The "Insiders" Threat

We make substantial investments against external opponents, but sometimes "forget" the option of internal threats created by people – employees and managers in business organizations and other bodies. Arik Brabbing, formerly the Head of the ISA's Cyber Division, in an exclusive opinion article on the internal threat that exists within every organization.


When dealing with cyber threats, most of the attention is devoted to threats posed by external elements – hostile (and sometimes friendly) countries, rival business organizations, terrorist organizations, hacker groups (that keep attempting to hack into organizations that do not possess suitable cybersecurity and information security systems for extortion purposes), and an extensive range of other potential attackers. All of these opponents make considerable efforts in an attempt to hack into business, political and state organizations and inflict damage by stealing information, presenting ransom demands, demanding protection money and by various other methods.

The Internal Conflict

We make substantial investments against external opponents, but sometimes "forget" the option of internal threats created by people – employees and managers in business organizations and other bodies. This "forgetfulness" is not always the result of the excessive workload of managers in companies and organizations or information security specialists and others charged with safeguarding the organizational assets. It stems from the fact that devoted employees and managers, who invest many hours of their work in the success of the company, organization, business or party; employees whose professional activity, integrity and reliability the management trusts, could find themselves in different situations – as outlined herein – which might make them "insiders". "Insiders" is the definition of an internal threat that could inflict damage which sometimes equals the potential of a state possessing a high technological capacity to hack into the computer systems of opponent states or organizations.

The focus is on employees and managers in organizations as well as on suppliers who provide consulting services in such fields as IT, technology, cyber, R&D, logistics, and sometimes even to dedicated systems linked to the organizational or business core of the company. This is a major conflict for corporate managers – the tension between the need to safeguard the company's assets and the need to maintain its public image and the perceived way in which it treats its employees and managers.

The most notable example, mainly owing to the massive damage actually inflicted, is the famous Edward Snowden, an employee of the world's most powerful intelligence agency – the US National Security Agency (NSA). Snowden had been employed as an IT and cyber specialist at the CIA, where he became a regular employee in 2007. After two years he completed his term at the Agency and started working as an external supplier of the NSA in the capacity of a computer system administrator. In 2009, in the course of his work, he collected highly sensitive information regarding the organization's capabilities and activities, which he submitted in 2013 to the editorial boards of two major newspapers in the USA and UK.

The damage Snowden inflicted on the NSA was strategic in terms of the unveiling of tools, methods of operation, capabilities and operations, which caused considerable embarrassment to the US government. The act of a single person inflicted damage on a scale that only a major technological world power could inflict on another country.

The reason, according to Snowden – ideological in this case – was the Agency's infringement and extreme violation of the privacy of hundreds of thousands of individuals around the world, but also the links it maintained with intelligence agencies of countries regarded as the opponents of the USA and the intelligence operations it conducted against friendly national leaders and countries. Finally, Snowden's own connections with Russian organizations could explain some of the motivations for his activity.

The need to monitor the activities of employees and managers, identify indicators of irregular behavior and install deterrence and monitoring resources in business, political and private organizations is frowned upon in the civilian market, and could have an adverse effect on the company's image to the point of making it difficult for it to recruit employees. On the other hand, as everyone understands, such activity is required and does take place in secret organizations or highly classified organizations in many countries around the world – even in Israel. In Israel, this category includes intelligence and security organizations, units and organs associated with the Intelligence Directorate, IAF, C4I Directorate and other elements of the IDF, organizations and companies dealing with the weapon systems and advanced capabilities of the State of Israel and other sensitive units and organizations.

As someone who had served with the Israel Security Agency (ISA – SHABAK) for many years, I was required – just like any other employee and manager – to pass in-depth personal vetting processes, regular polygraph tests and security classification renewal procedures according to the position and type of unit in which I served. Authorizations of access to classified intelligence material were constantly revised and updated, and strict compartmentalization was maintained between units and many other activities. IDF troopers and officers and employees of the Israel Police, security services and sensitive industries undergo processes that are similar to those I had passed.

The severity and magnitude of the potential external and internal threat are fully and profoundly understood. Leakage of information from or hacking into such organizations could inflict strategic damage on the state. Owing to the corporate culture of organizations engaged in the secrecy and activity of the organization, all those examinations and processes are regarded almost as an obvious necessity and accepted with understanding and with no need for the employees' consent. The elements in charge consider the rules and limits of the violation of privacy on the one hand, and the need to safeguard the organization's secrets on the other hand, and differentiate between the characteristics of the various examinations and frequency according to the positions and ranks of the individuals concerned.

In the senior positions I had served within the ISA, I was extensively involved in agent running and in managing counterintelligence operations and was responsible for the organizational cyber setup generally, and for providing cybersecurity to the critical infrastructures of the State of Israel in particular.

