Monday, 2 May 2011

The Threat Within


Who is the insider?
What exactly is the insider threat? What, or rather who, is an insider? Security professionals and government agencies all have their own definitions, and all of those I’ve read differ in their own small way, but fundamentally the meaning is the same.

I am not going to quote each and every definition (please use the web links opposite to visit some of the specific sites), but the important thing to remember is that an insider is a person to whom you have given legitimate access to your assets. In my opinion a former employee does not fall into this definition (and so is not an insider) as they no longer have legitimate access. In fact, their activities are likely to constitute a criminal offence in themselves.

In the counter terrorism arena we talk a lot about capability vs motivation. Terrorists have motivation in buckets but most lack the capability - for example they cannot access the materials to build an effective IED. On the flip-side the insider has the motivation but also the capability as they have the in-depth knowledge of your organisation and the way in which you go about your business.

Companies are understandably slow to come forward and admit to their insider incidents, as doing so could reveal a weakness in their internal processes or systems. This weakness could lead to uncomfortable questions from shareholders and governing bodies. The majority of insider incidents are reported by co-workers who notice suspicious activity, but many still go undetected.

An insider can be anyone in your organisation, from the part-time cleaner right up to a member of senior management. There is no ‘one size fits all’ profile for the insider, but there are a number of warning signs which could indicate that you have a problem (we will cover these in future articles). It is important to remember that current staff can become an insider: 'Jim', who has been in his middle management role for 6 years and has a clean record, may have a sudden change in personal circumstances (he could fall into financial difficulties) and could become a threat!

There is a massive misunderstanding and a lack of experience when it comes to the insider threat and this stems from no one department taking responsibility for it. The HR department generally deals with pre-employment screening (although in our opinion the security team should), IT systems are taken care of by the IT geeks wearing sci-fi t-shirts and musical ties, and any resulting investigation is dealt with by the security team.

There are various different types of insiders, and the threat they pose will differ for each of you, but in general they are:
  • Single Action Groups (animal activists or swampy students) – to cause harm, damage or media coverage
  • Terrorists - to cause large scale harm and to maximise media coverage
  • The Lone Wolf - because they want to and can! They are not part of any other group
  • Journalists – to identify a loophole and to sell more newspapers
  • Foreign Intelligence Service
  • Competitors (corporate espionage) - trying to gain trade secrets, insider trading information or just to gain the upper hand over you
  • Disaffected Staff – revenge for not giving them that promotion/pay rise, or someone who thinks they know better than the organisation itself.
  • 3rd Party Facilitation – helping somebody else to gain entry or supplying someone else with the data to commit crime, an admin account login/password, or giving them your building access card.
  • Unknown Pawns - exploited via various means, one of which could be social engineering or 'water cooler talk'. Normally these types of insider are unaware of the information they are supplying to others.
Why do these people do what they do?

  • Kudos
  • Reward 
  • Personal Mission
  • In the name of Public Interest
  • Identify an issue or wrong doing
  • Revenge
  • Intelligence
  • Facilitation of Crime
The effects of an insider can be far reaching but may include:

  • Reputational Damage – poor media coverage, loss of investment opportunities
  • Financial Loss – loss of sales or fines imposed by the ICO or regulating authorities (e.g. Ofcom or the FSA)
  • Physical Damage
  • Unrest Internally with Staff – potentially a lack of trust between staff
  • Loss of Operational Service
  • Loss of IT Service (normally via denial of service attacks)
  • Theft
  • Fraud
  • Poor International Relations
I keep coming back to it, but the single most important factor to consider is that these people have legitimate access. What does that mean? For me, it means they have already bypassed the majority of the physical and electronic security measures which protect you. Insiders are placed into organisations for the long term to build your trust and to gain a very in-depth understanding of your processes and the assets they are interested in. Even law enforcement are concerned that people with clean records will join in entry level roles and rise through the ranks in order to supply serious organised criminals with information to assist them in committing crimes.

