If you work in security or are just interested in the general area of cybersecurity you will no doubt have heard of the dreaded insider threat. In the context of cybersecurity threats, the word “insider” covers a spectrum of people, from a simple accident that leads to data exposure to a state-employed spy who steals corporate secrets.
Insider threats are a special kind of cybersecurity issue as they can be the most difficult to detect. The figures and the level of attacks over recent years show how true this is.
The National Insider Threat Awareness Month (NIATM), which happens during September, has been designed to help raise awareness of insider threats. As part of NIATM, this post will look at some of the shocking levels of insider threats that industry has to deal with and some of the real-life stories behind them.
Figures that reveal the level and breadth of insider threat
An insider threat is multi-faceted, affecting the entire ecosystem of work, employees and non-employees. As more of us join the remote working revolution, it is also likely that accidental or non-malicious insider-based threats will continue to compound the problem.
Insider threats are complicated in their sensitivity and detection. They can stem from several sources such as simple mistakes in configuring a database securely to sharing passwords with colleagues to malicious and proactive theft and attacks on IT resources and information. But pointing the finger at a workmate requires evidence, and this evidence can be difficult to find without the correct tools and analysis.
The figures for insider threats speak for themselves. Here are some of the latest findings:
- The 2020 Insider Threat Report found that in 68% of organizations, insider attacks are increasing
- According to a 2020 survey from encryption vendor, Apricorn, 57% of companies believe remote workers increase risk of data exposure
- A report on remote working found that 69% of company devices are misplaced with 31% being stolen from home or cars
- The Ponemon Institute identified malicious insider threats as lower than accidental ones, but still significant at 23% of all cyberattacks
- According to the Verizon Data Breach Investigations Report (DBIR), malicious insiders are motivated primarily by money. However, other factors such as grievances and retaliation also play a role
The figures are concerning, to say the least. But how is this being reflected in real-life cyberattacks?
Some of the big ones: When insiders go rogue
A flavor of some of the impact on an organization and its customers when an insider threat happens.
What happened? July 2020 saw Twitter make the news for a probable insider attack. High-profile accounts on Twitter were hacked and used for illicit bitcoin transactions. Losses accrued are estimated to be $250 million.
How did it happen? The cause was identified as being account takeovers of high-profile Twitter users, including Barack Obama and Elon Musk. Fraudsters used the accounts to promote a bitcoin scam. A Twitter investigation into the attack found the attacks originated via social engineering and phone spearphishing. The spearphishing attacks focused on Twitter’s admin team, who had privileged access to account admin tools.
The investigation is still continuing, but the belief is that the hackers were able to get into the Twitter admin Slack channel. From there, lack of care in credential hygiene led the hackers to gain access to administration tools, allowing user Twitter accounts to be accessed.
2. Capital One
What happened? In March 2019, Capital One bank experienced a massive data breach. The result was the exposure of data records (including financial information) of 106 million customers.
How did it happen? Two connected causes are likely behind the breach. Privileged access misuse and misconfiguration of a Web Application Firewall. OWASP has placed security misconfiguration in their top 10 security issue list. A Threat Stack survey found that 73% of organizations identified at least one critical security misconfiguration. Whilst misconfiguration is often accidental or due to lack of security awareness, the end result is the same, a security breach. Accidental insider threats are as damaging as purposeful insider attacks.
What happened? In 2019, a MongoDB vulnerability exposed the data of 275 million Indian citizens. The data included name, sex, date of birth, email, mobile phone number, education details, salary, and more.
How did it happen? A scraping operation on an insecure instance of a MongoDB database allowed the exposure to happen. This is an example of not only an accidental insider threat but one where security awareness training focusing on administrators could have prevented this occurring.
What happened? In 2019, the Canadian credit union Desjardins saw the exposure of the data of 2.9 million customers. The data included first and last name, date of birth, social insurance number, address and banking habit information.
How did it happen? According to a statement by Desjardins, an employee deliberately set out to obtain the data of customers with the intent of exposing them publicly. Yet again, another case of unauthorized access with a malicious cause by an insider.
