Identifying and Countering the Insider Threat

September 9, 2009 by ADMIN

By Richard Stiennon, Chief Research Analyst, IT-Harvest

What is the insider threat?

The insider threat is the one posed by employees, contractors, and visitors who are granted too much trust. In some cases that trust is almost naively granted.

Anyone within an organization could have the motivation, access to resources, and the tools to steal information, or even destroy critical resources.

While often overlooked, the insider threat actually outweighs the threats from cyber criminals, hackers and the random malware that most organizations concentrate on.

It is the insider that understands where the keys to the kingdom are hidden.

When I was engaged in white-hat hacking for one of the Big Four audit firms it would take me about two days within a bank, railroad, or utility to figure out how I could steal from them or their customers.

And that was with information I gleaned from inside staff. We assume that the employer-employee contract is enough to curtail bad behavior.

But ask anyone who manages staff involved in handling cash and you will understand the threat posed by employees. Look at the controls, cameras, even the lack of pockets in casino operations.

Next time you go to a bank check out those video cameras.

They are there to keep the tellers honest. To understand the level of controls needed to protect your assets you have to think of your data, communications, and processes as if they were cash.

What is the threat?

The threat is that you could lose mission critical business functions, intellectual property such as trade secrets, source code, and customer contacts.

You could suffer financial losses from disclosure requirements in the case of loss of credit card or other data, and the subsequent PR fiasco. The losses could far outweigh the cost of simple preventative measures.

What are privileged users and privileged accounts, and how do they represent a problem?

Privileged accounts are convenient shortcuts. There are two major categories: privileged accounts owned by administrators, and accounts used by programs or servers to communicate with one another.

Think about it. You are designing a new web application that requires the web front end to access a database.

Do you bother with the complexity of passing login credentials for every authorized user back to the database server?

Or do you create one superuser, the web server, and allow it to make any query at all with rudimentary logging at the database server? For server administration there is a similar shortcut.

Multiple people on multiple shifts need to get access to servers to back them up, reboot them, patch them, etc. Isn’t it easier to create one superuser account that everyone uses for those tasks?

And of course, when installing a new application, do you grant that application so-called “least privilege” or do you avoid the cumbersome task of determining what processes and functions each new application will need to execute and just give it superuser status? I think you know the answer.

You take the simple, get-it-to-work, path. What you end up with is no accountability, no logging of individual behavior, no control.

You grant plausible deniability to anyone who abuses those access privileges. Perhaps one of the biggest concerns is privileged account access for databases.

Database admins have to do so many tasks on their servers, from maintaining them to manipulating the data in their stores, that it is extremely cumbersome to ask them to have unique passwords for different tasks.

After all, they know the user name and password of the web server that has to access that database. So even if you give them individual accounts they still log in with the elevated credentials of the web server.

Getting a grip on the privileged user account is one of the key challenges in securing an environment from insider threats.

Who should be responsible for mitigating the insider threat?

Responsibility for mitigating the insider threat resides with several groups. The business risk from insiders should be one of the primary concerns of executive stakeholders, especially financial management.

The CFO’s office has the experience with enforcing financial controls that is directly applicable to the types of concerns and countermeasures needed now that so many employees are empowered to access critical data.

Simple things like separation of accounts payable and accounts receivable duties were figured out over a hundred years ago. Applying the same thinking to data handling is required.

HR is usually responsible for tasks such as background checks, creating and publishing acceptable use policies, and ultimately enforcing them. But the greatest number of tasks falls on IT.

Designing, deploying and enforcing access controls, and determining the best tools and technologies to monitor, alert, and block malicious activity, falls to the IT department, which means ultimately the CIO.

Most organizations have separate security groups whose resources have been tied up with managing desktop anti-virus, tracking down and cleaning up worm infections, and managing firewalls and logs for compliance.

Those groups have to take on the additional burden of access controls and activity monitoring.

It is the only way to ensure that there is some hope of surviving an attack from an insider. In many cases the tools for granular access controls and even monitoring are already available; they just have to be used.

What are organizations doing about the insider threat?

Organizations that have realized that it is time to start responding to the insider threat are following these steps:

1. Updating policies and republishing them. And getting end user buy-in.
2. Deploying or turning on activity monitoring tools
3. Using fine grain access controls and identity management

Usually these steps are taken after an incident has occurred.

A disgruntled employee leaves a logic bomb that destroys data, or simply leaves without revealing the passwords to the routers and firewalls, the way an employee of the City of San Francisco did in 2008. It is during the triage phase of dissecting just what happened that organizations realize that they need to do more about locking down their systems.

Often they will create an incident response team to coordinate the reaction to future problems while simultaneously instituting new controls.

These three steps, new policies, activity monitoring, and fine-grained access controls, are just the beginning.

Next is to deploy systems to enforce those policies, which involves new network devices as well as stronger authentication.

Along with that level of investment comes the alerting, reporting, and response capabilities mandated by compliance requirements.

Use these three steps to get started but be aware that there is more investment needed before you will have countered the insider threat.

How can traditional security management tools be used to counter the insider threat?

Let’s look at the minimum tools that you might have at hand: firewall policy management, IDS, and some sort of way to control configurations and anti-virus on the desktop.

You might also have a Security Information Management system in place to handle the millions of alerts from your Intrusion Detection System.

Some quick first steps. First, make sure that your remote access VPN server is in a firewalled segment of your network, a DMZ.

Then tighten up your firewall rules. When I say deny all except that which is explicitly allowed, I mean it! In particular, deny carte blanche access to your remote users.

Second, turn on logging at the firewall for connections such as FTP or telnet if you absolutely need those services.

Now, the next step is to get your IDS to help you. What you need is to alert on types of behavior and applications that indicate insider abuse.

File transfers, use of scanning tools, unusual behavior at odd times of day. If you have a Security Information Management system that can filter logs and alerts, use it to give you better pattern recognition.

Finally, use your desktop configuration tools to lock down desktops. Do not allow installation of applications like BitTorrent, Skype, or L0phtCrack, things that an inside hacker can use to cause harm.

You can do a lot to counter the insider threat with the tools at hand. You just have to use them.
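The steps above amount to a review of firewall and connection logs for a handful of patterns: legacy cleartext services, bulk transfers, scan-like probing, odd-hours activity, and, as the earlier discussion of shared superuser and web-server database credentials warned, events that cannot be traced to an individual. The script below is an added example, not code from the article; its log format, account names, addresses and thresholds are all constructed for illustration.

```python
"""Review constructed connection-log lines for the insider-abuse patterns the
article lists. Log format (constructed for this example, not a vendor format):
  <ISO timestamp> user=<account> src=<ip> dst=<ip>:<port> proto=<service> bytes=<n>
"""
from collections import defaultdict
from datetime import datetime

# Accounts the article warns about: one superuser everyone shares, or the web
# server's database credentials reused interactively (names are assumptions).
SHARED_ACCOUNTS = {"admin", "backup", "webapp_db"}
CLEARTEXT_SERVICES = {"ftp", "telnet"}
BUSINESS_HOURS = range(7, 20)        # 07:00-19:59 counts as normal working hours
BULK_TRANSFER_BYTES = 50_000_000     # 50 MB in a single connection is "bulk"
SCAN_PORT_THRESHOLD = 10             # distinct ports from one src to one dst


def parse_line(line):
    """Turn one log line into a dict; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    try:
        fields = dict(p.split("=", 1) for p in parts[1:])
        dst_ip, dst_port = fields["dst"].rsplit(":", 1)
        return {
            "ts": datetime.fromisoformat(parts[0]),
            "user": fields["user"],
            "src": fields["src"],
            "dst": dst_ip,
            "port": int(dst_port),
            "proto": fields["proto"],
            "bytes": int(fields["bytes"]),
        }
    except (KeyError, ValueError):
        return None


def review(lines):
    """Return a list of (rule, user, detail) alerts for the given log lines."""
    alerts = []
    ports_seen = defaultdict(set)    # (src, dst) -> set of destination ports
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            alerts.append(("unparseable", "?", line.strip()))
            continue
        who = ev["user"]
        if who in SHARED_ACCOUNTS:
            # Activity that cannot be attributed to a person: the article's
            # "no accountability, no logging of individual behavior" case.
            alerts.append(("shared-account", who, f"{ev['src']} -> {ev['dst']}:{ev['port']}"))
        if ev["proto"] in CLEARTEXT_SERVICES:
            alerts.append(("cleartext-service", who, ev["proto"]))
        if ev["bytes"] >= BULK_TRANSFER_BYTES:
            alerts.append(("bulk-transfer", who, f"{ev['bytes']} bytes to {ev['dst']}"))
        if ev["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("off-hours", who, ev["ts"].isoformat()))
        key = (ev["src"], ev["dst"])
        ports_seen[key].add(ev["port"])
        if len(ports_seen[key]) == SCAN_PORT_THRESHOLD:   # fires once per pair
            alerts.append(("port-scan", who, f"{key[0]} probed {SCAN_PORT_THRESHOLD} ports on {key[1]}"))
    return alerts


# Constructed sample: one normal HTTPS request, a shared-account telnet session
# at 02:05, a 120 MB FTP upload by a named user, and a sweep of ports 1-12.
SAMPLE_LOG = [
    "2009-09-09T10:15:00 user=jsmith src=10.1.1.20 dst=10.2.2.5:443 proto=https bytes=4200",
    "2009-09-09T02:05:00 user=admin src=10.1.1.31 dst=10.2.2.9:23 proto=telnet bytes=900",
    "2009-09-09T11:40:00 user=mlee src=10.1.1.44 dst=203.0.113.7:21 proto=ftp bytes=120000000",
] + [
    f"2009-09-09T12:00:{p:02d} user=jsmith src=10.1.1.20 dst=10.2.2.6:{p} proto=tcp bytes=60"
    for p in range(1, 13)
]

if __name__ == "__main__":
    for rule, user, detail in review(SAMPLE_LOG):
        print(f"[{rule}] {user}: {detail}")
```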

What part does identity and access management play in mitigating the insider threat?

Identity and Access Management tools are the single most valuable defense you have against the insider threat.

IAM can encompass many components, including authentication (biometrics, smartcards, one-time password tokens), provisioning (assigning and revoking access), granular entitlements, alerting, reporting, and compliance.

Without the authentication aspect, users become comfortable with what amounts to anonymous access.

They become aware of the fact that they can browse pornography, access documents, host unauthorized tools and applications (Skype, BitTorrent, games) without fear of repercussion.

Without an Identity and Access Management system in place you lose control of who has access to what.

After deploying a stronger authentication system and a way to manage it, you finally have granular control over what people do on your networks and a means to enforce the policies that regulation and security best practices require.

I visited one State Government that had NEVER revoked a user ID.

There were thousands of people that could still access State systems if they were on the inside of the network.

You cannot begin to get control over privileged accounts, IT administrators, or even software licensing costs until you enable an effective Identity and Access Management solution.

If you have a lot of remote users and no IAM, you have opened yourself up to 24x7 abuse of your systems.

So, start with an Identity and Access Management system, build in strong authentication where you want to eliminate deniability, and begin building a response to the insider threat.

Is encryption a tool that can protect against insider abuse of data?

Short answer: yes. Long answer: no. Encryption, of course, prevents many embarrassing data loss incidents.

If an insider thought that he or she could grab a backup tape of customer data, for instance, encryption would foil that attempt.

And certainly encrypted hard drives on laptops will avoid the data loss issues around laptop theft. But the insider threat is almost impossible to counter using traditional encryption policies and practices.

The insider is already trusted with access to critical information. They are an employee or contractor whose job requires them to use that data. If they want to steal it they can.

Say you had a complete digital rights management (DRM) system in place. No document could be opened, copied, printed or forwarded without explicit permission. Great. But the insider can still see that data.

Imagine someone sitting in the telesales operations bullpen.

He could copy data from the customer records he dealt with. He could text credit card numbers to an accomplice.

He could use a camera to take screen shots of the data.

Encryption, while a critical element for data protection, is not an effective measure for countering the insider threat.

How can we manage entitlements?

Entitlements are the connection between users and allowed access. Who has authorized access to which services? It can even go down to the data level: who has rights to what documents, tables, information?

Defining and enforcing entitlements is the hardest part of cracking down on the insider threat. When responding to a new set of threats or an escalation in threats, I always advise keeping it simple.

In the case of user access to data and applications, the most common enforcement point is the existing directory where groups are defined.

As a first step, create a group for each function in the organization: sales, HR, finance, manufacturing, doctors, nurses, pharmacists, and so on.

Define which systems they, at a minimum, need to access to get their jobs done. Go ahead and implement that coarse-grained level of entitlements.

Then build a user-administered tool for requesting and receiving exceptions. Ideally, this would be automated and then reviewed regularly.

So, yes, there is a risk that a salesperson may request access to, say, finance data, but he or she does so at the risk of being called out for inappropriate access.

The key tool for accomplishing all of this is an Identity and Access Management system.

It ensures that the user associated with each set of credentials is who they say they are, and then allows access based on first coarse-grained and eventually fine-grained policies.
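The entitlement scheme just described, one group per business function mapped to the minimum systems that function needs plus a logged, time-limited exception register that is reviewed regularly, is small enough to model in a few dozen lines. The code below is an added example rather than anything from the article or from any IAM product; the functions, systems, people and review rules (expiry, missing justification, and self-approval as a separation-of-duties check) are all constructed for illustration.

```python
"""Coarse-grained entitlements by business function, plus an exception register
for individually requested access that expires and is reviewed. All names and
dates are constructed for the example."""
from dataclasses import dataclass
from datetime import date, timedelta

# Minimum systems each function needs (constructed; a real list comes from the business).
FUNCTION_SYSTEMS = {
    "sales":   {"crm", "email"},
    "finance": {"erp", "email", "payroll"},
    "hr":      {"hris", "email", "payroll"},
}

TODAY = date(2009, 9, 9)
LATER = TODAY + timedelta(days=15)


@dataclass
class AccessException:
    """One approved deviation from the group entitlements; it is always time-limited."""
    user: str
    system: str
    requested_on: date
    expires_on: date
    approver: str
    justification: str


class EntitlementPolicy:
    def __init__(self, directory):
        # directory: user -> function group (stand-in for the directory groups the article mentions)
        self.directory = directory
        self.exceptions = []

    def request_exception(self, user, system, justification, today, approver, days=30):
        """Record an exception request; it is granted at the requester's own risk of review."""
        if user not in self.directory:
            raise ValueError(f"unknown user {user}")
        exc = AccessException(user, system, today, today + timedelta(days=days),
                              approver, justification)
        self.exceptions.append(exc)
        return exc

    def check_access(self, user, system, today):
        """Return (allowed, reason): group entitlement first, then any live exception."""
        group = self.directory.get(user)
        if group is None:
            return False, "unknown user"
        if system in FUNCTION_SYSTEMS.get(group, set()):
            return True, f"group:{group}"
        for exc in self.exceptions:
            if (exc.user == user and exc.system == system
                    and exc.requested_on <= today <= exc.expires_on):
                return True, f"exception approved by {exc.approver}"
        return False, "no entitlement"

    def review(self, today):
        """The periodic review: list exceptions that have expired, lack a written
        justification, or were approved by the requester (no separation of duties)."""
        findings = []
        for exc in self.exceptions:
            if today > exc.expires_on:
                findings.append(("expired", exc.user, exc.system))
            if not exc.justification.strip():
                findings.append(("no-justification", exc.user, exc.system))
            if exc.approver == exc.user:
                findings.append(("self-approved", exc.user, exc.system))
        return findings


def build_demo_policy():
    """Constructed scenario: a salesperson with a finance exception, and an HR
    user who approved her own CRM access with no justification."""
    policy = EntitlementPolicy({"alice": "sales", "bob": "finance", "carol": "hr"})
    policy.request_exception("alice", "erp", "Q3 commission reconciliation",
                             TODAY, approver="bob", days=14)
    policy.request_exception("carol", "crm", "", TODAY, approver="carol")
    return policy


if __name__ == "__main__":
    policy = build_demo_policy()
    for user, system in [("alice", "crm"), ("alice", "erp"), ("alice", "payroll")]:
        print(user, system, policy.check_access(user, system, TODAY))
    print("review on", LATER, policy.review(LATER))
```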

What about employee awareness training?

Contrary to many areas of information security, the insider threat can be countered, in part, by employee training.

But I am not advocating once-a-year, three-day seminars on the evils of short passwords and the dangers of a Kevin Mitnick in your front lobby.

Normally the benefits from security awareness training are as ethereal as a malformed packet. The investment and loss of productivity from these training programs is never recovered.

But countering the insider threat is different. You are not educating insiders to change their behavior from bad to good; you are warning them not to change their behavior from good to bad. You do this in two ways.

First, you republish your organization’s acceptable use and confidentiality policies and require everyone to acknowledge receipt. Make it simple and to the point. Company information is company information.

Violators will be punished. Second, as part of your activity monitoring, you alert the insider every time they attempt to violate the policy.

Browsing to an inappropriate web site, using Skype or AIM, using web based email from work.

Let them know that you are watching them.

The very best counter to the insider threat is the cyber equivalent of the camera over your shoulder. Just as cameras can prevent shoplifting, visible activity monitoring can prevent data theft.

Are there any times that the insider threat is greatest?

Yes, there are specific times that the insider threat is greatest. Change is bad for the smooth flow of business processes.

When switching over from one system to another things fall through the cracks. So mergers and acquisitions pose a special threat.

There are new insiders to deal with, some of whom may not like the new regime.

Economic disruption leads to an increase in malicious insider activity as well. If an organization announces cutbacks and layoffs, that is when insiders start to think about their own needs over those of their employer.

Who has not made a backup of their records, customer contacts, and email when they suspect that they may lose their jobs?

Engineers are pack rats. They save everything. Salespeople consider the records of their interaction with customers to be theirs and if they find a new job they are going to want to have those records. Obviously the motivation that creates a “disgruntled” employee is fed by announcements of layoffs.

As organizations struggle to survive they tend to make insiders feel insecure. It is natural for insiders to take steps to protect their livelihood.

There may be an increased likelihood of data being stolen and sold. Remember the incident at Countrywide where the insider started to sell loan application information to an identity thief?

Unfortunately, an economic downturn is not the best time to propose investments in better security so you may be stuck with insufficient controls just when you need them the most.

What are the first steps an organization should take to mitigate the insider threat?

Assuming you are like most organizations, the way you deployed networks, applications, and new services was wide open.

When you rolled out your CRM solution, for instance, the main task was to get everyone, especially the sales force, to use it religiously.

You cannot derive full benefit from a CRM application unless everyone uses it all the time.

Imposing access controls on what people can do with it (like download the entire customer list) inhibits people from using it.

You want everyone to share information since that has immediate benefits in improved productivity, faster time to market, and profitability.

But the absence of controls has led to the current situation of exposure to abuse by insiders.

So the first step in mitigating the insider threat is to re-publish your acceptable use policy and get everyone’s buy-in.

That policy should state that all activity on all systems is monitored and logged.

The second step is to make sure that you really are monitoring and logging all activity. As you look at your logs, you will quickly realize that there are many activities on your systems that cannot be traced back to an individual.

Start with those. Slowly start building in more granular controls until you eliminate these anonymous activities one at a time.

The third step will require the most investment. That is to deploy stronger authentication. Usernames and passwords do not cut it.

Not only can a malicious insider deny their activity with the excuse that their credentials must have been used by somebody else, but the insider could truly steal someone else’s credentials to access the system they are abusing.

Strong authentication must be tied to the individual. A smart card or one-time password token makes it much harder to deny an action, and the insider knows this.

Are there situations that cannot be addressed by IT?

Of course, the insider threat transcends IT and IT controls. Look at how much information is in paper form, or look at the business processes that cannot be controlled.

The CFO and the CEO of Satyam colluded for years to hide what amounted to a billion dollars of vapor assets. And who is in more of a trusted, privileged position in an organization than the CEO and CFO?

Would better controls have prevented Enron? The disgruntled employee that goes “postal” and causes physical mayhem.

The bank teller that pockets cash deposits. The fraudulent accident claims or discrimination suits.

The insider that copies and faxes the secret formula for Coke.

All of these just highlight the wisdom in putting in controls that are commensurate with the power granted to employees.

Think how easy it is for a trusted insider to spill information about a new product, a new TV show, the next great design to come out of Detroit or Milan, the next version of an iPhone, or a laptop.

Building, earning, and enforcing trust is a bigger issue than IT alone can handle.

IT risks are not the only risks. And IT controls are not the answer to eliminating all risk from insider actions.

This post is also available in a video Q&A I did with Terry Sweeny at Internet Evolution. The insider threat is top of mind this week as I prepare for hosting another Xceedium webinar on Thursday (noon EST; sign up here). Questions 2 and 8 relate directly to Xceedium’s Gatekeeper appliance.

Announcing the birth of Cyber Defense Weekly, a newsletter created to give participants in this new category a comprehensive summary of the week’s news, product announcements, and escalations in cyber threats.

Simply provide your email address here to become a subscriber.

Comments and input are welcome as always on this critical new category.

Richard Stiennon, security expert and industry analyst, is known for shaking up the industry and providing actionable guidance to vendors and end users. He recently re-launched the security blog ThreatChaos.com and is the founder of IT-Harvest, an independent analyst firm that researches the 1,200 IT security vendors. He was Chief Marketing Officer for Fortinet, Inc. the leading UTM vendor. Prior to that he was VP Threat Research at Webroot Software. Before Webroot, Mr. Stiennon was VP Research at Gartner Inc. where he covered security topics including firewalls, intrusion detection, intrusion prevention, security consulting, and managed security services for the Security and Privacy group. He is a holder of Gartner’s Thought Leadership award and was named “One of the 50 most powerful people in Networking” by NetworkWorld Magazine.


The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com


Comments

5 Comments on Identifying and Countering the Insider Threat

InfoBore 45 « ubiwar . conflict in n dimensions on Fri, 11th Sep 2009 1:56 am

    [...] Identifying and Countering the Insider Threat – Richard Stiennon, Information Security Resources [...]

Danny Lieberman on Fri, 11th Sep 2009 2:41 am

    Richard,

    Your article is disappointing to say the least. It’s disappointing for three reasons:

    1. Shallow rehash of popular media fluff
    2. Missing some of the main issues
    3. Being totally wrong on others.

    Let’s take it one by one:

    1. Fluff
    “While often overlooked, the insider threat actually outweighs the threats from cyber criminals, hackers and the random malware that most organizations concentrate on”

    You don’t bring any evidence for this statement. As a research analyst, I would expect some independent numbers behind the statement. Au contraire Richard - according to our data security practice of over 5 years (and according to the Verizon business report the past 2 years) with customers in US, Europe and Middle East - insider threats are a rare, high-impact event that almost always involve internal contributing factors - system/software vulnerabilities and an external factor - competitor or business partner or criminal.

    2. Missing issues
    You talk about HR and IT. The truth is that there is a fundamental management disconnect between HR and IT (HR hires but has no accountability when an employee is involved in a security breach and gets fired) IT has some of the data and almost never shares it with HR. I suggest calling for higher levels of HR accountability for trusted insider events and would be more impressed if firms like Hannaford that had a major data loss event fired their HR manager for incompetence and their involvement with hiring an incompetent IT security team.

    3. Being totally wrong
    IAM (Identity and access management) “the single most valuable defense you have against the insider threat.”

    By definition, IAM is an irrelevant security countermeasure against the threat of a trusted insider that was granted access. In 100 percent of the cases we investigated in our data security practice - the client’s permissions systems were working properly, the trusted insiders involved all had been granted appropriate rights, they did not perform any elevation of privilege exploits - they simply took data that they had appropriate access to. Directors of new product development, system managers, sales managers - each and every one that took and/or abused data did so with appropriate permissions.

    With all the vendor rush to push products - it’s not surprising that the media is full of data security legends and popular science. I only wonder which client was paying IT Harvest to write this piece.

    Best regards

    Danny Lieberman
    http://www.software.co.il/wordpress Data security experts in Europe

Stiennon on Fri, 11th Sep 2009 6:15 am

    Daniel:

    Let me bring you up to date on the situation: It seems the favorite conspiracy theory of those who oppose my views is that I state them at the behest of a paying client. If you want to elicit a heated response from me just accuse me of slanting my opinions in favor of a paying client. I have been accused of such at high level meetings at the Pentagon in front of video cameras. The accusations always come from vendors. They are frustrated that I do not like their products. I see you are a reseller and successful security consultant. I guess my statements on the insider threat did not support your business model which appears to be closely coupled with Fidelis Security Systems, a Data Leak Prevention System. I specifically left a DLP discussion out of my thoughts because they are expensive, hard to deploy (need security consultants to help), and do not solve the problem.

    I see you are relatively new to the security industry. You will have to learn to discern paid research from non-paid research. I can tell you that if *I* write something for pay it is very clear.

    You may have picked up on the tone of this piece on the insider threat. Does it seem to be basic and addressing people that may be new to the topic? Well it is. If you follow this link you will realize that what you are commenting on is my script for this video tutorial: http://www.internetevolution.com/tutorial_mitigatingtheinsiderthreat.asp

    I did that for Internet Evolution. IBM was *their* sponsor for that series. Not mine.

    Now to your heartfelt criticism.

    Fluff? Well, maybe. You try writing a speech about the topic. It is VERY boring to rattle off statistics.

    Substance? You will note that I am indeed a big proponent of IAM. Of course all of your clients already have Identity and Access Management (sounds like you are referring to Windows Active Directory). But can they track who has accessed what data? Is it granular? Do they use strong authentication? One time password tokens?

    While you may be called in on cases where trusted insiders exfiltrate data they have every right to access I doubt very much that you were called in by Goldman Sachs when Sergey Aleynikov stole their trading algorithms. Or how about Jérôme Kerviel at Societe Generale?

    DLP solutions are in their infancy. Defending against the insider is complicated and requires many components to counter. DLP can be one of those components, but strong authentication, behavior monitoring, and access controls are the first steps.

    You say “By definition, IAM is an irrelevant security countermeasure”. Well it is not a countermeasure at all. IAM is a security measure, one that is required if you are going to control access to your data and resources.

    You go on to say “firms like Hannaford that had a major data loss event fired their HR manager for incompetence and their involvement with hiring an incompetent IT security team.”

    I don’t understand your anger at HR departments. No, they are not responsible for the competence of their IT security departments. That is like blaming HR for the troubles of the Finance industry.

    Unless you have worked with the people at Hannaford and can attest to some level of incompetence in their IT and HR staffs I would not libel them in a public forum as you just did. Even then I think I would have kept my mouth shut.

Adam Sculthorpe on Fri, 11th Sep 2009 9:36 am

    In just about every ‘costly’ incident I’ve investigated a proactive human approach could have prevented it, where no technology could. Protecting against threats from the most privileged insiders requires a very different approach than the one used to take care of the majority of staff.

    Security specialists should be tasked with knowing the people with highly privileged access very well, and I mean ‘know’ them. This is a basic first step in preventing the most catastrophic of incidents but often overlooked by ‘technology focused’ security departments.

    These security specialists should work closely with HR, they need to be trusted and informed of employee issues that could evolve into malicious attacks (policy needs to support this). For certain roles they should sit in on job interviews, background checks are not good enough.

    They should be skilled in interview / interrogation and elicitation techniques and have highly developed communication skills right up to board level reporting and presentation. They should have training and access to monitoring and logging technologies and be involved intimately in all internal investigations.

    More important than anything else they need to clearly understand security risks begin and end with people, not technology.

Danny Lieberman on Wed, 16th Sep 2009 12:44 am

    Richard,

    Regarding unnecessary rhetoric and keeping mouth shut well - point taken.

    I’m not sure what “relatively new to the security industry” means. I’ve been involved in secure online payments processing since 1998 and with data security with a focus on data loss prevention since 2003. I’ve been in the IT industry on all sides of the fence for 30 years so I think I have some perspective.

    I apologize for the personal attack. It was not my intent to personally attack a person I do not know. For the record - I am not a vendor trying to push a product agenda. My first allegiance is to my clients.

    Now to the substance:

    Re HR - I would advocate for HR to share accountability for data breach events together with IT and internal audit (if the company has an internal auditor). HR is human resource management from recruiting through career development and succession planning - I am simply suggesting that HR be part of the data security setup at a company since the trusted insider and her manager are human resources.

    Re IAM - it is clear that strong authentication, password management, biometrics (where needed), strong rights management and separation of duties are a fundamental condition for data security.

    However - IAM provides the means for the trusted insider crime which makes it part of the problem as well.

    Companies issue users legitimate user accounts with the rights to access certain data, applications, databases and file services. Insiders have knowledge of how the system works, the business processes, the company culture and how people interact. They know who manages the rights management systems and who grants systems permissions. With the right knowledge and social connections, means can be obtained even if they were not originally granted by design in the IAM system.

    Now we all know that IAM systems are far from perfect in practice. Employees are provided rights to access files and servers and applications as part of their job. Since getting the job done is top priority - access rights are usually over-provided since it’s a lot easier to provide group read/write to a directory than to start writing out ACLs for every file and sub-directory.

    (For this reason by the way, I am skeptical of DLP solutions that rely on file and directory scanning...)

    Then there are temporary rights that become permanent, people who leave and passwords that stay, sharing credentials just to access the system this one time... and then there are PostITs.

    DLP is definitely not a silver bullet - it is one more security countermeasure alongside awareness, policy enforcement, monitoring, patch management and a company culture of protecting information assets. DLP complements IAM.

    Danny Lieberman
