Spy chiefs call them assets, but they are operatives on the inside. Some do it for money, some have other motivations, but they are positioned to betray one organization for another. The tradecraft is proven, capable of bypassing all the protections that organizations spend money and time putting into place. In the movies, it’s usually nations that are playing spy games, jockeying for a strategic advantage, leveraging spies who risk it all for their country. In reality, these techniques are just as capable of taking down corporations as nations.
Today, more than ever, our corporations depend on the flow of vast quantities of information that enables workflow and gives decision makers the capacity to compete within their fast-moving industries. Protecting that data, as many of these corporations know, has become a priority. So they hire vast armies of IT staff, contract security guards, build access control, and screen employees for criminal history, all in the hope that these concentric borders of security will protect them from the worst. The problem is that almost all of these defenses face outward and do little to thwart an insider who has turned into your adversary.
Some corporate insider threats are familiar. The associate who takes home some merchandise, the disgruntled employee who moves proprietary information into a competitor’s hands, employees who embezzle funds, and other forms of corruption probably come to mind. But what happens when an insider works with tech-savvy interests to compromise your company’s information security?
Social engineering, the practice of soliciting protected information from unsuspecting employees and staff, has long been an easy means of acquiring access to internal networks. By manipulating insiders into violating security regulations, giving up passwords, or otherwise unwittingly letting the bad guys in, attackers can create a vulnerability where there had seemed to be none. They can play on the human desire to be helpful to elicit what they need. However, these are often one-time exchanges, either targeted or randomly chosen in the hope of getting something useful. Certainly, this is a threat to be concerned about, and training can help employees resist this sort of attack. But training only helps when the employees are still on your side.
It should be understood that employees may be recruited by an adversary and can provide backdoor access to those who desire it. Just like in the spy stories, money could change hands, and a company could be the target of the next major intrusion. Good IT can play a role in preventing substantial damage from internally introduced malware, but a number of things make this a particularly difficult situation. Once an insider is a willing participant, the chances that a potential attacker can identify vulnerabilities rise exponentially. Insider access takes away numerous layers of protection and can provide direct access to equipment. Most experts will tell you that once you have direct access, all bets are off.
Recently, ransomware has made headlines. The Hollywood Presbyterian Medical Center was taken down by a virus that made their data inaccessible and crashed their networks. This attack ultimately convinced their executives to pay the $17,000 ransom to decrypt their files and restore their systems. This has become a common cyber-attack: malware encrypts files with a private key, and that key is then used to extort funds from victims who need to restore their systems. This usually occurs when someone is convinced to click a link to an infected website, or when an attachment finds someone who is willing to launch the malware. These viruses, though, have become progressively more sophisticated, acting like worms that self-replicate and spread through networks. Consider the worth of an insider who could get one of these worms into a vulnerable corporate network. What would an attacker be willing to pay for a little help?
Understanding these risks will help organizations create assessments and develop methods for mitigating some of the potential damage. Organizations may be able to refine their training to help employees identify potential insider threats, and to create a culture of reporting suspicious activity. While some organizations hire “red teams” to do penetration testing, not all look at what damage can be done from within. This will certainly have to change: as threats continue to adapt, so will our defenses.