Former US National Security Agency (NSA) contractor, Harold T. Martin III, faces trial this June on charges that he stole an astonishing 50 terabytes of data
The huge haul contained documents far more sensitive than anything Edward Snowden made public. It is believed that his illegal activities began in 1996 and continued up to his arrest in 2016.
Anyone can be an insider – even security professionals
The nature of this NSA breach should be an eye-opener for any organisation about the risk of the insider threat and the vital importance of real-time alerting to any suspicious activity and behaviour. Every employee – from regular key workers to specialist high-level cybersecurity contractors – can be an insider threat, but businesses that recognise this and are primed to proactively manage the risk can effectively safeguard their most important assets.
Many of today’s organisations are rightly making cybersecurity a top priority. Many have even enhanced their dedicated information security departments by hiring specialist experts to spearhead efforts. While this proactivity is to be celebrated, it’s imperative that all organisations still remember that even those who are entrusted to manage cybersecurity have the potential to be an insider threat and must be part of the big data security picture.
Understanding what behaviours to watch out for
We know that employees and trusted third-party contractors who turn into malicious insiders do so for a number of reasons, from personal and financial gain to even larger ideological reasons such as objections to a company’s principles. At the same time, however, using an unsanctioned device or cloud-sharing platform to collaborate with a business partner and move data from one place to another can accidentally expose data to outsiders. Research from the Ponemon Institute reports that two out of three insider threat incidents are caused by employee or contractor negligence; no one is immune to making mistakes.
By nature of their work, security professionals like Martin often require far-reaching and legitimate access to company systems. This statement from the NSA case prosecutors helps illustrate the reach this one veteran security specialist had within the intelligence services over a 20-year period: “Martin held security clearances up to top secret and sensitive compartmented information (SCI) at various times, and worked on a number of highly classified, specialised projects where he had access to government computer systems, programs and information, including classified information.”
Historically, this type of access has made them an attractive target for external hackers who can compromise insider credentials and effectively cause a breach from the inside. Today, however, anyone trusted with access to the network – regardless of their level within the organisation – can be a threat and everyone’s credentials should be monitored at all times for any suspicious or out-of-character behaviour.
Martin is also accused of copying penetration tools from the NSA’s elite computer hacking squad, signifying a failure of real-time alerting to any anomalous activity around highly sensitive information. Having a clear understanding of the many ways in which data can leave the operating network, and an alerting system in place that covers all endpoints and possibilities is fundamental to keeping data secure. Up until recently, technically skilled users like Martin took advantage of external storage devices, such as flash and hard drives, to exfiltrate data out of their endpoints believing they were too hard-to-track. That is, fortunately, no longer the case. Now, organisations can choose solutions that can even tell them when an unauthorised cloud storage or USB storage device has been accessed or when keyboard shortcuts like screengrabs or copy and paste take place or if a file name is changed for no apparent reason.
The importance of visibility
Having this level of granular insight also means that organisations can understand the full picture of who accessed what, when and even why — for example, did that employee send files to their personal email account in order to work on them over the weekend or did they rename files from “2019 financial statements” to “Timesheets” for less innocuous purposes?
Unfortunately, legacy security tools such as data loss prevention (DLP) are typically unable to provide this type of visibility into a person’s activity. This is because they are solely focused on data, not user behaviour, and dependent on burdensome data classification that can be difficult for organisations to manage. They are also unable to provide investigating security teams with insight into the intent or wider context behind an insider threat incident.
Ultimately, in today’s complex cyber threat landscape, every employee and contractor, from the mailroom to the boardroom, has the potential be an insider threat. Even those charged with maintaining the security of company systems can cause harm if they don’t employ security best practices or if they are intentional insiders, like Mr. Martin. It’s clear that to protect sensitive data and systems, organisations must adopt a security approach that is both user-focussed and data-centric.
The good news is that by proactively implementing the right data security policies, tools and gathering intelligence, organisations can not only swiftly detect and stop breaches in motion but also learn from them. By gaining valuable insight into what users were doing when a breach occurred, situations can be dealt with in an informed way and trusted insiders can be coached in better data security practices; becoming empowered to do their bit to prevent breaches in the future too!
Original article published in TechNative on 25 March 2019
Subscribe to the Proofpoint Blog