Information security. It used to mean keeping the "barbarians" on the other side of our wall and moat. You know, that perimeter we so painstakingly built with all the newest technology. Most of us now understand that it takes much more. So we've built internal controls to strengthen security around systems, storage devices, etc. But this is often still not enough to stop a breach.
Our security controls are typically designed to keep unauthorized entities (humans and software) from reaching our information assets. The problem today is that many of our trusted users are behaving in ways that put our data, and our organizations, at risk.
First, let's put to rest any doubt in your mind that this is a problem in your organization. According to Dawn Cappelli, technical manager for the threat and incident management division of the Software Engineering Institute CERT program, "…insider attacks continue to be seen as a bigger problem than anything that might come from the outside" (Brenner, 2010, p. 2). Dollars spent to prevent breaches and other information-asset-related incidents caused by employees may have a larger ROI than those spent on traditional controls.
There are three basic ways our employees put our organizations at risk: data leakage, data theft, and system vandalism. Data leakage is a common enemy of security managers. It enables data breaches by moving sensitive information from trusted locations to storage with ineffective or absent security controls.
For example, users often want to take data home to meet a tight project deadline. Copying files to a thumb drive or other mobile storage device is the fastest way to get what they need and make it home in time for dinner. In many cases, they just moved information from highly secured locations to unsecured, unencrypted devices. And we know these devices are never lost or stolen…
Data theft is what we normally think of when we hear about a breach. But why would a trusted employee, someone who has possibly worked for us for years, decide to steal our data? There are a number of reasons why this might happen, including:
- Being passed over for promotion.
- Getting even on the way out the door after being fired, including accessing the network from home because termination processes failed or don't exist.
- Taking intellectual property to a new employer.
- Being paid by attackers who would rather not tackle the really nice security framework you've constructed.
System vandalism is closely related to the reasons disgruntled employees steal data. In some cases, systems are locked down, data erased, or destructive applications are left behind after sensitive information is copied to the thumb drive already safely in the employee's backpack.
Controls associated with the basic concepts of limiting damage caused by employees should already be in place: allow employees only the rights and privileges absolutely necessary to do their jobs (least privilege), restrict them to seeing only the information necessary for their piece of business operation (need-to-know), and prevent any one employee from performing all the tasks associated with critical processes (separation of duties). I like to add to this list something that many organizations are beginning to practice: keep in company systems only the sensitive information that is absolutely necessary to continue business operations. Get rid of everything else.
These controls are a good start, but how do we make sure employees properly handle the information to which they must have access? This gets a little harder to enforce. Some recommended prevention controls include:
- Restricted use of mobile storage. Mobile storage devices come in many forms, including: thumb drives, phones, and USB hard drives. If you can't convince management to use technology to prevent use of these devices, then at least make sure they are secure. Encrypting USB devices is easier today because of additions to operating systems (Windows 7) and security suites like McAfee. (For more information on this topic, see Windows 7: Mobile Data Protection with Bitlocker To Go.)
- Effective termination processes. Never… let me say that again… never allow an employee to return to his or her desk unescorted after they've been terminated. In addition, terminate all access to information assets while the employee is meeting with management to get the bad news. In support of this process, ensure all employees leaving on their own are locked out of remote access as quickly as possible after they leave on their last day.
- Provide a method for employees to report suspicious peer or subordinate behavior. Most employees are honest and above the types of activities we're examining here. Many are also willing to report unusual behavior that might indicate that a peer is about to do something you would rather they didn't. Provide a way for employees to anonymously report these incidents. Further, train managers on how to identify potential problems. (For more information on this topic, see Prevent your employees from "going rogue.")
- Perform initial and regular background checks of employees in sensitive positions. Many organizations perform background checks before sending an offer letter. However, ensuring employee suitability to handle sensitive assets usually stops there. Related to the previous bullet, organizations should consider periodic checks for employees with access to highly sensitive information.
- Block use of data sharing sites. A large number of online solutions exist that allow employees to share large files while bypassing other controls, like email attachment size limits. One example, and a service I often use, is TransferBigFiles.com.
- Look for unusual access patterns. In the whitepaper Stopping insider attacks: how organizations can protect their sensitive information, IBM (2006, p. 7) recommends starting by creating a baseline of normal user behavior in each system. This is followed by integrating the following information into your log management system and alerting on anomalies:
  - Initial connection—date and time of logon, IP addresses involved, and connection frequency
  - Data access—requests for data, organized according to specific type
  - Application usage—frequency and duration
  - Overall usage—total session time and overall data usage requests
- Filtering of moving information. And when everything else is in place, make sure your trusted and honest employees are not making mistakes about how they handle information, including:
  - Scan and filter outgoing email
  - Use extrusion defense controls
  - Scan and filter data copied across the network (See Improve Data Protection Processes with Content Discovery, Monitoring, and Filtering.)
  - Scan enterprise storage and report on possible information stored in locations lacking the right amount of security (See Prepare for e-discovery requests: How to avoid disastrous legal sanctions and fines.)
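To make the "unusual access patterns" item above concrete, here is an added example (not code from the article or the IBM whitepaper) that builds a per-user baseline from logon records and flags new events on three of the listed dimensions: logon hour, source IP address, and volume of data requests. The log format and every record in it are constructed for the example; the thresholds (any unseen hour or address, requests above 3x the baseline mean) are assumptions to tune against real data.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logon records (not real data). Each line holds:
# timestamp, user, source IP, number of data requests in the session.
BASELINE_LOG = """\
2013-01-07T08:55:00 alice 10.1.2.10 12
2013-01-08T09:02:00 alice 10.1.2.10 9
2013-01-09T08:48:00 alice 10.1.2.11 15
2013-01-07T07:30:00 bob 10.1.3.20 40
2013-01-08T07:45:00 bob 10.1.3.20 36
"""
NEW_EVENTS = """\
2013-01-14T09:05:00 alice 10.1.2.10 10
2013-01-14T02:17:00 alice 203.0.113.7 480
2013-01-14T07:35:00 bob 10.1.3.20 38
2013-01-14T07:40:00 mallory 10.1.3.20 5
"""

def parse(log):
    """Turn each line into (datetime, user, source_ip, request_count)."""
    return [(datetime.fromisoformat(ts), u, ip, int(n))
            for ts, u, ip, n in (line.split() for line in log.splitlines())]

def build_baseline(events):
    """Per user: logon hours seen, source IPs seen, request counts per session."""
    base = defaultdict(lambda: {"hours": set(), "ips": set(), "reqs": []})
    for ts, user, ip, n in events:
        base[user]["hours"].add(ts.hour)
        base[user]["ips"].add(ip)
        base[user]["reqs"].append(n)
    return base

def score_event(event, baseline, volume_factor=3.0):
    """Return the reasons an event deviates from its user's baseline ([] = normal)."""
    ts, user, ip, n = event
    b = baseline.get(user)
    if b is None:
        return ["no baseline for user"]  # account never seen in the baseline period
    reasons = []
    if ts.hour not in b["hours"]:
        reasons.append(f"logon at unusual hour {ts.hour:02d}")
    if ip not in b["ips"]:
        reasons.append(f"logon from new address {ip}")
    mean = sum(b["reqs"]) / len(b["reqs"])
    if n > volume_factor * mean:
        reasons.append(f"{n} data requests vs baseline mean {mean:.1f}")
    return reasons

def find_anomalies(baseline_log=BASELINE_LOG, new_log=NEW_EVENTS):
    """Map (user, timestamp) -> reasons for every new event that trips a check."""
    baseline = build_baseline(parse(baseline_log))
    return {(u, ts.isoformat()): r for ts, u, ip, n in parse(new_log)
            if (r := score_event((ts, u, ip, n), baseline))}
```

In the sample, alice's 02:17 session from an outside address with 480 requests trips all three checks, while her and bob's daytime sessions from known addresses are left alone; an account with no baseline at all is surfaced rather than silently scored as normal.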
The final word
No article can list all the ways an employee can find to leak or steal your data. Each organization is unique. The information here is a good beginning. However, only your vigilance and creativity will successfully thwart the barbarians inside the gates.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.