Dark Reading is part of the Informa Tech Division of Informa PLC



US State Dept. Shares Insider Tips to Fight Insider Threats

The insider threat is a technology, security, and personnel issue, officials said in explaining an approach that addresses all three factors.

RSA CONFERENCE 2020 - San Francisco - Every employee has the potential to become an insider threat, whether through accidental or malicious means. Organizations with the right steps in place can both prevent a person from going rogue and detect these threats before it's too late.

At the US Department of State, everyone who has virtual or physical access to its network, facilities, or information is considered an insider, said Greg Collins, a contractor policy adviser, during an RSA Conference session this week on insider threats. "Anything that they can access and attempt to misuse is an insider threat," Collins explained.

"It is not just a tech problem, it's not just a security issue, and it's not just a personnel issue," added Jackie Atiles, insider threat program director at the State Department. When an insider threat takes place, businesses can't go back and change what happened, but they can look back and see the indicators that were available to them in order to prevent future threats.

These markers can be spotted at all stages of the employee cycle, Collins said, a process that typically looks the same for organizations across industries and includes the following steps: hiring, vetting, training, inclusion, support, and security. He and Atiles took an insider threat scenario and viewed it through each step to pinpoint red flags indicating malicious activity.

In their example scenario – which was made up for this presentation but will likely sound familiar to many organizations – they used an employee who sends an email containing sensitive internal data to someone outside the organization. "This keeps me up at night," Collins said. "This is something you absolutely don't want to happen."

But it does happen, and when it does, it's important to first substitute the individual's name with a unique identifier. "One thing we really stand behind is trying to prevent reputational harm," Collins said. If insider activity has occurred but you don't yet know whether there was malicious intent, it's best to keep the individual anonymous so as not to muddy the person's name. Once the case has been established, you can start to backtrack and determine where, exactly, they went wrong.

In this scenario, the threat has already happened. Instead of starting the investigation process from the hiring phase, Atiles advised starting with security mechanisms in place. "IT is the last line of defense when it comes to information leaving the network," she explained, and there are several indicators someone might do this before they hit Send. Look for trigger words: an external company name, "attachment," or "secret." Ask questions: What was the attachment? Is this something that has regularly occurred? Is there a reason they're using the word "secret"?

"While security can identify the anomalies through ones and zeroes, the human element can be used to identify what the potential threats are," Atiles explained.
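The outbound-mail review Atiles and Collins describe above, as an added Python example that is not from the presentation or the State Department: it flags messages to external recipients that carry the trigger words, answers the "has this regularly occurred?" question from a send history, and files the alert under a keyed-hash pseudonym rather than the sender's name. The internal domain, the watchlisted company name, the keyed-hash pseudonym scheme and the sample message are all assumptions constructed here.

```python
import hmac
import hashlib
import re
from collections import Counter

# Constructed sample configuration (not from the article).
INTERNAL_DOMAINS = {"example.gov"}
# Trigger terms from the talk plus a made-up external company name.
TRIGGER_TERMS = ("attachment", "secret", "acme corp")
PSEUDONYM_KEY = b"placeholder-demo-key"  # placeholder: load the real key from a secret store


def case_id(sender: str) -> str:
    """Stable, non-reversible identifier that replaces the sender's name in the case file
    (keyed hash is an assumption chosen here; the key must be held outside the code)."""
    digest = hmac.new(PSEUDONYM_KEY, sender.lower().encode(), hashlib.sha256).hexdigest()
    return "INS-" + digest[:10]


def external_recipients(recipients):
    """Recipients whose domain is not one of ours."""
    return [r for r in recipients if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def triggered_terms(text: str):
    """Whole-word, case-insensitive match of the trigger terms, in watchlist order."""
    low = text.lower()
    return [t for t in TRIGGER_TERMS if re.search(r"\b" + re.escape(t) + r"\b", low)]


def review_message(msg, history):
    """Return an alert dict for a human reviewer, or None if nothing is out of the ordinary.
    history: prior (sender, external_domain) pairs used to judge whether this is routine."""
    ext = external_recipients(msg["to"])
    if not ext:
        return None  # internal-only mail is out of scope for this check
    hits = triggered_terms(msg["subject"] + " " + msg["body"])
    if not hits and not msg["attachments"]:
        return None
    prior = Counter(history)
    counts = {r: prior[(msg["from"], r.rsplit("@", 1)[-1].lower())] for r in ext}
    return {
        "case": case_id(msg["from"]),          # name never appears in the alert
        "external_recipients": ext,
        "triggers": hits,
        "attachments": list(msg["attachments"]),
        "prior_sends_to_domain": counts,
        "routine": all(c >= 3 for c in counts.values()),  # threshold is an assumption
    }


# Constructed sample input: one sensitive-looking message and a short send history.
SAMPLE_MESSAGE = {"from": "jdoe@example.gov", "to": ["partner@acme-corp.com"],
                  "subject": "Secret budget draft",
                  "body": "Acme Corp asked for the numbers; see attachment.",
                  "attachments": ["budget.xlsx"]}
SAMPLE_HISTORY = [("jdoe@example.gov", "acme-corp.com")]
```

The alert carries what the reviewer needs to ask the session's questions (what was the attachment, has this happened before, why "secret") without exposing the sender's identity until the case is established.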

Taking another step back in the cycle brings you to support: the policies and resources in place to ensure employees have help with professional, personal, or financial stress. If an insider accidentally breaches security rules or takes files outside the organization, it could be due to external circumstances causing them to behave differently than usual, Collins noted. By providing support to their employees, company leaders may be able to prevent this activity.

"Managers need to manage; managers need to engage," Atiles said. "Supervisors are the best defense against insider threat behavior. There is a difference between an introverted employee who wants to be alone sometimes and an isolationist who exclusively keeps to themselves all day."

She emphasized the importance of making people feel included. "As people move positions … make sure you're building an environment that includes people and doesn't create an insider risk from the start." Educating managers on team building isn't just a "feel-good" activity, Atiles noted. Employees who feel included are less likely to become a future security risk.

Employee Vetting and Training
Properly vetting and training employees can help organizations spot threats before it's too late.

Training can cover a range of different topics, said Collins, listing security awareness, data handling, diversity and equal employment opportunity, performance, and development as examples. You want to make sure employees regularly complete training, especially if they handle information like human resources data, medical records, financial records, and Social Security numbers.

If an employee sends an email with company data outside the organization, consider whether they completed their assigned training. Did they take the training? Were they compliant?

Prior to the training stage are the hiring and vetting stages of the employee cycle. "You need to vet your employees from the beginning," Atiles said. "It's a disservice to your own organization if you don't know who you have working for you."

The vetting process should be uniform, consistent with policies, and approved by general counsel, she said. It may include criminal records, financial reports, background verification, outside associations, open source information, and foreign travel and contacts. Bringing a new person onboard is your initial opportunity to make sure you're not hiring an insider threat.

A candidate's resume, interview, and references can be instrumental in gauging their risk. "These are huge chunks of the professional profile that makes up this individual," she added.

The insider threat can appear in any part of the employee cycle, but by the time the threat takes place, it's too late to detect it. Taking this structure and putting it around your organization is going to lower that potential of risk, Collins said.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
