Protecting Against Insider Threat
Are Insiders Really a Threat?
The threat of attack from insiders is real and substantial. The 2006 E-Crime Watch Survey conducted by the United States Secret Service (USSS), the SEI CERT Program, and CSO Magazine, found that in cases where respondents could identify the perpetrator of an electronic crime, 32% were committed by insiders.
The impact from insider attacks can be devastating. One complex case of financial fraud committed by an insider in a financial institution resulted in losses of almost $700 million. Another case involving a logic bomb written by a technical employee working for a defense contractor resulted in $10 million in losses and the layoff of 80 employees.
Over the past several years, CERT has been conducting a variety of research projects on insider threat. One of the conclusions reached is that insider attacks have occurred across all organizational sectors, often causing significant damage to the affected organizations. These acts have ranged from low-tech attacks, such as fraud or theft of proprietary information, to technically sophisticated crimes that sabotage the organization’s data, systems, or network. Damages are not only financial; widespread public reporting of the event can also severely damage the organization’s reputation.
Insiders have a significant advantage over others who might want to harm an organization. Insiders can bypass physical and technical security measures designed to prevent unauthorized access. Mechanisms such as firewalls, intrusion-detection systems, and electronic building-access systems are implemented primarily to defend against external threats.
However, not only are insiders aware of the policies, procedures, and technology used in their organizations, but they are often also aware of their vulnerabilities, such as loosely enforced policies and procedures or exploitable technical flaws in networks or systems.
Partnering with the USSS, CERT has been conducting the Insider Threat Study, gathering extensive insider threat data from more than 150 case files of crimes involving most of the nation’s critical infrastructure sectors. To date, researchers have published two reports documenting the results of the study: Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector and Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors.
This study shows that use of widely accepted best practices for information security could have prevented many insider attacks or detected them earlier. Rather than requiring new practices or technologies for prevention of insider threats, the research instead identifies existing best practices critical to the mitigation of the risks from malicious insiders.
Who Is The Suspicious Insider?
Disgruntled technical staff members, both before and after termination, must be recognized as potential threats for insider IT sabotage. Data pertaining to fraud and information theft suggest that organizations must exercise some degree of caution with all employees. Current employees in practically any position have used legitimate system access to commit these types of crimes. (Of special note is that almost half of the employees who stole information while still employed had already accepted other job offers.) Unfortunately, there is no profile of an insider who poses a threat to an organization; the threat can be recognized based only on a combination of patterns of behavior and online activity.
Can Insiders Be Stopped?
Insiders can be stopped, but stopping them is complex. Insider attacks can be prevented only through a layered defense strategy consisting of policies, procedures, and technical controls. Therefore, management must pay close attention to many aspects of an organization, including its business policies and procedures, organizational culture, and technical environment. Managers must look beyond information technology to the organization’s overall business processes and the interplay between those processes and the technologies used.
Too often organizations allow the quality of their practices to erode as no malicious activity is detected over time. One of the vulnerabilities posed by insiders is their knowledge of exactly this: the quality of their organization’s defenses. Based on our research to date, the practices outlined below are the most important for mitigating insider threats.
Practices for Preventing Insider Attacks
The following 13 practices for preventing insider attacks will provide an organization with defensive measures that could prevent or facilitate early detection of many of the insider attacks other organizations have experienced. This is an overview of the best practices covered in the "Common Sense Guide to Prevention and Detection of Insider Threats, 1st Edition"; see the complete document for more details.
Practice 1: Institute periodic enterprise-wide risk assessments.
It is difficult for an organization to determine the proper balance between trusting its employees, providing them access to achieve the organization’s mission, and protecting itself from those same employees. Access combined with knowledge of the organization’s vulnerabilities in both technology and business processes gives insiders the ability to carry out malicious activity against their employers. An organization must protect itself from both insiders and outsiders using risk-management principles. The organization must take an enterprise-wide view of information security, first determining its critical assets, then defining a risk-management strategy for protecting those assets from both insiders and outsiders.
Practice 2: Institute periodic security awareness training for all employees.
A culture of security awareness must be instilled in the organization so that all employees understand the need for policies, procedures, and technical controls. The first line of defense from insider threats is the employees themselves. All employees in an organization must understand that security policies and procedures exist, that there is a good reason that they exist, that they must be enforced, and that there can be serious consequences for infractions. Each employee must be aware of the organization’s security policies and the process for reporting policy violations.
Practice 3: Enforce separation of duties and least privilege.
If all employees are adequately trained in security awareness, and responsibility for critical functions is divided among employees, the possibility that one individual could commit fraud or sabotage without the cooperation of another individual within the organization is limited. Effective separation of duties requires the implementation of least privilege, that is, authorizing people only for the resources they need to do their jobs.
Practice 4: Implement strict password and account-management policies and practices.
No matter how vigilant employees are in trying to prevent insider attacks, if the organization’s computer accounts can be compromised, insiders have an opportunity to circumvent both manual and automated mechanisms in place to prevent insider attacks.
Practice 5: Log, monitor, and audit employee online actions.
If account and password policies and procedures are enforced, an organization can associate online actions with the employee who performed them. Logging, periodic monitoring, and auditing provide an organization the opportunity to discover and investigate suspicious insider actions before more serious consequences ensue.
Practice 6: Use extra caution with system administrators and privileged users.
Typically, logging and monitoring are performed by a combination of system administrators and privileged users. Therefore, additional vigilance must be applied to those users.
Practice 7: Actively defend against malicious code.
System administrators or privileged users can deploy logic bombs or install other malicious code on the system or network. These types of attacks are stealthy and therefore difficult to detect in advance, but practices can be implemented for early detection.
Practice 8: Use layered defense against remote attacks.
If employees are trained and vigilant, accounts are protected from compromise, and employees know that their actions are being logged and monitored, disgruntled insiders will hesitate to attack systems or networks at work. Insiders tend to feel more confident and less inhibited when they have little fear of scrutiny by coworkers; therefore, remote-access policies and procedures must be designed and implemented very carefully.
Practice 9: Monitor and respond to suspicious or disruptive behavior.
In addition to monitoring online actions, organizations should closely monitor other suspicious or disruptive behavior by employees in the workplace. Policies and procedures should be in place for employees to report such behavior when they observe it in coworkers, with required follow-up by management.
Practice 10: Deactivate computer access following termination.
When an employee terminates employment, whether the circumstances were favorable or not, it is important that the organization have in place a rigorous termination procedure that disables all of the employee’s access points to the organization’s physical locations, networks, systems, applications, and data.
Practice 11: Collect and save data for use in investigations.
Should an insider attack, it is important that the organization have evidence to identify the insider and follow up appropriately.
Practice 12: Implement secure backup and recovery processes.
Despite all of the precautions implemented by an organization, it is still possible that an insider will attack. Therefore, it is important that organizations prepare for that possibility by implementing secure backup and recovery processes that are tested periodically.
Practice 13: Clearly document insider threat controls.
As an organization acts to mitigate insider threat, clear documentation will help to ensure fewer gaps for attack, better understanding by employees, and fewer misconceptions that the organization is acting in a discriminatory manner.
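Three of the practices above (Practice 3, separation of duties; Practice 5, auditing logged actions; Practice 10, deactivating access after termination) can be turned into a periodic access-review check. The script below is an added example, not code from CERT or the guide; the HR roster, account store, authentication log and the toxic role pair are all constructed for illustration.

```python
"""Access-review checks for Practices 3, 5 and 10 (added example; all data constructed)."""
from datetime import date

# Constructed HR roster: user -> (status, termination date or None)
HR_ROSTER = {
    "alice": ("active", None),
    "bob": ("terminated", date(2024, 3, 1)),
    "carol": ("active", None),
}

# Constructed account store: user -> (enabled?, set of roles)
ACCOUNTS = {
    "alice": (True, {"payment_initiate"}),
    "bob": (True, {"sysadmin"}),                        # never disabled after termination
    "carol": (True, {"payment_initiate", "payment_approve"}),
}

# Constructed authentication log: (date, user, event)
AUTH_LOG = [
    (date(2024, 2, 28), "bob", "login"),
    (date(2024, 3, 4), "bob", "vpn_login"),             # after bob's termination date
    (date(2024, 3, 4), "alice", "login"),
]

# Hypothetical role pairs that one person must never hold together
TOXIC_PAIRS = [("payment_initiate", "payment_approve")]


def stale_accounts(roster, accounts):
    """Practice 10: terminated users whose accounts are still enabled."""
    return sorted(u for u, (status, _) in roster.items()
                  if status == "terminated" and accounts.get(u, (False, set()))[0])


def post_termination_logins(roster, log):
    """Practices 5 and 10: logged events for a user on or after their termination date."""
    hits = []
    for when, user, event in log:
        status, term = roster.get(user, ("unknown", None))
        if status == "terminated" and term is not None and when >= term:
            hits.append((when.isoformat(), user, event))
    return hits


def sod_violations(accounts, toxic=TOXIC_PAIRS):
    """Practice 3: users holding both halves of a toxic role combination."""
    return sorted((u, a, b) for u, (_, roles) in accounts.items()
                  for a, b in toxic if a in roles and b in roles)


if __name__ == "__main__":
    print("still enabled after termination:", stale_accounts(HR_ROSTER, ACCOUNTS))
    print("activity after termination:", post_termination_logins(HR_ROSTER, AUTH_LOG))
    print("separation-of-duties violations:", sod_violations(ACCOUNTS))
```

In practice the roster, account store and log would be pulled from the HR system, the directory and the SIEM respectively, and each finding would be routed to the follow-up process the practices call for.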