- ID: AR2
- Created: 22nd May 2024
- Updated: 23rd July 2024
Means
The mechanisms or circumstances required for an infringement to occur.
Sections
ID | Name | Description |
---|---|---|
ME024 | Access | A subject holds access to both physical and digital assets that can enable insider activity. This includes systems such as databases, cloud platforms, and internal applications, as well as physical environments like secure office spaces, data centers, or research facilities. When a subject has access to sensitive data or systems—especially with broad or elevated privileges—they present an increased risk of unauthorized activity. Subjects in roles with administrative rights, technical responsibilities, or senior authority often have the ability to bypass controls, retrieve restricted information, or operate in areas with limited oversight. Even standard user access, if misused, can facilitate data exfiltration, manipulation, or operational disruption. Weak access controls—such as excessive permissions, lack of segmentation, shared credentials, or infrequent reviews—further compound this risk by enabling subjects to exploit access paths that should otherwise be limited or monitored. Furthermore, subjects with privileged or strategic access may be more likely to be targeted for recruitment by external parties to exploit their position. This can include coercion, bribery, or social engineering designed to turn a trusted insider into an active participant in malicious activities. |
ME018 | Aiding and Abetting | An individual or individuals knowingly assist a subject to gain access to devices, systems, or services that hold sensitive information, or otherwise contravene internal policies. |
ME001 | Asset Control | A subject can access devices that have not been assigned to them. |
ME004 | Bluetooth | A subject can conduct Bluetooth file transfers from an organization device. |
ME022 | Bring Your Own Device (BYOD) | An organization has a Bring Your Own Device (BYOD) policy, where a subject is authorized to connect personally owned devices—such as smartphones, tablets, or laptops—to organizational resources. These resources include corporate networks, cloud applications, and on-premises systems that may handle confidential and/or sensitive information. The use of personal devices in a corporate environment introduces several risks, as these devices may lack the same level of security controls and monitoring as organization-owned equipment. |
ME012 | Clipboard | A subject can use the clipboard on a device (copy & paste). |
ME009 | FTP Servers | A subject is able to access external FTP servers. |
ME003 | Installed Software | A subject can leverage software approved for installation or software that is already installed. |
ME013 | Media Capture | A subject can capture photos, videos and/or audio with an external device, such as taking photos of a screen, documents, or their surroundings. |
ME008 | Network Attached Storage | A subject can write to a Network Attached Storage (NAS) device outside of the organization's control. |
ME017 | Physical Disk Access | A subject has the ability to access the physical disk of a target system. |
ME025 | Placement | A subject’s placement within an organization shapes their potential to conduct insider activity. Placement refers to the subject’s formal role, business function, or proximity to sensitive operations, intellectual property, or critical decision-making processes. Subjects embedded in trusted positions—such as those in legal, finance, HR, R&D, or IT—often possess inherent insight into internal workflows, organizational vulnerabilities, or confidential information. Strategic placement can grant the subject routine access to privileged systems, classified data, or internal controls that, if exploited, may go undetected for extended periods. Roles that involve oversight responsibilities or authority over process approvals can also allow for policy manipulation, the suppression of alerts, or the facilitation of fraudulent actions. Subjects in these positions may not only have a higher capacity to carry out insider actions but may also be more appealing targets for adversarial recruitment or collusion, given their potential to access and influence high-value organizational assets. The combination of trust, authority, and access tied to their placement makes them uniquely positioned to execute or support malicious activity. |
ME014 | Printing | A subject has the ability to print documents and other files. |
ME007 | Privileged Access | A subject has privileged access to devices, systems or services that hold sensitive information. |
ME005 | Removable Media | A subject can mount and write to removable media. |
ME011 | Screenshots | A subject can take screenshots on a device. |
ME023 | Sensitivity Label Leakage | Sensitivity label leakage refers to the exposure or misuse of classification metadata—such as Microsoft Purview Information Protection (MIP) sensitivity labels—through which information about the nature, importance, or confidentiality of a file is unintentionally or deliberately disclosed. While the underlying content of the document may remain encrypted or otherwise protected, the presence and visibility of sensitivity labels alone can reveal valuable contextual information to an insider. This form of leakage typically occurs when files labeled with sensitivity metadata are transferred to insecure locations, shared with unauthorized parties, or surfaced in logs, file properties, or collaboration tool interfaces. Labels may also be leaked through misconfigured APIs, email headers, or third-party integrations that inadvertently expose metadata fields. The leakage of sensitivity labels can help a malicious insider identify and prioritize high-value targets or navigate internal systems with greater precision, without needing immediate access to the protected content. Examples of Use: |
ME015 | SMB File Sharing | A subject has the ability to share files across a network through Server Message Block (SMB) file sharing. |
ME010 | SSH Servers | A subject is able to access external SSH servers. |
ME016 | System Startup Firmware Access | A subject has the ability to access the system startup firmware of a target system. |
ME002 | Unrestricted Software Installation | A subject can install software on a device without restriction. |
ME021 | Unrevoked Access | The subject has left the organization but still has access to services or data that are reserved for employees. |
ME006 | Web Access | A subject can access the web with an organization device. |