Insider Threats in the US Federal Government: Detection and Prevention

Governments are one of the biggest cybersecurity spenders. In 2015, for example, the US government included $14 billion in cybersecurity spending in the 2016 budget. In 2019, this number reached over $16 billion, and it’s expected to rise even higher in 2020. Meanwhile, a study by SecurityScorecard shows that US government institutions struggle with many cybersecurity tasks, including patching cadence and ensuring the appropriate level of network and endpoint security.

Among the most common causes of cybersecurity incidents, there’s one that deserves special attention – government insider threats. To better understand how to address the problem of insider threats in US government organizations, let’s take a look at the key factors that lessen the effectiveness of a federal organization’s cybersecurity.

What Is an Insider Threat? Definition, Types, and Countermeasures

5 major factors behind the poor cybersecurity in government organizations

Do you know what makes government organizations insecure?

In theory, government organizations are supposed to be well-secured and protected. Understanding the true danger of insider threats, the US government even created the National Insider Threat Task Force to help federal institutions “build programs that deter, detect, and mitigate” the actions of malicious insiders.

But in practice, we can see that federal agencies and institutions still have lots of weak spots in their security risk management programs. These vulnerabilities leave them unprotected from both internal and external cyber attacks.

Statistic shows that insider threats account for approximately 30% of all cybersecurity incidents in government departments and organizations. Therefore, being able to detect and prevent an insider threat is the key to protecting sensitive data of both federal institutions and average citizens.

The fact that government cybersecurity strategies aren’t very effective despite considerable spending can be explained by several major factors:

• The emergence of new and more sophisticated threats
• Malicious insiders
• Low security budgets
• Lack of cybersecurity professionals
• Too many regulations

Let’s look closer at each factor:

Constantly emerging and more sophisticated threats. This isn’t something unique to the government sector but rather a general cybersecurity problem. New threats and attack methods emerge faster than security specialists and vendors can react to them. This is mostly caused by the constantly growing attack surface, with more and more companies, websites, and connected devices out there. At the same time, the fact that it’s quite easy to obtain the knowledge and resources required for an attack also works in favor of cyber criminals.

Malicious insiders. Government employees (both current and former) can cause more damage in a shorter amount of time than external attackers. A third-party vendor or a government contractor can also become an insider threat if they have access to an organization’s systems. What makes things more complicated is that malicious users are harder to detect because they are legitimate actors who behave normally most of the time. Furthermore, not all of them are malicious by nature – many insider threat security incidents are the result of an insider’s negligence and not malicious intent.

How to Prevent Human Error: Top 4 Employee Cybersecurity Mistakes

Limited security budgets. Despite seemingly large overall spending on cybersecurity, a particular government agency or department gets only a small portion of that money. It’s usually not enough to employ a proper IT security solution capable of providing sufficient protection and reacting quickly to emerging threats.

Lack of cybersecurity professionals. Low budgets lead to a lack of cybersecurity specialists and the ineffectiveness of the government’s insider threat prevention programs. With demand for qualified personnel on the rise, government institutions simply can’t offer rates that compete with the commercial sector. A high amount of practical knowledge and experience is a must in this field and is something that a lot of government security specialists lack.

Too many regulations. Despite the lack of funds and qualified personnel, government institutions are still required to comply with a large number of security standards, including NIST and FISMA compliance requirements. In an attempt to comply with multiple regulations, government institutions create sets of rules they must follow, thus taking a policy-based security posture. But this approach doesn’t always work well. In the next section, we explain why.

Top 5 Real-Life Examples of Breaches Caused by Insider Threats

Drawbacks of a policy-based approach

Is blindly following the rules enough to stay secure?

As specified by the Department of Homeland Security, insider threats are “often carried out through abusing access rights, theft of materials, and mishandling physical devices.” So it may seem that the best thing a government organization can do to prevent insider threats is to follow the cybersecurity rules specified by key regulations.

However, this leads us to the implementation of the policy-based approach. Let’s look closer.

A policy-based approach is fixated on checking boxes – making sure that certain compliance requirements are achieved. But complying with requirements isn’t always equal to staying well-protected against insider threats.