HumInt is the intelligence activity that deals with the recruitment of agents but also with the development of psychological profiles of terrorists and attackers and understanding their motivations and the process they undergo before they commit a terrorist attack. There is a connection between HumInt and internal cyber threats, which, quite naturally, are imposed by or through individuals. The fascinating connection between cyber and HumInt exists not just in the context of cybersecurity, as I intend to address in future articles.

The standard term for an internal threat within the organization, "Disgruntled Employee," is, in my view, not sufficiently accurate. It applies to employees and managers, but reflects only a part of the motivations that drive employees to inflict damage on the organization's activity, steal information, deceive the company, steal money or valuables, sell or divulge information to competing organizations, undermine business processes, damage the reputation and goodwill of the organization and so forth. Such employees are divided into several types, as outlined below.

Disgruntled Employees

A "disgruntled employee" can be anyone who feels he or she is underappreciated or not properly promoted professionally or administratively; an employee who feels bullied by his environment; an employee who conceives the organization as an entity that is inconsiderate to its employees and their needs; an employee who feels resentment and anger toward direct and indirect superiors over a long time, mainly because of their attitude toward him or her. An employee of this type is a convenient target for organizations or states in the context of state-sponsored espionage or business/industrial espionage.

As far as the issue of spying for a foreign country or organization is concerned, the ISA is responsible for handling and prevention, often in cooperation with MALMAB – the organ in charge of security within the defense establishment. MALMAB is responsible for all of the divisions of the Israel Ministry of Defense (IMOD), the defense industries and other classified and sensitive organs. These two organizations are involved in the prevention of information leaks, in the issuance of directives and in conducting training exercises intended to heighten the awareness of employees and managers.

In the civilian realm, the company itself is responsible for these tasks.

Any employee can inflict damage on the organization he/she works for, but in this context we refer to employees who have access to organizational databases or computer systems that constitute a part of the organizational core. The employee's access enables him or her to inflict substantial damage on the organization, as I have pointed out, owing to the availability of extensive authorizations enabling him/her to access significant systems and databases – whether the employee had obtained those authorizations legitimately or through theft. In addition to the authorizations, such an employee possesses sufficient knowledge to access core systems and databases using his/her technological knowledge or through the identities of other employees he/she may use.

Another characteristic of a "disgruntled" employee arises when the background is ideological, political or ethical: this is an employee who endeavors to damage the organization against the background of a radical ideology or out of personal opposition to the organization's activities for political reasons (for example, a political party or movement). Alternatively, the employee may conceive the organization's activity as unethical or immoral (for example, a company engaged in the development of devices that violate the privacy of the public, and so forth).

Distressed Employees

Another category of employees that constitute a potential risk to the organization consists of employees subjected to serious, prolonged economic pressures. This may apply to the employee personally or to members of his/her family (for example, the Eti Alon – Israel Trade Bank affair). These pressures might lead the employee to steal money or information and technological tools and trade in them so as to come up with the substantial amounts of money needed as a result of the distress situation. Employees of this type will often engage in "petty theft" involving small amounts of money, and would save the money over a long period of time until it has accumulated into a considerable amount.

Deceived/Manipulated Employees

Elements external to the organization might use employees as an excellent platform for gaining access into the organization and its databases, operation and control computers and technological areas that are sensitive regarding the organization's activity and business.

Although in many cases the employees involved are acutely aware of information security and the opponents' intentions to engage in business/industrial espionage and extensive collection of information regarding their activity and the activities of their businesses, they still fall into the trap, thereby providing access to elements that are undesirable to their organization.

In this case, we are dealing mainly with focused activity by opponents, vis-à-vis employees and managers in a competing organization. This focused activity targets one or more of the organization's employees, with the intention of establishing trust and connections in a manner that would eventually lead the employee, even without intending to do so, to provide technological access to his/her organization's computer systems.

This "confidence trick" tactic is an act of deception/manipulation – a common, well-established method of operation in the world of state-sponsored espionage but also in the realm of business/industrial espionage. For example, a connection may be established with an employee through social media or through various applications – from games to on-line services (taxi, messenger, shopping, advertising, etc.). From the moment the connection has been established and mutual trust has been developed vis-à-vis the employee, that connection may be utilized to convey to the employee, who remains unaware and suspects nothing, attack, collection and hacking tools, initially into the devices he/she possesses (first and foremost – his/her mobile phone). This process is intended to gain more extensive knowledge about the employee and his/her connections.

From this point, it will be relatively easy to access the organizational system within which the employee operates, especially by using the employee's private device to connect with some of the organizational systems, provided an authorization has been obtained (for example – authorization to access the employee's E-Mail account), or with organizational databases accessible through a mobile platform (e.g. a laptop computer) or a stationary platform (e.g. a home computer) used by the employee. Having accomplished that, the "cyber" path into the organizational systems will be relatively quick and easy.

