There are different categories of insider threats, based on the level of access the employee has. There are four types: pure insider, insider associate, insider affiliate, and outside affiliate. Each of these categories also has different motives. Understanding each is a key to building proper preventive and detective defenses.A pure insider is an employee with all the rights and access associated with being employed by the company. With pure insiders, the key areas to focus in on to detect or prevent damage are access, behavior, and money. Typically, pure insiders have keys or a badge to get access to the facility, a logon to get access to the network, and can walk around the building unescorted. They can cause the most damage because they already have most of the access they need. Pure insiders can be further classified as an elevated pure insider. An elevated pure insider is an insider who has additional privileged access. This usually includes system administrators who have root or administrator access on the network. These people were given the additional access to do their jobs; however, in many cases, they are given more access than what they need.
The second factor that comes into play is behavior. In many cases, when someone commits an insider attack, there have usually been personal behavior patterns that were predictive of such behavior. Usually they openly talked bad about the company or management. They tended to be unhappy and angry at work and might even have stated that one of these days they were going to get back at the company.
A third driving factor with the pure insider is money. Many of the people who perform these attacks have financial issues. A normal employee would not commit insider threat. However, an employee who is under a high level of stress and is having financial issues may jump at the opportunity to eliminate their problems.
The insider associate is someone with limited authorized access. Contractors, guards, and cleaning and plant services all fit under this category. They are not employees of the company and do not need full access, but they need limited access. Limited access usually takes the form of having physical access to the facility but not access to the network. Organizations commonly think that because sensitive information is locked away in an office means it is protected. What many people forget is that others have access to that office for various reasons such as cleaning or maintenance. It is imperative that all sensitive data be properly secured.
Employees must be educated about security issues in order to prevent these types of insider threats. Employees should be taught to properly secure sensitive data and to log out of critical systems before walking away from them.
The insider affiliate is a spouse, friend, or even client of an employee who uses the employee's credentials to gain access. This can be as simple as a friend coming to visit you, so you get them a badge for the building. When you take a phone call they go to use the restroom and on the way back they wander around looking at what is on people's computers and on their desks. The more damaging insider affiliate is someone who directly acts as an employee using the employee's credentials.
The most common is remote access. Your spouse wants to sit on the couch and surf the Web and wants to borrow your laptop. You give them your user ID and password so they can log on and access the Internet. While the intent was for the spouse to only access the Internet, what other information does the spouse now have access to?
While this can cause some problems, it can usually be controlled. Organizations should have clearly written policies and procedures, they should be explained to all employees, and require that the employee signs off that they understand them. Then, any deviation from the policy can be taken as a deliberate action on the part of an employee.
The final category of insider threat is the outside affiliate. Outside affiliates are non-trusted outsiders who use open access to gain access to an organization's resources. A great example of this is an outsider gaining unauthorized access to wireless access points. It is imperative that organizations secure all wireless access points just as they must secure the front door after daily business hours. Although the outside affiliate seems obvious, it is often overlooked by many companies. Protecting against the outside affiliate requires proper access controls in place for all types of access, including virtual and physical access.
Dr. Eric Cole, Ph.D., is a security expert with more than 15 years of hands-on experience. Cole has experience in information technology with a focus on perimeter defense, secure network design, vulnerability discovery, penetration testing, and intrusion detection systems. He is the author of several books, including Hackers Beware, Hiding in Plain Site, Network Security Bible, and Insider Threat. He is the inventor of more than 20 patents, and is a researcher, writer, and speaker. Cole is a member of the Commission on Cyber Security for the 44th President and several executive advisory boards, and is CTO of the Americas for McAfee. Cole is involved with the SANS Technology Institute (STI) and SANS working with students, teaching, and maintaining and developing courseware. He is a SANS fellow, instructor, and course author. Dr. Cole has 20 years of hands-on experience in information technology with a focus on building out dynamic defense solutions that protect organizations from advanced threats. He has a Master's degree in computer science from NYIT and a Doctorate from Pace University, with a ... View Full Bio