At a time when many organizations are being bombarded on every side, they sometimes forget about the inside. Because so much has been said about the dangers imposed by malicious outsiders and insiders intent on wreaking havoc and reaping money, the non-malicious insider threat remains somewhat unspoken.
I recently wrote a whitepaper outlining the threat posed by well-meaning insiders. See it here.
The well-meaning insider represents a weak link in the security posture of many organizations and few seem to realize the critical role they play in keeping information safe. A survey of office employees in North America and Europe, for example, found that 78 percent think that their IT department solely holds the responsibility for information confidentiality. To be able to fully protect against threats resulting from such misconceptions, companies must identify who constitutes a risk, as well as why and how they might be a threat. Not all insider risk profiles constitute the same type of threat, so security has to be tailored to their particular characteristics.
Well-meaning insiders fall into the following categories:
- The underminers take the path of least resistance and ignore the spirit of security to make their working lives easier. Creating easy passwords is an example of this. Sharing passwords is another common problem.
- The overly-ambitious employees knowingly take risks to purposefully bypass bureaucratic security processes in order to be more effective in achieving what they think are organizational goals. Encryption, for example, might be overlooked because the employee thinks it’s too cumbersome.
- The socially engineered are those employees, usually in low-paid positions at the public-facing end of the organization, who are prone to being duped by malicious outsiders into sharing sensitive information or even giving out access codes to systems.
- The data-leakers are the growing cadre of ‘whistleblowers’ who, for various ethical or unethical reasons, leak to the public via social network technology, such as WikiLeaks, information they feel the public should be informed about.
- The data spillers are employees who have legitimate access to information or databases, but are prone to spill data because of (sometimes routine) organizational practices not checked by lax IT policies. Data spillers may:
  - Accidentally disclose information by losing a laptop or smartphone, or a CD-ROM or USB drive. While such incidents (often unreported) represent a statistical outlier, they do garner much attention—both from other organizations and media outlets.
  - Take data out of the secure environment to use outside the office and not delete it afterwards.
  - Leave data on discarded computers.
  - Not carefully manage data shared with third parties.
  - Send unsecured data through public delivery systems.
  - Not review and update access inventories or email distribution lists.
Resolving these problems can happen through increased IT intervention and employee education. In both cases, the goal is to preserve both human and technological resources. For instance, demonizing these insiders and treating them as willfully malicious will not improve situations. It will either cause a loss of talent or a loss of good relations. Training and educating as well as establishing a culture of security through improved and automated IT will reduce risk and maintain effectiveness.
The well-meaning insider is a different type of problem from the malicious outsider. Both can result in data loss and information breaches, but the motivations and relationships to the company vary widely. Because the industry has focused on outsider threats, many companies are unprepared and even unaware of who may be causing the loss of sensitive information. This issue can be addressed. To get more information on the who, how and why of the well-meaning insider – along with recommendations on how to deal with them effectively – read the whitepaper, Organization Security and the Insider Threat: Malicious, Negligent and Well-Meaning Insiders.
About the Author
David S. Wall (BA, MA, M Phil, PhD, FRSA, AcSS) is Professor of Criminology at Durham University where he conducts research and teaches in the fields of cybercrime, policing and intellectual property crime. He has published a wide range of articles and books on these subjects which include amongst others: Cybercrime: the Transformation of Crime in the Information Age (Polity, 2007).
… or “Who will watch the watchers?” In a recent case a malicious insider admitted not to stealing information but, in effect, to adding to it. As an IT insider he had access to the systems which dealt with loyalty cards; he set up a number of bogus accounts and then filled them with points… that he could later spend.
A great deal of time and effort goes into protecting systems at the endpoint or servers in the datacentre and companies now at least acknowledge the insider threat… but when it comes to applications there is still a naivety of “all our people are good”. Which brings us to who is watching the people who are supposed to be watching the systems? Unfortunately there is very little that can be done to stop the determined malicious insider – after all they have the access to the systems given to them and often they carry out tasks they are supposed to, given that they have the authorisation to do so. However, this is where good application design and usage policies can help. For a start, all administrators should have their own usernames and passwords – no sharing. There should also be good logs / audit trails, especially for functionality requiring additional privileges. Finally, there needs to be some means of reviewing the log files – either automatically or manually… and preferably not by one individual (otherwise they could become the malicious insider). Often just informing people that this functionality and policy is in place will deter the potential casual insider… and for those who are not deterred at least you now have some evidence.
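The review step described above, as an added example that is not code from the original post: a small script that walks an audit trail of privileged loyalty-system actions and surfaces what a second reviewer would want to see. The audit records, field names and account names are constructed for the demo; the checks are use of shared (unowned) administrator accounts, and the loyalty-card pattern of one administrator both creating an account and crediting it with points.

```python
"""Audit-trail review for privileged loyalty-system actions (added example)."""
from collections import defaultdict

# Generic accounts that cannot be tied to one named administrator.
SHARED_ACCOUNTS = {"admin", "root", "helpdesk"}

# Constructed audit records: jsmith creates an account and credits it
# himself, credits an account agreen created, and someone uses "admin".
AUDIT_LOG = [
    {"ts": "2010-01-04T09:02", "actor": "jsmith", "action": "create_account", "target": "L-9001", "points": 0},
    {"ts": "2010-01-04T09:05", "actor": "jsmith", "action": "credit_points",  "target": "L-9001", "points": 5000},
    {"ts": "2010-01-04T10:11", "actor": "admin",  "action": "credit_points",  "target": "L-1234", "points": 200},
    {"ts": "2010-01-05T14:30", "actor": "agreen", "action": "create_account", "target": "L-9002", "points": 0},
    {"ts": "2010-01-05T14:32", "actor": "jsmith", "action": "credit_points",  "target": "L-9002", "points": 7500},
    {"ts": "2010-01-06T08:15", "actor": "agreen", "action": "reset_password", "target": "L-1234", "points": 0},
]


def shared_account_use(log):
    """Privileged actions performed under an account nobody personally owns."""
    return [r for r in log if r["actor"] in SHARED_ACCOUNTS]


def self_credited_accounts(log):
    """Accounts that were both created and credited by the same administrator.

    A separation-of-duties check: creating an account and funding it
    should never be done by one person without a second pair of eyes.
    """
    creator = {r["target"]: r["actor"] for r in log if r["action"] == "create_account"}
    hits = set()
    for r in log:
        if r["action"] == "credit_points" and creator.get(r["target"]) == r["actor"]:
            hits.add(r["target"])
    return sorted(hits)


def points_by_actor(log):
    """Total points credited per administrator, for the periodic review."""
    totals = defaultdict(int)
    for r in log:
        if r["action"] == "credit_points":
            totals[r["actor"]] += r["points"]
    return dict(totals)


if __name__ == "__main__":
    for r in shared_account_use(AUDIT_LOG):
        print("shared account used:", r)
    print("self-credited accounts:", self_credited_accounts(AUDIT_LOG))
    print("points credited per admin:", points_by_actor(AUDIT_LOG))
```

In a real deployment the log would come from the application itself, and the report would go to someone other than the administrators it covers.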
ID fraud in the UK has increased by nearly a third (31.79 per cent) in 2009, according to a new report from CIFAS, the UK’s Fraud Prevention Service, as compromised identity details continue to be sold over the internet. The report points to an increase in gangs using collusive staff within organisations to steal personal data online for criminal gain. The CIFAS findings are gathered from its 265+ members across industries including banking, retail and telecoms.
Businesses need to be better protected against the dangers of the enemy within, particularly in industries such as finance and banking, where the value of the personal data held in online databases can be incredibly high. Our recent State of Enterprise Security report found that 40 per cent of businesses experienced a high number of internal, malicious attacks in 2009. In addition, a great deal of damage was also done unintentionally by staff, with 39 per cent of IT managers surveyed saying it’s a ‘high’ or ‘extremely high’ problem.
IT security was, for many years, focused on protecting against external threats and attacks. While those threats still remain, a more insidious threat – the malicious insider – has been steadily rising. The fact that cybercriminals are so well networked within UK businesses in order to bring about this kind of ID fraud points to their increased professionalism and savviness.
Symantec recommends that companies assess their policies and processes around employee access to sensitive data, ensuring that they are appropriate for the employee’s position and are enforced and regularly reviewed. It advises that data loss prevention (DLP) solutions that offer protection at the endpoint, network and storage levels can also help.
Andy Ng, Data Loss Prevention Consulting Manager for EMEA
The BBC has posted a story about a major phishing scam which has targeted the global carbon market. An estimated 250,000 permits worth around €3 million have been stolen this week forcing emissions trading registries in several EU countries to close on Tuesday.
Up until now phishing scams have been more commonly associated with consumers but criminals are increasingly turning to the private sector.
Businesses need to get serious about training staff on the risks of phishing attacks. There is a natural tendency for workers to click without thinking when using a work computer and this scam has brought home the very real risks.
As the business world leaves the excess of the Christmas party season behind, many employees will approach the New Year with the aim of leaving their current job behind. January is notoriously the time for fresh starts, with as many as one in three employees making it their resolution to find a new job. To ensure confidential data does not depart with them, it is crucial that those in management begin taking steps to secure corporate information now.
The lack of prospects in 2009 resulting from the recession meant that many people stayed in jobs which they would otherwise have left. With the first signs beginning to emerge that 2010 might herald a turnaround in the job market, it is certain that many will be eager for the opportunity to move elsewhere.
Unfortunately we see that many employees will take confidential information with them when they leave. Company documents, passwords and online information are often seen as being ‘fair game’ when leaving an organisation, with few feeling guilty about retaining access to information or databases that they’ve used for years. Well-meaning employees can also take sensitive information with them by simply forgetting to hand a memory stick back or wipe their personal mobile device before leaving. It is important that companies have policies in place to protect against such ‘accidental theft’ as well.
The vast majority of ex-employees will not take information out of any malicious intent but simply to retain access to data they feel they created, or passwords that will allow them to maintain access to paid-for databases. However, regardless of their intent, employees do not own this company data, and by taking simple steps such as regularly changing passwords and tracking the internal movements of confidential documents, companies can ensure their information is protected not just from external attack but also from past employees.
The recent story of an employee selling mobile phone records to the competition highlights, once again, that we live in changing times. All data has a value to someone, and today some people aren’t afraid of the consequences of doing something bad with it – these are the malicious insiders. They have rightful access to the data as part of their job, but they don’t do the right things with it.
While many will reel in (fake) horror at the prospect of an employee doing something bad with the data that they have been entrusted with, the reality is that the vast majority don’t know what happens to their data. Technology exists to prevent data loss, but it can also be used to watch for anomalous usage. For example, if someone usually looks up one customer record at a time but then looks up a thousand, it can be flagged up for investigation. There are probably several valid reasons that this occurred, perhaps they had been asked to run a new report – but perhaps not. With the ICO gaining its teeth, it is time to take a proactive approach to protecting data – inside as well as outside the corporation.
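The “one record a day, then a thousand” check above, as an added example that is not part of the original post: each user is compared against their own recent lookup volume rather than a single global limit, so an analyst who routinely pulls hundreds of records is not flagged while a clerk who suddenly pulls a thousand is. The daily counts, user names and the ratio/floor thresholds are constructed for the demo; a user with no history is handled by falling back on the absolute floor.

```python
"""Flag users whose record-lookup volume departs from their own baseline (added example)."""
from statistics import median

RATIO = 10       # today's count must exceed 10x the user's usual daily volume...
MIN_FLAG = 100   # ...and an absolute floor, so a jump from 1 to 12 lookups is not an alert

# Constructed history: daily lookup counts over the previous five working days.
HISTORY = {
    "clerk":   [1, 2, 1, 1, 2],
    "analyst": [300, 250, 400, 350, 300],
}
# Constructed counts for the day under review; "newhire" has no history yet.
TODAY = {"clerk": 1000, "analyst": 380, "newhire": 150, "tempstaff": 40}


def baseline(counts):
    """Typical daily volume; the median is not dragged up by one earlier spike."""
    return median(counts) if counts else None


def is_anomalous(today_count, history):
    base = baseline(history)
    if base is None:
        # No baseline to compare against: only the absolute floor applies.
        return today_count > MIN_FLAG
    return today_count > max(MIN_FLAG, RATIO * base)


def flag_lookups(today, history):
    """Return {user: (today_count, baseline)} for the users worth a closer look."""
    flagged = {}
    for user, count in today.items():
        hist = history.get(user, [])
        if is_anomalous(count, hist):
            flagged[user] = (count, baseline(hist))
    return flagged


if __name__ == "__main__":
    for user, (count, base) in flag_lookups(TODAY, HISTORY).items():
        print(f"investigate {user}: {count} lookups today, baseline {base}")
```

A flag is a prompt for a conversation (was a new report requested?), not a verdict, which is exactly the point the post makes.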
A hack of the console of Twitter has been reported, enabling the attacker to have access to celebrity accounts (and the rest of our less celebrity accounts as well). However, what this really brings to the fore is that if you can gain access to the root of the application, the administrator, then all the data held there is within your grasp. OK, so it should be tougher to get access at this level but if you do, then you have absolute control. Of course, the assumption is that the administrator is ‘good’, but what if they weren’t? We have seen cases where phone records of celebrities have been examined and sold by system administrators – so there is a need for more security and a separation of administrator and data with much greater auditing and analysis of the associated log files.
While we are on the subject… what if the database held biometric information… and the hacker had replaced a celebrity’s information with their own? They could have become, in the eyes of a machine, that person. The introduction of chip and PIN has reduced fraud – but it has also enabled impersonation… it seems that people frequently give their PINs to other people in order to get cash from cashpoints… or pay for groceries. As far as the person at the till is concerned, the person has paid – end of story. Not even a brief check that the name matches the person on the other side of the counter… as we trust more and more to technology, we assume the integrity of the system and the administrator.
Quis custodiet ipsos custodes?
News this week has said that the US power grid has been hacked by cyber-spies – which is all rather worrying. It used to be that Critical National Infrastructure (CNI) was owned by the government – it made sense, they were looking out for their citizens etc, etc and importantly, things like security were given a high priority. However, that has changed and now they are owned by shareholders, so the emphasis is often more on profit and security tends to play second fiddle to remaining competitive and making money. Add to this the fact that the Internet has enabled remote monitoring (fewer people, but more cyber-risk) and you can start to see the problem. A hacker today can be sitting in London, controlling a bot network in Russia and targeting America, and with the click of a mouse could be targeting Australia routing through China. It’s almost too easy. There is a need to revisit CNI, look at how it can be attacked in the 21st Century and take suitable precautions.
The problem is not just CNI, companies and governments are increasingly putting in ‘secret’ or ‘secure’ networks, which in theory don’t connect to the Internet. Unfortunately some are finding problems they hadn’t foreseen – firstly virus infections. If you don’t get security updates then the network becomes a breeding ground for worms like Conficker which propagate using USB sticks and other routes. So, what – ‘it’s not attached to the Internet’… ah, there’s the other problem. Eventually, and it doesn’t seem to take long, someone installs a bridge between the ‘secret’ network and the corporate network and then the data can leak out. Why does the bridge get installed? Simple… time and money – with very little thought to the risks and consequences.
With a frightening increase in malware around, assumptions about security for CNI and internal secure networks need to be revisited. Just because you don’t think your network is at risk doesn’t mean it isn’t. In an economic downturn, the information you have and ignore might just be valuable enough for someone to steal and sell. Now is not the time to take shortcuts and reduce IT security.
A former Intel employee has been charged with attempting to steal $1 billion worth of information. Wow. Turns out that while he had resigned and officially left, he still had access to the computer systems – and guess what… he decided to copy stuff, which he freely admits he would use to further his career in the future.
While I have written about the decline of implicit trust before, this is yet another case, although this time it shows up a poor corporate process relating to shutting out individuals from company systems when they leave.
I was with a customer this week and they are about to change their policy on password changes to every two weeks. Every two weeks… we change our passwords every three months and even then I can have problems trying to (a) find something that fits the policy, uppercase, lowercase, numeric, punctuation, not this or that and then (b) remembering it… let alone having to do it every two weeks. The reason that passwords used to have to be changed frequently was because companies were not good at shutting people out of systems when they left… but now there is no excuse.
Time to revisit that employee leaver policy… and examine how you can prevent falling foul of a malicious insider – after all he was just copying restricted data onto removable media… something technology can help you spot.
So just how important can one person be? If they happen to be the IT administrator and they have a grudge, then perhaps the answer will scare you. In a recently reported incident one employee locked a whole city out of its computer system – and then refused to hand over the password. Implicit Trust fails once more. If that had been your company, what would you have done? In this case they threw the individual in jail and are waiting… and trying to crack the password themselves!
More to the point, what could you do to prevent it from happening? This is a tough one – obviously you could have audit trails (but if you can’t log in, then how can you find the information), perhaps you could have a secret backdoor (not such a good idea – some cyber-criminal will find it), perhaps you can have policies and procedures (not that they help when you are locked out)… so what to do? Maybe the best thing to do is to ask your IT administrators how they would solve the problem – they will no doubt come up with a solution that would work for you and your network. If you think using this case might be a little close to the bone, then how about framing it as an ‘accident’ in which everyone gets locked out – its own form of ‘disaster’.