Understanding the various levels of insider threat can assist companies in their efforts to implement the proper security controls within the organization. There are four levels of insider threat, and they all depend upon the levels of access someone has to the information within your organization.
In this week’s blog on insider threat we will learn about two of these threat levels—pure insider threat and insider associate. In next week’s blog, we will learn about the two other levels—insider affiliate and outside affiliate.
Pure Insider Threat
The first level of insider threat is the pure insider, which is an employee who has all the rights and access associated with being an employee. This employee usually has keys or a badge that allow them into the organization and user IDs and passwords that allow them access to the company’s network. This is known as authorized ‘privileged’ access. The pure insider is the most dangerous type as they can cause the most damage to the organization based on their access.
There is an even more dangerous level of pure insider: the elevated pure insider. This person is considered ‘elevated’ because they have additional privileges to access the company’s systems. This category includes people such as system administrators, who have root or administrator access on the network. They have and maintain this additional access in order to do their jobs. The problem is that in many cases they are given too much access, more than they actually need to conduct their duties.
When trying to detect and mitigate the pure insider threat, there are three things to consider:
1. One solution to the pure insider threat is the principle of least privilege, which means giving the pure insider access to only the information needed to do their job.
2. A second solution is to monitor employee behavior. Based on my years as an investigator of insider threat, I can assure you that in almost every case there was some behavioral change that, if noticed, could have tipped off the organization to the insider threat. If a certain employee has been complaining about financial challenges and a few months later is driving a new Mercedes, you may want to pay closer attention. The person either inherited money, won the lottery, or could be selling your secrets.
3. The third factor, money, builds on the example in solution 2. Many people who perpetrate insider threat crimes have financial problems. An average employee would not commit an insider threat crime, but if you add in stress from financial issues and someone offers enough money, there is a chance that the person may be tempted.
Insider Associate
Insider associates are people such as contractors, the cleaning crew, or security guards who have limited authorized access to your facility or network. They are not company employees and don’t need full access to your network. While these people do not have full access to the company’s network, they often have limited access that brings them into contact with important company information. Many of them have access to your facility at night and could read, or worse copy, sensitive information that employees often leave out on their desks or on unlocked computers. Even if you leave this information on your desk and then lock your door, security guards and the cleaning crew often have a master key that will get them through most locked doors. Employees have to remember that other people can gain access to their offices and, therefore, sensitive information should always be secured.
In order to minimize the damage that could be caused by an insider associate, companies need to increase user awareness and control access to information. Raising awareness will help change behavior, and controlling access will prevent unauthorized people from obtaining the data.
Read next week’s blog to find out about the other two categories of insider threat facing us today—insider affiliate and outside affiliate.
Cole, E., and Ring, S. (2006). Insider threat, protecting the enterprise from sabotage, spying and theft. Rockland: Syngress.