
By Boaz Fischer 01 Dec, 2016

Would you accept your next data breach? Of course not!

So, let me start with the following statement. Data security is about putting the appropriate security controls in place to achieve confidentiality, integrity and availability for your organisation's assets, in order to prevent a possible breach.

However, most organisations are confused about this philosophy. In practice, the principles of confidentiality, integrity and availability are not given balanced attention.

What do I mean by that? Most organisations spend huge amounts of money and resources on security technologies seeking high levels of “availability”, because that is what service level agreements are built on.

Funnily enough, organisations mistakenly treat “availability” as the main measure of good security practice, and that is a recipe for disaster.

Let’s take a look at the example of the Australian Bureau of Statistics (ABS), which suffered a so-called Denial of Service attack on its Census website back in August 2016. Thousands of Australians (including myself) were prevented from taking part in the census when the website was overloaded.

Attacking “availability” certainly put a dent in this Government-led initiative. It was highly embarrassing and may have placed future online projects, such as online voting, on hold for many years to come.

Importantly, the fallout from this Census fiasco has left the Australian public lacking confidence in Government-led initiatives.


October 2016: The Red Cross Data Breach

The personal data of 550,000 blood donors, including their names, gender, dates of birth and addresses, has been leaked from the Red Cross Blood Service.

This should NEVER have happened to an organisation like the Red Cross Blood Service, which is responsible for taking care of very sensitive and personally identifiable information; unfortunately, it did.

We all make mistakes, we’re human. However, leaving sensitive data on a publicly exposed web server is bad practice. It’s as bad, some may say as irresponsible, as it gets when it comes to security fumbles.

Where are the necessary controls and checks?

The ramifications of the spill of donor data range from identity theft to possible blackmail. Worse still, people could be dissuaded from donating blood if they fear their details won’t be kept safe.

A breach of “confidentiality” is serious. Lives are at stake, and many executives of similar organisations that hold very sensitive information just do NOT understand the ramifications.

What is alarmingly serious is that most organisations do not know where their key data is, let alone what it is and how sensitive it is. Another recipe for disaster.

Yes, digital collaboration is at the heart of every business process - files are created, stored and shared at a rapid pace. But it seems nearly impossible to keep track of who has and needs access to all of this information, and who doesn’t.


Organisations tend to think their data access is under control, but dig a little deeper and holes start to appear. Most organisations grant access readily, yet revoke it infrequently. So, don’t assume that only the human resources group can see the human resources data, or that an employee who left the company last month had all her permissions revoked. This is rarely the case.


The next case in point: Wells Fargo Bank, the second largest bank in the U.S., deceived over 1.5 million Americans over many years. Imagine paying fees on a ghost account you didn’t even sign up for. The phony accounts earned the bank unwarranted fees and allowed Wells Fargo to boost its sales figures and make more money in fees and commissions.

The way it worked was that employees moved funds from customers' existing accounts into newly created ones without their knowledge or consent.

The scope of the scandal is shocking. Over 5,300 Wells Fargo employees have been fired. The CEO stepped down. Wells Fargo was slapped with $185 million in fines. And there is plenty of reputation damage to deal with.


Let’s be clear, an attack on “integrity” is very difficult to spot. Hidden within the large volume of daily system changes are the few that can impact the organisation’s operations and viability. These include unexpected changes to a file’s credentials, privileges or hash value, and changes that cause a configuration’s values, ranges or properties to fall out of alignment with security policy.
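The only way to find the few changes that matter inside the daily noise is to record a known-good baseline and compare against it. The following is an added example, not code from the original post or from CommsNet Group: it fingerprints every file under a directory (content hash, permission bits, owner, size), diffs two snapshots, and separately checks sshd_config-style `Key value` lines against a policy of allowed values. The sample files, the tampering performed on them and the policy table are all constructed inside the script so it runs offline; the directive names PasswordAuthentication, PermitRootLogin and X11Forwarding are real OpenSSH options, but the policy values chosen for them here are assumptions for the illustration.

```python
"""Minimal file-integrity baseline and configuration-policy check.

Added example (not from the original post). The files written into the
temporary directory and the policy table are constructed for the demo.
"""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Optional, Set, Tuple

Fingerprint = Dict[str, object]
TRACKED_ATTRS = ("sha256", "mode", "uid", "size")


def fingerprint(path: str) -> Fingerprint:
    """Hash the content and record the metadata an attacker is likely to alter."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "size": st.st_size}


def baseline(root: str) -> Dict[str, Fingerprint]:
    """Snapshot every regular file under root, keyed by path relative to root."""
    snap: Dict[str, Fingerprint] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            snap[os.path.relpath(full, root)] = fingerprint(full)
    return snap


def diff_baseline(old: Dict[str, Fingerprint],
                  new: Dict[str, Fingerprint]) -> List[Tuple[str, str, object]]:
    """List (path, what_changed, (before, after)) for every drift from the baseline."""
    changes: List[Tuple[str, str, object]] = []
    for rel in sorted(set(old) | set(new)):
        if rel not in new:
            changes.append((rel, "removed", None))
        elif rel not in old:
            changes.append((rel, "added", None))
        else:
            for attr in TRACKED_ATTRS:
                if old[rel][attr] != new[rel][attr]:
                    changes.append((rel, attr, (old[rel][attr], new[rel][attr])))
    return changes


# Assumed policy: directive -> set of acceptable values.
POLICY: Dict[str, Set[str]] = {
    "PasswordAuthentication": {"no"},
    "PermitRootLogin": {"no", "prohibit-password"},
    "X11Forwarding": {"no"},
}


def check_policy(config_text: str,
                 policy: Dict[str, Set[str]]) -> List[Tuple[str, Optional[str]]]:
    """Return (directive, value) for each directive outside policy; value None if absent."""
    seen: Dict[str, str] = {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        seen[key] = value.strip()
    return [(key, seen.get(key)) for key in policy
            if seen.get(key) not in policy[key]]


def demo() -> List[Tuple[str, str, object]]:
    """Build a constructed tree, take a baseline, tamper with it, and report drift."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        conf = os.path.join(root, "etc", "app.conf")
        key = os.path.join(root, "etc", "secret.key")
        with open(conf, "w") as f:
            f.write("allow=admin\n")
        with open(key, "w") as f:
            f.write("constructed-sample-key\n")
        os.chmod(conf, 0o600)
        os.chmod(key, 0o600)
        before = baseline(root)

        # Tampering: same-length content edit (size unchanged, hash differs),
        # permission loosened on the key, and a new file dropped in.
        with open(conf, "w") as f:
            f.write("allow=guest\n")
        os.chmod(key, 0o644)
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "rogue"), "w") as f:
            f.write("#!/bin/sh\n")
        return diff_baseline(before, baseline(root))


if __name__ == "__main__":
    for path, what, detail in demo():
        print(f"{path:18s} {what:8s} {detail}")
    print(check_policy("PasswordAuthentication yes\nPermitRootLogin no\nX11Forwarding yes\n", POLICY))
```

The content edit in the demo keeps the file size identical, so a monitor that only watches size and timestamps would miss it; the hash catches it. The policy check treats a directive that is absent as a violation too, because a silently deleted hardening line is exactly the kind of change the paragraph above describes.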


Which brings me to my final point. A recent survey conducted by CEB revealed that

90% of employees violate policies designed to prevent data breaches.

When convenience and productivity are chosen over security, employees put sensitive data at risk. It’s no surprise that employees will often try to work around controls.


The Verizon 2015 Data Breach Incident Report stated that 90% of all incidents are people related, whether it’s goofing up, getting infected, behaving badly, or losing stuff.

People are the greatest risk to organisations.

Therefore, our focus in protecting our assets must address confidentiality, integrity and availability in equal measure. More importantly, it must address user risk.

This is not a technology problem but a people problem.



If you want to put appropriate plans in place to mitigate these internal threats, known as ‘Insider Threats’, you must approach it from a strategic point of view.

A tactical approach or a silver bullet solution, as we have seen in some of the examples above, only partially works and usually adds to the overall costs without really providing a return on investment or a long-term solution.

Therefore, the best approach is to develop and implement an Insider Threat Program.

The key components of an Insider Threat Program are necessary to prepare organisations for handling insider attacks in a consistent, timely, and quality manner.


If you want to address the confidentiality, integrity and availability of your assets, you must address Insider Threats in equal measure. An Insider Threat Program provides a robust, repeatable set of processes that an organisation can use to prevent or detect suspicious activity and to resolve malicious incidents.


Need Help To Implement an Insider Threat Program?

If you are looking to put appropriate Internal Security Controls in place to mitigate Insider Threats, and are not sure where to begin, CommsNet Group can certainly help you. This is what we do.

The CommsNet Group team has many years of experience delivering improved internal security plans, ranging from Insider Threat workshops, Insider Threat Assessments and Insider Threat Hunting to helping organisations build a comprehensive Insider Threat Program.


To learn more about CommsNet Group services, please click on the link below to contact the Insider Threat Team.

By Boaz Fischer 18 Aug, 2016

According to CERT-US, a security incident is the act of violating an explicit or implied security policy, as defined in NIST Special Publication 800-61. Of course, this definition relies on the existence of a security policy that, while generally understood, varies among organisations.

These include but are not limited to:

  • Attempts (either failed or successful) to gain unauthorised access to a system or its data
  • Unwanted disruption or denial of service
  • The unauthorised use of a system for the processing or storage of data
  • Changes to system hardware, firmware, or software characteristics without the owner's knowledge, instruction, or consent

Security incident response has become an important component of an organisation’s security program. Cybersecurity-related attacks have become not only more numerous and diverse but also more damaging and disruptive.

Preventive activities based on the results of risk assessments can lower the number of incidents, but not all incidents can be prevented.

And despite organisations being proactive and implementing security measures to ensure the protection of their key assets, no one is immune to a security breach.

Now what?

The typical first step in reacting to a breach is to determine what caused the breach in the first place. This is where an “investigator” steps into the picture. The purpose of the investigator is to establish the cause so that the issue can be rectified. Once it has been addressed, the organisation can implement an action plan to prevent it from happening again.

Investigators can also be used to look into “suspicious” circumstances, or when a deeper, more in-depth view of a situation is needed.

Now here is the challenge. In my many discussions with a number of large enterprise organisations, I have often asked whether they have an Insider Threat Program Manager in place. The usual response is:

“No, I don’t…. But I have an investigation team”

That’s great. It’s the first step, important and critical, but one that does not focus fully on mitigating potential Insider Threats within an organisation.


So what is the difference between having a security investigator as part of your team and having an Insider Threat Team?


Let’s define what an “Investigator” role is:

Investigators often work under difficult and confidential circumstances. They must be able to work with, interact with, question and report to all levels of the organisation while maintaining integrity and following prescribed investigation methodologies that can withstand court challenge. The investigator's role is critical when the company faces a security breach or suspects a violation of laws or of its own policies and regulations.


Let’s define what an Insider Threat Program is:

The key components of an Insider Threat Program are necessary to prepare organisations for handling insider attacks in a consistent, timely, and quality manner.

The CERT Insider Threat Centre has identified a set of key components necessary to produce a fully functioning insider threat program. The full set of components for a successful insider threat program is illustrated in the figure below:

By Boaz Fischer 11 Apr, 2016

People working within an organisation can pose a substantial threat due to their knowledge of, and access to, their organisation’s systems and information. They can easily bypass physical and electronic security measures through the legitimate means of their everyday work.

Now consider your technical IT administrator.

They typically have all the privileges needed to access any asset within your business.


Potentially, they also have the ability to hold your business to ransom.


They can:

  • disable your network
  • delete sensitive and valuable information
  • steal information
  • snoop into other users’ sensitive information without your notice
  • disrupt its operations.


They can destroy your business should they want to.


Consider the following scenario (based on a true story):


A network administrator who designed and created the network for a major US city was the only person who fully understood how the network ran, and also held ALL the administrative passwords for all the critical assets.


After being reprimanded for poor performance and for threatening co-workers, he was reassigned to a different role. However, he refused to provide the passwords to his replacement and was subsequently terminated and then arrested.


The city was unable to access those critical network assets for a full 12 days. Fortunately, during that time, the infrastructure continued operating normally.


It was also discovered that the administrator had installed rogue access points enabling him to log in remotely. In addition, he had programmed the network devices to fail if anyone attempted to reset them without the administrative passwords.



Do you have an IT manager, or even an administrator, who is potentially holding your business hostage?

These crimes are committed by technically sophisticated system administrators. Unfortunately, this is an all too common occurrence.


There are many behavioural “precursors” an individual can exhibit prior to carrying out malicious activities. Often, disgruntlement commences with the onset of concerning behaviours in the workplace.


Some examples include:

  • Conflict with co-workers
  • A sudden pattern of missing work / arriving late / leaving early
  • A sudden decline in job performance
  • Aggressive or violent behaviour
  • Sexual harassment
  • Poor hygiene


Behavioural changes are sometimes the result of unmet expectations, such as:

  • Did not receive a salary increase or bonus
  • Did not receive a promotion
  • Change in their access to information
  • Job dissatisfaction
  • Supervisor demands
  • Change in responsibilities
  • Change in co-worker relations
  • Work ethic
  • Personal financial changes



The Hidden problem(s)


Hidden problems, unknown to and undetected by the organisation, present a set of serious and sometimes devastating risks, potentially compromising an organisation entirely.


1.  Many of the insider offenders (IT administrators) were clearly heading down the path to termination through the escalation of a series of concerning behaviours and associated sanctions. When these offenders leave, organisations mistakenly assume the problem disappeared with their termination. Unfortunately, the problems persist because the organisations had no visibility that the offenders had set up remote backdoor accounts, installed rogue software on the network, downloaded malicious code and tools, and installed remote network administration tools.

2.  Organisations often try to sanction users for their disruptive behaviour and poor performance by demoting them, changing their roles or removing their responsibilities. This only exacerbates the negative behaviour and makes the situation worse.

3.  Excessive trust placed in employees, combined with inconsistent enforcement of organisation policies, allowed IT administrators to subject the organisation to “ransom”-like behaviour.

4.  Lack of insight by CEOs, who fail to fully comprehend the problem until it is too late, thereby placing their organisation at serious risk.


Insiders who sabotage their organisation often cause serious business loss and sometimes complete shutdown.


Consider an organisation of 100 people. Imagine this business was shut down for five (5) business working days. The loss of business revenue is calculated as follows: