Insider Threat Detection in Government Cyber Security

Insider threats are one of the biggest data security challenges faced by government agencies. The sheer complexity of government IT infrastructure and the value of the information governments process make it easy for a careless (or malicious) insider to compromise security, and increase the damage that insider can do. Insider threat detection in government cyber security can only succeed with the right combination of education, management, and technology.

The Scope of the Problem

Government breaches are all too common, and incredibly damaging. According to the Identity Theft Resource Center, although government organizations accounted for just 8.1% of breaches in 2015, they were responsible for 19.2% of breached records — 34,222,763 records in all.

According to Verizon’s 2016 Data Breach Investigation Report, “privilege misuse” — intentional misuse of access by insiders — accounts for 22% of security incidents in government — a bigger share than in any other industry.

But clumsy insiders play an even bigger role in government cyber security incidents. Like privilege misuse, all the other major causes of government cyber security events — crimeware (16%), stolen assets (20%) and miscellaneous errors (24%) — are caused by people doing things they’re not supposed to do. Acts like clicking risky links, misplacing sensitive data or inadvertently breaching HIPAA email rules are all examples of insider threat behavior. All told, insiders are a factor in a stunning 82% of potential government breaches.

Even the massive OPM breach that compromised 28 million government employees in 2015 was — in part — the result of negligent insiders. Although the attack was perpetrated by hackers (likely employed by China), lax security allowed them to steal credentials from government contractors. Lack of adequate monitoring, failure to employ strong encryption and two-factor authentication, and other oversights all played a role.


Defining an Insider Threat

An insider threat is anyone who, either intentionally or inadvertently, imperils your security. A malicious insider is a special case — someone who intentionally abuses access to or knowledge of your IT system to unlawfully use, steal or deface data or cyber security assets. They may print fraudulent licenses or alter records for bribes, use government databases to spy on others, embezzle money or just sabotage IT resources.

An inadvertent insider is generally someone who, without malice, weakens or bypasses your security or enables someone else to. They may do this by a negligent act, such as letting a coworker or friend use their password, downloading data onto a memory stick in violation of company policy, or even misplacing printed copies of files.

But more often than not, the threat is an honest mistake that has more to do with a lack of adequate controls or training than with individual incompetence. An insider without adequate email security training may receive a message designed to look like it’s from a coworker and click a malicious link, downloading dangerous malware onto their computer. Alternatively, they might mistype an email address when sending or hit “Reply All” by mistake, triggering a HIPAA Breach Notification.

Profiling and Insider Threat Detection

Malicious insiders and inadvertent insiders are very different. Malicious insider threat detection can benefit from profiling to a degree. Malicious insiders in the government sector are often disaffected workers out to make a buck. They aren’t, by and large, the misguided masterminds of Hollywood movies: although 26% work in skilled technical positions, the majority of these insiders (58%) work in roles that don’t require deep technical skills.

Malicious insiders breach government cyber security for a range of reasons. They’re most often motivated by money (54%), but may be driven by revenge (24%) or a specific grievance (14%), and may have multiple motives. Often, a specific event (56%) such as a termination or demotion triggers or influences their decision to breach security. Once triggered, they generally plan their actions ahead of time (88%).

But their poor secrecy and incomplete planning skills can be an asset in insider threat detection. Malicious insiders overwhelmingly don’t think about the consequences (90%), and often talk enough to give others some information about their activities or plans (58%). They may ask suspicious questions, or even discuss their plans with friends or coworkers. Many also display “inappropriate or concerning behavior” (43%) which could serve as a warning sign to supervisors or coworkers.

It’s crucial to understand that these insiders generally aren’t criminal masterminds, and tend to just opportunistically take advantage of insecure access policies and lax internal controls. Most attackers (85%) used their own authorized access, but access control gaps generally contributed (69%).

For the careless or inadvertent insider, unfortunately, profiling doesn’t help. The culprit could be a receptionist who misplaces a file, a police officer who doesn’t understand CJIS compliance rules, the head of IT security or the president. And at one time or another, it may have even been you. And because these accidental threats are much more common, insider threat detection needs to rely heavily on training, supervision and testing, backed up by good security measures. Watching for warning signs can stop the bad guys, but it won’t stop well-meaning ones.

Security and Insider Threats

It’s less exciting than pursuing criminals, but good security is the best defense. As we mentioned before, poor access control plays a role in most malicious insider threats in government cyber security. In fact, 58% of insider attacks were perpetrated using only the actor’s own login credentials.

However, poor access control is also a factor in many accidental breaches. When users have more access than their jobs require or retain access after termination, it creates unnecessary risks, and can exacerbate the scale of breaches.

Organizations need physical, technical and procedural controls in place to limit how much access users have. Data should be restricted based on role so that, for example, Protected Health Information (PHI) is restricted on a granular level — even within a department that administers medical benefits. Clerical staff may need access to patient names, but if their job doesn’t require detailed medical records, they shouldn’t have access to them.

Organizations should work toward unified compliance frameworks, incorporating HIPAA best practices like business associate agreements with technologically rigorous CJIS compliance standards. CJIS security policy requires controls like weekly audits and account moderation which aid in insider threat detection, along with technical controls like multi-factor authentication, limits on unsuccessful login attempts and 128-bit or greater encryption to prevent breaches.

Multi-factor authentication is not a substitute for other good authentication practices, such as strong passwords and frequent password changes. Google Apps security settings (currently known as G Suite) can help admins, allowing them to require strong passwords, restrict user permissions and enforce other compliance measures, and many other cloud productivity suites have similar controls.

Choosing data-centric, client-side encryption is crucial to government cyber security. Transport encryption like TLS (the encryption system most secure websites use) protects email and other data while it moves between servers, but each server along the path decrypts it, so the data is exposed to hackers if it passes through a compromised server. Client-side encryption scrambles data before it leaves the sender’s device, and only decrypts it when it reaches the destination, greatly decreasing the threat of a breach.

Finally, you can’t neglect the basics. Consistent patching is crucial — particularly as a defense against non-malicious insider threats. If and when someone clicks on the wrong link, having the computer patched and protected by anti-malware programs will decrease the chances of a serious infection.

Education and Insider Threat Detection

As we mentioned above, good security and administration are the best defense against accidental insider threats. However, education also plays a crucial role. Employees need to be trained and retrained to eliminate security risks and compliance issues.

Poor access processes are a major source of insider breaches. Using unsecured public Wi-Fi, storing your access credentials on your computer or leaving your computer unsupervised in a public place can all result in criminals gaining access to sensitive data or even stealing an employee’s login credentials. For similar reasons, employees should never store passwords in-browser, and should configure browsers to clear their cache on exit.

Security rules should clearly spell out what incidents should be reported, who they should be reported to and how they should be handled. Each department should have specific procedures placed in prominent places, with contact info for reporting potential breaches.

Anything that could compromise government cyber security needs to be reported promptly. If, for example, an employee improperly used a public computer for a secure login, or suspects that someone may have spied on them typing in their password, prompt notification and remediation will decrease the risk of a serious breach. Therefore, it’s crucial that employees feel free to approach management. If workers fear termination or severe discipline for reporting a mistake, they’re much less likely to report it.

Tools that automate security rules can also mitigate risk. For example, Virtru Data Loss Prevention (DLP) (now available for Outlook and Gmail) automatically screens employee emails for signs of compliance violations. When employees attempt to send a suspicious email, Virtru DLP’s configurable rules can pop up warnings, email supervisors, encrypt emails and take other measures, preventing employees from breaching compliance and providing further employee training. Virtru DLP has add-on rule packs, such as HIPAA email rules, which can be quickly configured to the needs of the organization. Virtru Pro also allows users to recall an email — even after it’s been read.

Malicious Insider Threat Detection

Although good access control decreases the risks of insider threats in government cyber security, there will always be people whose jobs require access to sensitive data which they could choose to abuse. Therefore, good access auditing is a must, both to catch bad guys quickly and to discourage abuse by making the consequences clear.

You need both technical tools and procedures in place to audit employee access and use of sensitive data. Virtru provides a suite of tools to do this over email and file encryption. Along with the benefits discussed earlier, Virtru DLP can also aid in malicious insider threat detection by CC’ing administrators on suspicious messages. Other features, such as automatically stripping attachments, can help limit the damage caused by certain insider threats, such as leakers.

The Human Element in Malicious Insider Threat Detection

Good management and supervision are the best way to spot malicious actors before they strike. Managers should check in with employees and be on the lookout for potential warning signs. Many of the traits displayed by at-risk insiders are things you’d find suspicious in any worker — for example, greed or destructive or compulsive behavior. Factors that may indicate financial difficulties or poor mental health, such as gambling or alcohol abuse, are also warning signs.

However, malicious insider threats also exhibit particular behaviors that are characteristic of someone up to no good on the computer. Inappropriate access patterns, such as logging in without authorization or during odd hours, can be warning signs. Similarly, if a worker suddenly gets very interested in information that’s outside the scope of their job, that interest is worth examining as a risk indicator.
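The two computer-side warning signs described here (off-hours logins and interest in data outside the scope of the job) can be checked mechanically against an access log, using the same role-based restriction on PHI discussed under Security and Insider Threats. The script below is an added example, not part of the original article or any Virtru product; the log format, the role-to-data-class map, the working-hours window and the sample log lines are all constructed for illustration.

```python
"""Flag insider warning signs in constructed access-log records."""
from collections import defaultdict
from datetime import datetime

# Assumed least-privilege mapping: which data classes each role may read.
# Clerical staff see patient names and appointments, not detailed records.
ROLE_ACCESS = {
    "clerk": {"patient_name", "appointment"},
    "nurse": {"patient_name", "appointment", "medical_record"},
}
# Assumed normal working hours (07:00-19:00, weekdays); anything else is "odd hours".
WORK_START, WORK_END = 7, 19

# Constructed sample log: timestamp, user, role, action, data class ('-' for none).
SAMPLE_LOG = """\
2016-03-01T08:15:00 jdoe clerk login -
2016-03-01T08:20:00 jdoe clerk read patient_name
2016-03-01T23:40:00 jdoe clerk login -
2016-03-01T23:45:00 jdoe clerk read medical_record
2016-03-01T23:50:00 jdoe clerk read medical_record
2016-03-02T09:00:00 mlee nurse read medical_record
"""

def parse(line):
    ts, user, role, action, data = line.split()
    return datetime.fromisoformat(ts), user, role, action, data

def off_hours(ts):
    """True outside the assumed working-hours window or on a weekend."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.hour < WORK_END)

def analyze(log_text):
    """Return {user: sorted distinct findings} for users with warning signs."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, data = parse(line)
        if action == "login" and off_hours(ts):
            findings[user].add("off_hours_login")
        if action == "read":
            # Access to a data class the role is not cleared for: the
            # "interest outside the scope of their job" signal.
            if data not in ROLE_ACCESS.get(role, set()):
                findings[user].add(f"out_of_role_access:{data}")
            if off_hours(ts):
                findings[user].add("off_hours_access")
    return {user: sorted(f) for user, f in findings.items()}

if __name__ == "__main__":
    for user, signs in analyze(SAMPLE_LOG).items():
        print(user, signs)  # jdoe is flagged; mlee's in-role daytime read is not
```

Findings like these are a prompt for the manager and security staff to look closer, in line with the collaboration this article recommends, not proof of wrongdoing on their own.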

Good collaboration between departments can aid in prompt insider threat detection and mitigation. There’s a lot of overlap between behaviors that could trigger HR intervention or discipline by management and signs of a malicious insider. If management, HR and security staff are able to work together, they’ll have an easier time spotting suspicious patterns.

Collaboration between workers and management and a spirit of collective responsibility for security are also important. Workers should be encouraged to approach management if someone tries to use their login credentials or appears to possess sensitive data that they shouldn’t have. With most malicious insider threats in government cyber security, someone else either knows what’s going on or witnesses warning signs before the breach. Make sure that someone feels free to come forward in time.

Insider Threat Detection Resources

There’s been a lot of great research on how to spot, detect and mitigate insider threats in government cyber security. Use these resources to learn more about how to keep your workplace secure.

General Government Cyber Security:
The Encrypted Cloud: a Guide to Government Cyber Security

Insider Threat Detection and Mitigation:
Insider Threats in Cyber Security

Case Studies:
How Virtru Shows Columbia County Employees When to Encrypt
Virtru Brings Email Security and Compliance to Pitkin County

Breach Statistics:
Identity Theft Resource Center – 2015 Data Breach Report
Verizon 2016 Data Breach Investigation Report

Insider Behaviors:
U.S. Secret Service and CERT/SEI – Insider Threat Study: Illicit Cyber Activity in the Government Sector
NCCIC/US-CERT – Combating the Insider Threat
