Tuesday, November 10, 2009

Identifying and Countering the Insider Threat



What is the insider threat?
The insider threat is that posed by employees, contractors, and visitors who are granted too much trust. In some cases that trust is almost naively granted.
Anyone within an organization could have the motivation, access to resources, and the tools to steal information, or even destroy critical resources.
While often overlooked, the insider threat actually outweighs the threats from cyber criminals, hackers and the random malware that most organizations concentrate on.
It is the insider that understands where the keys to the kingdom are hidden.
When I was engaged in white-hat hacking for one of the Big Four audit firms it would take me about two days within a bank, railroad, or utility to figure out how I could steal from them or their customers.
And, that was with information I gleaned from inside staff. We assume that the employer-employee contract is enough to curtail bad behavior.
But, ask anyone who manages staff involved in handling cash and you will understand the threat posed by employees. Look at the controls, cameras, even the lack of pockets in casino operations.
Next time you go to a bank check out those video cameras.
They are there to keep the tellers honest. To understand the level of controls needed to protect your assets you have to think of your data, communications, and processes as if they were cash.
What is the threat?
The threat is that you could lose mission critical business functions, intellectual property such as trade secrets, source code, and customer contacts.
You could suffer financial losses from disclosure requirements in the case of loss of credit card or other data, and the subsequent PR fiasco. The losses could far outweigh the cost of simple preventative measures.
What are privileged users and privileged accounts, and how do they represent a problem?
Privileged accounts are convenient short cuts. There are two major categories. Privileged accounts owned by administrators and those accounts used by programs or servers to communicate with one another.
Think about it. You are designing a new web application that requires the web front end to access a database.
Do you bother with the complexity of passing login credentials for every authorized user back to the database server?
Or, do you create one superuser, the web server, and allow it to make any query at all with rudimentary logging at the database server? For server administration there is a similar short cut.
Multiple people on multiple shifts need to get access to servers to back them up, reboot them, patch them, etc. Isn’t it easier to create one superuser account that everyone uses for those tasks?
And of course when installing a new application do you grant that application so-called “least privilege” or do you avoid the cumbersome task of determining what processes and functions each new application will need to execute and just give it superuser status? I think you know the answer.
You take the simple, get-it-to-work, path. What you end up with is no accountability, no logging of individual behavior, no control.
You grant plausible deniability to anyone who abuses those access privileges. Perhaps one of the biggest concerns is privileged account access for databases.
Database Admins have to do so many tasks on their servers, from maintaining them to manipulating the data in their stores that it is extremely cumbersome to ask them to have unique passwords for different tasks.
After all they know the user name and password of the web server that has to access that database. So even if you give them individual accounts they still login with the elevated credentials of the web server.
Getting a grip on the privileged user account is one of the key challenges in securing an environment from insider threats.
Who should be responsible for mitigating the insider threat?
Responsibility for mitigating the insider threat resides with several groups. The business risk from insiders should be one of the primary concerns of executive stakeholders especially financial management.
The CFO’s office has the experience with enforcing financial controls that is directly applicable to the types of concerns and counter measures needed now that so many employees are empowered to access critical data.
Simple things like separation of accounts payable and accounts receivables duties were figured out over a hundred years ago. Applying the same thought to data handling is required.
HR is usually responsible for tasks such as background checks, creating and publishing acceptable use policies and ultimately enforcing them. But the greatest number of tasks fall on IT.
Designing, deploying and enforcing access controls, determining the best tools and technologies to monitor, alert, and block malicious activity falls to the IT department which means ultimately the CIO.
Most organizations have separate security groups whose resources have been tied up with managing desktop anti-virus, tracking down and cleaning up worm infections, and managing firewalls and logs for compliance.
Those groups have to take on the additional burden of access controls and activity monitoring.
It is the only way to ensure that there is some hope of surviving an attack from an insider. In many cases the tools for granular access controls and even monitoring are already available; they just have to be used.
What are organizations doing about the insider threat?
Organizations that have realized that it is time to start responding to the insider threat are following these steps:
1. Updating policies and republishing them. And getting end user buy-in.
2. Deploying or turning on activity monitoring tools
3. Using fine-grained access controls and identity management
Usually these steps are taken after an incident has occurred.
A disgruntled employee leaves a logic bomb that destroys data, or simply leaves without revealing the passwords to the routers and firewalls the way an employee of the City of San Francisco did in 2008. It is during the triage phase of dissecting just what happened that organizations realize that they need to do more about locking down their systems.
Often they will create an incident response team to coordinate the reaction to future problems while simultaneously instituting new controls.
These three steps, new policies, activity monitoring, and fine-grained access controls, are just the beginning.
Next is to deploy systems to enforce those policies which involves new network devices, as well as stronger authentication.
Along with that level of investment comes the alerting, reporting, and response capabilities mandated by compliance requirements.
Use these three steps to get started but be aware that there is more investment needed before you will have countered the insider threat.
How can traditional security management tools be used to counter the insider threat?
Let’s look at the minimum tools that you might have at hand: firewall policy management, IDS, and some sort of way to control configurations and anti-virus on the desktop.
You might also have a Security Information management system in place to handle the millions of alerts from your Intrusion Detection System.
Some quick first steps. First make sure that your remote access VPN server is in a firewalled segment of your network, a DMZ.
Then tighten up your firewall rules. When I say deny all except that which is explicitly allowed I mean it! In particular deny carte blanche access to your remote users.
Second, turn on logging at the firewall for connections such as ftp or telnet if you absolutely need those services.
Now, the next step is to get your IDS to help you. What you need is to alert on types of behavior and applications that indicate insider abuse.
File transfers, use of scanning tools, unusual behavior at odd times of day. If you have a Security Information System that can filter logs and alerts use it to give you better pattern recognition.
Finally, use your desktop configuration tools to lock down desktops. Do not allow installation of applications like BitTorrent, Skype, Lophtcrack, things that an inside hacker can use to cause harm.
You can do a lot to counter the insider threat with tools at hand. You just have to use them.
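The IDS-style pattern recognition described above (file transfers at odd hours, use of scanning tools) as an added example that is not part of the original post: a small Python pass over constructed firewall/IDS log lines. The log format, the business-hours window and the scan threshold are assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed firewall/IDS log lines (not from any real system). Fields:
# date time user source destination dst_port service action
SAMPLE_LOG = """\
2009-11-10 14:02:11 jsmith 10.1.5.23 10.1.9.40 443 https allow
2009-11-10 02:17:45 jsmith 10.1.5.23 203.0.113.9 21 ftp allow
2009-11-10 02:18:02 jsmith 10.1.5.23 203.0.113.9 21 ftp allow
2009-11-10 09:30:00 rlee 10.1.5.31 10.1.9.40 22 ssh allow
2009-11-10 09:30:01 rlee 10.1.5.31 10.1.9.40 23 telnet allow
2009-11-10 09:30:01 rlee 10.1.5.31 10.1.9.40 25 smtp allow
2009-11-10 09:30:02 rlee 10.1.5.31 10.1.9.40 80 http allow
2009-11-10 09:30:02 rlee 10.1.5.31 10.1.9.40 445 smb allow
2009-11-10 09:30:03 rlee 10.1.5.31 10.1.9.40 3389 rdp allow
2009-11-10 11:15:27 mchen 10.1.5.40 10.1.9.41 445 smb allow
"""

TRANSFER_SERVICES = {"ftp", "sftp", "scp", "smb"}   # services that move files
WORK_HOURS = range(7, 20)       # 07:00-19:59 is business hours (assumption)
SCAN_PORT_THRESHOLD = 5         # distinct ports on one host from one source (assumption)

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        day, clock, user, src, dst, port, svc, action = line.split()
        events.append({
            "time": datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S"),
            "user": user, "src": src, "dst": dst,
            "port": int(port), "service": svc, "action": action,
        })
    return events

def off_hours_transfers(events):
    """File transfers outside business hours: the 2 a.m. ftp session is the
    'unusual behavior at odd times of day' worth an alert."""
    return [e for e in events
            if e["service"] in TRANSFER_SERVICES and e["time"].hour not in WORK_HOURS]

def probable_scans(events):
    """One user/source touching many distinct ports on a host looks like a scanning tool."""
    ports = defaultdict(set)
    for e in events:
        ports[(e["user"], e["src"], e["dst"])].add(e["port"])
    return {key: sorted(p) for key, p in ports.items() if len(p) >= SCAN_PORT_THRESHOLD}

def report(log_text):
    """Users to follow up on, by indicator, from one pass over the log."""
    events = parse(log_text)
    return {
        "off_hours_transfers": sorted({e["user"] for e in off_hours_transfers(events)}),
        "scanners": sorted({key[0] for key in probable_scans(events)}),
    }
```

Feeding the same rules into a log-filtering SIEM, rather than a script, is what the post means by using it "to give you better pattern recognition".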
What part does identity and access management play in mitigating the insider threat?
Identity and Access Management tools are the single most valuable defense you have against the insider threat.
IAM can encompass many components including authentication (biometrics, smartcards, One Time Password tokens) provisioning (assigning and revoking access), granular entitlements, alerting, reporting, and compliance.
Without the authentication aspect users become comfortable with what amounts to anonymous access.
They become aware of the fact that they can browse pornography, access documents, host unauthorized tools and applications (Skype, BitTorrent, games) without fear of repercussion.
Without an Identity and Access Management system in place you lose control of who has access to what.
After deploying a stronger authentication system and a way to manage it you finally have granular control over what people do on your networks and a means to enforce the policies that regulation and security best practices require.
I visited one State Government that had NEVER revoked a user ID.
There were thousands of people that could still access State systems if they were on the inside of the network.
You cannot begin to get control over privileged accounts, IT administrators, or even software licensing costs until you enable an effective Identity and Access Management solution.
If you have a lot of remote users and no IAM you have opened yourself up to 24X7 abuse of your systems.
So, start with an Identity and Access Management system, build in strong authentication where you want to eliminate deniability, and begin building a response to the insider threat.
Is encryption a tool that can protect against insider abuse of data?
Short answer yes, long answer no. Encryption, of course, prevents many embarrassing data loss incidents.
If an insider thought that he or she could grab a backup tape of customer data for instance, encryption would foil that attempt.
And certainly encrypted hard drives on laptops will avoid the data loss issues around laptop theft. But the insider threat is almost impossible to counter using traditional encryption policies and practices.
The insider is already trusted with access to critical information. They are an employee or contractor whose job requires them to use that data. If they want to steal it they can.
Say you had a complete Digital rights management system in place (DRM). No document could be opened, copied, printed or forwarded without explicit permission. Great. But the insider can see that data.
Imagine someone sitting in the telesales operations bull pen.
He could copy data from the customer records he dealt with. He could text credit card numbers to an accomplice.
He could use a camera to take screen shots of the data.
Encryption, while a critical element for data protection, is not an effective measure for countering the insider threat.
How can we manage entitlements?
Entitlements are the connection between users and allowed access. Who has authorized access to which services? It can even go down to the data level: who has rights to what documents, tables, information?
Defining and enforcing entitlements is the hardest part of cracking down on the insider threat. When responding to a new set of threats or an escalation in threats I always advise keeping it simple.
In the case of user access to data and applications the most common enforcement point is at the existing directory where groups are defined.
As a first step create a group for each function in the organization: Sales, HR, Finance, Manufacturing, doctors, nurses, pharmacists, and so on…
Define which systems they, at a minimum, need to access to get their jobs done. Go ahead and implement that coarse-grained level of entitlements.
Then, build a user administrated tool for requesting and receiving exceptions. Ideally, this would be automated and then reviewed regularly.
So, yes there is a risk that a sales person may request access to say finance data, but he or she does so at their own risk of being called out for inappropriate access.
The key tool for accomplishing all of this is an Identity and Access Management system.
It ensures that the user associated with each set of credentials is who they say they are and then allows the access based on first coarse-grained and eventually fine-grained policies.
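The coarse-grained entitlement scheme just described, as an added example that is not part of the original post: one group per business function, the minimum systems for each, and a self-service exception path that is granted automatically but recorded for regular review. The function-to-system map, the user directory and the system names are constructed for the illustration.

```python
from datetime import date

# One group per business function and the minimum systems that group needs.
# Constructed sample data, not any real organization's directory.
FUNCTION_SYSTEMS = {
    "Sales":   {"crm", "email"},
    "Finance": {"erp", "payroll", "email"},
    "HR":      {"hris", "payroll", "email"},
}
# What the directory answers when asked which function a user belongs to (constructed).
USER_FUNCTION = {"jsmith": "Sales", "rlee": "Finance", "mchen": "HR"}

class Entitlements:
    def __init__(self, function_systems, user_function):
        self.function_systems = function_systems
        self.user_function = user_function
        self.exceptions = {}   # (user, system) -> request record
        self.audit = []        # every decision and request, kept for review

    def is_allowed(self, user, system):
        """Coarse-grained check: the user's function group, plus any recorded exception."""
        group = self.user_function.get(user)
        in_role = system in self.function_systems.get(group, set())
        allowed = in_role or (user, system) in self.exceptions
        self.audit.append((user, system, "allow" if allowed else "deny"))
        return allowed

    def request_exception(self, user, system, justification, requested_on=None):
        """Out-of-role access is never given by widening the group; it is granted
        as a recorded exception that the requester can be called out for later."""
        record = {"justification": justification,
                  "requested_on": requested_on or date.today()}
        self.exceptions[(user, system)] = record
        self.audit.append((user, system, "exception granted"))
        return record

    def review(self):
        """What a periodic reviewer should look at: every standing exception,
        and every denied attempt (a salesperson probing finance data, say)."""
        denials = [entry for entry in self.audit if entry[2] == "deny"]
        return {"exceptions": sorted(self.exceptions), "denials": denials}
```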
What about employee awareness training?
Contrary to many areas of info security the insider threat can be countered, in part, by employee training.
But I am not advocating once a year three day seminars on the evils of short passwords and the dangers of a Kevin Mitnick in your front lobby.
Normally the benefits from security awareness training are as ethereal as a mal-formed packet. The investment and loss of productivity from these training programs is never recovered.
But, countering the insider threat is different. You are not educating insiders to change their behavior from bad to good, you are warning them not to change their behavior from good to bad. You do this in two ways.
First, you republish your organization’s acceptable use and confidentiality policies and require everyone to acknowledge receipt. Make it simple and to the point. Company information is company information.
Violators will be punished. Second, as part of your activity monitoring, you alert the insider every time they attempt to violate the policy.
Browsing to an inappropriate web site, using Skype or AIM, using web based email from work.
Let them know that you are watching them.
The very best counter to the insider threat is the cyber equivalent of the camera over your shoulder. Just as cameras can prevent shoplifting, visible activity monitoring can prevent data theft.
Are there any times that the insider threat is greatest?
Yes, there are specific times that the insider threat is greatest. Change is bad for the smooth flow of business processes.
When switching over from one system to another things fall through the cracks. So mergers and acquisitions pose a special threat.
There are new insiders to deal with, some of whom may not like the new regime.
Economic disruption leads to an increase in malicious insider activity as well. If an organization announces cut backs and layoffs that is when insiders start to think about their own needs over those of their employer.
Who has not made a backup of their records, customer contacts, and email when they suspect that they may lose their jobs?
Engineers are pack rats. They save everything. Salespeople consider the records of their interaction with customers to be theirs and if they find a new job they are going to want to have those records. Obviously the motivation that creates a “disgruntled” employee is fed by announcements of layoffs.
As organizations struggle to survive they tend to make insiders feel insecure. It is natural for insiders to take steps to protect their livelihood.
There may be an increased likelihood of data being stolen and sold. Remember the incident at Countrywide where the insider started to sell loan application information to an identity thief?
Unfortunately, an economic downturn is not the best time to propose investments in better security so you may be stuck with insufficient controls just when you need them the most.
What are the first steps an organization should take to mitigate the insider threat?
Assuming you are like most organizations, the way you deployed networks, applications, and new services was wide open.
When you rolled out your CRM solution for instance the main task was to get everyone, especially the salesforce, to use it religiously.
You cannot derive full benefit from a CRM application unless everyone uses it all the time.
Imposing access controls on what people can do with it (like download the entire customer list) inhibits people from using it.
You want everyone to share information since that has immediate benefits in improved productivity, faster time to market, and profitability.
But having no controls has led to the current situation of exposure to abuse by insiders.
So the first step in mitigating the insider threat is to re-publish your acceptable use policy and get everyone’s buy in.
That policy should state that all activity on all systems is monitored and logged.
The second step is to make sure that you really are monitoring and logging all activity. As you look at your logs you will quickly realize that there are many activities on your systems that cannot be traced back to an individual.
Start with those. Slowly start building in more granular controls until you eliminate these anonymous activities one at a time.
The third step will require the most investment. That is to deploy stronger authentication. Usernames and passwords do not cut it.
Not only can a malicious insider deny their activity with the excuse that their credentials must have been used by somebody else, but the insider could truly steal someone else’s credentials to access the system they are abusing.
Strong authentication must be tied to the individual. A smart card or one time password token makes it much harder to deny an action, and the insider knows this.
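The second step above (find the activity in your logs that cannot be traced back to an individual, and start there) and the earlier point about DBAs logging in with the web server's elevated credentials, as one added example that is not part of the original post: a Python pass over a constructed database audit log that surfaces service-account use from the wrong hosts and ranks the accounts whose actions are anonymous. The log format, account names and host lists are assumptions for the illustration.

```python
from collections import defaultdict

# Constructed database audit log (not from a real system): account, source host, action.
AUDIT_LOG = """\
webapp app-srv-01 SELECT customers
webapp app-srv-01 SELECT orders
webapp dba-ws-07 SELECT customers
webapp dba-ws-07 COPY customers TO '/tmp/cust.csv'
dbadmin dba-ws-07 ALTER TABLE orders
dbadmin dba-ws-12 DROP TABLE audit_archive
dbadmin ops-ws-03 BACKUP orders
rlee dba-ws-12 SELECT orders
"""

# Service accounts and the hosts they legitimately connect from (assumption).
SERVICE_ACCOUNTS = {"webapp": {"app-srv-01", "app-srv-02"}}
# Shared administrative accounts used by several people on several shifts (assumption).
SHARED_ADMIN_ACCOUNTS = {"dbadmin"}

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        account, host, action = line.split(maxsplit=2)
        events.append({"account": account, "host": host, "action": action})
    return events

def service_account_misuse(events):
    """A service account connecting from anywhere but its own servers means a
    person (typically a DBA who knows the password) is borrowing the
    application's credentials, and the action cannot be attributed to anyone."""
    return [e for e in events
            if e["account"] in SERVICE_ACCOUNTS
            and e["host"] not in SERVICE_ACCOUNTS[e["account"]]]

def unattributable_activity(events):
    """Actions under accounts that do not map to one individual, as
    (account, action_count, distinct_hosts) tuples ranked by volume: the
    first things to replace with individual credentials."""
    counts = defaultdict(int)
    hosts = defaultdict(set)
    for e in events:
        if e["account"] in SERVICE_ACCOUNTS or e["account"] in SHARED_ADMIN_ACCOUNTS:
            counts[e["account"]] += 1
            hosts[e["account"]].add(e["host"])
    return sorted(((acct, counts[acct], len(hosts[acct])) for acct in counts),
                  key=lambda t: -t[1])
```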
Are there situations that cannot be addressed by IT?
Of course the insider threat transcends IT and controls. Look at how much information is in paper form, or look at the business processes that cannot be controlled.
The CFO and the CEO of Satyam colluded for years to hide what amounted to a billion dollars of vapor assets. And who is in more of a trusted, privileged position in an organization than the CEO and CFO?
Would better controls have prevented Enron? The disgruntled employee that goes “postal” and causes physical mayhem.
The bank teller that pockets cash deposits. The fraudulent accident claims or discrimination suits.
The insider that copies and faxes the secret formula for Coke.
All of these just highlight the wisdom in putting in controls that are commensurate with the power granted to employees.
Think how easy it is for a trusted insider to spill information about a new product, a new TV show, the next great design to come out of Detroit or Milan, the next version of an iPhone, or laptop.
Building, earning, and enforcing trust is a bigger issue than IT alone can handle.
IT risks are not the only risks. And IT controls are not the answer to eliminating all risk from insider actions.
