It was revealed last week that the FBI had secretly arrested a former NSA contractor in August. The New York Times reported that an investigation is ongoing to determine whether the individual stole and/or disclosed highly classified code for an application the NSA uses to hack the networks of foreign governments. The situation seems eerily similar to the Edward Snowden leak, and has drawn renewed attention to insider threats and the risks posed by authorized users granted access to sensitive information in corporate networks.
Like Snowden, the contractor, Harold T. Martin III, worked for Booz Allen Hamilton. He was charged with theft of government property and unauthorized removal or retention of classified documents.
“Are we really that surprised?” asked Ajay Arora, CEO and co-founder of Vera. “What’s most alarming is that the NSA, which has arguably the best security measures in the world, has been breached and attacked not once, but twice now from inside its own walls.”
Mark Wilson, director of product development for STEALTHbits Technologies, stressed that insider threats are the most realistic and largest threat to corporate data. The reality—and challenge—is that no intrusion detection or perimeter security measure can adequately guard against them.
Wilson explained, “An internal bad actor with motivation and the correct credentials can and will infiltrate an organization’s ‘crown jewels’—its sensitive data. Why? Because it has monetary value,” adding, “More often than not, the insider attack is only realized long after the event as borne out by the fact this breach occurred two years ago.”
Arora said, “Age-old security techniques are no longer working. Companies are still getting breached from the inside. It’s no longer about building bigger walls to keep the bad guys from coming in. It’s about looking at the bigger picture—the company’s ‘crown jewels’ and protecting that data no matter where it travels, and making sure only privileged people have access to it.”
Not Just the NSA
While insider attacks and leaks of sensitive data from the NSA make for very salacious headlines, insider threats are in no way limited to the NSA or government agencies. Every company has some information and data of a sensitive nature that should not be shared or seen outside the company, and every company faces the risk that an employee with access to that data could expose it—either intentionally or inadvertently.
Michael Patterson, CEO of Plixer, says, “This type of incident has serious ramifications not only for the accused, but also for the other vendors and their employees that have always adhered to the legal and moral aspects of their jobs. The possibility of insider digital theft has never been greater and points to the need to focus on user behavior. No matter the motivation, if someone has signed the NDA for their jobs and then knowingly took or possessed unauthorized data, they should not be surprised at the serious penalties that will ensue.”
Morey Haber, VP of Technology for BeyondTrust, shared the unfortunate reality that when you trust someone to do the right thing, you might discover that the individual has completely different intentions. “Good people can intentionally do bad things even if they believe they are right. Edward Snowden believes he did the right thing, but in reality he violated his oath and committed espionage regardless of personal beliefs for the greater good. Those are plain facts by definition, and the insider threat really should include any trusted user that commits an action associated with a risk regardless of their intentions. They are insiders after all.”
Patterson suggested, “The NSA should have an audit system in place that keeps track of which users are accessing certain files. As an extra measure of security, the audit logs should be archived on multiple servers by incorporating UDP forwarders which make it difficult for inside or outside hackers to delete their tracks.”
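The following is an added example, not code from the article or from Plixer: a minimal sketch of the arrangement Patterson describes, where each file-access record is sent over UDP to several collectors and the archived copies are then compared so that a record deleted from one archive shows up as a gap. The collector names, host name, record fields and sample events are assumptions constructed for illustration.

```python
import re
import socket
from datetime import datetime, timezone

PRI = 13 * 8 + 6  # RFC 5424: facility 13 (log audit), severity 6 (informational)

def format_record(seq, user, action, path, host="fileserver01", ts=None):
    """Build one RFC 5424 syslog line for a file-access event."""
    ts = ts or datetime.now(timezone.utc).isoformat()
    return (f"<{PRI}>1 {ts} {host} fileaudit - - - "
            f"seq={seq} user={user} action={action} path={path}")

def forward(record, collectors):
    """Send the same record to every collector over UDP (fire and forget)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for addr in collectors:
            sock.sendto(record.encode("utf-8"), addr)

def seqs(lines):
    """Sequence numbers present in one collector's archive."""
    found = set()
    for line in lines:
        m = re.search(r" seq=(\d+) user=", line)
        if m:
            found.add(int(m.group(1)))
    return found

def reconcile(archives):
    """Map each collector to the seq numbers it lacks but another copy holds."""
    per = {name: seqs(lines) for name, lines in archives.items()}
    everything = set().union(*per.values())
    return {n: sorted(everything - have) for n, have in per.items()
            if everything - have}

# Constructed sample: record 2 was removed from collector-b's archive only.
TS = "2016-10-10T12:00:00+00:00"
RECORDS = [format_record(1, "alice", "read", "/srv/projects/plan.docx", ts=TS),
           format_record(2, "bob", "copy", "/srv/restricted/tool.tar", ts=TS),
           format_record(3, "bob", "read", "/srv/projects/plan.docx", ts=TS)]
ARCHIVES = {"collector-a": RECORDS, "collector-b": [RECORDS[0], RECORDS[2]]}

if __name__ == "__main__":
    print(reconcile(ARCHIVES))
```

Because UDP delivery is not guaranteed, a gap reported by `reconcile` is a lead to investigate rather than proof of tampering.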
A Better Approach
When it comes to security, there is often no difference between insider threats and external threats—at least not at the point of attack. Rather than viewing security as “inside” or “outside” of the network, or “us” versus “them”, a new approach is necessary to more effectively protect what matters most—the data.
Vera’s Arora agrees. “Traditional security approaches are flawed, and continue to fail us on what seems like a weekly basis. We must change our approach to cybersecurity by assuming your data will travel and protecting the data itself, use a security solution that works with the cloud, mobile, and web-based apps, to ensure the security measures work across the board.”