
The barbarians are already inside the gates: Mitigating insider threats

An organization's security spending ROI may not be related to traditional controls. Instead, dollars you spend to manage employee behavior might be better spent.

Information security. It used to mean keeping the “barbarians” on the other side of our wall and moat. You know, that perimeter we so painstakingly built with all the newest technology. Most of us now understand that it takes much more. So we’ve built internal controls to strengthen security around systems, storage devices, etc. But this is often still not enough to stop a breach.

Our security controls are typically designed to keep unauthorized entities (humans and software) from reaching our information assets. The problem today is that many of our trusted users are behaving in ways that put our data, and our organizations, at risk.

The challenge

First, let’s put to rest any doubt in your mind that this is a problem in your organization. According to Dawn Cappelli, technical manager for the threat and incident management division of the Software Engineering Institute CERT program, “…insider attacks continue to be seen as a bigger problem than anything that might come from the outside” (Brenner, 2010, p. 2). Dollars spent to prevent breaches and other information-asset-related incidents caused by employees may have a larger ROI than those spent on traditional controls.

There are three basic ways our employees put our organizations at risk: data leakage, data theft, and system vandalism. Data leakage is a common enemy of security managers. It enables data breaches by moving sensitive information from trusted locations to storage with ineffective or absent security controls.

For example, users often want to take data home to meet a tight project deadline. Copying files to a thumb drive or other mobile storage device is the fastest way to get what they need and make it home in time for dinner. In many cases, they just moved information from highly secured locations to unsecured, unencrypted devices. And we know these devices are never lost or stolen…

Data theft is what we normally think of when we hear about a breach. But why would a trusted employee, someone who has possibly worked for us for years, decide to steal our data? There are a number of reasons why this might happen, including:

  • Being passed over for promotion.
  • Getting even on the way out the door after being fired, including accessing the network from home because termination processes failed or don’t exist.
  • Taking intellectual property to a new employer.
  • Because they will be paid by attackers who just don’t want to tackle the really nice security framework you’ve constructed.

System vandalism is closely related to the reasons disgruntled employees steal data. In some cases, systems are locked down, data erased, or destructive applications are left behind after sensitive information is copied to the thumb drive already safely in the employee’s backpack.

The solution

Controls based on the basic concepts of limiting the damage employees can cause should already be in place: allow them only the rights and privileges absolutely necessary to do their jobs (least privilege), restrict them to seeing only the information necessary for their piece of the business operation (need-to-know), and prevent any one employee from performing all the tasks associated with a critical process (separation of duties). I like to add to this list something that many organizations are beginning to practice: only keep sensitive information in company systems that is absolutely necessary to continue business operations. Get rid of everything else.

These controls are a good start, but how do we make sure employees properly handle the information to which they must have access? This gets a little harder to enforce. Some recommended prevention controls include:

  • Restricted use of mobile storage. Mobile storage devices come in many forms, including: thumb drives, phones, and USB hard drives. If you can’t convince management to use technology to prevent use of these devices, then at least make sure they are secure. Encrypting USB devices is easier today because of additions to operating systems (Windows 7) and security suites like McAfee. (For more information on this topic, see Windows 7: Mobile Data Protection with Bitlocker To Go.)
  • Effective termination processes.  Never… let me say that again… never allow an employee to return to his or her desk unescorted after they’ve been terminated. In addition, terminate all access to information assets while the employee is meeting with management to get the bad news. In support of this process, ensure all employees leaving on their own are locked out of remote access as quickly as possible after they leave on their last day.
  • Provide a method for employees to report suspicious peer or subordinate behavior. Most employees are honest and above the types of activities we’re examining here. Many are also willing to report unusual behavior that might indicate that a peer is about to do something you would rather they didn’t. Provide a way for employees to anonymously report these incidents. Further, train managers on how to identify potential problems. (For more information on this topic, see Prevent your employees from “going rogue.”)
  • Perform initial and regular background checks of employees in sensitive positions. Many organizations perform background checks before sending an offer letter. However, ensuring employee suitability to handle sensitive assets usually stops there. Related to the previous bullet, organizations should consider periodic checks for employees with access to highly sensitive information.
  • Block use of data sharing sites. A large number of online solutions exist that allow employees to share large files while bypassing other controls, like email attachment size limits. One example, and a service I often use, is TransferBigFiles.com.
  • Look for unusual access patterns. In the whitepaper, Stopping insider attacks: how organizations can protect their sensitive information, IBM (2006, p.7) recommends starting by creating a baseline of normal user behavior in each system. This is followed by integrating the following information into your log management system and alerting on anomalies:
    • Initial connection—date and time of logon, IP addresses involved, and connection frequency
    • Data access—requests for data, organized according to specific type
    • Application usage—frequency and duration
    • Overall usage—total session time and overall data usage requests
  • Filtering of moving information. And when everything else is in place, make sure your trusted and honest employees are not making mistakes about how they handle information, including
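As an added illustration of the baseline-and-alert approach in the “unusual access patterns” bullet (example code written for this page, not from the article or IBM’s whitepaper): a small Python script that builds a per-user baseline from historical logon records (hours of day, source IPs, logons per active day) and flags new logons that fall outside it. The record format and every record in it are constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample logon records (user, ISO timestamp, source IP); not real data.
HISTORY = """alice,2010-03-01T08:55:00,10.0.1.20
alice,2010-03-02T09:05:00,10.0.1.20
alice,2010-03-03T08:50:00,10.0.1.20
alice,2010-03-04T09:10:00,10.0.1.21
bob,2010-03-01T13:00:00,10.0.2.5
bob,2010-03-02T13:15:00,10.0.2.5
bob,2010-03-03T12:45:00,10.0.2.5"""
NEW_EVENTS = """alice,2010-03-05T23:40:00,203.0.113.9
alice,2010-03-05T23:45:00,203.0.113.9
alice,2010-03-05T23:50:00,203.0.113.9
bob,2010-03-05T13:05:00,10.0.2.5"""

def parse(text):
    """Split 'user,timestamp,ip' lines into (user, datetime, ip) tuples."""
    return [(u, datetime.fromisoformat(ts), ip)
            for u, ts, ip in (ln.strip().split(",") for ln in text.splitlines())]

def build_baseline(history):
    """Per user: logon hours seen, source IPs seen, mean logons per active day."""
    hours, ips, per_day = defaultdict(set), defaultdict(set), defaultdict(Counter)
    for user, ts, ip in history:
        hours[user].add(ts.hour)
        ips[user].add(ip)
        per_day[user][ts.date()] += 1
    return {u: {"hours": hours[u], "ips": ips[u],
                "daily_mean": sum(per_day[u].values()) / len(per_day[u])}
            for u in hours}

def detect(baseline, events, freq_factor=2.0):
    """Return (user, timestamp, reason) alerts for events outside the user's baseline."""
    alerts, daily = [], defaultdict(Counter)
    for user, ts, ip in events:
        b = baseline.get(user)
        if b is None:
            alerts.append((user, ts, "no baseline for user"))
            continue
        # One hour of slack either side of the hours the user normally logs on
        # (simple hour arithmetic; does not wrap around midnight).
        if not any(abs(ts.hour - h) <= 1 for h in b["hours"]):
            alerts.append((user, ts, "logon outside usual hours"))
        if ip not in b["ips"]:
            alerts.append((user, ts, f"logon from new source IP {ip}"))
        daily[user][ts.date()] += 1
        n = daily[user][ts.date()]
        if n > 2 and n > freq_factor * b["daily_mean"]:
            alerts.append((user, ts, "logon frequency above baseline"))
    return alerts
```

Running `detect(build_baseline(parse(HISTORY)), parse(NEW_EVENTS))` raises nothing for bob and three kinds of alert for alice’s late-night burst from an unfamiliar address; in practice the baseline window, slack and frequency factor need tuning per system to keep the alert volume useful.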

The final word

No article can list all the ways an employee can find to leak or steal your data. Each organization is unique. The information here is a good beginning. However, only your vigilance and creativity will successfully thwart the barbarians inside the gates.

About

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...

4 comments
BillGates_z

Hmmm... did I see "Don't be an ***hole to your employees." on that list?

jkameleon

Who Controls the Controllers?

QAonCall

Create specific rules around explicit deny. Add the 'users' to this group as they are added to the retired/terminated/quit list. This will ensure they lose all privileges as soon as the information is known. EVEN if they somehow breach security prior to shutting everything down, they will not get access to anything, and their SID will get them nothing. The issue with multiple login sessions allows many users to have more than one session. It is no longer enough to just walk them out. A proactive approach is to add them to this restricted group immediately, and then push the policy update. This will add an additional level of security, until all sessions and accesses (physical and virtual) can be completely controlled, then ended. Many times this will also allow admins to ensure that there are no logic bombs etc.

kwilson

One thing I've noticed that admins need to be careful about is terminating someone's privileges too far in advance of an employee's actual termination. I've seen accounts locked out prior to the "talk and walk" with HR. In one case the employee was locked out several hours before she was actually terminated. She sat in her cubicle unable to do anything for several hours before she was summoned to HR.