An insider threat is a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization's security practices, data and computer systems. The threat may involve fraud, the theft of confidential or commercially valuable information, the theft of intellectual property, or the sabotage of computer systems.


Overview

Insiders may have accounts giving them legitimate access to computer systems, with this access originally having been given to them to serve in the performance of their duties; these permissions could be abused to harm the organization. Insiders are often familiar with the organization's data and intellectual property as well as the methods that are in place to protect them. This makes it easier for the insider to circumvent any security controls of which they are aware. Physical proximity to data means that the insider does not need to hack into the organizational network through the outer perimeter by traversing firewalls; rather they are in the building already, often with direct access to the organization's internal network. Insider threats are harder to defend against than attacks from outsiders, since the insider already has legitimate access to the organization's information and assets. An insider may attempt to steal property or information for personal gain or to benefit another organization or country. The threat to the organization could also be through malicious software left running on its computer systems by former employees, a so-called logic bomb.
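Because an insider's access is legitimate, the overview's point is that perimeter controls (firewalls) do not help; detection has to correlate what an account does with what the organization knows about its owner. The script below is an added illustration, not code from the article: it joins a constructed audit log with a constructed HR roster and flags the indicators the overview names, namely activity on an account whose owner has already left (the "former employee" case), use of legitimate credentials against data outside the owner's department, and activity outside working hours. All account names, departments, dates and log lines are invented for the example.

```python
# Added example (not from the article): correlate an access log with an HR
# roster to surface insider-threat indicators that a firewall cannot see.
# Every name, date and log line here is constructed for the illustration.
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional


@dataclass(frozen=True)
class Employee:
    user: str
    department: str
    end_date: Optional[date]  # None while still employed


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    action: str
    resource: str  # "<owning department>/<object>"


# Constructed HR roster (hypothetical accounts).
ROSTER = {
    "alice": Employee("alice", "finance", None),
    "bob": Employee("bob", "engineering", date(2024, 3, 31)),  # left on 31 March
    "carol": Employee("carol", "engineering", None),
}

# Constructed audit-log lines: ISO timestamp, account, action, resource.
LOG_LINES = """\
2024-04-02T10:15:00 alice read finance/q1-forecast.xlsx
2024-04-02T23:40:00 bob exec engineering/build-server/cron.d/cleanup
2024-04-03T14:05:00 carol read finance/payroll.csv
2024-04-03T09:00:00 carol read engineering/repo/main
2024-04-03T09:30:00 mallory read engineering/repo/main
"""


def parse_line(line: str) -> AccessEvent:
    """Parse one whitespace-separated log line into an AccessEvent."""
    ts, user, action, resource = line.split(maxsplit=3)
    return AccessEvent(datetime.fromisoformat(ts), user, action, resource)


def classify(ev: AccessEvent, roster: dict) -> list:
    """Return the indicator labels that apply to one event (empty = nothing notable)."""
    emp = roster.get(ev.user)
    if emp is None:
        return ["unknown_account"]  # credentials HR does not know about
    labels = []
    if emp.end_date is not None and ev.ts.date() > emp.end_date:
        labels.append("former_employee_activity")  # account should have been disabled
    if ev.resource.split("/", 1)[0] != emp.department:
        labels.append("cross_department_access")  # valid login, data outside the role
    if ev.ts.weekday() >= 5 or not 8 <= ev.ts.hour < 18:
        labels.append("outside_working_hours")
    return labels


def review_log(lines: str, roster: dict = ROSTER) -> dict:
    """Map each flagged account to its sorted indicators; unflagged events are dropped."""
    findings = {}
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        labels = classify(ev, roster)
        if labels:
            findings.setdefault(ev.user, set()).update(labels)
    return {user: sorted(labels) for user, labels in findings.items()}


if __name__ == "__main__":
    for user, labels in review_log(LOG_LINES).items():
        print(f"{user}: {', '.join(labels)}")
```

The roster join is the part that matters: "bob" logs in with valid credentials and touches only his own department's systems, so nothing in the access path itself is wrong; only the HR end date makes the event notable. Real deployments would replace the constructed roster with an identity-provider or HR export and tune the working-hours window per role.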


Research

Insider threat is an active area of research in academia and government. The CERT Coordination Center at Carnegie Mellon University maintains the CERT Insider Threat Center, which includes a database of more than 850 cases of insider threats, including instances of fraud, theft and sabotage; the database is used for research and analysis. CERT's Insider Threat Team also maintains an informational blog to help organizations and businesses defend themselves against insider crime. The Threat Lab and Defense Personnel and Security Research Center (DOD PERSEREC) has also recently emerged as a national resource within the United States of America. The Threat Lab hosts an annual conference, the SBS Summit, and maintains a website that contains resources from this conference. Complementing these efforts, a companion podcast was created, Voices from the SBS Summit. In 2022, the Threat Lab created an interdisciplinary journal, Counter Insider Threat Research and Practice (CITRAP), which publishes research on insider threat detection.


Findings

According to the UK Information Commissioner's Office, 90% of all breaches reported to it in 2019 were the result of mistakes made by end users, up from 61% and 87% over the previous two years. A 2018 whitepaper reported that 53% of companies surveyed had confirmed insider attacks against their organization in the previous 12 months, with 27% saying insider attacks had become more frequent. A report published in July 2012 on the insider threat in the U.S. financial sector gives some statistics on insider threat incidents: 80% of the malicious acts were committed at work during working hours; 81% of the perpetrators planned their actions beforehand; 33% of the perpetrators were described as "difficult" and 17% as being "disgruntled". The insider was identified in 74% of cases. Financial gain was a motive in 81% of cases, revenge in 23% of cases, and 27% of the people carrying out malicious acts were in financial difficulties at the time. The US Department of Defense Personnel Security Research Center published a report that describes approaches for detecting insider threats. Earlier it published ten case studies of insider attacks by information technology professionals. Cybersecurity experts believe that 38% of negligent insiders are victims of a phishing attack, whereby they receive an email that appears to come from a legitimate source such as a company. These emails normally contain malware in the form of hyperlinks.


Typologies and ontologies

Multiple classification systems and ontologies have been proposed to classify insider threats. Traditional models of insider threat identify three broad categories:

* Malicious insiders, who take advantage of their access to inflict harm on an organization;
* Negligent insiders, who make errors and disregard policies, placing their organizations at risk; and
* Infiltrators, external actors who obtain legitimate access credentials without authorization.


Criticisms

Insider threat research has been criticized:

* Critics have argued that insider threat is a poorly defined concept.
* Forensically investigating insider data theft is notoriously difficult, and requires novel techniques such as stochastic forensics.
* Data supporting insider threat is generally proprietary (i.e., encrypted data).
* Theoretical/conceptual models of insider threat are often based on loose interpretations of research in the behavioral and social sciences, using "deductive principles and intuitions of subject matter expert."

Adopting sociotechnical approaches, researchers have also argued for the need to consider insider threat from the perspective of a social system. Schoenherr has gone on to argue that "surveillance requires an understanding of how sanctioning systems are framed, how employees will respond to surveillance, what workplace norms are deemed relevant, and what ‘deviance’ means, e.g., deviation for a justified organization norm or failure to conform to an organizational norm that conflicts with general social values." By treating all employees as potential insider threats, organizations might create the very conditions that produce insider threats.


See also

* Computer security
* Mole (espionage)
* Naval Criminal Investigative Service
* Threat (computer)
* Confidence trick
* Graft (politics)
* Shrinkage (accounting)



External links

* What do insider threats look like this decade? (ShadowSight)
* Naval Espionage - Stopping a Dangerous Insider Threat (FBI)
* Ponemon Institute Cost of an Insider Threat Report
* 2020 Insider Threat Report - Gurucul