We are in the process of delivering next month's NoticeBored security awareness materials on "Insidious Insiders". This topic has turned a shade darker since we last covered it, thanks to a number of research studies and warnings from the likes of CERT and the FBI indicating to us that insider threats are escalating.
If you've caught the news this week, you probably saw the unfolding drama at the Vatican concerning leaks of confidential internal matters to the Italian press and allegations that the Pope's butler was involved. So much for trust and ethics as security controls! If your organization relies heavily on the trustworthiness and ethics of insiders, perhaps it's time to dust off your insider threat analysis and review where you really stand.
For a few years now, the news media, researchers and various official sources have been consistently playing up the use of industrial espionage by China, in particular, although I'm quite certain that China is not the only bad boy on the block. As well as malware and hacking from the outside, social engineering and information theft from within are the flavor of the month. At the same time as they are bleating about the ongoing theft of intellectual property and flagrant disregard for IPR, the evident lack of media concern about industrial sabotage strikes me as rather odd: provided they are measured and reasonably subtle about it, well-placed insiders can quite easily wreck a company's commercial prospects by forcing it to bid inappropriately, miss crucial deadlines, and generally screw around with vital commercial relationships, all without necessarily tipping off senior management.
I can't help but wonder whether substantial delays to both the Airbus A380 and Boeing Dreamliner products were purely the result of wiring and outsourcing concerns (or whatever they claimed), or perhaps, just conceivably, the commercial impacts of skulduggery deep within the ranks. The aerospace industry is intensely competitive with an enormous amount at stake, including strong national interests and of course the defense side of the business. Do you think I'm paranoid to believe that there might be more to this massive EU v US bun-fight than perhaps meets the eye?