What Exactly Is an Insider Threat?
An insider threat is a security risk that originates within the targeted organization: a user with authorized access to company assets who uses that access, whether maliciously or unintentionally, to cause harm to the business. The actor need not be a current employee or officer of the organization; they could be a consultant, former employee, business partner, or board member.
Most organizations perceive insider threats as coming from hostile employees with malicious intent, but they fail to realize that not all insider threats are intentional. Employees who know nothing about cyber-safety ethics can pose an insider threat through ignorance or negligence.
Hostile insider – someone who maliciously and intentionally abuses legitimate credentials, typically to steal information for financial or personal gain. For example, an individual who holds a grudge against a former employer, or an opportunistic employee who sells secret information to a competitor.
Negligent insider – an innocent who unknowingly exposes the system to outside threats through mistakes such as leaving a device exposed or falling victim to a scam. For example, an employee who intends no harm may click on an insecure link, exposing the system to malware and phishing.
Spy – a mole from outside the organization who poses as an employee or partner; technically an outsider, but one who has managed to gain insider access to a privileged network.
How to detect an insider threat from employees' behavioural patterns?
Common virtual and physical behavioural signs of an insider threat:
- Downloading or accessing significant amounts of data
- Accessing sensitive data that is not relevant to their job function
- Requesting access to data that is not relevant to their job function
- Using unapproved storage devices
- Crawling the network and searching for sensitive data
- Tampering with data or copying files from sensitive folders
- Emailing sensitive data outside the organization
- Displaying aggrieved behaviour toward co-workers
- Violating multiple corporate policies
- Talking about resigning or new opportunities
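Several of the virtual signs above (bulk downloads, access outside the job function, external emailing of sensitive data, unapproved storage devices) can be checked mechanically against audit logs. The script below is an added example, not code from the original article or from CyberSmithSECURE: the event format, the role-to-folder mapping, the internal domain list and the download threshold are all constructed assumptions, and in practice the events would come from DLP, file-server and mail-gateway logs.

```python
"""Score user activity against the insider-threat indicators listed above.
Added example; log format, thresholds and role mapping are constructed."""
from collections import defaultdict

# Constructed audit events: (user, action, target path, bytes, destination domain)
SAMPLE_EVENTS = [
    ("alice", "download", "hr/payroll_2020.xlsx", 120_000_000, ""),
    ("alice", "download", "hr/benefits.csv", 90_000_000, ""),
    ("alice", "email", "hr/payroll_2020.xlsx", 0, "gmail.com"),
    ("bob", "read", "eng/design_doc.md", 4_000, ""),
    ("bob", "read", "finance/q3_forecast.xlsx", 2_000, ""),
    ("carol", "usb_write", "sales/customer_list.csv", 5_000_000, ""),
    ("dave", "read", "eng/service_spec.md", 3_000, ""),
]

# Assumed mapping of roles to the top-level data folders their job needs.
ROLE_SCOPE = {"hr": {"hr"}, "engineer": {"eng"}, "sales": {"sales"}}
USER_ROLE = {"alice": "hr", "bob": "engineer", "carol": "sales", "dave": "engineer"}
INTERNAL_DOMAINS = {"example.com"}       # assumed corporate mail domains
BULK_DOWNLOAD_BYTES = 100_000_000        # assumed per-user threshold for the window


def analyse(events, user_role=USER_ROLE, role_scope=ROLE_SCOPE,
            internal_domains=INTERNAL_DOMAINS, bulk_threshold=BULK_DOWNLOAD_BYTES):
    """Return {user: [indicator, ...]} for every user matching at least one sign."""
    downloaded = defaultdict(int)
    findings = defaultdict(list)
    for user, action, target, size, dest in events:
        folder = target.split("/", 1)[0]
        allowed = role_scope.get(user_role.get(user, ""), set())
        # Sign: accessing data not relevant to the job function
        if folder not in allowed:
            findings[user].append(f"out-of-role access: {target}")
        # Sign: downloading significant amounts of data (summed per user)
        if action == "download":
            downloaded[user] += size
        # Sign: emailing sensitive data outside the organization
        if action == "email" and dest and dest not in internal_domains:
            findings[user].append(f"sensitive data emailed externally: {target} -> {dest}")
        # Sign: using unapproved storage devices
        if action == "usb_write":
            findings[user].append(f"unapproved storage device: {target}")
    for user, total in downloaded.items():
        if total >= bulk_threshold:
            findings[user].append(f"bulk download: {total} bytes")
    return dict(findings)


if __name__ == "__main__":
    for user, signs in analyse(SAMPLE_EVENTS).items():
        print(user, "->", "; ".join(signs))
```

The point of summing downloads per user rather than alerting on single events is that the indicator in the list is volume over time; a single large file is routine, a pattern of them is not. Each finding is kept as a human-readable string so the output can be handed to a reviewer rather than acted on automatically.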
Insider threats during COVID-19
A significant number of insider threats can be attributed to the rise of COVID-19, as most organizations switched to a “Work From Home” (WFH) mode of functioning without adequate security preparation. This sudden and massive shift exposed loopholes in organizations' security systems. For instance, many employees were laid off by many organizations, which may have caused a great deal of anger in those employees; if the organization has not deleted their credentials, there is a high possibility that those employees still have access to sensitive information, which can then be breached.
In other cases, there is a high chance that current employees have clicked on links embedded with malware, spyware or ransomware, or on phishing links; non-IT employees in particular are likely to receive this type of email.
How to prevent insider threat attacks?
- Cyber security drills (training your employees), especially the non-IT employees
- Implementing a web application firewall (WAF) and DMARC policies (this includes preventing malware injection attempts by compromised insiders and also phishing attempts)
- Determining who has access to the data and who should have access to it
- Identifying the threat and taking action
- Enforcing strict policies (employees in the organization should be familiar with security procedures and should understand that they must not share privileged content created within the organization)
- Every organization, small or large, should carry out an information security audit and vulnerability assessment and penetration testing, which will help it identify privileged loopholes in the organization
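Two of the points above turn into one periodic access review: the COVID-19 section's concern that laid-off employees keep working credentials, and the prevention item "who has access to the data and who should have access". The script below is an added example, not code from the original article or from CyberSmithSECURE. The HR roster, the directory export and the role baseline are constructed stand-ins for an HR system export and an IAM or Active Directory group dump.

```python
"""Reconcile who has access against who should have it.
Added example; the roster, directory export and baseline are constructed."""

# Constructed HR roster: username -> (role, employment status)
HR_ROSTER = {
    "alice": ("hr", "active"),
    "bob": ("engineer", "active"),
    "carol": ("sales", "terminated"),   # left during the 2020 layoffs
    "dave": ("engineer", "active"),
}

# Constructed directory export: username -> (account enabled?, group memberships)
DIRECTORY = {
    "alice": (True, {"hr-payroll", "hr-benefits"}),
    "bob": (True, {"eng-repos", "finance-reports"}),   # finance access outside role
    "carol": (True, {"sales-crm"}),                    # still enabled after departure
    "dave": (True, {"eng-repos"}),
    "svc-backup": (True, {"eng-repos", "hr-payroll"}), # no HR owner on record
}

# Assumed baseline: the groups each role needs for its job function
ROLE_BASELINE = {
    "hr": {"hr-payroll", "hr-benefits"},
    "engineer": {"eng-repos"},
    "sales": {"sales-crm"},
}


def review_access(roster, directory, baseline):
    """Return (stale, excess, unowned):
    stale   - enabled accounts whose owner is no longer an active employee
    excess  - (user, extra groups) where membership exceeds the role baseline
    unowned - accounts with no corresponding roster entry at all
    """
    stale, excess, unowned = [], [], []
    for user, (enabled, groups) in directory.items():
        if user not in roster:
            unowned.append(user)
            continue
        role, status = roster[user]
        if status != "active" and enabled:
            stale.append(user)
            continue  # disable first; entitlements are moot once the account is off
        extra = groups - baseline.get(role, set())
        if extra:
            excess.append((user, sorted(extra)))
    return stale, excess, unowned


if __name__ == "__main__":
    stale, excess, unowned = review_access(HR_ROSTER, DIRECTORY, ROLE_BASELINE)
    print("stale accounts to disable:", stale)
    print("entitlements beyond role baseline:", excess)
    print("accounts with no owner on record:", unowned)
```

Running this against the constructed data flags carol's still-enabled account (the departed-employee case), bob's finance group (access the engineer baseline does not justify) and the service account nobody in HR owns. The same comparison run on a schedule, with the roster and directory pulled from their real sources, is the practical form of "determine who has access and who should".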
Top 5 breaches worldwide, according to media reports
Data exposed at Dr Lal PathLabs
According to media reports, Dr Lal PathLabs left private medical records of customers, including those who tested for COVID-19, on an unsecured cloud server for about a year until the country's largest diagnostic chain was notified. The total number of patient records is estimated in the millions, and some of the oldest records date back to early 2019. The publicly exposed S3 bucket contained over 9,000 files that included booking details, names, gender, addresses, phone numbers, email addresses, patient UIDs (unique identification numbers), digital signatures, limited payment details, doctor details and codes, and details and pictures of where, when, and what laboratory tests were taken.
Twitter Account Hijack
Twitter took the whole internet by storm when it was hit by one of the most brazen online attacks in history! The social media platform suffered a breach in which hackers took over the verified Twitter accounts of high-profile US personalities such as Barack Obama, Elon Musk, Joseph R. Biden Jr., Bill Gates, and many more. Out of 130 targeted accounts, the hackers were able to reset the passwords of 45. They posted fake tweets from these accounts, offering to send $2000 for every $1000 sent to an unknown Bitcoin address.
Marriott Data Breach
On March 31st, 2020, the hotel chain Marriott disclosed a security breach that affected the data of more than 5.2 million hotel guests who used the company's loyalty application. Hackers obtained the login credentials of two Marriott employee accounts that had access to customer information for the hotel chain's loyalty scheme, and used them to siphon off the data approximately a month before the breach was discovered.
Zoom Credentials Up for Sale!
Due to the COVID-19 pandemic, organizations across the globe adopted work-from-home policies. In this situation the Zoom video conferencing app became the most used application for virtual meetings, and it became popular among cybercriminals too.
Within a short span of time the application became vulnerable to various security threats and eventually fell victim to a data breach. In the first week of April 2020, the news of “500,000 stolen Zoom passwords available for sale in dark web crime forums” shook the application's users.
It was reported that more than half a million Zoom account login credentials were up for sale, and some were given away for free. In fact, some login credentials were sold for less than a US cent each. Along with account login credentials, victims' personal meeting URLs and host keys were available too. The leaked account details belonged to financial institutions, banks, colleges, and various other organizations.
Magellan Health (Ransomware Attack and Data Breach)
Magellan Health, one of the Fortune 500 companies, was struck by a ransomware attack and data breach in April 2020. The healthcare giant confirmed that about 365,000 patients were affected in the sophisticated cyberattack. According to the investigation, the attack was launched with a fully planned process: hackers first installed malware to steal employee login credentials, then leveraged a phishing scheme to gain access to Magellan's systems, sending out a phishing email while impersonating a client, before deploying the ransomware.
– Selwin Murzello
Security Analyst- CyberSmithSECURE