Sep 25, 2024

From Hollywood to Reality: Insider Risk Takes Center Stage


The espionage genre, be it feature films or television series, has long been synonymous with insider risk realized. Usually, the protagonist has stolen, or is planning to steal, information with a partner, destroy key infrastructure, or sabotage systems to cause a denial of service.

There has been an uptick in documentaries that highlight insider risk events that have occurred within the last decade. The producers, writers and directors have taken what has historically been an esoteric corporate or national security issue and brought insider risk to the theaters and living room. Let’s look, shall we?

Documentaries inform and teach

Two recent documentaries have hit the bullseye when it comes to insider risk management. These would be Ashley Madison: Sex, Lies & Scandal and Reality Winner, both of which dissect incidents that were well covered by mainstream media.

Documentary: Ashley Madison

Ashley Madison – the infamous website where millions sign up to “have an affair.” What could possibly go wrong? As it turned out, a whole lot can and did go wrong, with far-reaching consequences. Ashley Madison, a Toronto-based company, grew from its founding in 2002 to 30 million users by 2015. Over the course of the documentary series, we learn about the company’s privacy and security regime and its liberal use of vaporware marketing: security features were sold that did not exist. Indeed, the company’s former vice president noted that, “The promise of security, anonymity and safety was just something we said. It wasn’t something we did.”

The hack

Then on July 21, 2015, the floor seemingly fell out from under the company when data on users (both current and former) was compromised via a “hack” by an unknown entity calling itself “The Impact Team.” The hackers released the Ashley Madison files, including names, emails and credit card information, as well as users’ stated sexual fantasies. If one can imagine sharks feeding, then one has a clear image of the media (and curious individuals) scouring the released data for salacious information on persons of note.

Forensic investigations

Forensic investigators discovered that the hack was enabled via a legacy version of the application that third-party contractors had previously used to access and maintain the site. The number of individuals who had access to that version was finite, and it was the opinion of the investigators that the hack was an inside job by someone with access to that legacy software. Unfortunately, there was insufficient information to identify the individual behind the hack. Today, the site boasts 65 million members from 45 different countries, all sharing personal information.

Many lessons learned

The lesson: cybersecurity is more than verbiage, it is work. The urge to market a concept rather than a reality proved painful when the curtain was pulled back and users saw that their data was in fact not protected. One might presume the company now has a security regime more robust than it had in 2015. The use of a legacy version of the software to reach the infrastructure, allegedly by a former contractor, speaks to the need for timely access management controls (revoking access when a contract ends) and to the need to decommission legacy systems, since the legacy version apparently had never been retired.

The information provided nation states and unsavory actors with a plethora of insight into a great many individuals with access to corporate or government entities. Couple this with the Office of Personnel Management breach that compromised the background checks of millions of individuals with U.S. national security clearances, and one can see a mosaic being put together by those who target insiders.

Documentary: Reality Winner

The story of Reality Winner is well known. She was an employee of a contractor, Pluribus International Corporation (which was supporting the National Security Agency (NSA)), with Top Secret access. She began her job on February 13, 2017, and around May 9 she stole information to which she had authorized access. The information she took was briefing material (slide decks) discussing NSA’s offensive operations, including one that was penetrating the Russian government group which had targeted the 2016 U.S. elections. Briefings from the FBI and other government agencies had warned as early as 2015 that the two primary political parties in the United States were being targeted by Russian entities, and several states’ election offices had experienced cyber incursions. Thus it stands to reason that the NSA, with its offensive cyber mission, would have a program to locate and penetrate such entities. Winner, an employee of but a few months, was motivated to inform the public that Russia had been trying to undermine the 2016 U.S. election.

Theft of classified documents

Winner’s methodology was to print out a Top Secret codeword presentation. She then exfiltrated the document from the classified work environment by hiding it in her undergarments. Once at her residence, she mailed it to The Intercept (a left-of-center online publication). Upon receipt, the media outlet contacted NSA to determine whether the document in its possession was legitimate. NSA acknowledged it and asked for its return. The Intercept declined and proceeded with its plans to publish, though it did agree to redact some items at NSA’s request.

NSA’s investigation

The ensuing investigation by NSA was straightforward: find who had printed the document (there were but a handful of individuals across the nation) and interview them. Winner was interviewed by the FBI shortly thereafter and confessed.

Lessons learned are plentiful

The teaching points here are numerous. Though an employee for less than 90 days, she already had one security violation on record: she had “inadvertently” carried a classified document out of her workspace and into the unclassified area (the cafeteria). Upon her return, a bag check was in effect; she was caught bringing a classified document back in and was written up.

Bag checks are effective, but they only check what the individual is carrying in or out of the sensitive environment. An inspection of the individual’s clothing is not part of the enter/exit bag check. One may posit that Winner treated her prior encounter with the bag inspection as a lesson in how bag checks work in her environment. Adapting her methodology accordingly, she hid the classified documents on her person.

In addition, there was a missed opportunity within the insider risk management (IRM) program at her employer. Winner was less than 90 days into her employment and had a security violation seemingly right out of the starting blocks. Did this behavior not warrant closer supervision? If an IRM program was present, it clearly missed critical behavioral clues. A well-rounded IRM program, underpinned by behavioral context, would have surfaced the elevated risk and prompted an appropriate adjustment to the monitoring of employees and contractors.

Hollywood entertains while teaching

Several television series of late have provided us with entertainment surrounding insider risks, as well as showing us a good bit about tried-and-true modus operandi used by bad actors when going after intellectual property or state secrets.

Series: The Flight Attendant

For example, The Flight Attendant is a lively series centered around a murder mystery with a subplot of nation state espionage. A supporting character, who is also a flight attendant, is tasked by a nation state with stealing corporate secrets from a company (a defense contractor to the United States government) to which she has only indirect access. How does she accomplish this? She accesses the information via her husband’s laptop and is paid in cash for the information.

The perils of device sharing

Her unwitting husband thinks she is using his laptop to order take-out or shop online. This highlights the downside of BYOD (Bring Your Own Device) and of sharing corporate devices with others. More subtly, it also speaks to the risk posed when those with whom an employee cohabitates have access to sensitive and proprietary information.

Series: The Americans

Then we have The Americans – a long-running series that details the Cold War espionage activities of a couple who own and operate a travel agency in the United States. The stereotypical family – married with two children and living in a modest home – is their cover legend. In reality, the couple are highly effective Russian illegal intelligence officers. Over the run of the series, they were highly successful within government and industry alike, spotting, accessing, and engaging targets of interest with access to desired information – the insider. Once engaged, the witting insider’s motivation may be money, recognition, resources for family, a desire to assist their “paramour,” or other individual needs being satisfied. The unwitting insider is duped, socially engineered into taking an action which, without the prodding or manipulation, they would not otherwise take.

The Americans’ takeaways for the IRM team

For the IRM team, training on how employees may be socially engineered is as important as understanding how information is taken from the enterprise. The series, when looked through this lens, both entertains and teaches.

How might one deter such activity? Monitoring printer usage, and correlating it with who printed what and whether they had a need to know, is one deterrent.

When insider risk is identified, have a plan

Not having a plan of action when an insider risk presents itself is a recipe for risks becoming threats and threats becoming significant security breaches. Each entity’s ability to monitor behavior, educate the workforce, and lock down sensitive data is different, and often resource driven. As shown in the Ponemon Cost of Insider Risks Global Study, sponsored by DTEX Systems, the average investment in addressing insider risk is $200 per employee, while the average cost of cleaning up after an incident is $16.2M USD, and an incident takes on average 86 days to contain.

Action plans must be in place for when behavior increases risk. The Flight Attendant’s sharing of a laptop containing sensitive information, and the copying of that information to USB sticks, are both elevated risks. The Americans showed lifestyle changes in those targeted by the intelligence officers, certainly warranting a conversation. The Ashley Madison hack was tied to a legacy version of the software that had been retained by an unidentified contractor; whether the contractor was compromised or the contractor was the perpetrator, third-party risk is clearly in play.

Reality Winner was an insider with privileged access who had been employed less than 90 days, already had a security violation within those first three months, and then printed out a highly classified document to which she had access but no need to know. Behavioral clues were present; they were either missed or weren’t being monitored for.
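The two points above, that printer usage is worth monitoring and that behavioral context (short tenure, a prior violation, printing outside one’s need to know) should raise the alert level, can be combined in a small correlation rule. The following is an added example written for this article, not code from DTEX, NSA or any product: it parses print-server audit lines in a hypothetical syslog-like format, joins each print job to constructed HR/security context, and scores the job. The user names, log format, field names, weights and threshold are all assumptions; the “alice” row merely mirrors the article’s February-to-May timeline with fabricated data.

```python
import re
from dataclasses import dataclass
from datetime import date, datetime, timezone

# Constructed print-server audit lines. The syslog-like layout and the
# field names (user, doc, marking, project, pages) are assumptions made
# for this example, not a real product's schema.
PRINT_AUDIT = """\
2017-05-09T14:02:11Z printsrv01 lpd: user=alice doc="program-brief.pptx" marking=TS/SCI project=sigint-ops pages=5
2017-05-09T15:40:02Z printsrv01 lpd: user=bob doc="timesheet.xlsx" marking=UNCLASS project=admin pages=1
2017-05-10T09:12:45Z printsrv02 lpd: user=carol doc="project-plan.docx" marking=SECRET project=sigint-ops pages=12
2017-05-10T09:15:03Z printsrv02 lpd: user=bob doc="vendor-contract.pdf" marking=SECRET project=procurement pages=40
2017-05-10T11:03:27Z printsrv02 lpd: user=carol doc="budget.xlsx" marking=SECRET project=procurement pages=3
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) lpd: user=(?P<user>\S+) doc="(?P<doc>[^"]+)" '
    r'marking=(?P<marking>\S+) project=(?P<project>\S+) pages=(?P<pages>\d+)$'
)


@dataclass(frozen=True)
class Context:
    """Behavioral context an IRM program would pull from HR and security records."""
    start_date: date
    prior_violations: int
    need_to_know: frozenset  # projects/compartments the person is read into


# Constructed HR/security context (hypothetical people and dates).
CONTEXT = {
    "alice": Context(date(2017, 2, 13), 1, frozenset({"hr"})),
    "bob": Context(date(2012, 6, 1), 0, frozenset({"admin", "procurement"})),
    "carol": Context(date(2015, 3, 9), 0, frozenset({"sigint-ops"})),
}

# Assumed weights: tune to the organisation's own risk appetite.
MARKING_WEIGHT = {"TS/SCI": 3, "TS": 3, "SECRET": 2}
NEW_HIRE_DAYS = 90
BULK_PAGES = 25
ALERT_THRESHOLD = 5


@dataclass
class Alert:
    user: str
    doc: str
    score: int
    reasons: tuple


def parse_events(text):
    """Parse audit lines; lines in another format are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ev["pages"] = int(ev["pages"])
        events.append(ev)
    return events


def score_event(ev, ctx):
    """Score one print job against the person's behavioral context."""
    score, reasons = 0, []
    weight = MARKING_WEIGHT.get(ev["marking"], 0)
    if weight:
        score += weight
        reasons.append(f"classified print ({ev['marking']})")
    tenure_days = (ev["ts"].date() - ctx.start_date).days
    if tenure_days < NEW_HIRE_DAYS:
        score += 2
        reasons.append(f"tenure {tenure_days} days (< {NEW_HIRE_DAYS})")
    if ctx.prior_violations:
        score += 2 * ctx.prior_violations
        reasons.append(f"{ctx.prior_violations} prior security violation(s)")
    if ev["project"] not in ctx.need_to_know:
        score += 3
        reasons.append(f"no need-to-know for project {ev['project']}")
    if ev["pages"] >= BULK_PAGES:
        score += 1
        reasons.append(f"bulk job ({ev['pages']} pages)")
    return score, tuple(reasons)


def find_alerts(text, context, threshold=ALERT_THRESHOLD):
    """Return the print jobs whose combined score reaches the threshold."""
    alerts = []
    for ev in parse_events(text):
        ctx = context.get(ev["user"])
        if ctx is None:
            # A print job from an identity with no HR record is itself a finding.
            alerts.append(Alert(ev["user"], ev["doc"], threshold, ("no HR context for user",)))
            continue
        score, reasons = score_event(ev, ctx)
        if score >= threshold:
            alerts.append(Alert(ev["user"], ev["doc"], score, reasons))
    return alerts


if __name__ == "__main__":
    for a in find_alerts(PRINT_AUDIT, CONTEXT):
        print(f"{a.user:6} {a.score:2}  {a.doc}  <- {'; '.join(a.reasons)}")
```

On the constructed data, the new hire with a prior violation printing TS/SCI material outside her need to know scores 10, and an established employee printing a SECRET document for a project she is not read into scores 5; the routine SECRET and UNCLASS jobs stay below the threshold. The point of the context join is that the classification marking alone would have flagged three of the five jobs, while the behavioral fields separate the one that warrants a conversation from ordinary work.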

Motivation isn’t always money, nor is it always obvious. Humans can and will continue to maneuver within their positions of trust. Cyber tools are there to offer data, insight, and visibility into the digital behavior of individuals and, as required, the movement of data and of persons.

As you watch programs such as these in the future, keep an eye on how Hollywood has brought the topic of insider risk to the big screen (and the small one), and cull the educational nuances on how insiders steal, damage, or misuse sensitive information.