What happened? Cisco has an online video conference portal, WebEx, used by business clients to carry out demos, meetings and so on. In 2018, a Cisco engineer deleted hundreds of virtual machines, which resulted in around 16,000 clients’ WebEx accounts being unusable for weeks. The attack cost Cisco around $1.4 million in damages.
How did it happen? Unauthorized access was behind the Cisco insider threat. An employee deployed code from his own Google Cloud Project, the result of which was the deletion of 456 Virtual Machines. Privileged access to IT resources is where the buck stops. If you have access you have control of resources and data, it should be given rarely and monitored. This is in line with the 2020 Insider Threat Report, which found that 63% of firms believe that privileged IT users are the biggest insider security risk.
What happened? In 2018, Apple’s IOS source code was leaked in a non-malicious way. An Apple intern working on the code thought he would share it with friends on an IOS jailbreaking community to find ways to unlock an IOS phone.
How did it happen? The code did not stay on that community forum, instead, someone leaked it to a public GitHub repository. Apple put a Digital Millennium Copyright Act (DMCA) takedown notice on GitHub, who quickly removed the code — but not before it was copied. This is another case of accidental insiders opening up a security gap.
7. Google and the Waymo self-driving car
What happened? In 2015 or 2016, an employee stole top-secret information concerning Google’s Waymo self-driving car. The leaked intellectual property (IP) ended up on Uber’s desk. The IP included radar and Light Identification Detection and Ranging (LIDAR) technologies, source code and PDFs marked as confidential.
How did it happen? The employee was “disgruntled” working at Google. He planned to form his own self-driving car start-up. A month before he was due to leave, he began to download around 14,000 sensitive files on the Waymo project to an external drive. Again, this was a case of privileged access abuse by a malicious insider.
8. Target Corp.
What happened: Possibly the most famous of insider threats in the last ten years is the Target Corp. breach of 2013. The cyberattack affected the records of 60 million customers. The company only recently settled an $18.5 million lawsuit over the breach.
How did it happen? This was an externally instigated insider threat; privileged credentials of a Target Corp subcontractor were stolen and used to get to the prime target.
Can insider threats be prevented?
There are several key technologies and measures that can help in the prevention of cyberthreats by insiders:
- Train employees, including administrators and other technicians in security
- Secure installation of servers and databases must abide by industry specifications
- Apply the principles of zero-trust security, which adheres to least privilege and “never trust, always verify”
- Use robust authentication, at least two-factor where possible
- Have an enforceable update and patch management policy
- Use security tools such as User and Entity Behavior Analytics (UEBA), antivirus, spam filters and other endpoint security tools
- Pentest your systems and services
What is Threat Awareness Month?
A final word on Threat Awareness Month and what that entails.
The National Insider Threat Awareness Month (NIATM) is a cross-government department initiative to focus on the importance of cybersecurity across industry every September. The NIATM aims to improve the detection and mitigation of insider threats through security awareness and by encouraging reporting. The initiative offers many ways to get involved, including online games and posters to put up at work, and provides common scenarios for employee awareness training.
- Apricorn UK IT Security Survey Results 2020, Apricorn
- Mobile Theft & Loss Report 2018, Prey
- 2020 Cost of Insider Threats: Global Report, Proofpoint
- 2020 Data Breach Investigations Report, Verizon
- 2020 INSIDER THREAT REPORT, Cybersecurity Insiders
- An update on our security incident, Twitter
- Hackers Tell the Story of the Twitter Attack from the Inside, The New York Times
- San Jose Man Pleads Guilty To Damaging Cisco’s Network, United States Department of Justice
- 2018-02-07-Apple.md, GitHub
- Case No. MJ19-0344, United States Department of Justice
- 73% of Companies Have Critical AWS Security Misconfigurations, Threat Stack
- Desjardins statement concerning unauthorized access to some member information, Desjardins
- National Insider Threat Awareness Month 2020, cdse.edu