Inspection in detail is available for Packet’s behaviour, but unfortunately, there is no possibility or means to inspect a person’s Intention. ( CIA triangle )

The reason I selected this title “Blind spot in the Bermuda(CIA) triangle” is that we all know the security triangle CIA is the core concept of any security system.

In most cases, the insider’s threat events and incidents can impact any side of the triangle and goes mysteriously leaving no clue about the events.

There are still believes that Bermuda triangle is an unsolved mystery!!  Similarly, any insider can invade not only corners of the triangle and damage it but can bring down the complete triangle down and make it a straight line.

The controls, policies, framework, technology, programs are very negligible when compared with other threats to the company.

The human element is the weakest link in the security chain. It ends up in breach of trust, SLA, adjustments, internal conflicts and competition that leads to the insider’s threat.

In this paper, there is no statistical data provided but the possibilities and intention of the insider are described in detail.

Man / Women in Camouflage Mask

Insider’s threat is severe, in fact, difficulty in identifying the same. The insiders can create havoc in the system, a real challenge to identify. Differentiating the insider from the genuine user will be a tedious task, like differentiating between good and look-alike of good- evil.

The company or the information security team should understand that Insiders threat is not a technical threat. These kinds of threats can happen knowingly or unknowingly, intentionally or unintentionally, but the result of this attack is catastrophic.

The Insiders attack can directly cause the public and customers to lose the interest in business, lose the confidence in technology.

If the technology/product is compromised it can be rectified or convinced to the group of people and can be proven given the required time. An example of such instance is ransomware attacks and other attacks.

Also read Risk with Steganography and Importance of running Steganalysis with Network Systems

It is very hard to identify the insider attacker and intention behind such attack. If the intention of the attacker is to just reboot a service or server for a minute time just once, then the damage is less.

But if the same insider has a vengeance or monetary involvement or any other bad intention then the damage is going to be severe.

Revenge with Vengeance

There are such situations which cannot avoid having disgruntled employees but can be handled. yes!! It is by developing an Insider threat program and insider threat assessment team for the same.

Also on every team, it is necessary to create a “conflict free environment”. Additional role to the team leader with a knowledge of Insider threat program is really a need of the hour.

The team is like a hand and team members are like the fingers, not all fingers are same, which we need to be dealt with a different approach. Treat them equally with equal opportunity and encourage not to do back stabbing with open communication.

There will be a drastic improvement in the disgruntled employee. I have heard saying “Am going to bring down everything one day”, which was told by an engineer who had a complete access to most of the security devices!!!

Treat them equally with equal opportunity and encourage not to do back stabbing with open communication.

There will be a drastic improvement in the disgruntled employee. I have heard saying “Am going to bring down everything one day”, which was told by an engineer who had a complete access to most of the security devices!!!

Do you think, you can stop it??? Yes, but not completely, but yes!! But how? Not completely with any technology or with any authoritative powers, the best is to have an open talk with him which will help to understand, identify and assess the problem as well as the employee’s problem.

As of now, he is a frustrated employee. Not giving him a chance to become a disgruntled employee by disrespecting his thoughts and providing opportunity will reduce his frustration. Basically, make him feel and realize him that he is best at his work and appreciate him/her to bring up the issue which will help the employee to get rid of evil thinking.

If still in the assessment, results are showing negative and if the employee is assessed as a threat, best is to replace the employee.Check all his access are properly revoked and all his credentials are removed.

His other accessible devices, mobile access, and email id need to be blocked and informed to the entire team that he is no more part of the organization or the project including customer associates.

Imagine a situation, given a chance the security administrator of a company wants to take the backup of the firewall configuration but the scenario was not favoring the company instead of the employee.

Maybe he is a good employee with right intentions but curiosity prioritizes his thought. He had a very good relationship with the security team manager and he was able to get the approval to take the backup in his flash drive in order to restore in case of any disaster during activity.

This privilege was given based on trust but he was able to carry the entire company data in his pant pockets!! There are lots of chances that this data could be used in a wrong way.

A good employee today can turn as an insider threat months later or years later as there is no confirmation. Circumstances make man!! Unknowingly if it was lost and stolen from someone or leaked out side it will be an unrecoverable disaster.

This applies for all storage mediums including emails, drop box, etc., Always, “No trust model” is the best model to avoid this kind of attacks, but still, this could have been prevented by controls, monitoring policies and awareness. For example, in this instance, the flash drive could be given to the employee by the company itself with an encrypted option.

Having a secondary backup server in the network or any other safe location inside the corporate network or postponing the activity until the backup server was made available could have prevented this situation.

