If someone asked you who Harold T. Martin III was, would you know? What about
Edward Snowden? Most people know the latter individual. These 2 people do have
something in common. Snowden ‘took’ a huge cache of classified documents and
fled the United States in 2013. Martin, on the other hand, is in custody as of
right now, arrested in August of last year for allegedly stealing classified
material which was found in his home and car. In Martin’s case, some of the
material he took, like the NSA-developed exploits, ended up being published
online. The debate is still on whether he published them or he was hacked and
someone else published them. What these 2 contractors have in common is that
they both worked for Booz Allen Hamilton, a well-known and established
government contractor; nothing against Booz Allen, just a case of bad apples
falling from their tree.
The National Counterintelligence and Security Center
(NCSC) defines insider threat as “…when a
person with authorized access to U.S. Government resources, to include
personnel, facilities, information, equipment, networks, and systems, uses that
access to harm the security of the United States”. While the NCSC’s
definition focuses on the U.S. Government, the same logic can be rightfully
applied to private corporations, with the key takeaway being that these people
have ‘approved’ access and knowledge of your system. Kind of tough to catch the
insider threats then… wow! How do I know Joe Blow from accounting has no
malicious intent when he reads the company’s financials, or what Jane Doe from
IT is intending to do with the firewall policy report? We simply can’t. Intent
is something that can’t be measured.
The threat triangle states that 3 things have to be present for the threat to
materialize: Intent, Opportunity and Capability. If any one of those elements is
missing, the threat may not materialize. Of the three, intent is the intangible
element. You can measure whether someone is capable of doing something, and you
can measure what your security landscape is and therefore determine what
opportunities may be present in terms of security gaps/lapses, but you can’t
measure whether someone is intending to commit a crime. We can speculate based
on other factors like debt issues, personal problems, or negative emotions
towards the company, but all these are at best simply guesses or speculations.
The focus, therefore, should be on opportunity and capability when we are
crafting an insider threat mitigation plan.
In conclusion
As the Snowden and Martin cases show, even the best of the best can and do
experience cases of insider threats. Every company has its ‘secret sauce’, and
none wants its proprietary advantage, or whatever keeps it at the top of its
food chain, exposed to the public. Many companies would fold if their trade
secrets got publicized. Think about what Pepsi would do if Coke’s ‘recipe’ got
publicized or what Bing would do if Google’s search engine algorithms were
readily available for the public to scrutinize. The insider threat is surreal
and can cause a lot of damage to a company. Every company should pay attention
to its ‘approved’ humans and invest in controlling both external and internal
threats accordingly.