US State Dept. Shares Insider Tips to Fight Insider Threats

The insider threat is a technology, security, and personnel issue, officials said in explaining an approach that addresses all three factors.

RSA CONFERENCE 2020 - San Francisco - Every employee has the potential to become an insider threat, whether through accidental or malicious means. Organizations with the right steps in place can both prevent a person from going rogue and detect these threats before it's too late.

At the US Department of State, everyone who has virtual or physical access to its network, facilities, or information is considered an insider, said Greg Collins, a contractor policy adviser, during an RSA Conference session this week on insider threats. "Anything that they can access and attempt to misuse is an insider threat," Collins explained.

"It is not just a tech problem, it's not just a security issue, and it's not just a personnel issue," added Jackie Atiles, insider threat program director at the State Department. When an insider threat takes place, businesses can't go back and change what happened, but they can look back and see the indicators that were available to them in order to prevent future threats.

These markers can be spotted at all stages of the employee cycle, Collins said, a process that typically looks the same for organizations across industries and includes the following steps: hiring, vetting, training, inclusion, support, and security. He and Atiles took an insider threat scenario and viewed it through each step to pinpoint red flags indicating malicious activity.

In their example scenario – which was made up for this presentation but will likely sound familiar to many organizations – they used an employee who sends an email containing sensitive internal data to someone outside the organization. "This keeps me up at night," Collins said. "This is something you absolutely don't want to happen."

But it does happen, and when it does, it's important to first substitute the individual's name with a unique identifier. "One thing we really stand behind is trying to prevent reputational harm," Collins said. If insider activity has occurred but you don't know whether there was malintent, it's best to keep the individual anonymous so as not to muddy the person's name. Once the case has been established, you can start to backtrack and determine where, exactly, they went wrong.

In this scenario, the threat has already happened. Instead of starting the investigation process from the hiring phase, Atiles advised starting with security mechanisms in place. "IT is the last line of defense when it comes to information leaving the network," she explained, and there are several indicators someone might do this before they hit Send. Look for trigger words: an external company name, "attachment," or "secret." Ask questions: What was the attachment? Is this something that has regularly occurred? Is there a reason they're using the word "secret"?

"While security can identify the anomalies through ones and zeroes, the human element can be used to identify what the potential threats are," Atiles explained.
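The two practices described above, replacing the individual's name with a unique identifier and screening outbound mail for trigger words, external recipients and unusual frequency, as an added example that is not part of the original article. The log records, the internal domain `example.gov`, the HMAC key and the trigger list are all constructed for illustration.

```python
import hmac
import hashlib
from collections import Counter

# Constructed sample of outbound-mail metadata; not real data.
INTERNAL_DOMAIN = "example.gov"
TRIGGER_WORDS = ("attachment", "secret", "acme corp")  # "acme corp" stands in for an external company name

SAMPLE_LOG = [
    {"sender": "a.person@example.gov", "recipient": "ops@example.gov", "subject": "Weekly status", "attachments": 0},
    {"sender": "a.person@example.gov", "recipient": "contact@acme-corp.test", "subject": "Secret attachment for Acme Corp", "attachments": 1},
    {"sender": "b.person@example.gov", "recipient": "partner@vendor.test", "subject": "Invoice", "attachments": 1},
    {"sender": "b.person@example.gov", "recipient": "partner@vendor.test", "subject": "Invoice", "attachments": 1},
    {"sender": "b.person@example.gov", "recipient": "partner@vendor.test", "subject": "Invoice", "attachments": 1},
]

def case_id(sender, key=b"constructed-review-key"):
    """Replace the sender's name with a stable pseudonymous identifier (HMAC) so the
    investigation record avoids reputational harm before intent is established."""
    return hmac.new(key, sender.lower().encode(), hashlib.sha256).hexdigest()[:12]

def is_external(recipient):
    return not recipient.lower().endswith("@" + INTERNAL_DOMAIN)

def triage(records, min_history=3):
    """Flag external mail carrying trigger words or attachments, and note whether the
    sender-recipient pair is a regular occurrence (baseline) or a first-time event."""
    pair_counts = Counter((r["sender"], r["recipient"]) for r in records)
    findings = []
    for r in records:
        if not is_external(r["recipient"]):
            continue
        subject = r["subject"].lower()
        hits = [w for w in TRIGGER_WORDS if w in subject]
        if not hits and r["attachments"] == 0:
            continue
        regular = pair_counts[(r["sender"], r["recipient"])] >= min_history
        findings.append({
            "case_id": case_id(r["sender"]),
            "recipient_domain": r["recipient"].split("@")[1],
            "trigger_words": hits,
            "has_attachment": r["attachments"] > 0,
            "regular_occurrence": regular,
        })
    return findings
```

The first-time external message with "secret" and "attachment" in the subject surfaces for human review under a pseudonymous case ID, while the recurring invoice traffic is marked as an established pattern that still needs the "is this normal?" question answered.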

Taking another step back in the cycle takes you to support, meaning the policies and resources in place to help employees through professional, personal, or financial stress. If an insider accidentally breaches security rules or takes files outside the organization, it could be due to external circumstances causing them to behave differently than usual, Collins noted. By providing support to their employees, company leaders may be able to prevent this activity.

"Managers need to manage; managers need to engage," Atiles said. "Supervisors are the best defense against insider threat behavior. There is a difference between an introverted employee who wants to be alone sometimes and an isolationist who exclusively keeps to themselves all day."

She emphasized the importance of making people feel included. "As people move positions … make sure you're building an environment that includes people and doesn't create an insider risk from the start." Educating managers on team building isn't just a "feel-good" activity, Atiles noted. Employees who feel included are less likely to become a future security risk.

Employee Vetting and Training
Properly vetting and training employees can help organizations spot threats before it's too late.

Training can cover a range of different topics, said Collins, listing security awareness, data handling, diversity and equal employment opportunity, performance, and development as examples. You want to make sure employees regularly complete training, especially if they handle information like human resources data, medical records, financial records, and Social Security numbers.

If an employee sends an email with company data outside the organization, consider whether they completed their assigned training. Did they take the training? Were they compliant?

Prior to the training stage are the hiring and vetting stages of the employee cycle. "You need to vet your employees from the beginning," Atiles said. "It's a disservice to your own organization if you don't know who you have working for you."

The vetting process should be uniform, consistent with policies, and approved by general counsel, she said. It may include criminal records, financial reports, background verification, outside associations, open source information, and foreign travel and contacts. Bringing a new person onboard is your initial opportunity to make sure you're not hiring an insider threat.

A candidate's resume, interview, and references can be instrumental in gauging their risk. "These are huge chunks of the professional profile that makes up this individual," she added.

The insider threat can appear in any part of the employee cycle, but by the time the threat takes place, it's too late to detect it. Taking this structure and putting it around your organization is going to lower that potential of risk, Collins said.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