There have been numerous incidents of insiders
There are many tools in organisations to prevent these threats, and most fall under the security specialism of Personnel Security. Some of these are:
  • A robust pre-employment screening regime (most potential insiders can be detected at this stage - especially journalists and people who have clearly lied on application forms or CVs)
  • Having a staff exit (leavers) procedure
  • Having a positive security culture – where staff are aware of the security risks that your organisation is susceptible to
  • Good policies and procedures, which staff are aware of and have read
  • Awareness of the potential warning signs (we will cover some of these in future articles)
  • Support from the board and senior management
  • A robust security audit process, including auditing 3rd party providers (make sure all contracts include a 'right to audit' clause)
  • Utilising the electronic tools you have in place – system logs, forensic tools etc
Whatever approach you decide on for your business, it must be risk-based and targeted. Each organisation’s risk appetite will be different, but one thing is for sure: you ‘will’ experience an incident as a direct result of insider action – it is purely a matter of when, and how significant the impact is.


The insider threat is a vast subject and impossible to cover in a single blog post. In my future articles I will give you some more details on this risk, but until then expect the unexpected: these people are very difficult to detect but are easier to prevent.

Wednesday, 6 October 2010

Beer Googles!

Some of the Internet Search Engines
I recently read an article (it's here) which mentions some of the pitfalls for potential recruiters when using the Internet to search for information (including pictures). I think this is a very interesting subject and I would recommend reading the article and the subsequent comments at the end, which offer arguments both for and against from the HR professional's perspective.

Any information posted on the internet is in the public domain, so surely I/you shouldn't put anything on here that you don't want others to potentially see (for whatever reason). The issue then arises when someone else puts something on the internet without your knowledge which could potentially lead to reputational damage for you! Obviously the privacy settings within social networking sites could help here, but these are only as good as the users' awareness of them, and your friend of a friend of a friend's awareness of them too!!

My personal view (as is all of the content on this site) is that a Google search (or Yahoo! for that matter) is a tool which can be utilised with caution within the pre-employment screening process for certain roles. For example, in security sensitive positions an internet search may highlight information which would prompt you to ask some more probing questions during the interview stage, i.e. you may find that someone worked for company XYZ, wasn’t sacked, but mentions on their social networking profile how they were able to procure £2000 fraudulently, and furthermore this role doesn’t appear on their CV within the employment history section.

From a legal or DPA perspective I am not too sure what the view on this is (but I can guess that it’s not particularly pro). Now, with my security hat on, surely advising a candidate at the initial stages that an internet search may take place will potentially deter the candidates who could pose a problem... In the current climate good candidates are aplenty and we all want to recruit the best, but we also don't want to recruit the candidate within the accounts department who has previous for fraud (but was never convicted), or the candidate who has links to a terrorist organisation and joins your business to gain valuable intelligence and pose an insider threat... or the person who lacks integrity and is clearly not a team player!

Update 7/10/10: Sal Remtulla, Head of Employee Screening at Risk Advisory has recently circulated some snapshots of recent CV liars. You can read her analysis here

Tuesday, 1 June 2010

Personnel Security - Something we should all be paying a lot of attention to!


Personnel security is everything involving employees: recruiting them (also known as pre-employment screening), training them, monitoring their behaviour, and sometimes handling their departure. Personnel Security relies on a system of policies and procedures to reduce the potential security risk.

In these modern times organisations are not only at risk from external threats; we also face a very significant threat from the insider. An insider is classed by the CPNI (part of the security services) as 'someone who exploits or has the intention to exploit their access to an organisation's assets'. This could result in a number of different scenarios, including fraud, an employee who sells your company data to a competitor, or an employee who is feeding information to a terrorist organisation.


Personnel security is an area that many 'security professionals' think they understand, but in my experience actually don't. There are elements of personnel security which are managed by non-security departments, for instance pre-employment screening by HR, or it may even be outsourced to a 3rd party provider. If this is the case I recommend carrying out some checks of your own to see if they are doing what you think and expect they should be doing.

I am lucky enough to receive training from some world class experts in this area, but the level of understanding is very different from organisation to organisation. The strategic objectives for personnel security are the same for everyone, but in a private sector environment I believe it is a little more difficult. For example, government departments have a Security Policy Framework (SPF) which includes 70 mandatory controls (supported by various baseline standards) which must be adhered to (along with an annual declaration of adherence). The private sector does not have this level of hierarchical governance, but of course there is no reason why at a local level you can’t have a similar assurance process. I would recommend any security professional obtain a copy of the SPF, which is publicly available here. It is useful and a document which I refer to regularly.

