unaware of the extent of the problem, and when they were made aware through internal reporting of suspicious or risky activities, they didn’t have the evidence that they needed to take appropriate action – and quickly.
U.K. University Students and Staff Blamed for Majority of Cyberattacks
Source: SC Magazine
A report released by a government-funded agency in the U.K. found that out of the 850 reported cyber-attacks that took place between 2017 and 2018, a majority took place during the school year. These attacks were also found to be primarily sustained attacks on the network, not ones that targeted individual users’ systems through phishing, ransomware or malware attacks.
The indication: students and faculty may be the main perpetrators of these attacks.
The data that was released suggested that attacks took place during the school year, during regular working hours, and were absent during holiday seasons. It seems appropriate to consider that students and faculty may be partly responsible, but there is also a key piece of logic missing: if students and faculty are not present, it may be difficult to obscure the origin of an attack. In other words, there is more anonymity in a crowd.
If this agency, or the universities in question, want to know more about what is taking place in and around their networks, enhancing visibility into potential insider threat user activity is key. The trick is making sure that it is part of a comprehensive and holistic strategy that balances the needs of people, process, and technology, and is built on a culture of trust across the board.
Productivity No Excuse for Potential Insider Threats Bypassing Cybersecurity Policy
Source: The Register
Many accidental or negligent insider threat incidents occur due to a laissez-faire attitude regarding organizational cybersecurity policies, according to a story published by The Register.
They state that “People, under pressure to be productive, rarely view themselves as ‘threats’ to the organisation when they actively circumvent security policies, but probably think they’re taking the initiative.” This is particularly interesting when combined with the cited Ponemon Institute “Cost of Insider Threats” study data, which suggests that employee or contractor negligence is more expensive than credential theft on an annual basis.
The article likens the attitude that potential insider threats (employees, third-party contractors) have towards following cybersecurity best practices themselves to motorists breaking the speed limit despite knowing that the limit itself is a good idea.
While a very good breakdown, it doesn’t quite have the punchiness that it should to be most effective. So we’ll say it: people who think they’re above the law often break the law, particularly with cybersecurity best practices.
The only way to prevent this attitude may be to obtain visibility into user activity that can hold people accountable for their actions, while establishing a culture of trust that encourages good behavior.
Insider Threats Named in Top 5 Security Issues for Industrial Networks
Source: Dark Reading
Dark Reading recently shared their “Top 5 Security Threats & Mitigations for Industrial Networks,” which listed the potential for insider threats as number five.
They state that malicious insider threats, particularly disgruntled employees or those seeking financial gain (à la the Amazon incidents), are of particular note due to the nature of the work performed. It was suggested that regular risk assessments, as well as monitoring of attack vectors, may be the best way to minimize the potential for an incident to occur.
It’s great to see that different sectors like the industrial sector are taking note of the high cost and risk potential of insider threat incidents. You can only know what you know, and it can be difficult to know what your employees and third-party contractors are doing without visibility into user and file activity. This visibility should also deliver actionable insights into potentially risky activity, and historical data points for context.
Insider Threat Incident Perpetrator Convicted of Sabotage
A U.S. Army contractor was convicted of having perpetrated an insider threat-based incident in late 2014 through the use of a “Logic Bomb,” and has been sentenced to 24 months in prison, 3 years of supervised release, and a fine of $1.5 million in restitution.
The possibility of an insider threat incident occurring isn’t limited to just commercial organizations, despite the frequent high-profile coverage of such incidents. Misuse of system and file access can happen anytime and anyplace by employees or third-party contractors, and the effects can be far-reaching.
Do You Have a Hot Take of Your Own?
Did you find this insider threat news recap particularly interesting? Want to see additional coverage? Let us know by tweeting @ObserveIT.