6
Humans are the weakest link when it comes to the implementation of cybersecurity. An internal threat refers to the risk emerging inside a company, government agency, or institution and affects the computer system.
Internal threats can be caused by:
- Employee sabotage and theft of data and/or physical equipment
- Unauthorized access by employees to secure areas and administration functions
- Weak cybersecurity measures and unsafe practices
- Accidental loss or disclosure of data
- Damage to computer equipment from fire, flooding, power loss or terrorism
Insider Threat
A person inside an institution who can exploit a system in a way to cause damage or steal data. A former or current employee or contractor with access to sensitive information or privileged accounts may be manipulated into orchestrating the damage or threat to a company1.
Types of insider threats
According to a study conducted by Ponemon Institute, the highest number of insider threats are a result of mistake makers or careless insiders through phishing schemes.
1. Malicious insider/ turn cloak
A person who intentionally misuses legitimate credentials or privilege access to steal information for personal or financial gain. An advantage a turn cloak has over external attackers is that they are familiar with the security guidelines and procedures present in the institution. This can be an employee or contractor or student.
2. Careless insider/ pawn/ mistake maker
An employee who makes an honest mistake that exposes the system to outside threat. This mostly results from phishing emails, leaving a device unlocked or writing down credentials on a sticking note.
3. A mole/ imposter
An outsider who has illegally managed to gain access to an institution’s or company’s network. In most cases, a mole steals credentials belonging to an authorized user.
Common Causes of Insider Threats
- An employee acts on the opportunity to use data for personal gain or steals and sells the data
- Disgruntled employees steal and leak data online to get back at their former employer for a perceived justice
- Negligence or lack of awareness from an employee. This is the most common cause of insider threats
Indicators of a Malicious Insider Threat
Digital Warning Signs
- Downloading or accessing substantial amounts of data
- Accessing sensitive data not associated with their job function
- Accessing data that is outside of their unique behavioural profile
- Multiple requests for access to resources not associated with their job function
- Using unauthorized storage devices (e.g. USB drives or floppy disks)
- Network searches for sensitive data
- Data hoarding, copying files from sensitive folders
- Emailing sensitive data outside the school
Behavioural Warning Signs
- Attempts to bypass security
- Frequently in the school during off-hours
- Displays disgruntled behaviour toward co-workers
- Violation of school guidelines
- Discussions of resigning or new opportunities
Fighting Internal Threats
Prevention is better than cure. The best way to prevent an internal threat incident from occurring is by a school or institution taking the approach to deter attacks causing loss, detect attacks, respond to incidents and return to a secure state.
The school can take the following measures:
- Conduct thorough background checks on employees before hiring them
- Use the principle of least privilege. New accounts in the organization should have the least access permissions needed to perform a task.
- Document guidelines indicating the security procedures all students and staff should follow
- Implement a security monitoring tool in the network to track data access and activities of all users and identify privileged users misusing their rights. An example is Microsoft Network Monitor
- Create an insider threat detection team that monitors behavioural activities of all users
- Educate and train students and staff on attack vectors such as phishing email and the dangers of breaching security guidelines
- Establish physical security in the school or institution. This could involve the implementation of biometrics in the server room or IT department
- Perform risk assessments by first identifying critical assets, possible vulnerabilities and threats that may affect them
Insider Threat Examples
- In 2018, a temporary IT worker in Chicago public schools was arrested and charged with stealing personal data of 70,000 staff, volunteers, students and others. The employee stole data containing names, employee ID numbers, phone numbers, addresses, birth dates, criminal histories, and records of individuals associated with the Department of Children and Family services because he was fired.https://www.cbsnews.com/chicago/news/cps-data-breach-fired-employee-kristi-sims-charged-stolen-database-personal-information-identity-theft/
- A high school teacher in Kobe accidentally leaked private information on the school’s website. The data contained students’ names, health conditions and records. The teacher was uploading a notice to address parents and guardians on an upcoming swimming class when the incident occurred.https://japantoday.com/category/national/teacher-accidentally-leaks-names-health-records-of-students-on-school-website
- In a period of two years, from 2012 to 2014, a computer contractor for Korea Credit Bureaus copied sensitive data (customer names, phone numbers, social security numbers, credit card numbers and expiration dates) on a USB stick and sold it to marketing firms. Over 20 million records were stolen and sold. https://www.bbc.com/news/technology-25808189
- Microsoft Corporation database leak discovered in 2019 by a research company. The leak was as a result of employee negligence and affected over 250 million customers. The database servers containing the records spanning from 2005 through December 2019, were insecure and anyone could access them through a web browser. https://www.forbes.com/sites/daveywinder/2020/01/22/microsoft-security-shocker-as-250-million-customer-records-exposed-online/?sh=1f121dd4d1b3
- Henry Park Primary School accidentally sent personal data of over 1900 pupils to 1200 parents through email in an attached Microsoft Excel file. The document contained students’ names and birth certificate numbers, parents’ names, phone numbers and email addresses. https://www.asiaone.com/singapore/details-more-1900-pupils-henry-park-primary-school-leaked