When information security professionals discuss social engineering techniques, the conversation tends to revolve around outsiders attempting to gain access to information or physical assets – this is a serious and ever-present threat that must be appropriately addressed. However, a significant majority of breaches are caused by insider threats. This social engineering technique is one of many used by people who hack systems from the inside.
All insider jobs involve a period of establishing trust. When an employee completes work and participates in projects, the relative level of skill and competence is a key aspect to the amount of trust extended to that person. It’s also an important piece of data used to determine the relative threat a specific individual presents to an organization. For example:
- Employee ABC: Is a programmer working on a development team with privileged access to multiple systems. ABC has consistently delivered high quality work, actively participated in complicated troubleshooting and is known for identifying highly effective ‘out of the box’ solutions.
- Employee 123: Is a programmer working on a development team with privileged access to multiple systems. 123 has consistently delivered substandard work, which has resulted in multiple discussions with management about improving job performance. 123 frequently asks others for help in completing basic daily tasks and is known around the company as being lazy and unfocused. 123 has somehow managed to perform well enough to remain employed.
Both employees have the same level of logical access and physical access. When evaluating the risk of programmers as insider threats, it would be assumed that Employee ABC could cause significantly more damage than Employee 123. From a purely technical perspective, ABC is the higher risk.
Employee 123 has established the reputation for being incompetent and lazy, which creates a perception of inability. While 123 has the logical access to do significant damage, it is assumed this individual lacks the technical skills to pursue any kind of advanced programming or clandestine activity.
By acting like an incompetent and lazy employee, 123 has established the trust necessary to act as a significant insider threat.
After the hacker has completed the tasks necessary to achieve the desired goal, the next step is to make a professional mistake or participate in an activity that results in leaving the company. This could be a technical error that sets back a project by several months, a loud and profanity-laced argument with a member of management or some other drama that further solidifies the commonly held opinion that this individual is an idiot.
Reduced Perception of Risk
After this person is let go, the usual termination procedures are followed, and access is removed in a timely manner. Given the perception of this individual as incompetent, it is human nature to assume nothing more needs to be examined or addressed because it is not possible for this person to successfully modify information systems and assets without getting caught. This assumption is what the hacker is counting on because a more in-depth and careful examination of the systems would reveal multiple highly sophisticated modifications, resulting in a steady breach (or potential future breach) of data and resources.
Insider Threat Protection
While employed: If an individual is skilled and savvy enough to get through all the degrees, certifications, skills tests and interviews required for the job, then their transformation into an incompetent idiot is worthy of attention from management. It’s possible the individual truly is lazy and difficult to work with. It’s also possible that the reputation is being actively established to cover their tracks. Either way, it’s worthy of investigation and monitoring. Some questions to consider:
- Does the employee work at odd hours?
- Does the employee attempt to access areas that are not necessary or appropriate for the job?
- Does the employee manage to get around a thorough review of work at any point in the process?
- Does the employee spend time ‘bothering’ people with higher, complementary or different privileged access rights?
- Does the employee spend a lot of time ‘playing with’ their phone?
- Does the employee regularly bring privately owned equipment (e.g. USB drives) to work?
While none of these activities, by themselves, is proof of malicious activity, they are worthy of note. An in-depth review of access, completed work and other activities may be warranted.
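Two of the questions above (odd hours and access to areas not needed for the job) can be checked against access logs rather than left to impression. The following is an added example, not part of the original article: it runs over a few constructed log lines, flags both indicators per user, and, in keeping with the point that no single indicator is proof, only escalates a user when more than one indicator category is present. The log format, system names, role map and business hours are all assumptions.

```python
"""Flag access-log events matching two insider-threat indicators:
work at odd hours, and access to systems outside the employee's role.
Added example; the log format, role map and hours are constructed."""
from collections import defaultdict
from datetime import datetime, time

# Constructed log lines: ISO timestamp, user, system, action.
SAMPLE_LOG = """\
2024-03-04T09:12:00 emp123 build-server login
2024-03-04T10:30:00 emp123 source-repo checkout
2024-03-04T23:47:00 emp123 hr-database query
2024-03-05T02:15:00 emp123 payroll-app login
2024-03-05T11:00:00 empABC source-repo commit
2024-03-05T11:05:00 empABC build-server deploy
2024-03-06T03:30:00 empABC build-server deploy
"""

# Assumed role map: the systems each role legitimately needs.
ROLE_SYSTEMS = {"developer": {"build-server", "source-repo"}}
USER_ROLES = {"emp123": "developer", "empABC": "developer"}

# Assumed business hours; anything outside, or on a weekend, is "odd".
BUSINESS_START = time(7, 0)
BUSINESS_END = time(20, 0)


def parse_line(line):
    ts, user, system, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "system": system, "action": action}


def is_odd_hours(ts):
    outside = not (BUSINESS_START <= ts.time() <= BUSINESS_END)
    return outside or ts.weekday() >= 5


def review_access(log_text):
    """Return {user: {"odd_hours": [lines], "out_of_role": [lines]}}.
    Users with no hits are not included."""
    findings = defaultdict(lambda: {"odd_hours": [], "out_of_role": []})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        allowed = ROLE_SYSTEMS.get(USER_ROLES.get(ev["user"], ""), set())
        if is_odd_hours(ev["ts"]):
            findings[ev["user"]]["odd_hours"].append(raw)
        if ev["system"] not in allowed:
            findings[ev["user"]]["out_of_role"].append(raw)
    return dict(findings)


def users_warranting_review(findings, min_indicators=2):
    """A single indicator proves nothing; escalate a user only when at
    least `min_indicators` distinct indicator categories have hits."""
    return sorted(user for user, hits in findings.items()
                  if sum(1 for v in hits.values() if v) >= min_indicators)


if __name__ == "__main__":
    result = review_access(SAMPLE_LOG)
    for user, hits in result.items():
        print(user, {k: len(v) for k, v in hits.items()})
    print("review:", users_warranting_review(result))
```

In the constructed sample, emp123 logs in late at night and touches two systems outside the developer role, so both categories fire and the user is listed for review; empABC has one off-hours deploy and nothing else, which alone does not meet the threshold. The output is a list of people whose access and completed work deserve the in-depth review the text describes, not a verdict.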
After termination: Performing thorough risk prevention and proper termination procedures across all systems and all employees is the best protection against this kind of threat. Never assume that a specific measure is unnecessary because the individual in question is perceived as being incompetent.
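Applying termination procedures "across all systems" is easiest to verify when it is reconciled mechanically. The following is an added example, not part of the original article: it walks a set of constructed per-system inventories and reports every account still enabled, every credential still owned, and every object (a scheduled job, a webhook) still attributed to the departed user. The inventory schema and system names are assumptions. The objects are surfaced for examination rather than removed, which is the careful review the text says an "incompetent" employee tends not to receive.

```python
"""Offboarding reconciliation: after a termination, check every system
inventory for access or artifacts still tied to the departed user.
Added example; the inventories and their schema are constructed."""

# Constructed inventories, one per system. Each lists accounts,
# credentials with an owner, and objects with a creator.
INVENTORIES = {
    "ldap": {
        "accounts": [{"user": "emp123", "enabled": False},
                     {"user": "empABC", "enabled": True}],
        "credentials": [],
        "objects": [],
    },
    "build-server": {
        "accounts": [{"user": "emp123", "enabled": True},
                     {"user": "empABC", "enabled": True}],
        "credentials": [{"owner": "emp123", "kind": "ssh-key", "id": "key-7"}],
        "objects": [{"created_by": "emp123", "kind": "cron",
                     "name": "nightly-sync"}],
    },
    "source-repo": {
        "accounts": [{"user": "empABC", "enabled": True}],
        "credentials": [{"owner": "emp123", "kind": "api-token", "id": "tok-42"}],
        "objects": [{"created_by": "empABC", "kind": "webhook",
                     "name": "ci-notify"}],
    },
}


def lingering_access(user, inventories):
    """Return {system: {"accounts": [...], "credentials": [...],
    "objects": [...]}} for everything still tied to `user`.
    Systems with nothing outstanding are omitted."""
    report = {}
    for system, inv in inventories.items():
        hits = {
            # Disabling the directory account is not enough if a local
            # account on another system is still enabled.
            "accounts": [a["user"] for a in inv["accounts"]
                         if a["user"] == user and a["enabled"]],
            # Keys and tokens keep working after the account is disabled
            # unless they are revoked on the system that honours them.
            "credentials": [c["id"] for c in inv["credentials"]
                            if c["owner"] == user],
            # Objects the user created run without the user; list them
            # so each one is reviewed rather than assumed harmless.
            "objects": [o["name"] for o in inv["objects"]
                        if o["created_by"] == user],
        }
        if any(hits.values()):
            report[system] = hits
    return report


def offboarding_complete(user, inventories):
    """True only when no system still carries access or artifacts."""
    return not lingering_access(user, inventories)


if __name__ == "__main__":
    for system, hits in lingering_access("emp123", INVENTORIES).items():
        print(system, hits)
    print("complete:", offboarding_complete("emp123", INVENTORIES))
```

In the constructed data, emp123's directory account is already disabled, which is the point at which the "nothing more to examine" assumption usually kicks in; the reconciliation still finds an enabled local account and an SSH key on the build server, an API token in the repository, and a scheduled job the user created. Only when the report is empty for every system should the termination be considered complete.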