According to CERT-US, a security incident is the act of violating an explicit or implied security policy, as defined in NIST Special Publication 800-61. Of course, this definition relies on the existence of a security policy that, while generally understood, varies among organisations.
These include but are not limited to:
Security incident response has become an important component of organisational security programs. Cybersecurity-related attacks have become not only more numerous and diverse but also more damaging and disruptive.
Preventive activities based on the results of risk assessments can lower the number of incidents, but not all incidents can be prevented.
And despite organisations being proactive and implementing security measures to protect their key assets, no one is immune to a security breach.
The typical first step in reacting to a breach is to determine what caused the breach in the first place. This is where an “investigator” steps into the picture. The investigator's purpose is to establish the cause so that the issue can be rectified. Once it has been addressed, organisations can implement an action plan to prevent it from happening again.
Investigators can also be used to look into “suspicious” circumstances, or where a deeper view of a situation is needed.
Now here is the challenge. In my many discussions with a number of the large enterprise organisations, I have often asked them whether they have an Insider Threat Program Manager in place. The usual response is:
“No, I don’t…. But I have an investigation team”
That’s great. It’s the first step, important and critical, but one that does not focus fully on mitigating potential Insider Threats within an organisation.
So what is the difference between having a security investigator as part of your team and having an Insider Threat Team?
Let’s define what an “Investigator” role is:
Investigators work at times under difficult and confidential circumstances; they must be able to work with, interact with, question and report to all levels of the organisation while maintaining integrity and following prescribed investigation methodologies that can withstand court challenge. The investigator's role is critical to the company when it faces a security breach or suspects a violation of laws or of its own policies and regulations.
Let’s define what an Insider Threat Program is:
components of an Insider Threat Program are necessary to prepare organisations for handling insider attacks in a consistent, timely, and quality
People working within an organisation can pose a substantial threat because of their knowledge of, and access to, the organisation's systems and information. They can easily bypass physical and electronic security measures through the legitimate access granted for their everyday work.
Now consider your technical IT administrator.
They have typically all the privileges to access any asset within your business.
Potentially, they also have the ability to hold your business to ransom.
They can destroy your business should they want to.
Consider the following scenario (based on a true story):
A network administrator who designed and built the network for a major US city was the only person who fully understood how the network ran, and also held ALL the administrative passwords for all the critical assets.
After being reprimanded for poor performance and for threatening co-workers, he was reassigned to a different role. However, he refused to provide the passwords to his replacement and was subsequently terminated and then arrested.
The city was unable to access those critical network assets for a full 12 days. Fortunately, during that time, the infrastructure continued operating normally.
It was also discovered that the administrator had installed rogue access points enabling him to log in remotely. In addition, he had programmed the network devices to fail if anyone attempted to reset them without the administrative passwords.
Do you have an IT manager or even an administrator who is potentially holding your business
These crimes are committed by technically sophisticated system administrators. Unfortunately, this is an all too common occurrence.
There are many behavioural “precursors” an individual can sometimes exhibit prior to carrying out malicious activities. Often, disgruntlement commences with the onset of concerning behaviours in the workplace.
Some examples include:
Behavioural changes are sometimes the result of unmet expectations, such as:
The Hidden problem(s)
Hidden problems, unknown and undetected by the organisation, present a set of serious and sometimes devastating risks, potentially compromising an organisation entirely.
1. Many of the insider offenders (IT administrators) were clearly heading down the path to termination through the escalation of a series of concerning behaviours and associated sanctions.
When these offenders leave, organisations mistakenly assume the problem has disappeared with their termination.
Unfortunately, the problems persist because the organisations had no visibility that the offenders had set up remote backdoor accounts, installed rogue software on the network, downloaded malicious code and tools, and installed remote network administration tools.
2. Organisations often try to sanction users for their disruptive behaviour and poor performance by demotion, changing their roles, removing
This only exacerbates the negative behaviour and makes the situation worse.
3. Excessive trust placed in employees, combined with inconsistent enforcement of organisation policies, has allowed IT administrators to subject the organisation to “ransom”-like behaviour.
4. Lack of insight by CEOs, who fail to fully comprehend the problem until it is too late, thereby placing their organisation at serious risk.
Insider sabotage of an organisation often leads to serious business loss and sometimes complete shutdown.
Consider an organisation of 100 people. Imagine if this business was shut down for five (5) business days. The loss of business revenue is calculated as follows:
The Edward Snowden 2013 National Security Agency Data Breach was arguably the most damaging breach to ever impact the U.S. Intelligence Community.
It is presumed that Edward Snowden copied 1.7 million intelligence files. According to the Pentagon's Defense Intelligence Agency, the theft of these documents could "gravely impact" U.S. national security and put "defense personnel in harm's way and jeopardise the success of current operations."
Based on the number of files that have been released, the breach exposes U.S. tactics and harms relations with allies. The bulk of the documents pertain to Pentagon operations against terrorists, cyber criminals, drug and weapons smugglers and American adversaries.