Insiders pose the top corporate security threat today. Recent reports indicate that insider breaches have risen from 80% to 86% of all incidents, with more than half occurring after employee termination. Not surprisingly, internal employees who are authorized to access company systems are most likely to be linked to fraud or a security breach -- and of all employees, IT staff members have the most resources to do so. Accordingly, IT audits focus on several areas to identify risks.Employee fraud is built on a triangle -- opportunity, motive, and rationalization. Effective controls require attention to all three angles. Here are some ways to implement these controls and reduce the opportunities your staff has to defraud you.
Note: This information is also available as a PDF download.
#1: IT security policies
Review IT security policies that address accounts and users with privileged access, such domain administrators, application administrators, and DBAs. Ensure that policies exist and are clear on how access is requested, justified, and approved, and make sure they're regularly reviewed. Without this, there is little basis for management of privileged access. Policies for managing privileged accounts aren't complete without related reporting. Audit reports for privileged passwords often cover such topics as when passwords are updated, any update failures, and which individual identities performed tasks under a shared account.
Policies should have the goal of being able to stop user activities that are clearly indefensible. Ensure that all employees, contractors, and other users are aware of their responsibility to comply with the IT security policies, practices, and relevant guidance that is appropriate to their role.
#2: "Super user" accounts and access
It is important to know the level of exposure your organization has related to access. Determine the population of accounts and users with privileged access. Obtain a list of all accounts with elevated access to networks, applications, data, and admin functions. Include all computer (machine to machine) accounts, which are often overlooked. With this, ensure access is reviewed and deemed appropriate with proper approvals. A good practice is to review access on a regular basis and determine that the "owners" of the data and systems have been explicitly approved.
#3: Account and password configuration standards
Ensure that all administrative accounts are updated according to policy. Default password settings on a specific device should not exist. There is ample information available to those who are resourceful enough about default account names and their default passwords. Some security accounts are created with the password the same as the account name. This is an area of really low-hanging fruit. Password expiration is important, but it's also wise to disable certain accounts that are known to be temporary. Contractors' and consultants' accounts are often available long after their work is complete.
#4: Controlled access to passwords
Manage access to passwords whose accounts have elevated and administrative access. This may sound like stating the obvious, but sharing access to, and communication of, passwords is not always controlled. Offline records or open access, such as e-mails containing passwords, should not exist. Even an encrypted file of passwords is not recommended. In the worst case, the password to the file of passwords is not controlled.
#5: Service accounts, aka "machine" accounts
Service accounts can be implemented with elevated access and used in nefarious ways. These accounts are not typically assigned to human users and not included in traditional approval or password management processes. These accounts can be easier to hide than non-human access tracking. Ensure all service accounts have only necessary access. These accounts should also be reviewed on a periodic basis, as they often have super user capabilities. There are often too many of them; accounts exist that are not being used.
#6: High risk users and roles
Some organizations actively monitor certain roles where business risks are higher to identify potentially "unacceptable" behavior. Many businesses have critical roles where risks of crime are higher. For example, a purchasing manager may have access to sensitive data that he or she is planning to take to a new job with a competitor. In this case, access is authorized, but there may be misuse. Rotating jobs and duties and mandating time off is often a solution in high risk areas. IT security pros often meet the high risk criteria.
#7: Security awareness program
Any employee or user can pose a threat. It is imperative to implement a security awareness program that addresses all of the above topics and that it is enforceable. Many simple solutions exist for ensuring all users have read and consented to policies. A tool for this is a sign-on message that is presented at login, requiring the user to confirm his or her consent in the form of an Accept check box. Ongoing awareness activities help enforce policies.
#8: Background screening
Background screeners ask carefully worded questions to reveal red flags about specific behaviors and attitudes such as:
- Irregular work history -- Questionable reasons for leaving jobs, long periods of unemployment
- Dishonesty -- Misrepresentations in facts, such as education, licensure, or previous employment
- Character/attitude problems -- Poor relationships with coworkers and/or supervisors
- Behaviors such as frustration, problems with authority, suspicion or paranoia, or inability to accept change
#9: Event logging
Security event management (SEM) provides significant real-time visibility of use and activities. Accurate and complete records of users and their activities are essential for incident analysis and development of additional security measures. Of key importance are the methods used to gain access, the extent of access, and past activities. To ensure that adequate records exist, consider improving logging usage information for higher risk areas and services.
Managers should be familiar with the different storage devices used and also have an adequate level of knowledge of "fingerprints" if there is any suspicion. These can be headers, cookie data, usage data, hidden OS data, etc. It is easy to acquire confidential files from company systems and place them on flash drives, which can be disguised as a normal fountain pen, digital watch, digital camera, personal digital assistant (PDA), or cell phone. Some investigators do nothing but collect and analyze information from cell phones, since they contain voice mail, text messages, address files, phone numbers, and a log of calls missed, received, and made. If there is any suspicion of criminal activity, evidence should be preserved and guarded until its fate is determined.
- Threat from Within: Managing Insider Data Security Risks
- An Introduction to Insider Threat Management
- With Employees Like These, Who Needs Enemies?