Top Secret: Pentagon Leak Sheds Light on Insider Attack Threat

After a US National Guardsman allegedly leaked hundreds of the country’s most sensitive classified documents, security experts are pondering the best ways to protect intellectual property from internal threats in the enterprise.

Jack Teixeira, a 21-year-old enlisted IT worker for the Massachusetts Air National guard, was arrested on charges of illegally sharing top-secret national defense information after a New York Times report linked him to photos of the classified documents shared on social media. A Financial Times article suggested thousands of people had access to the same classified material.

The breach exposed critical US secrets regarding the war in Ukraine.

While national security may not be at stake with enterprise breaches, internal threats can wreak havoc on businesses. Such business breaches rarely attract the same level of press attention, but cybersecurity experts are well versed in internal threats both from negligence and malicious intent.

Zero Trust and Behavioral Analytics

Maxine Holt, senior director of content for Omdia’s cybersecurity research group, says organizations can employ behavioral analytics and zero-trust policies to help defend against and respond to internal threats. “We’ve seen a lot of organizations deploy more behavioral analytics to see what employees are doing and to see if anything is out of the ordinary,” she says. “That can certainly help from a security standpoint.” Omdia is owned by Informa.

The “zero-trust” standard of authentication is crucial to protecting intellectual property, Holt says. And this standard applies to remote and office workers alike. “It’s about authenticating people as they go through the organization’s systems. It’s about making sure that somebody who is trying to access a piece of data or a piece of information should actually have access to that information.”

Tight controls on information access and classification are crucial components of security data. “Information should be there on a need-to-know basis,” Holt says. She adds that businesses need to classify sensitive materials much like governments do -- and they need to have tight controls on access in place. “It’s incumbent upon the organization to make sure they’ve got better data classification capabilities in place.”

Author and former Microsoft CIO Jim DuBois agrees about the importance of zero trust in the modern threat landscape. “Insider threats are where the whole zero-trust concept came from,” he says. “And the idea is that just because something or someone is on the inside, it doesn’t mean you can trust automatically. Just because you already authenticated it before doesn’t mean you don’t authenticate again and again. And, while this might sound bad, organizations must assume that all employees don’t have good intent. A lot of hacks have come from employees being bribed, a bad agent inserted as an employee or employees who have valid access being tricked into doing things they shouldn’t.”

Omdia’s Holt said 91% of companies surveyed admitted to having a breach in the past year. About 40% of those breaches came from within the company. While a small percentage of those breaches could be assigned to malicious intent on the part of the employee, she says it’s clear that companies need strict controls on data handling.

Reputation Versus Corporate Responsibility

The Pentagon leak undoubtedly stained security reputations at the highest levels of government and may endanger lives. While the stakes may not rise to the same level, businesses face reputation damage that could be costly and disruptive.

In a perfect world, companies would freely share information regarding security breaches to benefit the wider community. But businesses often keep leaks and breaches confidential to protect the company.

A Bitdefender report released earlier this month found more than 40% of cybersecurity teams were instructed to keep breaches confidential. The US had the highest rate, with 71% of IT/security professionals responding that they’ve been told to keep quiet on breaches.

Those alarming numbers come as no surprise to Holt and DuBois. They say damage caused by publicized leaks can erode customer confidence and lead to serious hits to an organization’s bottom line.

“The incentive today is to not report because your only benefit is that you’re helping somebody else at the risk of your reputation,” DuBois tells InformationWeek. “So we’ve got to figure out how to change that incentive so that we get better reporting. And that might be some way to report anonymously -- so that we’re able to update the collective intelligence so everybody can protect their systems.”

Holt says regulations are necessary to encourage reporting, but even those rules are often skirted. “When it’s sensitive personal information, you might be required to report the breach,” Holt says. “But we know the reporting still doesn’t happen because of the potential damage to reputation. And that’s a big issue because organizations want customers to trust them.”

Holt agreed that an anonymous reporting method would be a good solution. She says preparation can be also helpful if a breach does go public. “If they have a playbook in place and they know what happens if they do report a breach, the company can handle damage reasonably well,” she says. “If they don’t have a plan, the reputational damage is going to be worse because they are not talking to the affected customers.”

What to Read Next:

Breach Takes Systems Down Across Western Digital

GoDaddy Hit with Multiyear Breach

Security Top IT Investment Priority in 2023