An NSA contractor stealing sensitive government documents is in the news again, and it has nothing to do with Edward Snowden, movies or pardon requests. But it does have everything to do with the ever-present threat of insiders and third-party contractors and how these concerns continue to get swept aside or given less importance than breaches caused by outside actors and nation-states.
You have probably heard about the arrest of Harold Thomas Martin, a Booz Allen Hamilton employee who is alleged to have stolen classified documents and possibly committed other cybercrimes. As the Military Times reported, this incident is yet another reminder that just because your employees have a security clearance, it doesn’t ensure classified information is safe.
Even if your company doesn’t require security clearances, this incident showed just how easy it is for insiders to breach your most sensitive data. As Morey Haber, VP of Technology at BeyondTrust, told me in an email comment:
While some security experts dismiss the realities of the insider threat to not include hackers, the truth is that when you trust someone to do the right thing, you may find out they actually have different intentions. Good people can intentionally do bad things even if they believe they are right. Edward Snowden believes he did the right thing but in reality, he violated his oath and committed espionage regardless of personal beliefs for the greater good. Those are plain facts by definition, and the insider threat really should include any trusted user that commits an action associated with a risk regardless of their intentions. They are insiders after all.
Also, Tony Gauda, CEO of ThinAir, told me this is a good reminder that you don’t need to be hacked to be breached:
For too long, the security industry has heralded authentication technologies as the silver bullet for combatting sophisticated cybercriminals, neglecting the fact that ‘fully-authenticated’ is not synonymous with ‘non-malicious.’ If even some of the world's most secure organizations are experiencing insider threats, it is a sign that these human attacks are some of the hardest to track and defend.
Gauda said that we need to invest in technologies capable of generating insights based on how those users are acting on the information. He recommended better authentication tools. Brian White, COO of RedOwl, agreed with the need for better user assessment tools, but he advocated the need for behavior analytics. In an email comment to me, White discussed printer use and how behavior analytics could track an insider’s printing to discover a potential threat. Behavior analytics, he said, would be able to detect an employee who suddenly went from a handful of printed documents per day to hundreds. Printing activity in particular is a security blind spot in most companies, White said:
Enterprises often don’t track who’s printing what or how frequently. While many track USB downloads, many enterprises can’t stop employees from printing and stuffing documents in a briefcase or their socks.
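White's example of an employee going from a handful of printed documents per day to hundreds can be written as a per-user baseline check over print logs. The following is an added example, not code from the article or from any vendor named in it; the log format, user names, thresholds and function names are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample data; the "date,user,documents_printed" format is an assumption.
SAMPLE_LOG = """\
2016-10-03,alice,4
2016-10-04,alice,6
2016-10-05,alice,5
2016-10-06,alice,3
2016-10-07,alice,5
2016-10-10,alice,240
2016-10-03,bob,40
2016-10-04,bob,55
2016-10-05,bob,48
2016-10-06,bob,52
2016-10-07,bob,45
2016-10-10,bob,60
2016-10-10,carol,300
"""

def parse(log_text):
    """Group rows per user as (date, count), sorted by ISO date."""
    per_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            date, user, count = line.strip().split(",")
            per_user[user].append((date, int(count)))
    for rows in per_user.values():
        rows.sort()
    return per_user

def flag_print_spikes(log_text, min_history=5, k=6.0, floor=20, cold_start_limit=100):
    """Return (date, user, count, reason) for days far above the user's own baseline."""
    alerts = []
    for user, rows in parse(log_text).items():
        for i, (date, count) in enumerate(rows):
            history = [c for _, c in rows[:i]]
            if len(history) < min_history:
                # No baseline yet (e.g. a new account): fall back to a fixed limit.
                if count > cold_start_limit:
                    alerts.append((date, user, count, "no_baseline"))
                continue
            med = statistics.median(history)
            # Median absolute deviation is robust: one past spike does not inflate it.
            mad = statistics.median([abs(c - med) for c in history])
            # The floor keeps low-volume users from alerting on small changes.
            if count > med + max(k * mad, floor):
                alerts.append((date, user, count, "spike"))
    return alerts
```

Comparing each user against their own history is what lets the heavy but steady printer (bob) pass while the sudden jump (alice) and the high-volume account with no history (carol) are surfaced for review.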
While not every hack or insider breach is going to result in threats to our national security, they can lead to the loss of proprietary secrets or sensitive employee and customer information. What are you doing to prevent insider breaches?
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba.