
The Enemy within – Securing the business against the internal threat

Posted on: November 27th, 2014 by webprese

By ASM

The news archives are littered with stories of organisations betrayed by trusted colleagues, including the most innocuous-looking workers. The trust that organisations place in their workforce can leave them vulnerable to malicious employees, who often use clever methods to hide their illicit activities. Attacks from the inside carry the potential for damage that can rival or even exceed that caused by external forces, and the longer they continue undetected, the more harm they do. Perhaps most significantly, they can expose the personal information of customers or employees. A breach of this kind, whether identity theft, inappropriate use of data or the sale of sensitive information, can leave an organisation legally liable for the associated damages and subject to regulatory fines. In addition, a company's competitive position can suffer if an insider uses intellectual property or trade secrets for unauthorised purposes.

Insiders in particular present a unique problem for a physical protection system. They can take advantage of their access rights, complemented by their authority and their knowledge of a facility, to bypass dedicated physical protection elements or other provisions such as safety measures, material control and accountancy, and operating measures and procedures. Further, as personnel in positions of trust with legitimate access, insiders can employ 'defeat' methods that protective measures such as intruder detection and access controls deny to outsiders. Insiders also have more opportunities to select the most vulnerable target and the best time to execute a malicious act.

Securing the business against the insider threat therefore starts with an assessment of what those threats might be. Insiders may have different motivations and may be passive or active, non-violent or violent. The term 'motivation' describes the motive forces that compel an adversary to perform or attempt a malicious act. Motivation may include ideological, personal, financial and psychological factors, and other forces such as coercion. Insiders could act independently or in collusion with others. They could become malicious on a single impulse or act in a premeditated and well-prepared manner, depending on their motivation.

Anybody can pose a threat

Insiders may hold any position in an organisation, from security guards through to maintenance staff or even senior management. Others who are not directly employed by the operator but who also have access, such as vendors, emergency personnel (including firefighters and first responders), contractors, subcontractors and inspectors from regulatory organisations, should also be considered. It is vital that organisations understand normal employee baseline behaviours and also ensure employees understand how they may be used as a conduit for others to obtain information.

Thus, one of the first steps must be policy making: defining the parameters of acceptable behaviour within a peer group. These parameters serve as the baseline for comparative analysis, so it is important to establish user profiles from historical data or concrete experience, not just from business expectations that may or may not be realistic. Building a baseline understanding of the personalities and behavioural norms of those previously defined as 'insiders' makes deviations from these norms easier to detect. Some general behavioural characteristics of insiders at risk of becoming a threat include:

  • Greed/ financial need
  • Vulnerability to blackmail
  • Compulsive and destructive behaviour
  • Rebellious, passive aggressive
  • Intolerance of criticism
  • Self-perceived value exceeds performance
  • Lack of empathy
  • Predisposition towards law enforcement

Obviously, these characteristics alone do not mean that your organisation is at risk, nor is this an exhaustive list, but it is important to realise that individuals who exhibit these characteristics may reach a point at which they carry out malicious activity. One of the best prevention measures is to train employees to recognise and report behavioural indicators exhibited by peers or business partners.

Who should have access?

Another common-sense recommendation for preventing security breaches is to restrict privileged access to as few people as possible and to keep watch over those who have it. Insiders may have access to some or all areas of a facility, its systems, equipment or tools, or possess intimate knowledge of the facility layout, transport arrangements and/or processes, physical protection, safety systems and other sensitive information. Too often, organisations give employees more access to systems and data than they need to do their jobs. They also fail to monitor or disable the accounts of third-party contractors when the work is done, or to remove the access privileges of ex-employees.
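The paragraph above names three failures that a periodic access review catches: accounts of ex-employees left enabled, contractor accounts that outlive the engagement, and enabled accounts with no identifiable owner. As an added example (not from the article or Australian Security Magazine), the reconciliation below joins a directory export against an HR and contractor roster and reports every enabled account that should no longer be; the usernames, group names, dates and both data sets are constructed for illustration.

```python
"""Reconcile enabled directory accounts against the HR/contractor roster.

Added example, not from the article. Flags enabled accounts whose owner's
engagement has ended and enabled accounts with no owner on the roster at all.
All data below is constructed."""
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed roster: username -> (status, engagement end date, or None if ongoing)
ROSTER: Dict[str, Tuple[str, Optional[date]]] = {
    "alice": ("employee", None),
    "bob": ("employee", date(2014, 10, 31)),      # resigned last month
    "carol": ("contractor", date(2014, 11, 14)),  # engagement finished
    "dave": ("contractor", date(2015, 3, 1)),     # still engaged
}

# Constructed directory export: username -> (enabled?, group memberships)
DIRECTORY: Dict[str, Tuple[bool, List[str]]] = {
    "alice": (True, ["staff"]),
    "bob": (True, ["staff", "domain-admins"]),
    "carol": (True, ["vendor-vpn"]),
    "dave": (True, ["vendor-vpn"]),
    "erin": (False, ["staff"]),                  # already disabled: not a finding
    "svc-backup": (True, ["backup-operators"]),  # no human owner on the roster
}

# Assumed names of groups that confer privileged access.
PRIVILEGED = {"domain-admins", "backup-operators"}


def stale_accounts(roster, directory, today: date) -> List[Tuple[str, str, bool]]:
    """Return (username, reason, is_privileged) for each enabled account that should not be."""
    findings = []
    for user, (enabled, groups) in directory.items():
        if not enabled:
            continue  # already disabled; nothing to do
        privileged = bool(PRIVILEGED & set(groups))
        if user not in roster:
            # Orphan account: nobody in HR or procurement owns it, so nobody will ever offboard it.
            findings.append((user, "enabled account with no owner on the roster", privileged))
            continue
        status, end = roster[user]
        if end is not None and end < today:
            findings.append(
                (user, f"{status} engagement ended {end.isoformat()} but account still enabled", privileged)
            )
    return findings


def report(today_iso: str = "2014-11-27") -> List[Tuple[str, str, bool]]:
    """Run the reconciliation over the constructed data as of the given date."""
    return stale_accounts(ROSTER, DIRECTORY, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for user, reason, priv in report():
        print(("PRIVILEGED " if priv else "") + f"{user}: {reason}")
```

In practice the roster comes from the HR and procurement systems and the directory export from the identity provider; the join key is the weak point, so accounts whose username does not map cleanly to a person (service accounts, shared mailboxes) should be treated as findings until an owner is assigned, as the `svc-backup` entry shows.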

Integrated Security Systems

Most organisations will have at least some of the security elements needed to protect against malicious internal attacks: authentication systems, asset tracking software, device and Internet usage monitoring capabilities, to name a few. However, it is critical for these pieces to interact as seamlessly as possible. One of the difficulties in detecting insider attacks is the time it takes to analyse a vast amount of data coming from a wide array of devices, entry points and user accounts.

Through the integration of a wide range of security components, both physical and cyber, systems can communicate in real time, enabling a faster response before data can be used for illegitimate purposes, and potentially even predicting and preventing malicious attacks. Administrators should be able to access a central console that compiles messages and events from systems that monitor everything from door alarms through to network devices and application usage. This removes much of the effort normally required to manually review historical logs and search for complex relationships across systems. Integration enables events to be correlated across the enterprise. For example, a logon to an application by an employee whose badge records do not match the logon's origin, whether a logon from an onsite workstation with no badge-in recorded or a remote logon while the employee's badge shows them inside the building, can immediately be identified as unusual and potentially harmful. Without this automatic, real-time correlation, the anomalous access may not be detected quickly enough. A delay of even …read more
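The correlation described above, as an added example that is not part of the original article: badge reader events and application logons are joined per user, and a logon is flagged when it contradicts the person's last known physical state. The log line formats, the "onsite"/"remote" source labels, the user and application names and all the sample events are constructed assumptions.

```python
"""Correlate physical badge events with application logons.

Added example, not from the article. Flags (a) an onsite workstation logon by a
user with no badge-in on record and (b) a remote logon while the user's badge
shows them inside the building. Log formats and sample events are constructed."""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple


@dataclass
class BadgeEvent:
    user: str
    when: datetime
    direction: str  # "in" or "out"


@dataclass
class LogonEvent:
    user: str
    when: datetime
    source: str  # assumed labels: "onsite" (office LAN workstation) or "remote" (VPN)
    app: str


def parse_badge(line: str) -> BadgeEvent:
    # Constructed format: "<ISO timestamp> badge <user> <in|out>"
    ts, _kind, user, direction = line.split()
    if direction not in ("in", "out"):
        raise ValueError(f"bad badge direction: {line!r}")
    return BadgeEvent(user, datetime.fromisoformat(ts), direction)


def parse_logon(line: str) -> LogonEvent:
    # Constructed format: "<ISO timestamp> logon <user> <onsite|remote> <app>"
    ts, _kind, user, source, app = line.split()
    if source not in ("onsite", "remote"):
        raise ValueError(f"bad logon source: {line!r}")
    return LogonEvent(user, datetime.fromisoformat(ts), source, app)


def presence_at(badges: List[BadgeEvent], user: str, when: datetime) -> Optional[str]:
    """Physical state of `user` at `when`: 'in', 'out', or None if no badge event precedes it."""
    state = None
    for b in sorted(badges, key=lambda e: e.when):
        if b.user == user and b.when <= when:
            state = b.direction  # last event before `when` wins
    return state


def correlate(badge_lines: List[str], logon_lines: List[str]) -> List[Tuple[str, datetime, str]]:
    """Return (user, time, reason) for every logon that contradicts the badge records."""
    badges = [parse_badge(ln) for ln in badge_lines]
    logons = sorted((parse_logon(ln) for ln in logon_lines), key=lambda e: e.when)
    alerts = []
    for lg in logons:
        state = presence_at(badges, lg.user, lg.when)
        if lg.source == "onsite" and state != "in":
            # Someone is at a desk inside the building without having badged in.
            alerts.append((lg.user, lg.when, f"onsite logon to {lg.app} with no badge-in on record"))
        elif lg.source == "remote" and state == "in":
            # The person is inside, yet their credentials are arriving over the VPN.
            alerts.append((lg.user, lg.when, f"remote logon to {lg.app} while badged inside the building"))
    return alerts


# Constructed sample data (not real logs).
SAMPLE_BADGES = [
    "2014-11-27T08:02:11 badge alice in",
    "2014-11-27T08:45:00 badge bob in",
    "2014-11-27T17:31:05 badge alice out",
]
SAMPLE_LOGONS = [
    "2014-11-27T07:30:00 logon carol onsite payroll",   # no badge-in: tailgating or a borrowed desk?
    "2014-11-27T08:10:44 logon alice onsite payroll",   # consistent with her badge-in
    "2014-11-27T13:00:00 logon bob remote hr-portal",   # bob is inside; who is using his VPN credentials?
    "2014-11-27T20:00:00 logon alice remote payroll",   # she badged out; a remote logon is consistent
]

if __name__ == "__main__":
    for user, when, reason in correlate(SAMPLE_BADGES, SAMPLE_LOGONS):
        print(f"{when.isoformat()} {user}: {reason}")
```

Two caveats matter when this is run against real feeds: the badge system and the log collector must share a synchronised clock, or ordinary logons straddle a badge event and become false positives; and a missing badge-out (tailgating on the way out is common) leaves a user stuck in the "in" state, so a rule that resets presence at the end of the working day, or treats a very old badge-in as unknown, keeps the remote-logon check useful.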

Source: Australian Security Magazine

