In Part 1 of this two-part series, I explored the three primary types of insider threats: theft of intellectual property by its creators, fraud by non-management personnel in critical need of cash, and damage to information resources by IT administrators. In Part 2, we examine what to look for in employee behavior as signals that something bad has or will happen. We also look at timing and controls for mitigating insider risk.

The signs

Most employees provide unintentional signals when they’re under significant pressure or when they perceive management is abusing them. Figure A is a list of possible signs that an employee is about to go rogue. In short, any significant change in behavior can be a sign that an employee’s loyalty is waning, including (from Prevent your employees from “going rogue”):

  • Appearing intoxicated at work
  • Sleeping at the desk
  • Unexplained, repeated absences on Monday or Friday
  • Pattern of disregard for rules
  • Drug abuse
  • Attempts to enlist others in questionable activities
  • Pattern of lying and deception of peers or managers
  • Talk of or attempt to harm oneself
  • Writing bad checks
  • Failure to make child support payments
  • Attempts to circumvent security controls
  • Long-term anger or bitterness about being passed over for promotion
  • Frustration with management for not listening to what the employee considers grave concerns about security or business processes
Figure A from Prevent your employees from “going rogue”

Employees often behave themselves in front of their managers. Consequently, a problem employee’s peers are the best monitoring tool an organization has. Train all employees to watch for signs of discontent. Providing a means of anonymously reporting peers to management is often the best approach to dealing with concerns many employees have of “not getting involved” or being labeled a tattletale.

Designing the right controls

As with any threat, the controls framework must consist of administrative, physical, and technical components. The overall control design should enforce separation of duties, least privilege, and need-to-know. A miss in any of these areas weakens your ability to deal with inevitable insider threats.

Administrative controls

Policies form the foundation. Clear statements of management intent serve two purposes. First, they make it clear to all employees what is and is not acceptable behavior and the consequences of behaving in unacceptable ways. Second, when supported by well-documented standards, guidelines, and procedures, they provide all employees with the capability to identify anomalous behavior in their peers, subordinates, and supervisors. Policies define acceptable behavior and enable every employee to detect rogue behavior.

The two objectives of policies described above are achieved only if all employees are aware of management’s expectations and how they affect each employee’s day-to-day work environment. Security training and continuous awareness activities fill this need.

Physical controls

Physical controls serve to deter, delay, detect, and respond to unauthorized personnel. Further, they control who can access physical resources (e.g., servers, routers, and switches) and when. The use of electronic physical controls adds logging and near-real-time oversight to physical access.

In many organizations, physical security is managed outside the security team. This does not mean, however, that security managers should simply ignore it. Any physical access to information resources circumvents most, if not all, technical controls. Understanding how to conduct a physical security gap analysis is the first step in engaging in the physical controls discussion.

Technical controls

Technical controls include identity management, authentication, authorization, and accountability. These control categories work together to reach the following access control objectives:

  • Identity management ensures each person and computer is assigned a meaningful set of attributes for use in the authentication and authorization steps. The identity provides a subject (an entity attempting to access a resource) with a manageable, trackable presence across an enterprise.
  • Authentication is the process of making an entity prove it is who or what it claims to be. Common controls include passwords, biometrics, and smartcards.
  • Authorization is the process of using the subject’s attributes to determine what it can access (need-to-know), what it can do with what it accesses (least privilege), and when access is allowed. In addition, authorization enforces both static and dynamic separation of duties. Separation of duties prevents any single subject from performing all tasks associated with a business process.
  • Accountability includes auditing, monitoring, and ensuring security teams understand what subject accessed a critical resource, when the resource was accessed, and what was done. In addition to monitoring authorized access, security teams should receive alerts when the number of unauthorized access attempts exceeds a predefined threshold.

Separation of duties and least privilege are two primary constraints limiting what an insider can achieve. For example, an organization in which separation of duties and least privilege are enforced makes it difficult for a payroll clerk to commit fraud. The clerk wouldn’t be able to modify employee records AND enter time worked information AND approve payroll AND print checks/perform electronic transfers AND pick up or distribute payments. To execute all of these tasks would require collusion: enlisting others in the theft.
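The authorization bullet above mentions static and dynamic separation of duties, and the payroll example shows why they matter. The following is an added illustration (not code from the article) of how a small authorization layer can enforce least privilege, static SoD (conflicting roles never held by one subject) and dynamic SoD (conflicting tasks never performed by one subject within the same payroll run). Role names, task names and the conflict pairs are assumptions chosen to match the payroll example.

```python
# Tasks in the payroll process from the text; no single subject should be
# able to perform all of them without colluding with someone else.
ROLE_TASKS = {                    # role -> tasks it may perform (least privilege)
    "hr_clerk": {"modify_records"},
    "timekeeper": {"enter_time"},
    "payroll_manager": {"approve_payroll"},
    "treasury": {"disburse"},      # print checks / electronic transfers
    "mailroom": {"distribute"},    # pick up or distribute payments
}
# Static SoD: role pairs that may never be assigned to the same subject.
STATIC_CONFLICTS = {frozenset({"hr_clerk", "payroll_manager"}),
                    frozenset({"timekeeper", "payroll_manager"}),
                    frozenset({"treasury", "mailroom"})}
# Dynamic SoD: a subject may hold both roles (small shop), but may not perform
# both tasks for the same payroll run.
DYNAMIC_CONFLICTS = {frozenset({"approve_payroll", "disburse"})}

class SodViolation(Exception):
    pass

def assign_role(assignments, subject, role):
    """Grant a role, refusing if it statically conflicts with one already held."""
    held = assignments.setdefault(subject, set())
    for existing in held:
        if frozenset({existing, role}) in STATIC_CONFLICTS:
            raise SodViolation(f"{subject}: {role} conflicts with {existing}")
    held.add(role)

def authorize(assignments, history, subject, task, run_id):
    """Return (allowed, reason); record the task in history when allowed.
    history maps (run_id, subject) -> tasks already performed in that run."""
    permitted = set().union(*(ROLE_TASKS[r] for r in assignments.get(subject, ())))
    if task not in permitted:
        return False, "least privilege: no held role grants this task"
    done = history.setdefault((run_id, subject), set())
    for prior in done:
        if frozenset({prior, task}) in DYNAMIC_CONFLICTS:
            return False, f"dynamic SoD: already performed {prior} in {run_id}"
    done.add(task)
    return True, "allowed"

def demo():
    """Constructed scenario: returns the authorization decisions and whether
    the static SoD check blocked a conflicting role grant."""
    assignments, history = {}, {}
    assign_role(assignments, "alice", "hr_clerk")
    assign_role(assignments, "bob", "payroll_manager")
    assign_role(assignments, "bob", "treasury")            # permitted statically
    decisions = [authorize(assignments, history, s, t, r)[0] for s, t, r in (
        ("alice", "modify_records", "2024-05"),            # True
        ("alice", "approve_payroll", "2024-05"),           # False: least privilege
        ("bob", "approve_payroll", "2024-05"),             # True
        ("bob", "disburse", "2024-05"),                    # False: dynamic SoD
        ("bob", "disburse", "2024-06"))]                   # True: different run
    try:
        assign_role(assignments, "alice", "payroll_manager")
        blocked = False
    except SodViolation:
        blocked = True
    return decisions, blocked
```

The last decision shows the difference between the two forms: bob may disburse in a different run, but never the run he approved.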

Another example of separation of duties is preventing developers from placing new or modified applications into production. All code changes should be governed by a strict, closely managed, and distributed change management system. This helps prevent a developer or administrator from placing damaging code into production systems.

When assessing least privilege, consider whether the organization should allow copying of information to mobile storage devices (e.g., thumb drives, laptops, smartphones, etc.). Is it really necessary for everyone to remove information from within your organization’s trust boundary? Similarly, what is the risk associated with allowing employees to access personal email accounts and file transfer services (e.g., while at the office? Actually, it depends.

Monitoring and filtering

When attempting to detect internal threat actions, start with a good security information and event management (SIEM) system. The SIEM solution looks for anomalous behavior based on activity across one or more devices. It supports prevention and response controls and processes. Finally, be sure to enable logging for access to your valuable files, financial systems, and other critical systems.

Filtering solutions support monitoring in two ways. First, all data transfers are checked for sensitive information. With some systems, application of business policies prevents or restricts certain types of transfers. Filtering is also a great method of tracking what goes out via email. In any case, alerting is key when a questionable transfer occurs, such as a large file transfer at an odd time or between questionable locations.

NetFlow analysis supports filtering and logging solutions by identifying unusual activity across network segments and between systems. Often, it ships with the SIEM solution, so an organization doesn’t have to purchase an additional product. Once tuned to accept normal traffic patterns, it is a valuable tool for identifying anomalous data transfers.

Second, we can simply deny employees access to Internet locations used for extracting stolen data. Products like Websense or OpenDNS allow organizations to control access to external email and data transfer/storage sites. Blocking access is critical if no filtering solution exists. It is also critical during an employee’s transition.

According to the CERT Insider Threat Center, most thefts of intellectual property occur during the month before and the month after an employee leaves the company. This timeline also applies to IT insiders placing time bombs, back doors, etc., into production systems. Regardless of whether or not anyone reports one or more of the behaviors listed earlier, it is simply good security to check the past behavior of an employee once he or she gives notice.

Behavior checking should include accounts created, files accessed, data transfers completed, and any other activity relevant to moving data out of your network. Checking for unusual or seldom used administrator accounts is important. However, organizations shouldn’t wait until someone gives notice before they audit privileged accounts. This should be part of normal auditing processes.
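As an added example (not from the article), the review described above can be scripted against audit events: select a departing employee's activity in the month before and after notice, tally accounts created, files accessed and bytes transferred, and flag the large or off-hours transfers the filtering section called out. The event records, the 30-day window, the size threshold and the business-hours range are all constructed assumptions; a real SIEM export would supply the events.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(days=30)          # month before and month after notice
LARGE_TRANSFER = 500 * 1024 * 1024   # bytes; assumed threshold, tune per site
BUSINESS_HOURS = range(7, 19)        # assumed normal hours for transfers

# Constructed audit events, not real logs: (timestamp, actor, action, detail)
EVENTS = [
    ("2024-03-02T09:15:00", "dave", "file_access", "/finance/q1.xlsx"),
    ("2024-03-20T23:40:00", "dave", "transfer", "900000000"),
    ("2024-03-28T10:00:00", "dave", "account_created", "svc-backup2"),
    ("2024-04-03T14:05:00", "dave", "file_access", "/eng/design.pdf"),
    ("2024-04-10T02:10:00", "dave", "transfer", "120000000"),
    ("2024-01-05T11:00:00", "dave", "transfer", "800000000"),   # outside window
    ("2024-04-04T09:00:00", "erin", "file_access", "/hr/policy.docx"),  # other user
]

def review_departure(events, user, notice_date):
    """Summarise one user's activity within +/- WINDOW of the notice date."""
    notice = datetime.fromisoformat(notice_date)
    start, end = notice - WINDOW, notice + WINDOW
    summary = {"accounts_created": [], "files_accessed": [],
               "bytes_transferred": 0, "flags": []}
    for ts, actor, action, detail in events:
        when = datetime.fromisoformat(ts)
        if actor != user or not (start <= when <= end):
            continue
        if action == "account_created":
            # New accounts during the notice window are a classic back-door sign.
            summary["accounts_created"].append(detail)
            summary["flags"].append(f"{ts} account {detail} created in notice window")
        elif action == "file_access":
            summary["files_accessed"].append(detail)
        elif action == "transfer":
            size = int(detail)
            summary["bytes_transferred"] += size
            if size >= LARGE_TRANSFER:
                summary["flags"].append(f"{ts} large transfer ({size} bytes)")
            if when.hour not in BUSINESS_HOURS:
                summary["flags"].append(f"{ts} transfer outside business hours")
    return summary
```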

Finally, fraud usually takes place over long periods having nothing to do with when an employee leaves. In fact, leaving employment denies an insider access to the collusion-based network necessary to continue the flow of ill-gotten gains. Auditing and employee education are the best monitoring tools available for fraudulent behavior in process.

The final word

Trusted employees can go rogue for a number of reasons, some of which have nothing to do with how they’re treated at the office. While the reasons might vary, the insider-driven financial damage suffered by businesses each year demonstrates the need for closer monitoring of all key employees. I am not implying all employees are dishonest. However, the time will come when someone you trust crosses the line.

Detecting those that plan to do harm is often very difficult unless employee awareness, monitoring, alerting, and response are in place. Further, consider detailed analysis of a departing employee’s system and network behavior in accordance with clearly documented and distributed policies.