In many workplaces, functionaries can manage certain control systems using smartphones – to control important operational systems in buildings, scientific instruments, and medical systems, smoke monitoring and temperature control systems, surveillance cameras and so forth. When the same device is used for the owner's personal activities and for operations on behalf of the organization or business, it provides a relatively easy option for exploiting the employee, who remains unaware, as a "bridge" into core operational systems, thereby gaining control over those systems and allowing those opponent or competing elements to run them.

Unaware Employees

Finally, there is the passive employee who does not know how to ask a question – the "unaware employee". The characteristics of this employee category are similar to those of the deceived/manipulated employee but in this case, the complexity is different. Many organizations suffer from a low level of awareness regarding such issues as information security, system security, preventive behavior, monitoring and alert tools and unprofessional management of access authorizations. Other problems include insufficient protection of computer systems against external devices employees often connect to their computers at work (for example, recharging cellular phones); insufficient implementation of the proper procedures for receiving material from external suppliers, such as failing to "clean" such material before it is allowed into the organizational systems. Materials of this type may include data from presentations, quotes and demo clips to portable storage devices, cameras and so forth.

When personal awareness of the need to comply with proper information security standards and to secure other computer systems is not one of the top priorities of the organization and its employees, and when corporate culture does not regard this sensitive field as a significant value for the organization and its employees, it will be easy for anyone to hack into and rummage through the organizational systems, steal assets and disrupt the activity of the business, organization or company.

Unaware employees will commit numerous, diversified "violations" and the organization they belong to will be a soft, easy target for random hackers and most definitely for business competitors.

Regulation & Procedures

As stated, the internal enemy is even more dangerous than enemies operating from the outside. Even when these facts are abundantly clear to the management, many cultural and ethical difficulties prevent the organizational leadership from taking action that would protect the organization against its own employees and managers. Standard, self-explanatory procedures applied in security organizations or organizations engaged in highly sensitive activities – with the emphasis on the state level – are totally unsuitable for private workplaces and businesses. Anyway – who would like to work at a workplace that regards the employee as a "threat" and takes various measures to protect itself against those "valued and devoted employees who constitute our most important asset," as many CEOs often declare?

So, what are the primary solution trends for the internal threat?

The first measure should be a management decision that defines cyber as a challenge for the organization and assigns the cybersecurity issue to the responsibility of the top management, followed by the appointment of a senior executive to take charge of the issue, along with the relevant functionaries.

The second measure should define the task of protecting the organizational assets as an element of the organization's corporate culture.

The third measure should consist of an extensive activity aimed at heightening awareness of the various threats among the employees and managers, including procedures, seminars, training exercises, inspections and evaluation of employees and managers for their activity in this field. There is nothing like surprise, unannounced drills to illustrate the severity of the threat to the managers and employees.

The fourth measure should consist of the establishment of an intra-organizational technological setup for monitoring irregular activity in systems defined by the management as critical to the organizational core. The actual monitoring should be accomplished through technological resources and the employees should be aware of it. The objective of the monitoring effort is to identify abnormal and irregular activity in the organization's critical systems and databases.

The fifth measure should consist of a stringent periodic inspection of the authorizations for accessing information systems, databases, and in certain organizations (not necessarily classified security organizations) – relevant installations and rooms.

The sixth measure should consist of a process of integrating information between the internal organizational systems dealing with personnel (employee evaluations, personal interviews and so forth), organizational resource management, security measures and controlled access to offices and rooms, communication with suppliers and so forth, for the purpose of spotting irregular phenomena and activities, while strictly following the individual privacy laws. Only by integrating databases will it be possible to identify the emergence of an internal threat in time.

The seventh measure should consist of the installation of visible surveillance measures (cameras) as a warning regarding the use of computers, printers and other devices whose activity is monitored.

The eighth measure should consist of informational activity, coordinated with the trade union or the representatives of the company's employees, regarding the dosage, characteristics and inclusion of employees in the organizational decision-making processes in the contexts of safeguarding the organizational assets.

Balance & Sensitivity

It is important to stress that every company, business, private or public organization has a duty to strictly safeguard its organizational systems, secrets and critical systems to accomplish its objectives – with the emphasis on reputation and financial profits.

A well-balanced and sensitive system is required in order to handle the internal threat potential, with the emphasis on the threat imposed by employees and managers, while strictly observing individual privacy and acting as early and as discreetly as possible whenever indicators have been spotted of an activity by an employee that calls for an inquiry or clarification vis-à-vis that employee.

We should always bear in mind the fact that an organization will change its ways, that in many cases it would enforce stricter supervision and operate in an excessive manner, if it encountered a situation where a cyber hack had been executed against it through one of its employees. This may be avoided.

***

Arik Brabbing has served in the ISA for 30 years. He is the former head of the ISA's Cyber Division.