The insider threat has seen a dramatic increase in the UK in recent years, and one contributing factor to this is the advances in physical and electronic security. In order to gain access to organisations, it is now considered easier to infiltrate them with the co-operation of an insider. The current financial crisis has also increased the likelihood of the insider threat, as staff who would normally not be tempted into exploiting their 'privileged position' may be willing to do so (e.g. for personal gain, or they may be disgruntled for not receiving their bonus etc). It is important to note that the vast majority of employees are genuine, but with a robust Personnel Security process in operation the potential insider threat is reduced and you will ensure they are detected quickly and efficiently.

My top 10 recommendations are:

1. Assess Personnel Security risks and include these on your risk registers
2. Have a helpline in place for employees to confidentially report concerns
3. Know the source of employment references
4. Confirm the employee has the Right to Work in the UK (a legal requirement)
5. Carry out qualification checks and check physical certificates where possible
6. Where possible complete the 'pre-employment screening' process prior to the start date
7. Promote a positive security culture
8. Advise potential employees of the level of checks you use; this may deter potential insiders from joining the organisation
9. Transparency - have clear policies and procedures in place
10. Audit - to provide assurance that the systems are effective

In future blogs I intend to provide some more details on each of the individual personnel security subjects, which will hopefully help you going forward.

Saturday, 22 May 2010

£430m loss, let's blame the Security Guards!


Five masterpieces valued at up to £430m have been stolen from the Museum of Art in Paris. Museum officials discovered the theft early on Thursday, when they found a smashed window and a broken padlock which had been cut to gain access to the five paintings.

A number of news headlines highlighted that the guard(s) (some reports state that 3 were on duty) were sleeping, and the Evening Standard's headline said 'Guards dozed as thief stole Paris paintings'! Why is it that the security guards sleeping hits the headlines and not the other catalogue of errors and issues that took place at the Museum:

  • CCTV cameras pointing only at the roof
  • Management's decision to switch off the alarm system because it kept going wrong (parts were on order).
  • The paintings may not have been insured
  • £15 million was spent upgrading security during a two-year refit which ended in 2006.
  • Theft not discovered for up to 3 hours
  • The intruder slipped into the Museum after simply removing a window.
  • Insiders working for low pay in galleries are often suspected of helping criminals.

I think this really goes to prove a point that I made in this blog after my recent visit to IFSEC. You can spend an awful lot of money on technology (£15m in this case) but you still have the human element: the people 'who leave cameras pointing at the ceiling', the senior member of management who 'turns off the alarm systems due to false activations', or the member of staff who 'leaves the door unlocked in return for €50'.
There is and always will be a requirement to have a robust security management regime (including Physical Security and Personnel Security) in place, along with regular security audits to provide assurance that these measures are proportionate and effective. Although the night guard falling asleep is a serious issue (and one which is common in the industry), it hardly deserves to be the headline for what is a heist of the century and a £430m loss of some of the rarest art pieces in the World.



One of the pieces stolen, at £15m: Fernand Leger's 'Still Life with a Chandelier'

