“The most lethal threat is from inside the agency” – Joseph Kinder, retired US Cyber Command
In July 2016, Digital Guardian asked 77 security experts the question: “Insider vs. outsider data security: which is the greater threat?” Overwhelmingly the response was: insider. Many rationalized that external threat actors must use tools to breach hardened barriers, while insiders simply have to copy the data and abscond with it.
Just because something might be true doesn’t mean it is. In fact, greater than 90% of insiders are loyal, hard-working, conscientious employees who do NOT steal agency data. Data from the ID Theft Center confirms that over nine years, insider theft has remained at a median of 11.7% of breaches.
Every year, across multiple vendor-sponsored opinion surveys, 70% or more of respondents state that they believe insider threat is the greatest security threat. Here we have a clear example of cognitive bias: people overweight the perceived risk of things they find scarier. For example, most people are more afraid of dying in a plane crash than of a heart attack, yet the probability of dying in a plane crash is 1 in 5,000 while that of dying of a heart attack is 1 in 4. Cognitive bias is subtle but pervasive. The odds of dying at the hands of a terrorist in the US are 1 in 20,000,000; the CDC points out that you are more likely to be killed by a cow. Given those odds, the fear that the person sitting next to you is a threat actor is irrational.
The Unintentional Insider Threat
In a special report for DHS, CERT analyzed thousands of case studies to arrive at a new understanding of the insider threat. They define the human factors at work as human error, fatigue and sleepiness, subjective mental workload, situational awareness, and mind wandering.
For example, the National Institutes of Health has an extensive body of knowledge documenting the effects of fatigue on worker performance. Fatigue from inadequate rest, loss of sleep, or non-standard work schedules has been shown to slow reflexes, cause lapses of attention, and impair problem solving. Regulators such as the FAA and the Nuclear Regulatory Commission have strict rules on how much rest operators must have in a 24-hour period. There are no such requirements in IT, and many administrators work with less rest than workers in any other industry.
How is it that we entrust our mission-critical systems to our loyal insiders without ensuring they have proper rest? And how can we then turn around and blame them for their actions or inactions, when NIH specifically states that they are more likely to make those mistakes?
Insiders are also unfairly blamed for another type of threat. UIT-HACK is classified as an outside attack on an insider using social engineering, phishing, malware, spyware, or any other means. The fact is that most insiders are highly trained IT professionals. If an external attacker compromises our security and, following a premeditated plan, uses sophisticated technology or social engineering to steal an insider’s password, is that the insider’s fault? If someone breaks into your home, defeating your alarm system to steal your valuables, should the police arrest you for negligence? The fact is that most phishing attacks are carried out against end users, not insiders.
Privileged User Management
Nearly every data breach runs through privilege escalation. Attackers start by gaining low-level access to a device, perhaps on the perimeter, perhaps inside through malware. They work their way upward until they have gained “root”, “admin” or “Administrator”. Once a threat actor holds superuser privileges, they have full control of the system and can take whatever data they wish.
Insiders did not create the superuser problem. It started with Dennis Ritchie and was perpetuated by Bill Gates and Linus Torvalds. Today every open system we run relies on a superuser account. The problem is compounded by the all-or-nothing privilege model of these kernels: whoever holds that “god” account bypasses the access checks entirely and has unfettered access to the whole system.
There are three solutions to overcoming the superuser problem:
- Every computer needs a Trusted Platform Module (TPM), as specified by the Trusted Computing Group.
- All superuser passwords need to be locked up in a secure vault and never used for day-to-day administration. The vault must be truly secure: a FIPS 140-2 Level 1 container is not sufficient; it must be FIPS 140-2 Level 4, the highest level, which requires tamper detection and active response. Once the superuser accounts are locked up, privileged access management must ensure that every user holds only the entitlements their role requires, from the CEO to the CISO, network admins and end users. No one gets more access than they need.
- Experts agree that a perimeter defense alone is no longer effective. The answer is segmentation. Whether you call it micro-segmentation or hyper-segmentation, it must be granular enough that there is a virtual segment for every user-to-service path, with everything else denied by default. When a threat actor gains a foothold, lateral movement hits a dead end.
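To make the second item concrete, here is an added example (not code from the article or from any vendor it alludes to): a small Python audit that parses sudoers and shadow entries, flags users whose entitlement is the full superuser (command `ALL`) rather than a named set of commands, and checks that the root password is locked. The sample file contents, user names and command paths are constructed for illustration; the parser handles only the common subset of sudoers syntax (per-user rules, `Cmnd_Alias`, `NOPASSWD:`-style tags) and is not a replacement for `visudo`.

```python
"""Least-privilege audit of sudoers and shadow entries (added example)."""
import re

# Constructed sample input, modelled on /etc/sudoers syntax.
SAMPLE_SUDOERS = """\
# Defaults and comments are ignored by this audit
Defaults env_reset
Cmnd_Alias SERVICES = /usr/bin/systemctl restart nginx, /usr/bin/systemctl status nginx
root    ALL=(ALL:ALL) ALL
alice   ALL=(ALL) ALL
bob     ALL=(ALL) NOPASSWD: ALL
carol   ALL=(root) SERVICES
dave    ALL=(root) /usr/bin/journalctl -u nginx, /usr/bin/tail -f /var/log/nginx/error.log
"""

# Constructed sample /etc/shadow lines; the hashes are placeholders.
SAMPLE_SHADOW = """\
root:!$6$placeholder:19000:0:99999:7:::
alice:$6$placeholder:19000:0:99999:7:::
"""

# user  host = (runas) command-spec
SUDO_RULE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")
TAG_PREFIX = re.compile(r"^(?:[A-Z]+:\s*)+")  # NOPASSWD:, SETENV:, ...


def parse_sudoers(text):
    """Return {user: [command, ...]} with Cmnd_Alias names expanded."""
    aliases, grants = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        if line.startswith("Cmnd_Alias"):
            name, _, cmds = line[len("Cmnd_Alias"):].partition("=")
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
            continue
        m = SUDO_RULE.match(line)
        if not m:
            continue
        user, _host, _runas, cmdspec = m.groups()
        cmdspec = TAG_PREFIX.sub("", cmdspec)
        for c in cmdspec.split(","):
            c = c.strip()
            grants.setdefault(user, []).extend(aliases.get(c, [c]))
    return grants


def unrestricted_grants(grants):
    """Users whose sudo entitlement is the full superuser (command 'ALL')."""
    return sorted(u for u, cmds in grants.items() if "ALL" in cmds)


def is_locked(shadow_text, user="root"):
    """True if the account's password field is locked ('!' or '*' prefix).
    A missing entry returns False: the lock cannot be confirmed."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) > 1 and fields[0] == user:
            return fields[1].startswith(("!", "*"))
    return False


def audit(sudoers_text, shadow_text):
    """Collect findings: unrestricted sudo grants and an unlocked root password."""
    grants = parse_sudoers(sudoers_text)
    findings = []
    for u in unrestricted_grants(grants):
        if u != "root":  # root's own rule is moot once its password is locked
            findings.append(f"{u}: unrestricted superuser grant (ALL); scope to named commands")
    if not is_locked(shadow_text, "root"):
        findings.append("root: password is not locked; vault it and lock the account")
    return {"grants": grants, "findings": findings}


if __name__ == "__main__":
    result = audit(SAMPLE_SUDOERS, SAMPLE_SHADOW)
    for user, cmds in sorted(result["grants"].items()):
        print(f"{user:8s} {', '.join(cmds)}")
    for f in result["findings"]:
        print("FINDING:", f)
```

On the constructed input, carol and dave pass (their entitlements are named commands), alice and bob are flagged for holding `ALL`, and root is reported as locked because its shadow hash field starts with `!`. Run it against a real host by reading `/etc/sudoers` and the files under `/etc/sudoers.d` instead of the samples.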
Is insider threat our greatest threat? No. The data shows that malicious insiders and planned insider attacks make up 11%, on average, of all breaches. While insider threat is a problem we need to address, it is small in comparison to the documented external threat that is crippling our nation.
Unintentional insider threats (UIT) should no longer be counted as a threat vector. External threat actors attacking insiders (UIT-HACK) is an external threat. The other losses that happen, such as accidental disclosure (DISC), improper disposal (PHYS) and lost portable equipment (PORT), are not insider threats but mismanagement and a lack of proper procedures set up by management. It’s time to declassify UIT as a threat vector and start addressing the real problem.