Serious threats to private and governmental organizations do not only come from the outside world, but also come from within. Some employees and contractors with legitimate access to buildings, networks, assets and information deliberately misuse their privileged access to cause harm to their organization. What are the reasons behind their actions? Is it debts, greed, ideology, disgruntlement, or divided loyalty?
Regardless of their motivations or vulnerabilities, traitors have very similar types of personality and display a certain pattern of behaviours before committing an insider incident. As a prevention measure, it is vital that organizations and employees understand, recognize and detect the common indicators of insider threat. Would you recognize the signs?
Mario Vachon is an Insider Threat Security Specialist with the RCMP Departmental Security Branch.
2. A National Strategy Built Upon Four Pillars
«Building a Culture of Security»
Protected B
3. “The thief who is the hardest to detect and who can cause the most damage is the insider. It is the employee with legitimate access”
US Federal Bureau of Investigation (FBI)
“Who has the most knowledge about your organization, its vulnerabilities and the value of its information? Those inside or outside? Clearly employees are well placed to compromise your data”
Dr. S. Kabilan, Conf. Board of Canada
A Trusted Employee
4. Insider Threat
Who Poses the Biggest Threat?
Figure 1: The Largest Risk to an Organization (percentage by user group; source: 2015 Vormetric Insider Threat Report)
User groups charted: Privileged Users, Contractors / Service Providers, Business Partners, Ordinary Employees, Executive Management, Other IT Staff
Values charted: 55, 46, 43, 35, 28, 25
From Left: Edward Snowden, Chelsea Manning & Jeffrey Delisle
5. Insider Threat
Understanding the Traitor / Mole / Spy
• They changed over time
• Almost all were trustworthy and loyal when first given a security clearance (security screened, interviewed, polygraphed)
• Majority volunteered their services to a foreign government. They were not enticed, persuaded, manipulated or coerced
70%
• Mostly male, 30 to 50 years old
• Middle management
• Emotional, personal crisis
• Unhappy
• Work frustrations
30%
• Mostly male, 20 to 26 years old
• Entry to low management
• Immature, impulsive
• Unhappy
• Ideological view, whistle-blower
The usual suspects are …
6. Insider Threat
The Usual Suspects
… with access to facilities and networks
… with access to sensitive information and ideological views, marital, financial difficulties and/or substance abuse
… with privileged access
80% vs 20%
7. Detection of Risk Indicators
2016 - Sgt. Mario Vachon, M.Sc.
RCMP Insider Threat Security Specialist
Insider Threat
Pathway to Commit an Insider Attack
1. Personality Disorders
2. Stressors
3. Concerning Behaviours
Intention
Volition
10. 3. Concerning Behaviours
• Personal Conduct
Immature / Violence / Immoral / Bias / Retaliatory / Deviant / Dishonest / Lack of Integrity / Manipulative / Impulsive / Poor Judgment / Security & IT Policy Violations
• Divided Loyalty
Political / Country / Association / Social Network / Employer
• Ideological
Radicalization / Religion / Terrorism / Beliefs
• Egotistical / Entitlement
• Exploitable / Vulnerable Lifestyle
Alcohol / Drug / Gambling / Sexual Paraphilia
11. UK Insider Threat Study
5 Types of Insider Activities
2013 CPNI Insider Data Collection Study
Centre for the Protection of National Infrastructure
Unauthorized Disclosures
Corruption
Facilitation of Third Party Access
Physical Sabotage
IT Sabotage / Hacking
Male
Age
60% committed by employees with less than xx years of service
82%
31 - 45
Permanent Employees 88%
> 5 years
Primary Motivation
20%
47%
14%
14%
Financial
Ideology
Recognition / Ego
Loyalty
Self-Initiated 76%
Female 18%
13. Sgt. Mario Vachon, M.Sc.
Insider Threat Security Specialist
Departmental Security Branch
Royal Canadian Mounted Police
(613) 843-5557
mario.vachon@rcmp-grc.gc.ca
«Detection of Risk is useless without Resolution of Doubt»