Wednesday 29 August 2012

Insider threat

A follow-up to my previous blog on the insider threat http://geraintw.blogspot.co.uk/2012/08/insider-threat.html, which gave the example of Jessica Harper, 50, a former Lloyds Bank worker who, while working as head of fraud and security for digital banking, carried out a fraud worth more than £2.4m, for which she has been convicted and is awaiting sentencing.

Today I came across the story http://www.theregister.co.uk/2012/08/29/toyota_disgruntled_contractor_hack/ of a former IT contractor for Toyota's US manufacturing who has been ordered not to leave the USA. After he was released from his contract, he logged back into Toyota's systems that same night and spent roughly six hours trashing the place. Toyota hasn't said what data it believes he may have stolen; it could include pricing, parts specifications, quality testing, or design information.

The insider threat is often thought about in terms of malicious actions, as in the two cases listed above; however, accidental actions can also lead to data leakage. In the UK an often-quoted case is the missing child benefit data from HM Revenue and Customs http://www.computerweekly.com/blogs/public-sector/2008/06/hmrc-loss-of-child-benefit-cds.html

A 2009 report commissioned by RSA shows that accidental security incidents caused by company insiders are more frequent, and could potentially have a greater impact on information security, than malicious insider attacks. There are many examples of both malicious and accidental data loss, leakage and alteration caused by insiders; many accidental losses are not reported unless there are unique circumstances surrounding the situation, as in the case of HMRC.

The white paper, Insider Risk Management: A Framework Approach to Internal Security, shows that the majority of senior management give higher priority to protection against malicious insider attacks than to investing to prevent the more frequent, and potentially more harmful, accidental insider security incidents.

Information security is about Confidentiality, Integrity and Availability, and all three sides of the CIA triad are involved in the insider problem. An information security professional needs to understand all the threat agents, vulnerabilities and exploits when conducting a risk assessment as part of implementing controls to reduce the insider threat, and must consider both the malicious and the accidental scenarios.



