Attacking Internal Attackers

Insider Threat is a book about real-life security breaches and how each character – insider threats – behind every story compromised sensitive information and exposed their respective organizations to losses and other risks.

A bank employee conspired with an outsider to commit fraud. A disgruntled employee deleted crucial files that had not been backed up. A “trusted employee” used the company credit line to steal lots of money. An employee sold trade secrets to the competition after getting fired. A security guard was caught on camera stealing from a client establishment he was supposed to be protecting. The list could go on and on.

The book defines an insider threat as a person who has special access or knowledge with the intent to cause harm or danger. For enterprises, an internal attacker is simply a security nightmare as it relates to loss of money, property, and customers.

In business, hiring the right person for the right job through personnel security investigation (PSI) is supposed to be a critical management function. Personnel background checks are so important because security equipment and the human barriers deployed inside company premises do little, if anything, to prevent the insider threat. For this reason, background investigation should not even be delegated to a person who is untrained or who has competing priorities. Unfortunately, there are enterprises, both large and small, which hire people based on gut feelings alone, in order to cut down on their recruitment costs, rather than through proper security vetting. Hope your company is not one of them.

Consequently, in many cases, they just accept information provided by the applicants at face value for the sake of expediency. This lapse in corporate judgment, of course, has the potential to end up in the hiring of either problem employees or dishonest employees, or both. Some companies would even realize rather too late that they hired an employee from hell. If the undesirable employee was assigned to a managerial post, then an enterprise gets a department, or perhaps the entire business, run by a boss from hell. Surely, negligent hiring will very likely come back to haunt an enterprise.

According to the authors, if a competitor or similar entity wants to cause damage to an organization, steal critical secrets, or put an enterprise out of business, they just have to find a job opening, prep someone to ace the interview, have that person get hired, and they are in. The fact that it is that easy should scare an enterprise.

Insider Threat is essentially a book about real-life security breaches and how each character – insider threats – behind every story compromised sensitive information and exposed their respective organizations to losses and other risks. More importantly, it shows how the internal attackers were eventually caught and made to pay for their crimes. Hence, it is packed full of case studies concerning security incidents that happened in both the public and private sectors, which include the banking and financial sector.

Everything in this book is written in a very simple and easy-to-understand manner, although it falls again under the domain of information technology. The authors are IT experts with intelligence backgrounds. The 10 chapters in the book actually expound on the premise that the weakest link in any security problem is the human factor, and insider threat is no different. Accordingly, no matter how well thought out a security plan is, no matter how much technology an enterprise utilizes, no matter how many resources it has, humans still will be one of the key areas of focus for the insider to do harm. From there, it provides analysis of each case study presented.

For an enterprise to brace for the challenges to come, lessons can be learned from those organizations and industries that were victimized by internal attackers – industries including banking and finance, manufacturing, service, media, military, and government institutions. At home or in the office, possible threats also include first responders, water, electricity, natural gas, telephone, and Internet service. Away from home or the office, threats include traffic control systems, mass transit, voting safety, and licensing organizations.

With regard to state and local government insiders, some case studies presented are enough to send a shiver down one’s spine. The book offers straightforward answers to controversial questions on whether electronic voting is safe and whether the lottery is susceptible to insider threats. It is an interesting read before casting one’s vote in the automated 2010 election and before the next purchase of lottery tickets.

While the book is more than 400 pages long, security experts may still find the book lacking the rigorous depth of typical physical security manuals. However, it remains a practical guide for anyone who wants to understand the real nature of internal attackers ranging from industrial spies to cyber-hit-men. The anecdotal information it provides is not readily available in just any nuts-and-bolts handbook on security.

Insider Threat: Protecting the Enterprise from Sabotage, Spying, and Theft, 1st Edition – published by Syngress Publication, Inc. on 15 March 2006.