Preventing Insider Threats

February 1st, 2007, Law & Policy

Many organizations place a very strong emphasis on external security: firewalls, VPNs, special network routing, and so on. However, a substantial portion of information security risk comes from within the organization, from the "insider threats." A 2005 survey conducted by the US Secret Service, CERT, and CSO magazine found that, where respondents could identify the attacker, 20% of the attacks were committed by insiders. The impact can range from a few hours of lost productivity to as much as $700 million in a complex financial fraud case.

A report by Carnegie Mellon's CyLab entitled "Common Sense Guide to Prevention and Detection of Insider Threats," released in July 2006, lays out a good multi-step approach to improving accountability and decreasing the chance of insider attacks. The full report, about 45 pages, can be found here.

Here are some of the major points outlined in the report. First and foremost, insiders are a threat to any organization that has anything to protect. Whether that is confidential client information, proprietary source code, trade secrets, or information that is of value to a third party, the organization is at risk. There are ways to decrease the risk of insider threats; however, the trust relationship between the parties poses some difficulties.

Areas of Insider Threats

Generally, there are three areas of insider threat: insider IT sabotage, fraud, and theft of information.

Insider IT sabotage most often comes from disgruntled current or former employees or clients who intentionally misuse their account permissions to cause damage. Most of these insiders act out of revenge for some negative event, such as termination, demotion, or dissatisfaction with their job or salary. Using somebody else's account (with the owner's knowledge or by compromising it) is the most common way of gaining access; creating backdoors and misusing accounts that were not disabled on the employee's departure are also common.

Fraud comes from current employees, very often in positions such as data entry that require access to sensitive or valuable information. Almost all insider fraud was carried out with legitimate user commands; most of the insiders used their own username and password, and most committed the fraud from their workplace. Such fraud is most commonly detected through system irregularities or through complaints from clients or law enforcement.

Theft of proprietary information comes mainly from current employees. Most are financially motivated, and most feel entitled to the information they take. Most insiders in this category had authorized access to the information they took and used their own username and password to take it. Theft of information is generally hard to detect; when it is detected, it is most often because of notification by a third party.

To the above observations it is important to add that, according to the research, almost half of the employees who stole information while still employed had already accepted another job offer. Extra caution should therefore be exercised once the organization learns, formally or via rumor, that an employee is leaving.

Best Practices for Prevention and Detection of Insider Threats

The paper proposes thirteen practices that should help an organization decrease its risk of insider threats. A brief summary of the proposed practices follows.

Practice 1. Institute periodic enterprise-wide risk assessments. As with any effort to prevent security breaches, a risk assessment should be done to evaluate the organization's needs, strengths, and weaknesses. The results of this analysis should dictate many of the other practices.

Practice 2. Institute periodic security awareness training for all employees. This should already be in place, not only to prevent insider threats but to raise the general security awareness of employees and to stop external attacks such as phishing.

Practice 3. Enforce separation of duties and least privilege. No employee should be solely responsible for a critical system, and each employee should have only the privileges necessary to do his or her job.

Practice 4. Implement strict password and account management policies. As with security awareness training, this should be in place regardless of the threat being addressed. Strict password and account management policies protect against both insider and external threats.

Practice 5. Log, monitor, and audit employee online actions. This is not to say that you should spy on your employees, but appropriate logging and monitoring should be conducted once employees have been made aware of it.

Practice 6. Use extra caution with system administrators and privileged users. Because system administrators in many cases perform the logging and monitoring themselves, special attention should be paid to persons with heightened privileges.

Practice 7. Actively defend against malicious code. Logic bombs and stealth code can be very hard to detect, so extra effort should be made toward early detection.

Practice 8. Use layered defense against remote attacks. Many insider attacks are carried out through remote access, often outside working hours, so remote access should be limited to what a role actually needs, and remote logins should be logged and monitored at least as closely as on-site activity. Employees who are trained and vigilant, and who know that their actions are monitored, are also less likely to attack their own systems.
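As an added example of the logging and monitoring called for under Practices 5 and 8 (this is not code from the report or from the original post), the script below runs simple detection logic over a few constructed sshd-style login lines: it learns which source addresses each user normally logs in from, then flags later logins that are remote, outside working hours, or from a source not previously seen for that user, and only alerts when at least two of those conditions coincide. The log lines, the assumption that 10.0.0.0/8 is the office network, and the 07:00 to 19:00 working-hours window are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth log lines in an sshd-like format (not real data).
LOG = """\
2007-01-29 09:12:01 sshd Accepted password for carol from 10.1.4.22
2007-01-29 09:30:44 sshd Accepted password for alice from 10.1.4.17
2007-01-30 09:05:13 sshd Accepted password for carol from 10.1.4.22
2007-01-30 17:48:09 sshd Accepted password for alice from 10.1.4.17
2007-01-31 23:41:27 sshd Accepted password for carol from 203.0.113.45
2007-02-01 02:07:55 sshd Accepted password for carol from 203.0.113.45
"""

LINE = re.compile(r"^(\S+ \S+) sshd Accepted \w+ for (\S+) from (\S+)$")
INTERNAL = ("10.",)   # assumption: 10.0.0.0/8 is the office network


def parse(log):
    """Turn raw lines into (timestamp, user, source) tuples; skip non-matching lines."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events


def baseline(events):
    """Source addresses each user has been seen from in the learning set."""
    seen = defaultdict(set)
    for _, user, src in events:
        seen[user].add(src)
    return seen


def flag(events, known, work_hours=(7, 19)):
    """Return (ts, user, src, reasons) for logins that deserve a second look."""
    alerts = []
    for ts, user, src in events:
        reasons = []
        if not src.startswith(INTERNAL):
            reasons.append("remote source")
        if not work_hours[0] <= ts.hour < work_hours[1]:
            reasons.append("outside working hours")
        if src not in known.get(user, set()):
            reasons.append("new source for user")
        if len(reasons) >= 2:   # require corroboration to limit noise
            alerts.append((ts, user, src, reasons))
    return alerts


def run():
    """Learn from the first four (in-hours, on-site) logins, test the rest."""
    events = parse(LOG)
    known = baseline(events[:4])
    return flag(events[4:], known)


if __name__ == "__main__":
    for ts, user, src, reasons in run():
        print(ts, user, src, ", ".join(reasons))
```

The two late-night logins for carol from 203.0.113.45 are flagged on all three counts. Whether carol is working from home or a former colleague is using her password, the point of Practice 5 is that this is the kind of event an analyst should follow up rather than dismiss.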

Practice 9. Monitor and respond to suspicious and disruptive behavior. Suspicious behavior should be investigated closely instead of being dismissed. Follow-up by management is necessary.

Practice 10. Deactivate computer access following termination. It may sound like the single most important practice on this list; however, according to the research, many insiders (especially system administrators) do not use their own accounts to commit the illegal act. Deactivating access after termination is therefore important, but it is not the silver bullet many organizations take it to be.

Practice 11. Collect and save data for use in investigations. Proper log files and audit trails should be preserved, secured, and authenticated. If criminal prosecution (or civil litigation) is to follow, the evidence to be used at trial must be properly kept and authenticated. Logging system administrators' activities raises special problems, because they may be in a position to modify the log trail easily.
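One way to make the administrator problem in Practice 11 tractable is to chain each log record to its predecessor with a keyed MAC whose key the monitored host does not hold. The following is an added example (not code from the report or the original post) of such a hash-chained audit log: every record carries an HMAC over the previous record's tag and its own content, so editing or deleting any record breaks the chain from that point on. The key, the log entries, and the tampering scenarios are all constructed for the example.

```python
import hashlib
import hmac
import json

# Assumption for this example: the key is held by the log collector (or an
# HSM), not by the host being logged, so a local administrator cannot
# recompute tags after altering a record.
COLLECTOR_KEY = b"example-key-held-by-log-collector"
GENESIS = "0" * 64   # "previous tag" for the first record


def append_entry(log, entry, key=COLLECTOR_KEY):
    """Append entry to log with an HMAC over (previous tag || canonical entry)."""
    prev = log[-1]["tag"] if log else GENESIS
    body = json.dumps(entry, sort_keys=True)
    tag = hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()
    log.append({"entry": entry, "prev": prev, "tag": tag})
    return log


def verify_chain(log, key=COLLECTOR_KEY):
    """Return (True, -1) if intact, else (False, index of first broken record)."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = json.dumps(rec["entry"], sort_keys=True)
        expected = hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()
        if rec["prev"] != prev or not hmac.compare_digest(rec["tag"], expected):
            return False, i
        prev = rec["tag"]
    return True, -1


def demo():
    """Build a small log, then show that editing or deleting a record is detected."""
    log = []
    for e in [   # constructed entries
        {"ts": "2007-01-31T22:14:05", "user": "root", "action": "useradd svc-bkp"},
        {"ts": "2007-01-31T22:15:40", "user": "root", "action": "usermod -aG wheel svc-bkp"},
        {"ts": "2007-02-01T08:02:11", "user": "alice", "action": "login"},
    ]:
        append_entry(log, e)
    intact = verify_chain(log)

    # An administrator rewrites the record showing the backdoor account creation.
    tampered = [dict(r) for r in log]
    tampered[0] = dict(tampered[0], entry={**tampered[0]["entry"], "action": "login"})
    edited = verify_chain(tampered)

    # Or removes the middle record outright.
    deleted = verify_chain(log[:1] + log[2:])
    return intact, edited, deleted


if __name__ == "__main__":
    print(demo())   # (True, -1), (False, 0), (False, 1)
```

The chain only proves as much as the key's separation does: an administrator who also controls the key can simply re-sign a rewritten log. In practice the records should be shipped to a collector the administrator cannot write to, and for evidentiary use the collector's retention and verification procedure should itself be documented, which is the point of Practice 13.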

Practice 12. Implement secure backup and recovery processes. Many of the sabotage acts committed by insiders involved destroying valuable information both on site and on backup tapes. Backup tapes (especially those containing valuable information) should be properly secured, with access split between at least two people.

Practice 13. Clearly document insider threat controls. This helps in subsequent policy reviews, creates a better understanding of the policies, and reduces the chance that the organization is perceived as acting in a discriminatory manner.
