The FBI Cyber Division Releases Private Industry Notification on Insider Threats in Cybersecurity
May 22, 2019
On April 23, 2019, the Federal Bureau of Investigation's Cyber Division released a private industry notification titled “Cyber Insider Threat Actors Disrupt Networks and Steal Data, Inflicting Significant Losses to U.S. Businesses.” This report is intended to assist security professionals and system administrators in protecting their organization against cyber threats and cyber criminals, specifically internal security threats.
Each year, organizations focus on safeguarding their business from popular external cyber threats, including phishing emails, SQL injection attacks, or DNS hijacking, but few consider the threats that lie within their organization – insider threats in cybersecurity.
External Threats vs. Insider Threats to Security
As the names imply, external security threats originate from individuals or groups outside of an organization while internal security threats originate from those within an organization. Many individuals are aware of external security threats and the risk they pose to a business, but often insider threats to security can be just as damaging, if not more so.
Who May Be Considered An Insider Security Threat?
According to Cybersecurity Insiders and CA Technologies’ Insider Threat 2018 Report, 90 percent of organizations feel vulnerable to insider threats. These organizations reported the main enabling risk factors as too many users with excessive access privileges (37%), an increasing number of devices with access to sensitive data (36%), and the increasing complexity of information technology (35%).
It’s important to note that insider threats in cybersecurity can be from any employee of an organization. Technically proficient employees can use their system access to open back doors, steal information, and just altogether wreak havoc. However, there are some employees who may be a larger threat to an organization than others.
The FBI’s private industry notification stated that in most cases involving insider threats to security, the perpetrators held an Information Technology role, including system administrators, technical support, network engineers, and IT contractors. These perpetrators often have substantial access to systems and networks because of their role, and are mainly cited by the FBI as being former or disgruntled employees.
How Do Insider Threats Affect Security and Businesses?
Insider threats in cybersecurity can place an organization at extreme risk. The FBI report indicates that although most cyber insider threat actors are motivated by revenge, other attacks are conducted for the purpose of “profiting financially from stolen information, gaining a competitive edge at a new company, engaging in extortion, or committing fraud through unauthorized sales and purchases.” All of these attacks can cause immediate damage to a business, with these two key takeaways:
- The damage actors caused most often led to network and operation disruption, data deletion, theft of proprietary information, or the compromise of personally identifiable information of customers and employees.
- The average reported loss due to an insider threat was $3.5 million.
- Actors typically had a history of discipline for poor conduct or misusing company assets, and in most cases held an Information Technology role within the company.
The Common Methods Used by Insider Threat Actors
Insider threats can occur through human error or malicious intent – identifying abnormal behaviors and patterns of suspicious activity in your employees is important for managing internal cyber risk. The FBI reported a number of common methods for stealing data that an employee in any role can carry out:
- Stealing employee and customer data or exploiting their privileged access to profit from unauthorized sales.
- Contacting and bribing former coworkers to provide client lists, company data, or network access.
- Using existing or shared administrative credentials and knowledge of company networks and culture to steal data and disrupt operations. Some also used their inside knowledge to conceal their activities, with varying success.
Other methods are conducted by actors with more of an IT or technical background:
- Creating backdoors into company networks and using remote access software or tools to log into company networks.
- Installing malware and keyloggers on company computers and devices.
- Social engineering other employees, such as the Help Desk or other third-party contractors, to share or reset passwords.
Detection and Protection of Insider Threats
Your business is at risk when your data becomes vulnerable to insider threats. Commonly, the types of data that are vulnerable to insider threats are financials, customer and employee data, credentials and passwords, PII and PHI, intellectual property, and network and infrastructure controls.
Best practices for advanced detection and prevention of insider threats include creating policies and procedures that limit privileges and access to confidential data and implementing security tools such as Data Loss Prevention and encryption of data, Identity and Access Management, and endpoint and mobile security. Moreover, the FBI recommends maintaining an audit of administrative accounts and ensuring all company network, system, and database credentials are revoked when an employee leaves the company, as well as monitoring data uploads to all media, email, or cloud storage outside of the company network.
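One way to run the administrative account audit and the credential revocation check described above, as an added example that is not from the FBI notification or from Secuvant. The CSV layouts, column names, and sample rows are constructed assumptions standing in for an HR roster export and an account inventory export.

```python
import csv
import io
from datetime import date

# Constructed sample data: an HR roster export and an account inventory export.
HR_ROSTER = """employee_id,name,status,end_date
1001,Avery Cole,active,
1002,Jordan Reyes,terminated,2019-03-15
1003,Sam Patel,active,
"""

ACCOUNTS = """username,owner_id,is_admin,enabled,last_login
acole,1001,no,yes,2019-04-20
jreyes,1002,no,no,2019-03-14
jreyes-adm,1002,yes,yes,2019-04-02
spatel-adm,1003,yes,yes,2019-04-21
svc-backup,,yes,yes,2019-04-22
"""

def audit_accounts(hr_csv, accounts_csv):
    """Return (username, finding) pairs for accounts that need review."""
    roster = {r["employee_id"]: r for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        owner = roster.get(acct["owner_id"])
        enabled = acct["enabled"] == "yes"
        admin = acct["is_admin"] == "yes"
        if owner is None:
            # No accountable person on the roster: shared or orphaned credential.
            if enabled and admin:
                findings.append((acct["username"], "admin account with no owner in HR roster"))
            continue
        if owner["status"] == "terminated":
            if enabled:
                findings.append((acct["username"], "still enabled after owner left"))
            end = date.fromisoformat(owner["end_date"])
            if acct["last_login"] and date.fromisoformat(acct["last_login"]) > end:
                findings.append((acct["username"], "login after owner's end date"))
    return findings

if __name__ == "__main__":
    for user, finding in audit_accounts(HR_ROSTER, ACCOUNTS):
        print(f"{user}: {finding}")
```

Run on a schedule against fresh exports, the same reconciliation surfaces both unrevoked credentials and shared administrative accounts that no single employee is accountable for.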
Managing Insider Threats in Cybersecurity with an MSSP
Managing insider threats posed to security can be a hefty job, especially since many employees require access to many networks and systems to perform the functions of their job. This can make it difficult to detect and respond to internal security threats with the one-size-fits-all security software that many organizations rely on. This has led more and more companies to move towards managed security service providers for their cybersecurity.
As an MSSP, Secuvant understands how important your business’s assets are. We work with you to first understand your company, goals, and operations and then create a custom security plan made just for you. Not only do we assist with protecting your business from external threats, we also put into place systems that will monitor for internal attacks as well. For more information on managing insider threats, reach out to our security professionals and ask them about Secuvant’s Managed Detection and Response solution to monitor your networks and systems 24/7.