Sergey Nivens - Fotolia

NSA contractor arrest for spying underlines insider threat

Malicious insiders are still one of the biggest threats and a popular means of data theft, according to famous spy catcher Eric O'Neill and other security industry experts

The arrest of a former US National Security Agency (NSA) contractor on suspicion of spying further underlines the threat of malicious insiders, security commentators have said.

The FBI secretly arrested 51-year-old Harold Martin in August 2016 and is investigating whether he stole and disclosed top secret NSA network hacking software, according to The New York Times.

He has been charged with theft of government property and the unauthorised removal or retention of classified documents, which are believed to date back to 2014.

If the charges are confirmed, Martin will be the second NSA contractor at consulting company Booz Allen Hamilton who managed to steal secret information while working for the NSA.

In 2013, former Booz Allen contractor Edward Snowden copied documents from the agency that exposed the mass internet surveillance by the NSA and its allies.

It is still not known if Martin passed or intended to pass the data on to a third party, but the fact he was able to access and copy the data has raised new concerns about insider threats.

Former FBI spy catcher turned lawyer and cyber security consultant Eric O’Neill said insiders are the most useful spies or data thieves.

The insider threat has become an area of expertise for O’Neill since he was instrumental in catching notorious US spy Robert Phillip Hanssen in 2001.

Read more about insider threats

“Although insiders have been in part replaced with credential theft, organisations still have to worry about insiders recruited as spies,” he told Computer Weekly.

“The Russians and the Chinese especially love that. If they can buy a person who is already within the defences, who is trusted and can just log in to steal data without being spotted by security systems,” said O’Neill.

Now the national security strategist at security firm Carbon Black, O’Neill said organisations could use the same approach to finding malicious insiders or bad actors using stolen credentials.

“One approach is to monitor networks and systems continuously to be able to see when anyone accesses systems or parts of the environment they shouldn’t.

“If organisations are monitoring who is accessing different endpoints, what’s running on different endpoints or who is in places they shouldn’t be, you can find the malicious insider,” said O’Neill.

Read more about data breaches

  • Drawing on insights from more than 400 senior business executives, research from Experian reveals many businesses are ill-prepared for data breaches.
  • The rise in high-profile security breaches has led to an increasingly worried UK public, calling for 24-hour monitoring of sensitive information.

The insider threat is the largest and most realistic one to corporate data, according to Mark Wilson, director of product development for Stealthbits Technologies.

“No intrusion detection or perimeter security measure can account for this because an internal bad actor with motivation and the correct credentials can and will infiltrate an organisation’s sensitive data,” he said.

The malicious insider has two things in their sight: credentials and data, mainly because of their monetary value. “The challenge is how to minimise the attack surface, alert to a breach and stop the activity before it can occur,” said Wilson. 

This can only be achieved by understanding the insider threat and what their motivation is, and by applying suitable measures to alert and stop the nefarious activity. “More often than not, the insider attack is realised only long after the event as borne out by the fact this breach occurred two years ago.

“The challenge is how to minimise the attack surface, alert to a breach and stop the activity before it can occur”
Mark Wilson, Stealthbits Technologies

No level of security clearance can account for privilege and motivation. Therefore the only way to address this is to consider least level of access the best practice for privileged credentials and minimising permissive and accessible access to data.

Continuous monitoring of digital assess is essential to reduce leaks, according to Julien Bellanger, co-founder and CEO of security firm Prevoty. “Digital data, whether business trade secrets or government sensitive documents, is the holy grail for any hacker,” he said.

The challenge for the information security industry, said Bellanger, is to build real-time visibility across the network, the application, the databases and the endpoints to track sensitive information transactions. “We have historically focused too much on infrastructure and not enough on data protection to efficiently protect against data theft,” he said.

Read more on Privacy and data protection