This post is a continuation of our previous discussion on tackling insider threats from within. If you haven't read it yet, you can find it here. In that post, we delved into the nuances of insider threats and their impact on organizational security.
In this post, I want to discuss some stats and realities about insider threats that organizations often overlook or ignore. Insider threats are some of the hardest challenges anyone can face, because after all, the threat is people we know, trust and have personally vetted.
Stats and Case Studies
According to the 2023 Insider Threat Report by Cybersecurity Insiders, 74% of organizations feel at least moderately vulnerable to insider threats. This heightened vulnerability is reflected in the rising costs associated with these incidents, which average $15.38 million per incident in 2023, including costs related to tarnished reputations, legal expenses, and data losses (The Tech Report) (Security Boulevard).
The Ponemon Institute's studies reveal a stark increase in the frequency of insider attacks, which surged by 44% from 2020 to 2022. This escalation is attributed to factors like the boom in cloud computing, the proliferation of mobile devices, and the widespread use of social media platforms (PrivacySavvy). Notably, a significant portion of insider threat incidents results from employee negligence, which accounts for over two-thirds of these incidents. Simple errors such as sending sensitive data to the wrong recipient or misconfiguring security settings can have severe repercussions (Security Boulevard) (Ekran System).
The increasing frequency of insider threats is evident, with many organizations experiencing between 21 and 40 incidents annually. The complexity of detecting and mitigating these threats is compounded by insiders' legitimate access to critical systems, the use of personal devices, and the widespread adoption of SaaS applications (PrivacySavvy) (ASIS International). This growing trend underscores the need for organizations to continuously enhance their insider threat detection and prevention strategies.
Case Study 1: Edward Snowden and the NSA
One of the most infamous cases of insider threats involves Edward Snowden, a former National Security Agency (NSA) contractor. In 2013, Snowden used his authorized access to gather and leak a vast amount of classified information. While primarily a digital breach, Snowden's case underscores the potential for insiders to misuse physical access to sensitive environments, such as secure government facilities.
Case Study 2: Reality Winner and the NSA Document Leak
Reality Winner, a former NSA contractor, was sentenced to prison in 2018 for leaking a classified intelligence report on Russian interference in the 2016 U.S. elections. Winner smuggled the document out of a secure facility and mailed it to a news outlet.
Case Study 3: TDC, Ericsson, and Huawei in Denmark
A significant insider threat incident occurred in Denmark involving TDC, the largest telecommunications company in the country. Several employees were found to have leaked sensitive information about TDC's operations and strategies to competitors Ericsson and Huawei. This insider breach compromised TDC's competitive edge and exposed critical business information.
Case Study 4: The UBS PaineWebber Sabotage
In 2002, Roger Duronio, a disgruntled UBS PaineWebber employee, planted a malicious logic bomb within the company's network after becoming dissatisfied with his job. The bomb caused significant disruptions and financial losses.
Case Study 5: Tesla's Insider Sabotage Incident
In 2020, Tesla faced an insider threat when an employee was caught attempting to sabotage the company's manufacturing operations. The employee made unauthorized changes to Tesla's Manufacturing Operating System and shared sensitive information with outsiders.
The Fiduciary Mandate
Those at the top of an organization have an obligation to do everything within reason to prevent anything from catastrophically compromising their business. This is why they spend millions of dollars on software, salaries and technologies to prevent cyber attacks, and why those defenses are updated regularly.
But when it comes to physical security, we are still using the mindset of “we have alarms and cameras”, which is similar to saying “our cyber security doesn’t need updating because we have firewalls and antivirus”.
The Flat Security Network Dilemma
In many organizations, physical security operates on what can be termed a flat security network. This means that once someone gains entry to a building, their access to various parts of the facility is relatively unrestricted. For instance, a low-level employee or even a contractor with basic access can potentially wander into sensitive areas without much resistance. This lack of tiered security creates a scenario where the physical boundaries that should protect critical assets are alarmingly porous.
I have broken into many facilities over the last 20 years and the concept of front-heavy security is real at every level and in every country. Once someone gets beyond the security checkpoints, everyone assumes they have authorization to be there and no longer questions their presence.
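One defensive counterpart to the flat network problem is to treat badge-reader logs as a zone hierarchy and flag entries that skipped the enclosing zone's checkpoint. The following is an added example, not code from the original post; the zone layout, clearances, log format and log lines are all constructed for illustration.

```python
# Audit badge-reader logs for "flat network" movement. Added example with
# constructed zones, clearances and log lines.
ZONE_PARENT = {"lobby": None, "office": "lobby", "server_room": "office"}
CLEARANCE = {
    "B100": {"lobby", "office", "server_room"},
    "B200": {"lobby", "office"},
    "B300": {"lobby"},
}
# Log format: "<epoch> <badge> <zone> <in|out>" (constructed sample).
LOG = """\
1000 B100 lobby in
1010 B100 office in
1020 B100 server_room in
1030 B200 office in
1040 B200 server_room in
1050 B300 lobby in
1060 B300 office in
"""

def audit(lines):
    """Return (ts, badge, zone, reason) for each suspicious entry event.

    Two checks per "in" event: the badge is cleared for the zone, and the
    enclosing zone was badged into first. A missing parent entry means the
    person was waved through or tailgated past the outer checkpoint, which
    is exactly the flat-network gap described above.
    """
    inside = {}  # badge -> zones badged into and not yet left
    findings = []
    for line in lines:
        ts, badge, zone, action = line.split()
        zones = inside.setdefault(badge, set())
        if action == "out":
            zones.discard(zone)
            continue
        if zone not in CLEARANCE.get(badge, set()):
            findings.append((int(ts), badge, zone, "no clearance"))
        parent = ZONE_PARENT[zone]
        if parent is not None and parent not in zones:
            findings.append((int(ts), badge, zone, f"no badge-in to {parent}"))
        zones.add(zone)
    return findings
```

Running `audit(LOG.splitlines())` on the sample reports B200 entering the office with no lobby badge-in (tailgating), B200 entering the server room without clearance, and B300 entering the office without clearance; B100's nested path produces nothing.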
The Multi-Faceted Risks of Physical Security Breaches
The pushback I often get regarding physical security is something like:
“Our physical security is fine because only XXX has access to the server room.”
Firstly, this has usually never been tested to determine whether someone can actually breach the server room. Secondly, unlike cyber security, physical security risks encompass a broader and potentially more damaging range of threats. These risks are not limited to the stereotypical image of an intruder trying to access a server room. The reality is far more complex and includes:
Eavesdropping and Surveillance: An insider with basic access could install listening devices in a corporate boardroom. These bugs can capture confidential conversations, strategic plans, and other sensitive information that could be invaluable to competitors or malicious actors.
Theft of Sensitive Documents: Many organizations still rely on physical documents for critical operations. An insider could easily access filing cabinets or desks to steal proprietary information, financial records, or personal data, often without needing high-level clearance.
Sabotage and Vandalism: Physical access allows an insider to tamper with equipment, damage property, or disrupt operations. This type of threat can lead to significant financial losses and operational downtime.
Social Engineering: Insiders with low-level access can facilitate more significant breaches through social engineering tactics. They can impersonate higher-level employees, manipulate security protocols, or collude with external actors to orchestrate complex security breaches.
What Could an Insider Threat Do to Your Organization?
Have you ever considered what might happen if an employee decided to harm your organization? What if someone on the inside, motivated by financial gain, personal grievances, or coercion by external actors, turned against you? A malicious insider could steal confidential data, including intellectual property, financial records, customer information, or strategic plans. How would your organization handle the fallout if this information was sold to competitors or leaked publicly, causing significant reputational and financial damage? Beyond theft, imagine the chaos an insider could cause by tampering with equipment, introducing malicious software, or deliberately causing system failures, leading to operational downtime and damage to critical infrastructure.
What if an insider decided to gather unauthorized surveillance? Could they place hidden cameras or listening devices in your boardrooms, capturing confidential information from meetings and private conversations? How damaging would it be if this data were used for corporate espionage or other malicious purposes? Physical theft or vandalism is another potential risk. Do you have measures in place to prevent an insider with access to physical premises from stealing valuable assets or equipment, or engaging in acts of vandalism that damage property and disrupt normal business functions? Additionally, could your organization detect if an insider was facilitating external attacks, providing entry points for cyber attackers, or collaborating with external entities to orchestrate complex breaches?
And this hasn’t even started the ransomware discussion. An employee with access can bypass all cyber security protections and has the ability to inject ransomware directly into the parts of the network where it will do the most damage.
Conclusion
Have you ever considered the risk of insider threats to your organization? If so, what protections have you put in place to prevent or resolve them? Unfortunately, most organizations have done neither, and as such they are effectively at the mercy of their employees and anyone else who has physical access.
Training Resources:
For individuals looking for hands-on training that includes all of the above topics, Covert Access Team (covertaccessteam.com) provides training courses focused on physical penetration testing, lockpicking, bypassing techniques, social engineering and other essential skills.
Covert Access Training - 5 day hands-on course designed to train individuals and groups to become Covert Entry Specialists
Physical Audit Training - 2 day course on how to setup and run a physical security audit
Elicitation Toolbox Course - 2 day course that primarily focuses on elicitation and social engineering as critical aspects of Black Teaming
Counter Elicitation - 2 day course on how to recognize and prevent elicitation attempts, and safeguard your secrets.
Cyber Bootcamp for Black Teams - 2 day course designed explicitly for physical penetration testers who need vital cyber skills to add to their toolbox.
Private Instruction - Focused learning & training based on your needs.