Identify Insider Threats to Public Sector Data
Learning Objectives
After completing this unit, you’ll be able to:
- Explain the concept of insider threat.
- Define insiders and insider threat categories.
- Identify ways insider threats can happen at your organization.
- Explain ways you can defend yourself from insider threat.
- Identify insider threat and security reporting recommendations.
What Is Insider Threat?
An insider is any individual who has, or has had, access to your organization’s facilities, systems, technology, customer data, or staff. Insiders can include public sector employees, former employees, contractors, subcontractors, and even customers. As more information is stored in the cloud, the staff who hold access to those cloud systems become a potential threat to your organization.
Cybersecurity measures are frequently focused on threats from outside an organization rather than on individuals inside it. However, insiders are the source of many security incidents across industries. Because they already hold legitimate access, they can steal sensitive data, attack your networks, and damage or destroy systems and services without first having to break in.
There are generally two categories of insider threat: accidental and intentional. Some behaviors that lead to unintentional threats include:
- Using unauthorized removable media
- Using personal email for work activities
- Falling for phishing emails
- Using unauthorized applications (apps) and software
- Failing to fully test changes to systems before pushing them to widespread use
On the flip side, intentional insiders use their access deliberately to cause malicious harm. For example, they may steal confidential information about public sector services for personal or financial gain, or damage systems or destroy data in retribution for a missed promotion, involuntary termination, or other grievance.
Challenges to Detecting Insider Threats
Malicious acts by insiders are seldom impulsive. Usually, stressful events accumulate over time and turn a trusted insider into a malicious one. If not identified and resolved in a healthy manner, these stressors could contribute to an individual’s intent to cause harm to your organization and its staff. That’s why it’s important to identify and resolve potential stressors early on. External factors can also be at play: an insider could be targeted by an outside organization and bribed, or could be extorted.
Insider threat actors can be difficult to detect and often go unnoticed. As someone who deals with public sector data in the cloud, you serve as the eyes and ears of the organization, and need to pay attention to indicators of insider risk.
What Are Risk Indicators?
There are two types of risk indicators: direct and indirect. Direct risk indicators include the following types of behavior.
- Occasional display of suspicious or disruptive behavior
- Attempts to gain access to information or data that’s outside the scope of an employee’s job responsibilities, including attempts to recruit or coerce others into giving information or doing something suspicious
- Bullying or sexual harassment of fellow employees
- Workplace violence incidents
- Serious violations of organization cloud policies
- Disregard of security procedures and protocols
- Financial changes including unexplained affluence or excessive debt
- Working or showing up for work under the influence
- Physical and logical access to facilities or proprietary information outside of normal work hours
Indirect risk indicators are behaviors that require additional analysis to reveal suspicious motives. They can include the following.
- Visible animosity toward a coworker
- Sudden decline in work performance
- Irresponsible use of social media
Defend Against Insider Threats
Measures to defend against insider threats include documenting expectations in security agreements, monitoring, cooperating with Human Resources (HR), implementing data protections, and reporting in a timely manner. Let’s take a closer look.
Security Agreements
To help protect against insider threats, public sector organizations should define explicit security agreements for any cloud services they use, especially regarding access restrictions and monitoring capabilities. Public sector data hosted by a private sector cloud service provider (CSP) is under the care of a third party, and malicious insiders who work for the CSP might be able to access data stored in the cloud for multiple public sector organizations.
One tool to consider in strengthening the security of cloud systems containing public sector data is to put in place terms and conditions that document trust relationships between the organizations owning, operating, or maintaining the information systems. For example, the Federal Risk and Authorization Management Program (FedRAMP) moderate baseline recommends this control. These agreements can help document expectations around access to the information system and around how information is processed, stored, or transmitted. Whether this step is necessary depends on the compliance regimes that apply to the organization and on the sharing and trust agreements already in place between the organizations.
Security Assessments
Another tool for defending against insider threat and bolstering the security of cloud systems containing public sector data is to develop a security assessment plan. For example, the FedRAMP moderate baseline recommends that agencies assess security controls on both an initial and ongoing basis, continuously monitor their IT systems, and ensure compliance with vulnerability mitigation procedures, among other security practices.
Monitoring
Whether you work at a public sector organization, a CSP, or a third-party vendor, if you process and store public sector data in the cloud, you have a responsibility to monitor that data. Security monitoring in the cloud includes capturing, reviewing, and correlating audit log data. Also consider logging and reviewing all activities performed by users within cloud environments. Check for events such as abnormal login times or attempts to access unauthorized resources.
Organizations dealing with public sector data can consider using user and entity behavior analytics (UEBA) solutions, which use algorithms and machine learning to detect anomalies in the behavior not only of the users in a corporate network but also of the routers, servers, and endpoints in that network. UEBA can help you recognize peculiar or suspicious behavior, such as deviations from normal everyday patterns or usage. For example, if a network user regularly downloads about 20 megabytes of files every day but suddenly downloads 40 gigabytes, the UEBA system flags this as an anomaly and alerts an information technology (IT) admin, or, where automated response is in place, disconnects that user from the network.
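The two monitoring checks described above (abnormal login times and attempts to reach unauthorized resources in the audit log, plus the UEBA-style volume baseline) can be expressed as a small detection script. The following is an added example, not code from this module or from any UEBA product; the pipe-delimited log format, the sample log lines, the per-user entitlements, the daily byte baselines, the working-hours window, and the alert thresholds are all constructed assumptions. A real UEBA tool learns baselines statistically rather than using a fixed multiplier, and this script only raises alerts; any automated response (such as disconnecting the user) would be a separate step.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (assumed pipe-delimited format, not a real product's):
# timestamp|user|action|resource|result|bytes
SAMPLE_LOG = """\
2024-03-04T09:12:00|alice|login|console|success|0
2024-03-04T09:15:00|alice|download|hr-records|success|20000000
2024-03-04T02:47:00|bob|login|console|success|0
2024-03-04T02:50:00|bob|read|finance-ledger|denied|0
2024-03-04T02:51:00|bob|read|finance-ledger|denied|0
2024-03-04T02:52:00|bob|read|finance-ledger|denied|0
2024-03-04T10:05:00|carol|login|console|success|0
2024-03-04T10:30:00|carol|download|case-files|success|40000000000
"""

# Assumed entitlements: which resources each user's role may touch.
ALLOWED_RESOURCES = {
    "alice": {"console", "hr-records"},
    "bob": {"console", "permits"},
    "carol": {"console", "case-files"},
}

# Assumed per-user baseline of bytes downloaded per day (would be learned from history).
BASELINE_BYTES_PER_DAY = {"alice": 20_000_000, "bob": 5_000_000, "carol": 20_000_000}

WORK_START_HOUR, WORK_END_HOUR = 7, 19   # assumed normal working window (local time)
UNAUTHORIZED_ATTEMPT_THRESHOLD = 3       # repeated out-of-scope attempts before alerting
VOLUME_FACTOR = 10                       # alert when daily volume is >= 10x the baseline


def parse_log(text):
    """Parse the pipe-delimited log into event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        fields = line.strip().split("|")
        if len(fields) != 6:
            continue  # malformed line; a production pipeline would count these too
        ts, user, action, resource, result, nbytes = fields
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "resource": resource,
            "result": result,
            "bytes": int(nbytes),
        })
    return events


def off_hours_logins(events):
    """Flag successful logins that fall outside the assumed working window."""
    return [
        {"rule": "off_hours_login", "user": e["user"], "detail": e["ts"].isoformat()}
        for e in events
        if e["action"] == "login" and e["result"] == "success"
        and not (WORK_START_HOUR <= e["ts"].hour < WORK_END_HOUR)
    ]


def unauthorized_access_attempts(events):
    """Flag users who repeatedly touch resources outside their entitlements."""
    attempts = defaultdict(int)
    for e in events:
        if e["resource"] not in ALLOWED_RESOURCES.get(e["user"], set()):
            attempts[(e["user"], e["resource"])] += 1
    return [
        {"rule": "unauthorized_access", "user": user,
         "detail": f"{n} attempts on {resource}"}
        for (user, resource), n in sorted(attempts.items())
        if n >= UNAUTHORIZED_ATTEMPT_THRESHOLD
    ]


def volume_anomalies(events):
    """Flag users whose daily download volume far exceeds their baseline (the 20 MB vs 40 GB case)."""
    per_user_day = defaultdict(int)
    for e in events:
        if e["action"] == "download" and e["result"] == "success":
            per_user_day[(e["user"], e["ts"].date())] += e["bytes"]
    alerts = []
    for (user, day), total in sorted(per_user_day.items()):
        baseline = BASELINE_BYTES_PER_DAY.get(user)
        if baseline is None:
            continue  # no baseline yet; needs more history before judging
        if total >= baseline * VOLUME_FACTOR:
            alerts.append({"rule": "volume_anomaly", "user": user,
                           "detail": f"{day}: {total} bytes vs baseline {baseline}"})
    return alerts


def run_detections(text):
    """Run all three checks over a log and return the combined alert list."""
    events = parse_log(text)
    return off_hours_logins(events) + unauthorized_access_attempts(events) + volume_anomalies(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(f"[{alert['rule']}] {alert['user']}: {alert['detail']}")
```

Run against the constructed log, the script raises three alerts: bob's 02:47 login, bob's three attempts on finance-ledger, and carol's 40 GB download against a 20 MB baseline. Alice's 20 MB download matches her baseline and is not flagged, which is the point of comparing against a per-user baseline rather than a single global threshold.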
Integrate with Human Resources
Another important measure is integrating insider threat defenses with Human Resources (HR). HR professionals are well placed to identify patterns, behaviors, and trends that help mitigate potential harm to an organization and its employees. For example, HR can identify red flags during the interview process and can create mechanisms for employees and managers to provide two-way feedback and share concerns. HR can also advise on delivering notifications of termination respectfully and in a way that minimizes intrusiveness and embarrassment. Depending on an employee’s role, separation agreements may also be required to preserve confidentiality after employment ends.
HR also has insight into employee performance records and potential disciplinary actions, which helps correlate events back to specific behaviors. It’s critical that HR perform pre-hire background checks that are regularly refreshed after hire, obtain employee acknowledgement of policies and practices, and provide training on insider threats.
Data Protections
Additionally, it’s important that public sector organizations ensure that their data protection and monitoring requirements for CSPs are commensurate with the organization’s own requirements. It’s vital that protections include physical and technological requirements, and HR requirements for CSP employees.
Timely Reporting
As someone who works with public sector data, you can serve as the first line of defense against insider threats by reporting unusual activity to your organization’s security team. Your organization’s incident response team investigates unauthorized access to data and attempts to circumvent security configurations, and it depends on reports of suspicious activity and threat indicators to do so. Depending on your organization’s requirements, you may also need to report unusual activity to your human resources team or to outside groups such as law enforcement.
If something at work doesn’t feel right, such as an unusual access request or information request, don’t hesitate to contact your organization’s incident response or security team right away. Keep in mind that the longer an attacker is on your network, the deeper they can go, the more backdoors they can open, and the more data they may be able to extract. Any public sector data exposed outside the cloud environment’s authorized boundary constitutes a security incident and should be reported immediately. This applies not only to customer data but also to any information that can affect the confidentiality, integrity, or availability (CIA) of the cloud environment.
Acting fast when you spot a potential security incident is critical, because it helps your incident response team track down the source and limit the damage. What’s more, if your organization has a security incident involving public sector data, you may be subject to external reporting requirements. For example, under the General Data Protection Regulation (GDPR), an organization must notify the relevant supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; details that aren’t yet available can be supplied in phases, but the initial notification clock still starts at awareness.
By reporting suspected incidents to your organization’s incident response team immediately, your organization is better able to meet its external reporting requirements. If your organization fails to meet these requirements, you can incur fines, damage customer and investor trust, and continue to repeat past mistakes.
Sum It Up
In this unit, you learned about insider threats and the concern they pose for protecting public sector data in the cloud. Now, let’s turn our attention to an important security control to consider when managing and protecting public sector data in the cloud: access control.
Resources
- External Site: Cybersecurity and Infrastructure Security Agency (CISA): Detecting and Identifying Insider Threats
- PDF: Software Engineering Institute (SEI): An Insider Threat Indicator Ontology
- PDF: Cybersecurity and Infrastructure Security Agency (CISA): Combating the Insider Threat
- External Site: The Washington Post: Government and critical industries aren’t ready for insider threats
- External Site: The Wall Street Journal: Capital One Breach Highlights Dangers of Insider Threats