By zvika fleishman
The term Insider Threat, as used in the world of information security, refers to the challenge of identifying information leaks from inside the organization, initiated by employees. The system of trust developed
between theemployer and the employee, at all management levels, sometimes provides a basis for complacency The inherent discomfort built into the working relations, along with privacy legislation, make it difficult for the organization to identify and monitor potential risks that stem from employee behavior. This article describes a scenario, based on a real-life case, which is relevant to various organizations in Israel and around the world.
This was how it all began: Dan's morning started out like every other morning. He arrived at his workplace with an R&D company regarded as one of the most desirable employers in the market. After two and a half years with the company, Dan could already picture himself being promoted to the position of head of a development team. He was a professional, young, and self-confident. Later that day, he contacted his superior and asked for a personal appointment. He prepared justifications to support his request for promotion, examples of important ideas that would advance the company's development, a few jokes, and lots of charm.
At 15:30, Dan entered his appointment with his superior, Rachel. The meeting – how shall we say it – did not really progress the way he had planned it. Rachel complained about his arrogance, his unwillingness to share information and teach the younger employees, his lame jokes, and general tactlessness. She did not really approve of his idea for promotion.
Dan left Rachel's office, enraged and furious. He returned to his desk, logged into Google, and started looking for senior development engineer positions through the leading personnel placement websites. Subsequently, Dan thought about the "dowry" he could bring with him to his new place of employment. Procedures he had written, scripts he had devised. He started copying files into his laptop computer and then to a portable storage device. Another check through the company's CRM system provided him with access to the client list, which he promptly exported into an Excel file. Just for backup, he printed more than 200 copies of that file. Over the next few days, Dan sent his resume 12 times, using his personal email account on Google, from his corporate laptop computer. He continued to back up company data and extract more and more information about the company's clients.
Serious Potential Damage
Dan's calendar started logging "locked" private meetings. He started going to interviews. One of the companies that approached him was a direct competitor of his current employer. The interviewer liked him. He was referred to the next stage of a professional interview with the manager and head of the development team. At this point, he made a real impression. They realized he was "on the ball," that he was knowledgeable about their product (as he came from a company that had a similar product), and that he was familiar with development and product management processes. During that meeting, Dan went to the whiteboard and outlined the development architecture of his present employer. He turned on his laptop computer and presented procedures from the development process. He passed that stage, too.
In the next stage, Dan was supposed to meet with a senior executive and then begin negotiating his pay and terms, but the rumor about the guy who arrived from the competitor spread among the management ranks. The CEO and VP Sales attended Dan's next meeting. Dan realized it was very important for him to make a real impression, as they also hinted to fantastic terms and benefits, including an orientation bonus and an executive car. He presented the client list, described the problems, addressed the reasons for the license renewal issues, and even disclosed specific data about the costs of customer retention along with the company's price list.
Dan was hired. He signed the generous contract and submitted his resignation to his superior, Rachel, who was not really moved. In the coming months, the company where Dan had worked until recently lost many clients, failed at tenders, lost license renewals, and dismissed dozens of employees.
This Could End Differently
The scenario outlined above is based on a true story. The real and only question is: how could it be prevented? How could it be detected in time?
Let us describe a somewhat different scenario, where the organization had assimilated a system for monitoring irregular behavior patterns that examines threats both external and internal.
In this case, as soon as Dan left Rachel's office enraged and furious following his unsuccessful interview, she reported the harsh conversation through the HR system and entered a summary of the meeting in Dan's personal file. The control system, connected to all of the organizational systems, received the update and identified Dan as a potential risk: an employee who had come in expecting promotion was rejected – a process that could constitute a risk.
On the following day, Dan started saving data on his laptop computer and portable storage device. The system identified this in time and raised his risk grading, not because of the actual operation – which Dan may have been authorized to perform – but because of the accumulation of negative points: a disappointing interview plus saving of data, as a sequence.
During the next stage, the system identified Dan's logging into job websites and his sending of his resume. At this point, his grading reached the action threshold. The system automatically changed the authorization policy regarding Dan's activity within the company's systems, and denied him access, along with the option to save and print data from those critical business/operational systems of the organization. Additionally, the system sent alerts to the company's security officer and to Dan's superiors.
Implementing an automatic risk containment policy will prevent attempts to access the CRM system or projects with which the employee is not associated personally.
Fear of Spies in the US Military
The scenario described as Insider Threat concerned elements within the US Pentagon. The scenario described a situation where a spy had managed to occupy a medium-level position within the US military – the type of position that links between service branches or setups, between operational units and organs. People in these positions have access to substantial amounts of information, intelligence or other. A spy in this position can extract unauthorized information and inflict intelligence and image damage to the USA. The realization was that a way must be found to monitor the individual user, which would trigger all the red flags in real time and prevent that user from extracting and using the information. The Raytheon Company rose to the challenge and developed a system, with the help of computer and cyber specialists and psychiatrists, designed to look for the unusual and dangerous through behavioral irregularities and web activity. The system was designated Forcepoint Insider Threat (FIT).
The FIT system searches for any user accessing information he or she is not authorized to access and analyzes the user's actual behavior. It compares the individual user, using machine learning algorithms, with his or her behavior along the time axis. Additionally, the user is compared with other users in the same position. Finally, the user is compared with the rest of the organization. This system had been assimilated by federal agencies, banks and financial companies, telecommunication companies, hospitals, insurance companies, and organizations possessing massive amounts of data.
Similar cases in Israel? Allow me to remind the reader of the case of Anat Kamm, who, while serving in the IDF as an assistant to the bureau chief of the general commanding IDF Central Command, stored 2,085 computer files, including confidential documents, and shortly after her discharge handed most of them over to journalist Uri Blau. After the affair became public, Kamm confessed and was convicted, in a plea bargain, of serious espionage and unauthorized disclosure of confidential information, and served a jail sentence. Additionally, a few months ago, a senior employee in the development department of a well-known cyber technology company attempted to sell the source code of his employer's system through the Dark Net for $50 million.
The most famous case in this category involves Edward Joseph Snowden, a former CIA employee working for the US National Security Agency (NSA), who leaked confidential information about the agency's surveillance programs. In June 2013, Snowden submitted to the Guardian and Washington Post highly classified material about top-secret surveillance programs, including the NSA's PRISM program and the joint NSA/GCHQ program MUSCULAR.
Forcepoint, Raytheon's subsidiary and cyber technology arm, has had its product assimilated by strategic and sensitive clients, in the financial and defense sectors.
The author is the Director of the Federal field at Forcepoint Israel