
Insider Threats Part 1 – Who Is Attacking Your Network?

Tom Cross

In a recent survey conducted by Lancope, the insider threat was a major concern for respondents, with 40 percent citing it as a top risk to their organization. Recent news events such as the WikiLeaks disclosures have also brought the insider threat into focus.

But what do people really mean when they say “insider threat”? Often, they are referring to negligent insiders who accidentally harm systems or leak data due to carelessness. However, it is important to understand that there are various types of insider threats, each one coming with its own set of challenges and different ways to combat them.

So who are these “insiders” attacking your network? At Lancope, we view the insider threat as three distinct categories of threat actor:

Negligent Insiders

Negligent insiders are insiders who accidentally expose data – such as an employee who forgets their laptop on an airplane. They don’t mean to do anything wrong – they are just employees who have access to sensitive data and inadvertently lose control of it. A large number of security incidents and “data breaches” fit this description.

Malicious Insiders

Malicious insiders are employees who intentionally set out to harm the organization either by stealing data or damaging systems, such as a disgruntled employee who deletes some records on his last day of work. In most cases, malicious insiders were once happy employees – cases of malicious attacks on computer systems by employees often result from a breakdown in the relationship between the employee and the company, which can happen for a variety of different reasons.

Research by the CERT Insider Threat Center at Carnegie Mellon University, covering hundreds of real-world cases of attack by malicious insiders, has shown that most incidents fit into one of three categories:

  • IT Sabotage - Someone destroys data or systems on the network
  • Fraud - Someone is stealing confidential data from the network for financial gain
  • Theft of Intellectual Property - Someone is stealing intellectual property for competitive advantage or business gain

Compromised Insiders

A compromised insider is an employee whose access credentials or computer have been compromised by an outside attacker. A compromised insider is really an outsider – it is someone who has access to your network as an authorized user, but they aren’t who they are supposed to be. Compromised insiders are a much more challenging type of insider threat to combat since the real attacker is on the outside, with a much lower risk of being identified.

Knowing the various types and characteristics of insider threats can help organizations put the right defensive measures in place for each threat. The next post in this series will cover multiple tactics that can be used to address these three types of insider threats.
