Could a shutdown ignite insider threats?
- By Bill Aubin
- Feb 14, 2019
The 35-day government shutdown may be on a brief hiatus, but with the temporary deal to fund federal departments slated to end on Feb. 15, many government workers are worried they will be right back where they were last month, when 800,000 federal workers missed two paychecks and nine departments were directly affected.
As some government agencies were shuttered, the Senate was focused on addressing potential external cyber threats or nation-state cyberattacks. While these threats can be extremely dangerous, it is equally important to be alert to insider threats.
A 2018 Ponemon Institute study revealed that the average annual cost of insider-related incidents is $8.76 million, with an average 52 days to resolve each incident. With the strains of the government shutdown on top of all of this, the cost could be significantly worse.
How shutdowns leave agencies vulnerable to insider threats
During the shutdown, many employees were furloughed, not knowing when they would receive their next paycheck. This is a recipe for insider threats. It is not hard to imagine disgruntled employees expressing their frustration by leaking sensitive information in exchange for payment or in an attempt to halt the shutdown. Furloughed workers might also be tempted to take actions that negatively impact the agency: shutting down or locking critical systems, or escalating their privileges by exploiting system or application flaws to reach resources they are not authorized to access.
Perhaps most importantly, with many IT staffers furloughed and security analysts working with skeleton crews, it is easier for burned-out analysts to miss abnormal behaviors that might indicate an insider threat, and easier for basic hygiene lapses, such as unattended workstations left logged in, to go unnoticed, which any adversary could then exploit.
Types of insider threats
To best protect a federal agency from insider threats during a government shutdown, it is important to understand the distinct differences between the three types of inside attackers and their motives. Since each is very different, the approach to preventing them will also vary.
Malicious insiders are looking specifically to steal information, such as intellectual property or user credentials of important personnel, or to disrupt operations either for payment or to hurt the organization.
Negligent insiders, who may be stressed or overwhelmed employees, may not follow proper procedures and leave an organization vulnerable.
Compromised insiders are those whose devices or accounts have been taken over by malware, typically after falling victim to a phishing scam or downloading a file from an unknown sender. In these cases, they likely do not even realize the damage they are causing.
Signs of an insider attack
Using analytical clues from logs and context from conversations with fellow employees, security teams can identify certain behaviors that might indicate an insider attack, both on the network and in person. The behaviors include:
- Interest outside of the normal scope of duties (e.g., accessing files the employee does not normally handle).
- An abnormal number of file transfers or downloads.
- Working unusual hours without prior authorization.
- Excessive negative commentary about the organization or the shutdown.
- Comments about their continued financial difficulties, including any unresolved debt issues.
- Any noticeable change in personality or mental state.
Protecting agencies from insider threats during a government shutdown
There are four steps agencies can take to prevent insider threats in the event the U.S. experiences another lengthy shutdown:
1. Train employees and establish protocol for access. While this point might be self-explanatory, regular training sessions on identifying threats and phishing emails can lessen the chaos during a shutdown because employees will be better prepared. Training can also reduce the number of employees and contractors who may become compromised insiders. Establish rules and regulations about using devices in the event of a shutdown.
2. Coordinate IT security and the rest of the departments. Coordination between chief information security officers and the different departments can help prepare IT security for a sudden decrease in staff resources. Even placing the employees affected by a shutdown on a watchlist, so analysts prioritize review of their activity, can surface many threats earlier.
3. Organize an emergency threat-hunting team. During a shutdown, everything can turn chaotic quickly if an organization is not prepared. Dedicating a few individuals on the cybersecurity team to check for threats and training them to look for the signs of an insider attack can go a long way.
4. Consider behavior-based security approaches. Behavior-based security management tools use various techniques to track, collect and analyze user and machine data. These platforms build a baseline of normal activity per user and flag deviations from it, like the warning signs described above. Most importantly, they can flag a compromised account's departure from its owner's baseline, ideally before the adversary behind it reaches critical systems. These approaches also help security analysts stop issues before they become bigger problems.
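The warning signs listed above and the baselining idea in step 4 can be made concrete in a few dozen lines. The following is an added illustration, not code from the original article or from Exabeam: it builds a per-user baseline (resources touched, hours active, downloads per day) from a set of constructed audit-log lines, then scores a second batch of constructed lines for out-of-scope access, off-hours activity and download bursts. The log format, the three-sigma rule and the sigma floor of 1.0 are assumptions chosen for the example.

```python
"""Toy behavior-baseline detector run over constructed audit-log lines (example, not production code)."""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed sample audit lines (not from any real agency system).
# Format: ISO timestamp,user,action,resource
BASELINE_LOG = [
    "2019-01-07T09:15:00,alice,read,hr/benefits.xlsx",
    "2019-01-07T10:02:00,alice,download,hr/benefits.xlsx",
    "2019-01-07T14:30:00,alice,download,hr/payroll.xlsx",
    "2019-01-08T09:40:00,alice,download,hr/payroll.xlsx",
    "2019-01-08T15:10:00,alice,download,hr/benefits.xlsx",
    "2019-01-09T11:05:00,alice,download,hr/benefits.xlsx",
    "2019-01-09T16:45:00,alice,read,hr/payroll.xlsx",
    "2019-01-10T09:30:00,alice,download,hr/payroll.xlsx",
    "2019-01-10T13:20:00,alice,download,hr/benefits.xlsx",
    "2019-01-11T10:10:00,alice,download,hr/payroll.xlsx",
    "2019-01-07T08:50:00,bob,read,eng/build-notes.md",
    "2019-01-08T09:05:00,bob,download,eng/build-notes.md",
    "2019-01-09T17:30:00,bob,read,eng/build-notes.md",
]
# Constructed lines from after the furlough begins.
RECENT_LOG = [
    "2019-01-14T23:40:00,alice,download,hr/payroll.xlsx",
    "2019-01-14T23:41:00,alice,download,hr/payroll.xlsx",
    "2019-01-14T23:42:00,alice,download,hr/benefits.xlsx",
    "2019-01-14T23:43:00,alice,download,hr/benefits.xlsx",
    "2019-01-14T23:44:00,alice,download,hr/payroll.xlsx",
    "2019-01-15T10:15:00,alice,read,finance/contracts.xlsx",
    "2019-01-15T09:20:00,bob,read,eng/build-notes.md",
    "2019-01-15T09:25:00,carol,download,eng/build-notes.md",
]


def parse(lines):
    """Turn audit lines into event dicts; malformed lines are skipped rather than guessed at."""
    events = []
    for line in lines:
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        ts, user, action, resource = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "resource": resource})
    return events


def build_profiles(events):
    """Per-user baseline: resources touched, hours active, downloads per active day."""
    profiles = defaultdict(lambda: {"resources": set(), "hours": set(),
                                    "downloads_per_day": defaultdict(int)})
    for e in events:
        p = profiles[e["user"]]
        p["resources"].add(e["resource"])
        p["hours"].add(e["ts"].hour)
        if e["action"] == "download":
            p["downloads_per_day"][e["ts"].date()] += 1
    return profiles


def download_threshold(profile, sigmas=3.0):
    """Mean + N sigma of daily downloads (assumed rule); sigma is floored at 1.0 so a flat baseline still tolerates small variance."""
    counts = list(profile["downloads_per_day"].values())
    if not counts:
        return sigmas  # no download history at all: any burst above N downloads is worth a look
    return statistics.mean(counts) + sigmas * max(statistics.pstdev(counts), 1.0)


def detect(recent, profiles):
    """Return findings as (user, date, kind, detail). Off-hours activity is reported once per user-day."""
    findings = []
    seen_offhours = set()
    downloads = defaultdict(int)
    for e in recent:
        user, day = e["user"], e["ts"].date()
        if user not in profiles:  # membership test does not create a defaultdict entry
            findings.append((user, day, "no_baseline", e["resource"]))
            continue
        p = profiles[user]
        if e["resource"] not in p["resources"]:
            findings.append((user, day, "out_of_scope", e["resource"]))
        if e["ts"].hour not in p["hours"] and (user, day) not in seen_offhours:
            seen_offhours.add((user, day))
            findings.append((user, day, "off_hours", f"hour={e['ts'].hour}"))
        if e["action"] == "download":
            downloads[(user, day)] += 1
    for (user, day), n in downloads.items():
        limit = download_threshold(profiles[user])
        if n > limit:
            findings.append((user, day, "download_burst", f"{n} > {limit:.1f}"))
    return findings


def run():
    """Score the recent constructed lines against the constructed baseline."""
    return detect(parse(RECENT_LOG), build_profiles(parse(BASELINE_LOG)))


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

On this input, alice is flagged three ways (off-hours activity, a download burst above her baseline, and a read of a finance file outside her usual scope), bob produces nothing, and carol is reported as having no baseline at all, which is itself worth a look when the workforce has just been reshuffled. A real deployment would key the baseline on peer groups as well as individuals and would treat the thresholds as tunable, but the shape of the logic is the same.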
Mapping out a security strategy before a shutdown can help agencies prevent insider and external attacks from leaking sensitive information or compromising operations. This planning also helps mitigate any damage and cover for employees who are furloughed during the shutdown.
Insider threats will not go away, and events like shutdowns make them even more likely. By better understanding the motives behind inside attackers and situations that might ignite them, agencies can be better prepared and protected.
Bill Aubin is vice president of federal, Exabeam.