There are numerous ways to safe guard the company asset but lack of awareness will be the main cause for this kind of attacks. Some don’t and do’s regarding this are:

• A few years back there was another instance: Most of the firewall admin passwords were changed by the X-administrator and he left his job. Here he just wanted to show case his influence and wanted to take the revenge.
• Automatic scripts installed in the server to reboot by itself during a specific period of time.
• Rules were disabled in the firewall and name was changed to confuse the administrator.
• DON’TS
• Talking about the customer in the bus terminals and sharing the information about the same.
• Talking bad about customer and company policies in the public spaces.
• Taking the complete laptop backup from the customer site for future references

There are much more examples and cases in the industry, don’t be a victim and become the case study.

Inside State Actor in CIA triangle

Might be little funny to say “Inside State Actor” but they are having an access to all the machines. Otherwise, from an Insiders point of view, they have the license to hack. The percentage of the incident is more or equal to the technical threats.

There are more solutions to avoid the technical threats, but there are very less or Zero solutions to the insider’s threat.

There is no silver bullet or immediate fix. In most of the cases, it is a reactive step. After the incident occurs, they remove the employee ID’s and start monitoring the activity. The most insider’s threat happens with strong determination to create a problem.

They will have the strong intention in their mind, trying all the possibilities and go to any extent. But it can be controlled to some extent.

Imagine a developer in the mobile R&D Company taking the picture of the source code which he has developed or developed by someone and leaking it outside or using it for his own research…

The damage is for the company and how do you stop it? Another example steganography, embedding the confidential data inside song or video clip or some other data. These intentional insiders will work for a very long time or short time to gain the confidence to steal the data.

The core security team’s negligence and no investment from the company to protect and detect technologies can be another big reason for insider attacker.

The controls, awareness, training to all the employees in the company can stop the insider threat at some level. Not the entire team may be Insider attackers, so it will be easy for a security team to handle once identified.

Insider Threat Program CIA Triangle

Is there any solution for this threat? Any ways to completely get rid of this issue? The answer is NO as of now, No way of escaping from them.

But security as a practice the Insider Threat Program and Insider Threat assessment can reduce the risk gradually increase the awareness.

At every level there should be a member of the insider threat team and the complete team should be linked with each other and connected to the lead of the team, so that there is less chance of attack.

Upgraded technology, monitoring, and control policies, awareness, training to the members of all level including contractors, mobile employees, full time & remote employees including physical security team members to Janitors etc. can prevent such incidents.

Discussing the issues in the meetings, discussing the logs, alerts, activities shared by the team members with the threat program manager can help to take the required measures.

Planning the remediation, planning mitigation plans, Audit and assessment of individual resources, concentrating more on identified risky resource and performing close monitoring can mitigate such incidents.

It is the matter of recognizing both technical and behavioral indicators and outlining the mitigation strategies consistently which prevent such threats.

There are programs available in the industry by certain institutes how to perform and what to perform and they assist us in achieving the goal and best practice in the industry.

This kind of programs create awareness among the employees and it makes them rethink before committing any such activities.

It’s our duty and responsibility to educate our associates, just like teaching our kids about good touch and bad touch!! We will also educate them about the laws, punishments, the penalty for such mischievous acts.

In every project, there should be training for the ODC teams, periodic assessments and meetings. New joiner to the project or to the company has to sign the clause and undergo the training specific for insider threat and abide the same. This makes the employee feel that he is equally responsible for company’s information asset.

Conclusion

This blind spot is very dangerous. In the security triangle- lack of Awareness, lack of monitoring behavioral activities, employee intention, attitude, mood swings trigger as an insider threat. In the Security triangle Confidentiality, Availability and Integrity, the link between these three core concept of security can be broken by an insider.

The damage is unbearable and it becomes unnoticed or becomes mysterious. The insider will have a complete access, visibility and control over the security triangle and he can bring down the services available, breaking the integrity and confidentiality.

This is the scary blind spot for any security officer and company to deal with and it has to be dealt with a combination of people and technology, as I always emphasize “Security is a layer of defense”.

This layer of defense is most critical and important. In countries like the USA, the government itself introduces the executive order for such critical threats. For instance, Edward Snowden is celebrated by few but he is charged with a criminal act for damaging the countries privacy. Let’s join together and solve the mystery of “Blind spot in the Bermuda triangle”

Credits: This article is Originally Written by Vijay Nagaraj. All the Content of this Article Belongs to Original Author. GBHackers on Security won’t take any credits.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.