How To Spot Malicious Insiders Before Data Theft

Published: 22/11/2024   Category: security


Psychologists identify warning signs that could tip you off that



According to a new research study, the majority of insider attacks are conducted by 37-year-old Caucasian men. Now, forget that data point, on which too many organizations fixate, misguiding their internal investigations.
"The problem with that is that it's just a demographic statistic, not a psychological profile. What if she is a 57-year-old African-American female?" said Harley Stock, a board-certified forensic psychologist who's managing partner of the Incident Management Group, in an interview. That's why, instead of focusing on demographics, he said that examining a suspected inside-attacker's behavior--including previous rule violations--is a far better way to investigate such cases.
Stock's warning is backed by a new, empirical study of existing research into insider attacks that he conducted with Eric Shaw, a clinical psychologist who helps companies and government agencies investigate insider cases, as well as conduct employee and organizational risk assessments. "We've tried to summarize the best available empirical research--not expert opinion," Shaw said in an interview.
Their resulting report, sponsored by Symantec, found that if companies truly want to prevent or trace insider attacks, especially involving intellectual property (IP), then they should be watching for a handful of warning signs--both when they interview employees, as well as during their employment. If those warning signs should arise, then organizations must follow them up, preferably by already having a workplace response team ready to investigate. Such teams are typically composed of human resources and information security representatives, attorneys or legal representatives from HR, as well as a forensic psychologist.
Warning signs will vary, but often involve employees with a grudge who are about to change jobs. "Termination, resignation, any exit planning, or rumors [of that] are grounds for an IP insider risk assessment, because it's such a strong finding that people take this stuff when they leave, even with IP agreements," Shaw said.
Watching for suspicious behavior, of course, won't help spot or prevent all inside attacks. But Shaw and Stock's own experience, as well as reviews of research into past insider attacks, has found that organizations often failed to heed obvious warning signs--not just job changes, but also people displaying escalating levels of rule-breaking or misbehavior, signs of extreme stress, or employees with a grudge who were preparing to change jobs.
Take the case of WikiLeaks suspect Bradley Manning, who's accused of the largest breach of government documents in history. Before that alleged leak, however, Manning had exhibited numerous signs that should have led to his being denied access to top-secret information. "Manning was getting into physical fights, violating the dress code, he was clearly on people's radar, and psychologists had said, 'Don't deploy this guy.' And he was deployed anyway," said Stock. Indeed, according to a recent article in the Guardian, the legal team defending Manning plans to highlight in court how numerous warning signs about Manning's emotional and mental state were ignored. The defense plans to call multiple witnesses, including a psychologist who recommended Manning be removed from his duties, as well as a psychiatrist who had concluded Manning was at risk to himself and others and that he should be banned from carrying a useable weapon.
Similarly, one of Manning's supervisors had reported that Manning had an angry outburst during a counseling session in which he flipped over a table and had to be restrained after he stepped towards a rack of weapons. None of these warnings, however, appeared to have been acted on, or passed up the chain of command.
Although Manning had access to a wealth of secret information, it's also emerged that none of his data access was ever logged. That gets to another recommendation from Shaw and Stock: surveillance, especially for creating a baseline of normal behavior and data-access patterns. "With surveillance, it's virtually impossible for these individuals to engage in IT theft without changing their normal behavior," said Stock. "Once we see changes in those behaviors, they can become a person of interest to us."
Another recommendation: screen employees properly before hiring them. For example, if someone served in the military, looking at their military discharge record, called their DD214, is "one of the best predictors of behavior," said Stock. "If they behaved badly in the military, they'll behave badly in the workplace."
Likewise, he said that in insider theft investigations, the culprit often turns out to be someone that had been hired in spite of obvious warning signs, as noted by hiring managers. When asked why they hired the person anyway, people at the company would respond that they were ramping up a project, and needed the person anyway.
Interestingly, not every insider who steals information has a grudge against their employer. While that was true in 67% of cases, Stock said that 26% who stole didn't have any bad feelings toward the company. In many of those cases, however, the employees displayed Machiavellian signs--combining ambition with job frustration, and often willing to devote considerable time and energy to taking intellectual property they've worked on to their next job.
Overall, 65% of people who stole IP already had a job lined up with a rival company, and 20% were simply recruited by outsiders who wanted the data. In 25% of cases, data ended up with a foreign company or national entity.
