Why we can't stop malicious insiders

Security experts have been saying for years that insiders -- malicious, careless or simply unaware -- are a greater threat to organizations, both public and private, than hackers.



And the world got another illustration in support of that argument last week when the most famous whistleblower of the moment, Edward Snowden, admitted he had leaked top-secret documents about the National Security Agency's (NSA) surveillance -- both telephone and online -- of American citizens to The Guardian and The Washington Post.

Snowden was technically not an NSA insider. The former CIA technical assistant was working for Booz Allen Hamilton as an infrastructure analyst for the NSA (since admitting he was the source of the leaks, he has been fired). But he had insider privileges, which is essentially all that matters.


And that raises again the question of whether organizations should put more effort into securing themselves internally than in fighting to keep out malicious attackers. But it also raises the question of whether extra effort is even worth it, since neither training nor technology can stop every insider threat.

Snowden said in a video interview with The Guardian that his level of privileges meant that, "I, sitting at my desk, certainly had the authorities to wiretap anyone, from you or your accountant, to a federal judge or even the president, if I had a personal e-mail."

And even if he is extradited from Hong Kong and prosecuted, whatever damage has been done by exposing government secrets isn't going to be undone.

There is no universal agreement on the level of the insider threat, even though the Snowden case has received international attention. According to Verizon's 2013 Data Breach Investigations Report, insiders were responsible for only 14 percent of confirmed data breaches. "Our findings consistently show that external actors rule," the report said.

But other experts say the key word there is "confirmed." Gary McGraw, CTO of Cigital, said he suspects a majority of data breaches are never announced.

"I wouldn't be surprised if they (insider breaches) are understated."

Mike DuBose, a former Justice Department official who led the agency's efforts on trade-secret theft and who is now the head of the cyber investigations unit at the risk-management firm Kroll Advisory Solutions, told Brian Fung of National Journal that, "Amidst all the concern and discussion over foreign hacking, what gets lost is the fact that the vast majority of serious breaches involving trade secrets or other proprietary or classified information are still being committed by insiders."

McGraw noted that the power of insiders is demonstrated by the fact that the goal of hackers is to become insiders.

And the impact of insider breaches is more significant than frequency, said Carson Sweet, CEO of CloudPassage.

"While there may be a lower frequency of inside jobs, the impact that an authorized insider can wreak is typically far greater, and can happen over a longer period, than that of an outsider," he said. "Having an employee go rogue -- especially one in a privileged position -- can turn catastrophic very quickly."

But it is simply not possible to stop all insider attacks or breaches, experts say.