A policy-based approach doesn’t require an organization to actually assess risks and fix existing security flaws. As a result, government agencies often fail to accomplish a number of critical tasks:

• Update software on time. Most government agencies don’t update software unless it’s explicitly required by regulations. Failure to keep software up to date leaves organizations with vulnerabilities that can be exploited by attackers. Often, even cybersecurity solutions provided by the government don’t get updated.
• Fix existing security flaws. Not all regulations specifically require government agencies to fix existing security flaws and vulnerabilities. The security solutions required to fix such flaws usually cost money that most organizations decide to save, leaving these vulnerabilities extant. Such actions inevitably put sensitive data at risk of being stolen.
• Properly detect insider threats. Most regulations require some form of access management and activity monitoring. However, not every government organization employs comprehensive cybersecurity solutions for government to control access to critical data, monitor user activity, and ensure effective incident response. To properly address the problem of insider threats, a combination of a well-planned insider threat program and a sophisticated insider threat prevention solution (user activity monitoring solution) is needed.

As you can see, for US government organizations, insider threats are one of the key cybersecurity challenges. But what is the real danger that people pose from within? Let’s find out.

How to Build an Insider Threat Program [12-step Checklist]

Mitigating insider threats in government organizations

What happens when you don’t see a wolf among the herd?

Government organizations in the US aren’t as immune to data leaks and data breaches as they want to appear. But as scary as hacker attacks seem, the biggest danger often comes from within. The case of Edward Snowden, one of the most talked about leakers, proves this.

Here’s the main issue: most of the time, malicious actors act normally and perform their regular duties, thus remaining indistinguishable from their non-malicious peers. So how can you detect a wolf in sheep’s clothing?

Improving an organization’s cybersecurity while also addressing the problem of cyber threats caused by insiders requires a holistic approach. Here are three key steps that can be taken to increase the level of an organization’s cybersecurity:

Specify dangerous actions. Organizations can enhance their cybersecurity policies with what they lack most – clear rules that prohibit dangerous actions.

A list of such actions should include:

• Sharing passwords
• Installing and using shadow IT
• Using unapproved USB devices
• And so on

Educating government staff on cybersecurity best practices is essential. It helps government organizations get the most out of a traditional policy-based approach and reduce the number of negligent insiders.

Limit access privileges. Every employee and every role in an organization should have a set of clearly defined access permissions. Unauthorized personnel should be prevented from accessing data and systems they aren’t supposed to.

Approaches such as role-based access control, the principle of least privilege, and zero trust will be helpful in implementing this in practice.

Monitor user actions. Being able to watch, record, and analyze every action a user takes when working with critical assets is the key to detecting and halting insider attacks. If a cybersecurity incident takes place, recorded information can help determine the cause and improve the cybersecurity policy to prevent similar incidents.

With these three steps, insider threats in federal government agencies can be effectively mitigated. In particular, government organizations can lower the risk of attacks caused by negligent and opportunistic insiders. And by combining user monitoring with UEBA, organizations can improve the detection of malicious insiders even further.

Portrait of Malicious Insiders: Types, Characteristics, and Indicators

Ekran System is a sophisticated insider threat prevention and detection platform that provides a rich set of tools for:

• Managing privileged access and passwords
• Monitoring user activity
• Investigating and responding to cybersecurity incidents

Ekran can record every user session, regardless of the applications used, network configuration, and level of user privilege. Suspicious processes, applications, and sessions can be terminated manually or automatically. The platform comes with a standard library of cybersecurity rules, but custom rules for alerts, notifications, and incident responses can also be specified.

Ekran offers a flexible licensing scheme that allows organizations to adjust costs according to the scale of deployment and easily transfer licenses between endpoints for focused investigations.

The platform also makes it easier for government organizations and their subcontractors to meet the requirements of NIST, FISMA, NISPOM, and other acts, standards, and regulations.

US-Based Defense Organization Enhances Insider Threat Protection with Ekran System [PDF]

Conclusion

Government organizations struggle to address the problem of insider threats. The need to cut costs and comply with multiple regulations forces them to implement ineffective cybersecurity policies.

To address the problem of insider threats, agencies should implement effective cybersecurity solutions for government. Thus, they can pay more attention to user activity monitoring, access management, and incident response. They can also detect possible attacks in a timely manner and significantly limit the attack surface. Specifying dangerous actions in an organization’s cybersecurity policy and educating employees on the true importance of these restrictions will also be helpful.

Ekran System is a comprehensive insider threat prevention platform that can be used for privileged access management, user activity monitoring, incident response, and auditing.