WHAT IS AN INSIDER?
• A person…
• The organization trusts
• Given a badge or access device
• To whom the organization has provided a computer and/or network access
• Who develops the organization’s products and services
• Who is knowledgeable about the organization’s fundamentals
• Who is knowledgeable about the organization’s business strategy and goals
• With access to protected information
INSIDER THREAT DEFINITION
• Unintentional
• Intentional
• Collusive
• Third-Party
UNINTENTIONAL INSIDER THREATS
• Negligent:
• Exposing an organization to a threat by their carelessness. Insiders of this type are generally familiar with security and/or IT policies but choose to ignore them, creating risk to the organization
• Examples Include:
• “Piggybacking” through a secure entrance point
• Misplacing or losing portable storage devices containing sensitive information
• Ignoring messages to install new updates and security patches
UNINTENTIONAL INSIDER THREATS
• Accidental:
• When an employee makes a mistake causing an unintended risk to an organization. Organizations can successfully work to minimize accidents, but they will occur
• Examples include:
• Mistyping an email address and accidentally sending a sensitive business document to a competitor
• Unknowingly or inadvertently clicking on a hyperlink or opening an attachment that contains a virus within a phishing email
• Improperly disposing of sensitive documents
INTENTIONAL INSIDER THREATS
• Intentional or Unintentional
• This type of insider threat manifests when one or more insiders collaborate with an external threat actor to compromise an organization
• Frequently involves cybercriminals recruiting one or several insiders to enable fraud, intellectual property theft, espionage, or a combination of the three
• This type of insider threat is typically difficult to detect, since external actors are usually well versed in security practices and detection avoidance strategies
THIRD-PARTY INSIDER THREATS
• Associated with contractors or vendors who are not formal members of the organization, but have been granted some level of access to facilities, systems, networks, or people to complete their work
• Direct:
• Specific individuals act in a way that compromises the targeted organization
• Indirect:
• Flaws in systems that expose resources to unintentional or malicious threat actors
INSIDER THREAT EXPRESSIONS
• Violence
• Espionage
• Sabotage
• Theft
• Cyber
INSIDER THREAT EXPRESSIONS - VIOLENCE
• Criminal Espionage:
• Involves a U.S. citizen betraying U.S. government secrets to foreign nations
INSIDER THREAT EXPRESSIONS - SABOTAGE
• Deliberate actions aimed at harming an organization’s physical or virtual infrastructure
• Physical Sabotage:
• Noncompliance with maintenance procedures, contamination of clean spaces, physically damaging facilities, etc.
• Virtual Sabotage:
• Using technical means to disrupt business operations, deleting code, noncompliance with IT procedures, etc.
INSIDER THREAT EXPRESSIONS - THEFT
• Financial Crime:
• Unauthorized taking or illicit use of a person’s, business’, or organization’s money or property with the intent to benefit from it
• Examples include:
• Identity theft, money laundering, forgery, tax evasion, bribery, embezzlement, and fraud
• Intellectual Property:
• Theft or robbery of individuals or organizations of their ideas, inventions, or creative expressions
• Examples include:
• Trade secrets, proprietary products
• This applies even if the concepts or items being stolen originated from the thief!
INSIDER THREAT EXPRESSIONS - CYBER
• Includes all the previous expressions, using a variety of vectors related to technology, virtual reality, computers, devices, or the internet
• Unintentional Cyber Threats:
• Non-malicious exposure of an organization’s IT infrastructure, systems, and data
• Insider may not realize they are participating in disruption
• Examples include:
• Phishing emails, rogue software, malvertising, etc.
• Intentional Cyber Threats:
• Malicious actions performed by an insider intended to disrupt or cease an organization’s regular business operations
• Examples include:
• Changing data, inserting malware, etc.
INSIDER THREAT CASE STUDY - THE INSIDER
• Frustrated with financial problems and his inability to get promoted, the engineer sent notes to the Russian embassy and consulate soliciting funds in exchange for sensitive and proprietary software technology and other satellite information. Over the course of a year, he met several times with an undercover Federal Bureau of Investigation (FBI) agent who he thought was a Russian intelligence officer and collected $3,500 for the information he passed.
INSIDER THREAT CASE STUDY – HOW IT WAS DISRUPTED
• His actions violated the Arms Export Control Act and International Traffic in Arms Regulations and posed a threat to national security and potentially significant financial harm to his company.
• In cooperation with his company’s insider threat team, law enforcement intervened to prevent the compromise. This intervention led to the insider’s conviction for the attempted illegal sale of proprietary trade secrets to a foreign government’s intelligence service. He was sentenced to five years in prison.
KEY TAKEAWAYS
• The insider threat is similar for many organizations in terms of the nature of the threat
• The character and conduct of the threat will manifest in various ways
• Each insider threat has or had some level of trust relationship with their victim
• Organizations should tailor their approach to the insider threat
• Insider threats are both intentional and unintentional
• Not all intentional insider threats are malicious