Is Your Organization Protected Against Insider Threat and IT Sabotage?

Insiders, by virtue of their easy access to organizations' information, systems, and networks, pose a significant risk to employers. Every day, there's a new shocking headline concerning a major network security breach caused (knowingly or unknowingly) by a corporate insider. And the number of security breaches that start from within keeps growing - particularly in this down economy, as the number of disgruntled employees escalates. You'd think that large organizations in particular would be rushing to protect themselves from such headlines and liability, but they just aren't getting the message. Nor are they taking the necessary steps to protect themselves from a policy and technical standpoint.

Insider threats are a complex scenario in that they are the root cause of many breaches, through a wide variety of methods. Some insider threats are malicious, but the majority of threats are due to the commission of dangerous and thoughtless activities that expose an organization's infrastructure to attack, both internally and externally. Both categories of threats can be controlled and the damage contained if an organization takes the necessary steps to educate its staff, but it also needs to implement appropriate hardware and software technology to deal with real-world security threats.

Understanding the Insider Threat

Unfortunately, most organizations concentrate on external threats posed by their web sites that face the outside world. Companies have also become adept at protecting their email servers from outsiders. When it comes to insider threats, however, most organizations let down their guard and in some cases remove virtually all security controls within their environment. The net result is that a single compromised machine has free access to all of the resources in an organization. Most businesses simply don't appreciate how easily machines can become compromised and act as unrestrained proxies for external hackers, criminals or competitors.

For organizations, these insiders include every employee. According to a new Deloitte survey of CISOs, "Protecting What Matters: The Sixth Annual Global Security Survey," only 36 percent of respondents expressed confidence that their organizations are prepared to prevent or block cyber-attacks from internal threats. These inside threats might include the CEO who insists that there be no security on his or her machine, then allows a child to use the system at home where it gets infected, thereby bringing the infection back into the clean network. It can be the IT staff who are negligent in setting up password policies, fail to use two-factor authentication on sensitive resources, or simply do not put an appropriate firewall in place, all because it creates too much work for them. Or it can be the everyday office worker who surfs to an appealing web site, accepts an offer, and turns their machine into a Trojan horse that infects every other machine (all without knowing this is even happening). There's also the case of the malicious or nervous employee who is concerned about their job and is seeking "insurance" by snooping through the network, or by planting logic bombs to destroy the company network that cannot be turned off unless that employee is paid off. Even IT managers can depart an organization with the secrets to how systems and applications work, or simply refuse to document the infrastructure they manage to assure their job security.

A determined malicious insider can't be completely stopped, but their access and damage can be contained to an acceptable level.  This is a matter of balancing the cost and complexity of implementing appropriate security technology, as well as security policies (i.e., password length, history, maximum age), against the value of assets being protected.  It is easy for organizations to go overboard and implement high security on trivial assets, just as it is more common to have no security based on everyone trusting everyone (the zero cost/complexity solution).

Common Sense Steps to Thwarting Insider Attacks

Let's make the assumption that every machine in the company could be compromised and every employee is malicious. Organize data and systems physically and logically so that they are secured in a manner appropriate to the sensitivity of the information contained in the systems. Turn on auditing appropriate to the resources being monitored and invest in software to actively monitor the logs and alert when unusual activities are detected. Back up everything that is critical and have a real disaster recovery plan. Utilize third-party penetration testing organizations to check the internal and external security of the organization. Scan all machines regularly for foreign and unauthorized software and remove unknown and unauthorized products immediately. And finally, make sure that Microsoft Update services are always running on all systems.
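The "monitor the logs and alert on unusual activity" step above is easier to evaluate with a concrete rule set in hand. The following is an added example, not code from the original article: it parses a handful of constructed audit events (the log format, hostnames, user names, the business-hours window, the failed-logon threshold and the share-to-user mapping are all assumptions) and raises an alert for after-hours logons, use of a privileged account, repeated logon failures, access to a sensitive share by someone outside its group, and installation of a service, which maps to the "foreign and unauthorized software" check.

```python
"""Added example: rule-based review of constructed audit events.

Everything here (log format, names, thresholds) is an assumption made for
illustration; it is not the article's tooling or any vendor product.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, one per line: ISO timestamp followed by key=value pairs.
SAMPLE_LOG = r"""
2009-03-02T09:02:11 user=jdoe host=ws-041 event=logon result=success
2009-03-02T09:05:40 user=jdoe host=ws-041 event=file_access path=\\fs01\hr\payroll.xls
2009-03-02T12:14:05 user=bsmith host=ws-102 event=logon result=failure
2009-03-02T12:14:09 user=bsmith host=ws-102 event=logon result=failure
2009-03-02T12:14:13 user=bsmith host=ws-102 event=logon result=failure
2009-03-02T12:14:18 user=bsmith host=ws-102 event=logon result=failure
2009-03-02T23:41:00 user=rmiller host=db01 event=logon result=success
2009-03-03T02:10:22 user=Administrator host=dc01 event=logon result=success
2009-03-03T02:11:03 user=Administrator host=dc01 event=service_install name=cleanup.exe
"""

BUSINESS_HOURS = (7, 19)                      # 07:00-19:00 is "normal" (assumed policy)
PRIVILEGED_ACCOUNTS = {"Administrator", "root"}
FAILED_LOGON_THRESHOLD = 3                    # failures within the window that trigger an alert
FAILED_LOGON_WINDOW = timedelta(minutes=5)
# Sensitive share prefix -> users allowed to read it (assumed group membership).
SENSITIVE_SHARES = {r"\\fs01\hr": {"hrlee"}}


def parse_event(line):
    """Turn one log line into a dict; the timestamp becomes a datetime under 'ts'."""
    stamp, *fields = line.split()
    event = {"ts": datetime.fromisoformat(stamp)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def detect(log_text):
    """Run every rule over the log and return the alerts in log order."""
    alerts = []
    failures = defaultdict(deque)   # user -> timestamps of recent failed logons

    def alert(event, rule, detail):
        alerts.append({"ts": event["ts"].isoformat(), "user": event.get("user", "?"),
                       "rule": rule, "detail": detail})

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        kind, user = ev.get("event"), ev.get("user", "?")

        if kind == "logon" and ev.get("result") == "success":
            hour = ev["ts"].hour
            if not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]):
                alert(ev, "after_hours_logon", f"{user} on {ev['host']} at {ev['ts']:%H:%M}")
            if user in PRIVILEGED_ACCOUNTS:
                alert(ev, "privileged_logon", f"{user} interactive logon on {ev['host']}")

        elif kind == "logon" and ev.get("result") == "failure":
            window = failures[user]
            window.append(ev["ts"])
            # Drop failures that fell outside the sliding window.
            while window and ev["ts"] - window[0] > FAILED_LOGON_WINDOW:
                window.popleft()
            if len(window) >= FAILED_LOGON_THRESHOLD:
                alert(ev, "repeated_logon_failure",
                      f"{len(window)} failures for {user} on {ev['host']}")
                window.clear()   # fire once per burst rather than on every further failure

        elif kind == "file_access":
            path = ev.get("path", "")
            for share, allowed in SENSITIVE_SHARES.items():
                if path.startswith(share) and user not in allowed:
                    alert(ev, "sensitive_share_access", f"{user} read {path}")

        elif kind == "service_install":
            # Any new service is reviewed; it may be an unauthorized product.
            alert(ev, "unauthorized_software", f"{user} installed {ev.get('name')} on {ev['host']}")

    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['ts']}  {a['rule']:<24} {a['detail']}")
```

The thresholds are deliberately crude; in practice the after-hours rule would be tuned per role and the share rule fed from the directory's real group membership, but the structure (parse once, run independent rules, emit a reviewable alert record) is what the monitoring software the article calls for actually does.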

Ultimately, proactive monitoring of systems for unusual activities, securing all systems, changing passwords regularly and assuming the worst at all times can protect an organization best.  For the most part, it is a matter of education and reeducation when an insider makes a mistake and exposes the organization to threats.  For malicious internal users, it is a matter of periodically checking your security settings on systems, not allowing unlimited exposure to high "privileged" accounts, physically isolating systems and monitoring users' physical access via recorded cameras in server rooms.

In the case of administrator or root passwords, these should not be known to anyone within the IT department.  A fire call or privileged account password management system should be employed to only allow authorized users limited time access to these accounts with appropriate workflow sign-off before the account access is granted.  Users should never be granted administrator privileges to their local systems.  The IT department should not be allowed to set up machines with a common password, and ultimately, there should be no common accounts that provide universal access to all or many systems.
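To make the "fire call" workflow concrete, here is an added example of a minimal privileged-account vault; it is not code from the article or from any commercial product. The account name, user names, lease limits and the in-memory audit trail are assumptions. Nobody is told the password up front: a requester asks for a bounded lease, a different person approves it, the credential is disclosed only at check-out, and it is rotated when the lease is checked in or expires, so the value a person saw is worthless afterwards.

```python
"""Added example: a toy privileged-account check-out ("fire call") workflow.

The vault, its policy numbers and the audit format are assumptions for
illustration, not the article's or any vendor's implementation.
"""
import hmac
import secrets


class PrivilegedAccountVault:
    """Holds one privileged credential; people only ever get a time-limited lease."""

    def __init__(self, account, max_lease_seconds=2 * 3600):
        self.account = account
        self.max_lease_seconds = max_lease_seconds
        self._secret = self._new_secret()   # generated here, never shown to anyone at rest
        self.requests = {}                   # request id -> lease record
        self.audit = []                      # append-only record of every step

    @staticmethod
    def _new_secret():
        return secrets.token_urlsafe(24)

    def _log(self, now, actor, action, rid=""):
        self.audit.append({"t": now, "actor": actor, "action": action, "request": rid})

    def request_access(self, requester, reason, seconds, now):
        """Open a lease request; the duration must fit policy. Returns the request id."""
        if seconds <= 0 or seconds > self.max_lease_seconds:
            raise ValueError("requested lease outside policy")
        rid = secrets.token_hex(4)
        self.requests[rid] = {"requester": requester, "reason": reason,
                              "seconds": seconds, "state": "pending", "expires": None}
        self._log(now, requester, f"request: {reason}", rid)
        return rid

    def approve(self, rid, approver, now):
        """Workflow sign-off by someone other than the requester."""
        req = self.requests[rid]
        if approver == req["requester"]:
            raise PermissionError("requester may not approve their own request")
        if req["state"] != "pending":
            raise ValueError(f"request is {req['state']}, not pending")
        req["state"] = "approved"
        req["expires"] = now + req["seconds"]   # clock starts at approval
        self._log(now, approver, "approve", rid)

    def checkout(self, rid, requester, now):
        """Disclose the credential to the approved requester for the lease period."""
        self._expire(now)
        req = self.requests[rid]
        if req["requester"] != requester:
            raise PermissionError("lease belongs to someone else")
        if req["state"] != "approved":
            raise PermissionError(f"lease is {req['state']}, not approved")
        req["state"] = "active"
        self._log(now, requester, "checkout", rid)
        return self._secret

    def checkin(self, rid, now):
        """Close the lease early and rotate, so the disclosed value dies with the lease."""
        req = self.requests[rid]
        req["state"] = "closed"
        self._secret = self._new_secret()
        self._log(now, req["requester"], "checkin+rotate", rid)

    def _expire(self, now):
        """Any lease past its deadline is ended and the credential rotated."""
        for rid, req in self.requests.items():
            if req["state"] in ("approved", "active") and now >= req["expires"]:
                req["state"] = "expired"
                self._secret = self._new_secret()
                self._log(now, "system", "expire+rotate", rid)

    def credential_valid(self, candidate, now):
        """Stand-in for the target system's check: current secret AND an active lease."""
        self._expire(now)
        active = any(r["state"] == "active" for r in self.requests.values())
        return active and hmac.compare_digest(candidate, self._secret)


if __name__ == "__main__":
    vault = PrivilegedAccountVault("root@db01")           # hypothetical account
    rid = vault.request_access("jdoe", "apply security patch", 1800, now=1000)
    vault.approve(rid, "msmith", now=1000)
    password = vault.checkout(rid, "jdoe", now=1010)
    print("valid during lease:", vault.credential_valid(password, now=1500))
    print("valid after expiry:", vault.credential_valid(password, now=2800))
    for entry in vault.audit:
        print(entry)
```

Time is passed in explicitly as integer seconds so the expiry logic can be exercised without waiting; a real deployment would rotate the credential on the target system itself through its administrative interface rather than inside the vault, and the audit entries would go to the same monitored log store as the rest of the organization's events.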

Firewalls, intrusion detection systems, and electronic building access systems can also be implemented, primarily to defend against external threats. Other third-party technologies do exist to protect organizations from the insider threat.

These external threat systems are the same ones needed for internal threats; assume that attacks like those seen from the Internet will also occur on the internal network. It is only prudent to implement firewalls and VPNs within the corporate network to isolate key resources from unlimited access. Key systems must be locked away so that they cannot be tampered with physically. Multiple physical networks should be implemented so that sensitive traffic is physically isolated (security beyond VLANs). Two-factor authentication should be implemented for VPN access and for access to sensitive systems. Encryption technology can be used to secure internal traffic when possible and practical. System MAC addresses and certificates should be verified before machines can connect to the network (this eliminates people bringing in their home systems and infecting the network). And wireless technology should not be connected to the corporate network.

Accountability and Moving Forward

To really protect an organization from the insider threat, you have to begin from the top down, and really educate C-level executives in the practices and patterns necessary to make IT a competitive advantage, rather than a cost center.  There needs to be both financial and public accountability for the investment/lack thereof in securing information.  C-level executives should not be given a passing grade just because they signed off on a huge budget for their financial auditors.

In the case of firms and professionals hired to provide security auditing for companies and fail, their identities and faults should be publicly disclosed and their reputations tarnished or burnished based on how well they secure and educate their customers, rather than by how much they can bill their clients for their services.  In the recent case of job site, in which hackers broke into the online recruitment site's password-protected resume library, the name of the firm responsible for its security was never disclosed.  Similarly, in the Heartland exploit, there was no disclosure of the firm responsible for auditing their security.  In both of these cases, no CEOs lost their jobs and there has been no public consequence for the CSO or CIO involved.  Clearly there is little consequence to C-level executives or their high-priced auditing firms for completely blowing their security management.

Can malicious or reckless insiders be stopped? Yes, but insider threats can only be prevented through a layered defense of policies, procedures, and technical controls. Therefore, management must pay close attention to many aspects of its organization, including its business policies and procedures, organizational culture, and IT environment.