The U.S. Office of the Director of National Intelligence (ODNI) has designated September as National Insider Threat Awareness Month, co-sponsored by the National Counterintelligence and Security Center (NCSC) and the National Insider Threat Task Force (NITTF), partnering with the Department of Defense (DoD), the Department of Homeland Security (DHS), and the Federal Bureau of Investigation (FBI). Here is my small contribution to the awareness effort.
The challenge of dealing with insider threat begins with understanding that not all threatening insiders are intentionally acting maliciously.
- Fully trustworthy individuals in the enterprise make mistakes, and sometimes those mistakes have serious consequences for safety or security. The actions may be the result of simple ignorance, laziness, or even rampant stupidity.
- Similarly, trusted insiders sometimes intentionally violate standard policies or procedures, for what they consider valid reasons with good intentions, not realizing the potential damage to safety or security their actions present. (I discussed this situation in my INFOSEC World 2016 talk, Maybe It’s the Boss’s Fault.)
- A third category of trusted “threatening insider” is the person who has been fooled by an outsider into taking an action, thinking it is in full compliance with all policies and rules, but who has in fact jeopardized the safety or security of the enterprise, just as the malicious outsider had planned. For example, there are many finance clerks who have paid phony invoices for toner cartridges never delivered, and thousands of workers who have fallen for the fraud of phishing, spear phishing, and whaling e-mails.
- Finally, there are the trusted insiders who intentionally take malicious action. This last category may be the most dangerous, and the most difficult to deal with, because they will work to hide their actions. This group includes the prankster, the greedy, the planted outsider (spy), as well as the formerly gruntled worker who has, for some reason, become dis.
Besides staying aware of the four categories of threatening insiders, we must keep in mind the broad range of activities that may be involved. While the cybersecurity community may focus on information security and privacy, the full range of activities includes theft of money and goods, industrial and nation-state espionage, and even sabotage.
The last action, sabotage, leads us to a fascinating reference from the days of World War II that is surprisingly useful even today: the Office of Strategic Services (OSS) Simple Sabotage Field Manual. In 2008 the Central Intelligence Agency, successor to the OSS, released a redacted declassified version of the manual to the public. This is the real deal, and worth a read for tips on activities to watch for in your organization. Of special interest to the information assurance or cybersecurity type, dive into section 5(11), General Interference with Organizations and Production, beginning on page 28. Denizens of every modern bureaucracy will recognize quite a few suggested activities easily attributable to nominally trustworthy members of the enterprise. I guarantee you will be able to spot your coworkers in that section!
Note that since the release in 2008, Bruce Schneier pointed to the manual for discussion in his blog in both 2010 and 2016.
Finally, if you are curious about more from the OSS, the US Special Operations Command (SOC) has made available a library of seven OSS manuals.
(c) 2020 D. Cragin Shelton
[This essay is also available on my Randomness Blog and on LinkedIn.]