Corporate Security

and Kmart also being hit here in Australia. We’ve also seen another peculiar trend emerge from the backrooms of security research companies, where new vulnerabilities are marketed with a sexy name, well-designed websites and sensationalist commentary to make them newsworthy. If the security team is not focusing on these two areas, then they aren’t doing their job right, while all the other threats fall by the wayside.

But this approach is wrong. Managing security outcomes aligned with this kind of media sensationalism will only serve to protect one aspect of your castle, so you’ll have all your troops at the front gate, not realising your tunnels are unprotected and your streets are full of spies.

The Internal Malady

Security is a process and needs to be tackled in a methodical and sequential manner, where you start with a threat assessment, then conduct a full audit of your assets, classifying the assets against a labelling scheme that allows you to a) determine the impact of loss of confidentiality, integrity or availability, and hence b) the risk to the organisation of this impact being realised.

Your threat assessment will undoubtedly categorise a variety of threat actors, along with their attributes, such as the likelihood of them attacking you, as well as their means, motive and intent. One such group is the insider threat actor category, which can be further decomposed into the following subgroups:

• Current employee with standard system access rights
• Current employee with elevated system access rights
• Current subcontractor or partner with standard system access rights
• Current subcontractor or partner with elevated system access rights

When you then consider the three elements of means, motive and intent, you start to build a fairly comprehensive picture of what could happen if any of these threat actors were present in your business and had the associated rights to access information assets.

Who are these Insiders?

Reports of external actors recruiting members of staff to act against their own organisation are common, originating from foreign governments, competitors and organised criminal gangs, all with something to gain. In 2011, the results of a survey conducted by the U.S. Secret Service, the CERT Insider Threat Centre, CSO Magazine and Deloitte showed that the most common crimes perpetrated by malicious insiders were:

• Unauthorised access to or use of corporate information
• Unintentional exposure of private or sensitive data
• Viruses, worms, or other malicious code
• Theft of intellectual property (IP)

History has shown us that few insider threats are acts of impulsive opportunity. Mostly, the crime is premeditated and the motive has come from a change of circumstance – unless it’s part of a longer strategy by an external actor, where the employee is a ‘plant’ and has been untrustworthy from the beginning. The majority of actions an insider will take are keenly planned, and they will attempt to cover their tracks as they go. Furthermore, no matter what the external influence is, something will have affected the internal threat actor to make them act: mounting up a gambling debt, an extra-marital affair or being addicted to illicit drugs. Once an external threat actor has leverage over a member of your staff, then they can be coerced into attacking you.

The vulnerabilities that affect insiders are wide and varied. In some cases, it may simply be because they have become disillusioned with the company or the policy of your government. Edward Snowden, for example, has publicly stated that he no longer believed in the U.S. government or trusted the motives behind their national security programs. He felt that their actions and leaders needed to be held to account under public scrutiny, which led to the massively damaging leak of highly sensitive data. It could be that your rogue insider wants to exact revenge on his boss, or the whole organisation, believing they have been overlooked for promotion or discriminated against.

The other category of malicious insiders are those driven by personal or financial gain, who are looking for something that the organisation cannot or won’t give them, especially where they have a personal vulnerability, such as gambling debts or a drug habit. The point is, there is no typical profile for what an insider might look like or act like, which is the primary reason they are such a difficult threat to detect and a complicated one to deal with.

Innocent Mistakes

The one area of major concern that you can deal with relatively easily is that of innocent mistakes. If you have not trained staff on how they should behave and ensured they all know what they are doing, how they should act, and how they should interact with your systems, then there is little you can do if they do something wrong. A comprehensive security awareness program, with training, exercises, and regular communications campaigns, will ensure your security messages get heard. Review your induction program to make sure staff know what to do on the very first day of their employment, so that there can be no doubt of what is acceptable and what isn’t.

Chief IT Magazine | 19

ChiefIT.me Magazine - Sept/Oct 2016  