SOME OF THE BIGGEST ART THEFTS IN HISTORY
  • May 2010: A lone thief stole five paintings possibly worth hundreds of millions of euros, including works by Picasso and Matisse, in a brazen overnight heist at a Paris modern art museum.
  • February 2008: Armed robbers stole four paintings by Cezanne, Degas, van Gogh and Monet worth $163.2 million from the E.G. Buehrle Collection, a private museum in Zurich, Switzerland. The van Gogh and Monet paintings were recovered.
  • December 2007: A painting by Pablo Picasso valued at about $50 million, along with one by Brazilian artist Candido Portinari valued at $5 million to $6 million, were stolen from the Sao Paulo Museum of Art in Brazil, by three burglars using a crowbar and a car jack. The paintings were later found.
  • February 2007: Two Picasso paintings, worth nearly $66 million, and a drawing were stolen from the Paris, France home of the artist's granddaughter in an overnight robbery. Police later recovered the art when the thieves tried to sell it.
  • February 2006: Around 300 museum-grade artifacts worth an estimated $142 million, including paintings, clocks and silver, were stolen from a 17th-century manor house at Ramsbury in southern England, the largest property theft in British history, according to reports.
  • February 2006: Four works of art and other objects, including paintings by Matisse, Picasso, Monet and Salvador Dali, were stolen from the Museu Chacara do Ceu, Rio de Janeiro, Brazil, by four armed men during a Carnival parade. Local media estimated the paintings' worth at around $50 million.
  • August 2004: Two paintings by Edvard Munch, The Scream and Madonna, insured for $141 million, were stolen from the Munch Museum in Oslo, Norway by three men in a daylight raid. The paintings were recovered nearly two years later.
  • August 2003: A $65 million Leonardo da Vinci painting was stolen from Drumlanrig Castle in southern Scotland after two men joined a public tour and overpowered a guide. It was recovered four years later.
  • May 2003: A 16th-century gold-plated Saliera, or salt cellar, by Florentine master Benvenuto Cellini, valued at $69.3 million, was stolen from Vienna's Art History Museum by a single thief when guards discounted a burglar alarm. The figurine was later recovered.
  • December 2002: Two thieves broke in through the roof of the Vincent Van Gogh Museum in Amsterdam and stole two paintings by Van Gogh valued at $30 million. Dutch police convicted two men in December 2003, but did not recover the paintings.
  • December 2000: Hooded thieves stole a self-portrait by Rembrandt and two Renoir paintings worth an estimated $36 million from Stockholm's waterfront National Museum, using a motorboat in their escape. All paintings were recovered.
  • October 1994: Seven Picasso paintings worth an estimated $44 million were stolen from a gallery in Zurich, Switzerland. They were recovered in 2000.
  • April 1991: Two masked armed men took 20 paintings - worth at least $10 million each at the time - from Amsterdam's Van Gogh Museum. The paintings were found in the getaway car less than an hour later.
  • March 1990: In the biggest art theft in U.S. history, $300 million in art, including works by Vermeer, Rembrandt and Manet, was stolen from the Isabella Stewart Gardner Museum in Boston, Massachusetts, by two men in police uniforms.
  • December 1988: Thieves stole three paintings by van Gogh, with an estimated value of $72 million to $90 million, from the Kroeller-Mueller Museum in a remote section of the Netherlands. Police later recovered all three paintings.
  • May 1986: A Vermeer painting, Lady Writing a Letter with her Maid, is among 18 paintings worth $40 million stolen from Russborough House in Blessington, Ireland. Some of the paintings are later recovered.
  • August 1911: Perhaps the most famous case of art theft occurred when Leonardo da Vinci's Mona Lisa was stolen from the Louvre by employee Vincenzo Peruggia, who was caught two years later.

Wednesday, 19 May 2010

Security is simple......

Some time ago a colleague and I were discussing the security arrangements for a particular site. We agreed on the asset we were trying to protect but could not agree on the security solutions that had been deployed, and this quickly became quite a heated discussion. I believe that security in its purest form is quite simple, yet if this is true, why is it one of the most emotive topics for me, right up there alongside religion, football and now coalition politics?

I suppose the purpose of writing this blog and sharing my experiences, questions and concerns is a way of me trying to find out more and attempting to understand what it is about security that makes everyone an expert. I understand that the physical or technical security applied to a site, risk or area is important, but I will always strongly maintain that without the right people, processes and procedures it doesn’t matter how good the Rolls Royce kit is if it’s not being utilised properly.

I was fortunate to present at the recent Counter Terror Expo 2010 on providing assurance to senior management of security risks. Whilst preparing I found myself getting angry at the lack of people in the security world actually talking about this subject. I noted that there are lots of ideas, discussions, plans and strategies about what the government does and how parts of the Critical National Infrastructure (CNI) are assisted by that, but I think the gulf between public and private is just too great. What happens to the private company, limited company or small business that would not have exposure to, or the staff to understand, the CONTEST strategy or the HMG Security Policy Framework (which I believe is being widely touted and overused as the way forward)? What does it mean to any of them? The same could be said for most other areas of the (and for now I use the words loosely) ‘security world’: what do they do about countering fraud, personnel security and screening arrangements for the insider threat?

Following my presentation I received feedback from a couple of visitors who said it was interesting and that they hadn’t really given providing assurance much thought: "my Finance Director could understand some of our security risks that way, thanks". Now I am not suggesting it was the pinnacle of my career, but I took this feedback as a compliment (I don’t get many so I’ll take it) and thought maybe I should open this discussion up to others; maybe I could post some of the questions that I don’t think I could answer without comparing it to religion, football or politics. So here goes... it’s a simple one really... Ready...

What is Security?

I really hope anyone visiting this blog can help me. I am guessing there's no absolute right or wrong answer, but any comment will assist in my quest. Thanks for reading.

Tuesday, 18 May 2010

National Trust Defends Security After Theft

The National Trust defended its security measures yesterday following the theft of silverware thought to be worth thousands of pounds in a break-in at a stately home. The full story is here