
Insidious insiders: Psychology provides clues in handling invisible threats

Dominic Vogel considers the insider threat risk in organizations and suggests that cross-departmental collaboration could help shore up data loss prevention methods.

Enterprise information security teams tend to pay lip service when it comes to proactively dealing with insider threats. Daily news accounts of database hacking and mass malware attacks strike fear into companies, and consequently these often overhyped external threats garner far more attention and protection than malicious insider behaviour. Since it is difficult to gather cold hard facts about security breaches (due to the ambivalence across industries and countries as to what exactly constitutes a breach), opinions vary as to whether the majority of security breaches are caused by internal or external threats.

What we should agree on, though, is that the majority of security breaches involve internal employees to some degree, varying widely in intent and severity. At one end of the spectrum are inadvertent employee error (sending sensitive information to the wrong person or responding to a phishing scam), laptop theft, and contractors' unauthorized access to information; at the other end is the deliberately malicious disgruntled employee. What all of these have in common is that they can result in revenue loss and legal liabilities, and ultimately affect the financial bottom line. Various technical safeguards, security processes and procedures can be used to deal with such issues. On their own, however, they do not provide adequate defence against a disgruntled employee hell-bent on stealing sensitive company data.

One of the more extreme examples in recent memory is Private Bradley Manning, the U.S. Army soldier accused of sending U.S. national security information to WikiLeaks. Were there warning signs that could have prevented this from occurring, or at least led to earlier detection? In fact there were several psychological clues that hinted at something being wrong. Various news reports have stated that Manning was alternately violent and withdrawn, going through severe mood swings. Other officers described him as moody and unreliable. It was allegedly common to see Manning slam his fists or books down on his desk and then descend into a completely unresponsive state.

Such psychological displays (which would not necessarily become known to IT) are clear indicators of troubling behaviour and, as Manning's lawyer argues, should have led to his security clearance being revoked long before WikiLeaks received any material. The same situation could easily arise in a corporate setting: an employee may exhibit troubling behaviour that is invisible to IT, whether a conflict with managers or co-workers or a disagreement with the company over the ownership of intellectual property, and such signs need to be reported to the human resources department.

Data loss prevention (DLP) solutions can help identify atypical technical behaviours, such as a dramatic increase in the frequency or volume of data copying. On their own, however, they do not provide the complete picture, and DLP tools alone will not effectively prevent (or even detect) insiders leaking information. Viewed in the context of concerning psychological indicators, however, such a DLP alert becomes a meaningful signal of a potential insider problem. This requires IT to work across organizational boundaries with departments such as HR, so that concerning behaviours such as policy violations or signs of disgruntlement, which are normally invisible to IT, are brought into the picture.
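To make the "DLP signal plus HR context" idea concrete, here is an added example (not code from the original article, and not any vendor's DLP product) that baselines each user's daily volume of copies to removable media, flags a sudden spike, and raises the priority only when HR has an open concern about that user. The event format, the HR concern list, the user names and the thresholds (z-score of 3, or five times the user's own mean) are all constructed assumptions for illustration.

```python
"""Correlate DLP copy-volume spikes with HR-reported concerns.

Added example; not the article's or any product's code. The log layout,
users, HR flags and thresholds below are constructed assumptions.
"""
import statistics
from collections import defaultdict

# Constructed sample DLP events: (user, ISO date, bytes copied to removable media).
DLP_EVENTS = [
    ("alice", "2024-03-01", 20_000_000),
    ("alice", "2024-03-02", 25_000_000),
    ("alice", "2024-03-03", 18_000_000),
    ("alice", "2024-03-04", 22_000_000),
    ("alice", "2024-03-05", 900_000_000),   # sudden spike
    ("bob",   "2024-03-01", 5_000_000),
    ("bob",   "2024-03-02", 6_000_000),
    ("bob",   "2024-03-03", 4_500_000),
    ("bob",   "2024-03-04", 5_500_000),
    ("bob",   "2024-03-05", 6_200_000),     # normal day
    ("carol", "2024-03-01", 50_000_000),
    ("carol", "2024-03-02", 48_000_000),
    ("carol", "2024-03-03", 52_000_000),
    ("carol", "2024-03-04", 49_000_000),
    ("carol", "2024-03-05", 400_000_000),   # spike, but no HR concern on file
]

# Constructed HR input: users with an open concern (disgruntlement, policy
# violation, IP dispute). In practice this would be a restricted feed from HR.
HR_CONCERNS = {"alice": "IP ownership dispute with manager"}


def daily_totals(events):
    """Sum bytes per user per day: {user: {iso_date: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for user, day, nbytes in events:
        totals[user][day] += nbytes
    return totals


def copy_spike(history, today_bytes, min_days=3, z_threshold=3.0, ratio_threshold=5.0):
    """Return (is_spike, ratio_to_mean) for today's volume against the user's own history.

    A spike is declared when today's total is either z_threshold standard
    deviations above the user's mean or ratio_threshold times the mean.
    Too little history yields no verdict (a new user has no baseline yet).
    """
    if len(history) < min_days:
        return False, 0.0
    mean = statistics.fmean(history)
    stdev = statistics.pstdev(history)
    ratio = today_bytes / mean if mean else float("inf")
    if stdev:
        z = (today_bytes - mean) / stdev
    else:
        # Perfectly flat history: any increase is anomalous, no increase is not.
        z = float("inf") if today_bytes > mean else 0.0
    return (z >= z_threshold or ratio >= ratio_threshold), ratio


def score_insider_risk(events, hr_concerns, as_of):
    """Combine the DLP anomaly with HR context into a per-user priority level."""
    totals = daily_totals(events)
    results = {}
    for user in set(totals) | set(hr_concerns):
        per_day = totals.get(user, {})
        history = [b for d, b in per_day.items() if d < as_of]   # ISO dates sort as strings
        today = per_day.get(as_of, 0)
        spike, ratio = copy_spike(history, today)
        hr_flag = user in hr_concerns
        if spike and hr_flag:
            level = "high"      # technical anomaly AND a known behavioural concern
        elif spike or hr_flag:
            level = "medium"    # one signal alone: worth a look, not an alarm
        else:
            level = "low"
        results[user] = {
            "level": level,
            "copy_spike": spike,
            "ratio_to_mean": round(ratio, 1),
            "hr_concern": hr_concerns.get(user),
        }
    return results


if __name__ == "__main__":
    for user, verdict in sorted(score_insider_risk(DLP_EVENTS, HR_CONCERNS, "2024-03-05").items()):
        print(user, verdict)
```

The point of the scoring is the one the article makes: carol's eight-fold jump is a real DLP anomaly and should be triaged, but alice's spike, which coincides with an HR-documented dispute over intellectual property, is the case that warrants immediate attention. The HR feed is deliberately a separate input, since the behavioural context it carries is exactly what a DLP console cannot see on its own.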

About

Dominic Vogel is currently a security analyst for a financial institution in beautiful Vancouver, British Columbia.

8 comments
jayohem

I once worked with someone who kept trying to hack into the system he was monitoring and downloaded porn onto the government servers we used. Several of us dropped as broad a set of hints as we could. One has to be careful about accusations, as you know. One person showed an officer in charge the specific files this person had deposited on a UNIX server. Nothing. Excuses, beating around the bush, etc. Fast forward two years. The same hacker cum porno downloader and a co-worker had an after-hours romance. She got tired of it; he didn't. She claimed sexual harassment. He got fired. Other people complained that she should have been dismissed as well. I pointed out that he really got fired for the hacking and porno, but no one in charge knew how to handle that in an efficient manner. This could have been part of the problem with Private Manning. Even with his unpleasant behavior he might not have been doing anything they believed they could easily discipline. Taking away his clearance is logical, but in the case of the hacking and porno-downloading civilian mentioned above, no one took away his clearance either. As to the code-cracking criminals, their weapon of choice is actually more like a knife, which is a versatile and multi-purpose tool. You can slice bread, brownies, and birthday cake or you can.... Guns just shoot holes in people, places, and things. :-)

Doug Vitale

For sure, you can never eliminate the risk posed by insider threats in an information system. And I agree with you when you write, "The majority of security breaches involve internal employees to a certain degree". As long as people are vulnerable to the temptations of financial gain or revenge, there is always a risk that those who have system access will abuse their trusted roles for such motives. There are some ways that administrators can reduce the likelihood of insider threat incidents. They are:

1. Least privilege.
2. Separation of duties.
3. Rotation of duties.
4. Logging of server and Internet access (accounting and auditing).
5. User training on how to spot and report malicious insiders.
6. Tight authentication with non-repudiation (to ensure that malicious insiders cannot impersonate or "frame" innocent users).

HAL 9000

IT should never have been involved to begin with in that particular case. The number of rules that were flouted and allowed to be flouted is unbelievable to me, and I did work in a Secure Environment once upon a time. The problem here is that management was so poor that, if he actually did as he is accused of doing, the leak was inevitable. Little things like being able to take recordable media of any kind in and out again should have been prevented, and if nothing else was ever considered, that one basic action alone would have prevented the alleged leak. When I worked in the position that I had, we could take whatever we liked onto the base and do whatever the hell we liked, but we couldn't remove any writable media, no matter what it was, from the base under any circumstances, & I most definitely was not as lowly graded as Manning was. I could take typed reports off base, but only to official meetings, and even then I had a security detail to escort me to prevent any person from getting whatever it was I was carrying except those for whom it was intended. The fact that he not only had the ability to remove writable media from his workstation but was actively encouraged and never confronted on his behaviour is the most frightening thing, and it appals me. Not to mention that there was a writer in the computer to begin with. The fact that what he is alleged to have stolen was low grade is the only saving grace here, and that is no Saving Grace. Of course, if he didn't do what he is accused of, none of the above applies, and we need to think long and hard as to how those documents got where they did so easily. The reality of the situation here is that the damage should have been far worse, and really should have been. Everyone should be breathing a massive sigh of relief that it wasn't far worse than what was actually leaked. When you allow basic security to lapse in any form you have to expect leaks, and not act all surprised when they happen.
Here I would suggest that they saved a few $ by changing basic security and then wonder why nasty things happen when they do. It's inexcusable that those in power have been allowed to get away with their actions which led to this situation.

AnsuGisalas

So, now if an employee is at odds with their idiot boss, that's a valid excuse to give them the boot? That's what it seems you're saying, Dominic, in between the abuse of "lip service" and putting "ambivalence" (not being sure whether one likes or hates something) instead of "ambiguity" (uncertainty as to what something is). I must say, I don't like where you're going. Of course, behavior such as that supposedly exhibited by Manning should have led to, at the least, a psych eval.

jkameleon

Judging from circumstantial evidence, WikiLeaks is a so-called "limited hangout" operation. If this is indeed the case, Manning was professionally pressured and manipulated. That is the possible cause of the symptoms described above. Now... what to do if you suspect that there's some sort of secret op going on? Keep your mouth shut as a true patriot, or play by the rules, blow the whistle, and risk retaliation?

sissy sue

Agreed. But I don't think that Manning's behavior pointed to a psychological problem. Yikes! There have been times when I've thrown books or pens or whatever down on my desk out of frustration at work, but I would never think of sabotage or retaliation against my employers or clients. Nor would I expect to be considered a risk simply because I was a hot-head having a bad day. It's just not that easy to judge who is the security risk and who isn't.

AnsuGisalas

But maybe expectations are different on a military base?

ultimitloozer

I was known to have launched various tools across the room when having a bad day. And we even had one piece of equipment that, when it went down, you just kicked where you could see the scuff mark and the trunk would magically start working again, as per my instructions on my first day on the job.