3 Apr 2022

Insider Threats: The Cybersecurity Risk That Needs More Attention

Die-hard fans of the Marvel Cinematic Universe (MCU) will recall a statement made by the machiavellian character called Helmut Zemo in the movie Captain America Civil War, which goes “An empire toppled by its enemy can rise again, but one which crumbles from within stays dead forever“. This is after the character had successfully managed to cause a schism that split the Avengers team.

The same statement by Helmut Zemo applies to the cyber threats that organisations face in the form of insider threats. By definition, insiders can be internal staff, contractors and suppliers of services to your organisation which have intimate knowledge of your organisation’s internal systems and controls. Insider threats are thus cyber threats faced by an organisation that can be caused by insiders who have intimate internal knowledge of your organisation’s systems. The insiders have legitimate access, or where this legitimate access is not available, can have a know-how of how to circumvent internal controls in order to gain access to some system resources.

If a compromise is done using those insiders as vectors, the amount of damage that befalls your organisation is insurmountable. This is because, unlike external attackers who do not have access to the organisation, and have to follow a long step of doing a reconnaissance and intelligence gathering process on your organisation to gain a picture of what your infrastructure environment is like, an insider, having legitimate access already, does not need to go through a gruelling process. Moreover, detecting these insider threats is not easy, as legitimate access is simply that, legitimate. Some technical users will also be able to erase track of what they have maliciously done, thus destroying any evidence that may link to them.

The insider attacks are however both intentional and unintentional. Unintentional insider threats are usually caused by ignorance to corporate information security policy guidelines or non-existence of the same. Intentional insider threats are motivated by a hunger for attainment of some goal that is lacking, be it financial or for some other reason.

In August 2020, a 27 year old Russian national by the name Egor Igorevich Kriuchkov was arrested in the United States after a botched attempt to bribe a Tesla employee with half a million US dollars to install malware on Tesla’s computer systems, that would at first appear to be DDoS attacks only to mask a second intrusion that would be an alleged espionage and ransomware attack. This attack was only averted because the Tesla employee reported the issue, leading to the arrest of Egor Igorevich Kriuchkov.

Adopting this scenario as a case study to Zimbabwe, would an employee of your company refuse to take such a significant bribe? Looking at the remuneration structure that you currently have in your organisation (not to lobby of course), would you anticipate that your employees are content and gladly pass on the offer? Whilst the issue of remuneration is best suited to other platforms, this is simply meant to emphasize that the financial situation of an individual is a motivator to perform malicious actions that are detrimental to organisations.

Taking into cognisance that insider threats can either be intentional or unintentional, organisations need to ensure that they have appropriate control measures in place to ensure that all legitimate user access is confined to normal acceptable use and within the confines of one’s duties. Some of the measures, though not exhaustive include:

  • Implementing user access controls
  • Implementing separation of duties and responsibilities
  • Restricting removable media
  • Conducting regular cyber security awareness trainings

User Access Controls

User access controls authenticate users attempting to access systems, and employ selective restrictions and granting of privilege to system resources that the users need to be able to fulfil their job requirements. This needs to be centrally managed by the system administrators. This layered approach of employing both authentication and authorisation complements each layer in protecting your data. The resources being accessed may either be internal systems, or access to the internet.

User access controls also imply keeping tabs on employees employment status in your organisation, mandating managers and section heads to report any staff movements be it promotions, lateral transfers and dismissals. If an employee has resigned or has been dismissed, their company user credentials, access and privileges need to be terminated. Some of us have come across news in which an ex-employee of an organisation was able to gain access to a system and make unsanctioned changes.

Separation of duties and responsibilities

Separation of duties is also another crucial control that needs to be implemented. On a high level, when you are on a till in a supermarket and an entered item needs to be removed and reversed, a till operator either rings a buzzer (don’t know the real name) or a light which alerts a supervisor that the till point requires his or her attention. The supervisor is then able to scan their badge, enter their pin, and the item is reversed.

No single user should have eternal privileges, mainly to prevent misuse of company systems, fraud and conflicts of interest. Those who follow US politics will be familiar with the phrase “check and balances” that is used to point out that their system of governance is fool-proof enough to ensure that all actions are accountable and can be audited. Having a system of checks and balances in place clips the wings of influence of any single employee, and guards against internal control failures and the circumventing of internal policies. This oversight promotes the idea that no single person will have wholesale access to temper with the system.

Restricting removable media

Removable media storage should be ideally restricted. Business operations that require file transfers can be done electronically without the need for the removable media.

A simple google search of the word Stuxnet will produce a huge number of articles on the virus which was allegedly created by Israeli intelligence in association with the USA’s NSA targeting Iran’s nuclear program. The virus was designed to target a specific Iranian uranium enrichment plant, the Natanz nuclear facility, infecting PLCs which are computers designed to control industrial systems.

Introduced allegedly via USB, beating an air gap security mechanism which isolates a computer network from the internet, the malware would lie dormant and only become active when triggered by a particular effect. The malware affected the spin rate of centrifuges used in the uranium enrichment, damaging them. On the screens of the scientists, they would troubleshoot but not find any issues as all systems reported they were okay, a stealthy fixture which Stuxnet employed.

Conducting regular cyber security awareness training

Whilst employing strong and next-gen cyber security solutions is the buzz in the IT world today, organisations are often overlooking the most important factor, the employees who use those systems. In my view, those systems are only as strong as the weakest link, the end users. This is because humans by nature are susceptible to attacks, mostly those that employ social engineering attacks that influence them to perform an action.

Conducting regular cyber security awareness training for the end users not only make them more cyber security aware and less susceptible to falling for cyber-attacks such as social engineering, but will also be empowered to act as an organisation’s first line of defence, by being alert.

This post was initially made as a contribution to the Security Insights Magazine