An insider threat is harmful behaviour directed against an organisation by people who have legitimate access to its network, applications or databases. The insider may be a current or former employee, a partner, a contractor or a temporary worker; what matters is that the person has, or has had, access to the organisation's physical or digital assets. Although the term usually describes illegal or malicious behaviour, it also covers people who harm the business unintentionally.
Several industry surveys report that insider incidents are increasing. Such breaches occur either accidentally or intentionally.
Malicious insiders have an edge over external attackers: they know the business systems, processes, rules and procedures, and the people who use them. They often know which system versions are deployed and which weaknesses remain in them. Organisations must therefore treat insider risk with the same seriousness as external threats.
Types of Insider Attacks
Insider attacks fall into two broad types: malicious threats and careless threats.
Malicious Insider Threats
According to the FBI, sabotage of internal systems, espionage, intellectual property theft and fraud are among the most common objectives of malicious insiders. For financial, personal or malicious reasons they deliberately misuse their privileged access to steal information or damage systems. Examples are a disgruntled former contractor who plants crippling malware on the company network, or an employee who sells confidential documents to a rival.
Careless Insider Threats
Inadvertent security risks introduced by careless employees are termed careless threats. Common causes of the resulting data breaches are human error, poor judgement, unwitting assistance to an attacker, shortcuts taken for convenience, phishing and other social engineering, malware, and stolen credentials.
The Four Major Insider Attacks that Shook the World
Four insider attacks that had a major impact, each leaking confidential company data or customer data to third parties, are described below.
Capital One Insider Attack
Capital One suffered a large data breach in March 2019 that exposed roughly 106 million consumers' records, including financial data. Two factors combined to cause it.
The first was a misconfigured web application firewall; the second was the privileged access attached to that firewall. Security misconfiguration is one of the OWASP (Open Web Application Security Project) Top 10 categories, and a Threat Stack survey found at least one serious security misconfiguration in 73 per cent of the firms examined.
By exploiting the misconfigured firewall, the attacker reached the account data and credit card applications of over 100 million consumers. After fixing the configuration, the company stated that 'no credit card account details or log-in credentials' had been exposed.
In this well-known incident the attacker made no effort to conceal her identity: she discussed her Capital One technique with others in a Slack channel and boasted about it on social media and on GitHub, where she used her full name. Psychologists call this conduct 'leakage': an insider who intends harm exposes her plans in advance.
A security breach is a breach whether the misconfiguration results from human error or from a lapse in security awareness, and an unintentional insider incident damages a company's reputation as much as a malicious one does.
Cisco Data Breach
Business clients use Cisco's WebEx video conferencing platform for demos and meetings. In September 2018 a former Cisco engineer, whose access had not been revoked after he resigned, deleted hundreds of virtual machines, leaving clients' WebEx accounts inaccessible for up to two weeks.
The Cisco incident was a case of unauthorised access: the former employee deployed code from his own Google Cloud project that deleted 456 virtual machines. Whoever holds valid access to a resource holds full control of it and its data, so access should be granted case by case and revoked as soon as it is no longer needed. It appears that neither two-factor authentication nor other access management controls protected these sensitive resources.
After the incident, approximately 16,000 customers' WebEx Teams accounts were suspended for up to two weeks. No data was lost, but Cisco spent about $1.4 million on additional staff time and another $1 million compensating customers.
According to the 2020 Insider Threat Report, 63 per cent of companies consider privileged IT users the greatest insider security risk.
Target Corp Attack (Externally Motivated)
The 2013 breach of Target Corporation is perhaps the best-known insider-assisted attack of the past ten years. It compromised payment card data of around 40 million customers and personal information of up to 70 million. In 2017 the company reached an $18.5 million settlement with state attorneys general over the breach.
Malware planted on Target's point-of-sale systems caused the breach of its customer database. The attackers stole full names, phone numbers, email addresses and credit card numbers. The malware was downloaded automatically from a compromised server, and 40,000 of the retailer's 60,000 point-of-sale terminals were infected. According to an unnamed senior executive at one of the nation's largest credit card companies, who was not involved in handling the Target attack, the infected devices were instructed to retain and transmit the magnetic-stripe data captured during transactions at the point of sale (POS).
The attack itself was initiated from outside: the attackers obtained privileged credentials belonging to a Target subcontractor and used them to reach Target's internal network and, from there, the systems holding the customer data.
Twitter Social Engineering Attack
Twitter made headlines in July 2020 for an insider-enabled attack in which several high-profile accounts were hijacked to run a Bitcoin scam.
The hijacked accounts, including those of Barack Obama and Elon Musk, were used to post fraudulent Bitcoin offers. According to Twitter's own review, the attackers used social engineering, specifically phone spear-phishing, against a small number of employees who had access to internal account administration tools with special privileges.
Twitter users transferred approximately $180,000 in Bitcoin to fraudulent accounts. Coinbase exchange network thwarted another $280,000 in Bitcoin transactions.
Twitter's share price fell by four per cent after the event. The company postponed the launch of its new API in order to improve its security processes and train staff to recognise social engineering.
Methods to Avoid Insider Attacks
Perform a risk assessment for the whole organisation. Identify its critical assets, its weaknesses, and the threats that could harm it, making sure to include insider risks such as theft and fraud. Then rank the risks and keep improving the IT security infrastructure in order of importance.
Set up physical security in the workplace. A professional security team that consistently enforces the rules is one option. Keep people out of locations that hold important IT equipment (server rooms, rooms with switch racks), and check for IT devices at the entrance.
Consider mandating encryption of data before it is copied to removable media, and require two system administrators to authorise any deletion of essential data or change to configuration. Use role-based access control and group policies so that employees cannot reach information or services they do not need for their jobs.
Detecting and preventing an insider attack is harder than dealing with an external threat. Standard perimeter controls such as firewalls and intrusion detection systems look past the insider: no alarm goes off when someone logs in with a valid user ID and password, from an authorised device and a known IP address. Detection therefore has to rest on what the account does after login, not on whether the login itself was permitted.
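The practical consequence is that insider detection has to look at behaviour after a valid login. The following Python script is an added example, not part of the original article and not Cisco's, Target's or any vendor's tooling. It scans a constructed, simplified CloudTrail-style audit log (the JSON layout, user names, IP addresses and dates are all invented) for two of the patterns seen in the cases above: activity by an account whose holder has already been offboarded, and a burst of destructive actions by one principal. The offboarding roster and the burst threshold are assumptions; a real deployment would take them from HR data and from a baseline of normal administrative activity.

```python
"""Added example (not from the article): flag insider-style activity in a
constructed, CloudTrail-like audit log after the login itself looked valid."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Actions that destroy data or capacity; a burst of these deserves a look.
DESTRUCTIVE = {"DeleteInstance", "DeleteVolume", "DeleteSnapshot"}

# Constructed HR roster (assumption): principal -> date access should have ended.
ROSTER = {"dev07": datetime(2021, 2, 26)}


def _constructed_events():
    """Build sample log lines. All names, addresses and times are invented."""
    base = datetime(2021, 3, 1, 1, 0)
    events = []
    # Routine admin work: three deletions spread over an hour from the office.
    for i in range(3):
        events.append({"time": (base + timedelta(minutes=20 * i)).isoformat(),
                       "user": "ops01", "action": "DeleteInstance",
                       "src": "10.0.5.12"})
    # An offboarded principal lists the fleet, then deletes 25 instances
    # in four minutes from an address outside the corporate range.
    events.append({"time": base.isoformat(), "user": "dev07",
                   "action": "DescribeInstances", "src": "203.0.113.9"})
    for i in range(25):
        events.append({"time": (base + timedelta(seconds=10 * i + 30)).isoformat(),
                       "user": "dev07", "action": "DeleteInstance",
                       "src": "203.0.113.9"})
    return [json.dumps(e) for e in events]


SAMPLE_LINES = _constructed_events()


def parse_events(lines):
    """Parse one JSON event per line and return them in time order."""
    events = []
    for line in lines:
        event = json.loads(line)
        event["time"] = datetime.fromisoformat(event["time"])
        events.append(event)
    return sorted(events, key=lambda e: e["time"])


def offboarded_activity(events, roster):
    """Any action by a principal on or after its offboarding date is a finding.
    Working credentials do not make the session legitimate."""
    return [e for e in events
            if e["user"] in roster and e["time"] >= roster[e["user"]]]


def deletion_bursts(events, window=timedelta(minutes=10), threshold=10):
    """Count destructive actions per principal inside a sliding time window
    and report principals whose peak count reaches the threshold."""
    times_by_user = defaultdict(list)
    for e in events:
        if e["action"] in DESTRUCTIVE:
            times_by_user[e["user"]].append(e["time"])
    findings = {}
    for user, times in times_by_user.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings[user] = peak
    return findings


def report(lines=SAMPLE_LINES, roster=ROSTER):
    """Run both detectors and return a summary dict."""
    events = parse_events(lines)
    return {
        "offboarded": sorted({e["user"] for e in offboarded_activity(events, roster)}),
        "bursts": deletion_bursts(events),
    }


if __name__ == "__main__":
    print(json.dumps(report(), indent=2))
```

Run it directly to see the summary: the routine administrator never crosses the burst threshold, while the offboarded principal is flagged twice, once because the account should no longer exist and once for the rate of deletions. Both checks fire even though every event carries a valid identity and an accepted login, which is exactly the gap that firewalls and intrusion detection systems leave open.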