The threat posed by authorized personnel is well documented by research and court cases. According to ACFE, U.S. organizations lose an estimated $652 billion to fraud annually. Unfortunately, insider threat is not limited to fraud. There is also sabotage, negligence, human error and exploitation by outsiders to consider. If you have not taken a hard look at insider threat controls in your organization, now is the time.
I. Classification and Impact
Analysis
Start by classifying critical information by
confidentiality, integrity and availability with associated impact ratings. NIST SP 800-60 provides sample information categories and
impact definitions.
| Data Type | Confidentiality | Integrity | Availability |
| Trade Secrets | High | High | Medium |
| Human Resources | High | Medium | Low |
| Financial | High | High | Medium |
Now that your data has been defined and classified by CIA rating, identify system boundaries. Boundaries should include systems, data flow, networks, people and hard copy printouts.
II. Identification of Baseline
Controls
Next, establish baseline control standards that map to
impact categories. NIST SP 800-53 provides baselines broken into high, medium and low control appendixes. The Australian NSW
Baseline Controls and PCI Data Security Standards are also well-written. In some
cases, baseline controls will be procedural versus technological (e.g. storing
sensitive documents under lock and key and using a cross-cut shredder to dispose
of them). Insiders are familiar with internal controls and may find a way around
a single or poorly implemented control. Pay particular attention to the control
categories that follow.
Human Resources
Human resources personnel
should follow well-defined in-processing and out-processing procedures. Conduct
criminal background investigations, credit checks and employment verification
for all personnel, including contractors, temporary staffing and cleaning crews.
Periodically repeat background checks for people in highly-sensitive positions.
Require all personnel to sign a document stating they have read and understand
the information security policies. Ensure third party contractors and service
providers comply with your security requirements (e.g. employment and
background checks of new personnel). Establish an anonymous fraud, waste and
abuse reporting mechanism. Many crimes committed by insiders were suspected by
employees. Alert information security personnel when an employee is identified
as troubled or disgruntled.
Security Awareness Program
All personnel
must become familiar with security policies and procedures. Establish a
comprehensive awareness program to include annual security training with a
testing component, e-mail tips, posters, a letter of support from senior
management, self-assessment surveys, awareness luncheons, and a security web
site. Better yet, supplement training with awareness briefings. Briefings give
personnel the opportunity to ask questions and put the information security team
in the position of advocating security initiatives.
Access Control
Accesses should be issued
based upon a person's need-to-know in routine performance of their duties. When
possible, issue accesses based upon role. Take into consideration IT roles such
as developers, system and application administrators, etc. Define roles within
accounting and payroll. All access requests should be formally documented and
approved by a direct supervisor. For access to sensitive systems, require
approval of a data owner as well. Two-person integrity controls should be
implemented to secure extremely sensitive information (e.g. trade secrets).
Configure building access cards to restrict personnel to the areas and time
periods required in performance of their duties. Each quarter ask managers to
formally sign-off on the privileges of their direct reports. As employees
transition to new positions, they may retain accesses from their previous role.
Separation of duties should be used as an additional control.
Here are a few examples: Separate roles should be required to create an account
and write a check. Developers should not have access to production systems. Code
reviews should be performed by someone other than the author of the code.
Administrators should not be the only group reviewing logs. For more
information, see the ISACA separation of duties matrix.
Establish
applications that provide a view into sensitive data versus the ability to
download the entire database. Use terminal servers to provide remote access to
data and systems while preventing file downloads (e.g. when developing
software).
Administrators
Administrators have complete
control over systems and applications. Prohibit use of default administrative
accounts to facilitate accountability. Ensure Windows domain administrators use
unique accounts tied to their name and the default administrator account is
deleted from servers during the installation process. Configure UNIX and Linux
systems to force administrators to login as themselves, then use the switch
users (su) command to access root-level administrative privileges. Application
administrators and operations personnel may need access to a few root-level
commands in performance of their duties. Use software to delegate specific root
privileges to them (e.g. sudo, RBAC, RSBAC or Power Broker). Encrypt databases
to prevent system administrators and anyone with access to a backup tape from
viewing sensitive information.
Workstations
Laptops can store large
amounts of sensitive information and are frequent targets of thieves. Issue
laptops based upon business need and with consideration of the type of
information typically processed. The U.S. government has recently mandated
laptop encryption and two-factor authentication. It makes sense to follow their
lead. Configure bios passwords as an additional control.
Restrict
workstation administrative access to the desktop team. This privilege can be
used to install unlicensed software or circumvent security controls (e.g.
disable anti-virus software or reverse system hardening configurations).
Exceptions should be limited to personnel with a well-defined need for
administrative privileges in performance of their duties, including formal
sign-off by their manager.
Finally, restrict who has access to use UBS
storage devices. They can be used to download sensitive data and may also act as
an avenue to introduce viruses into the network.
Network Security
Configure firewalls by
security best practices. Restrict outbound traffic to common services such as
HTTP and HTTPS. Use application proxies to limit traffic to designated protocols.
Establish separate rules to limit outbound file transfers to an authorized set of
users and systems. Restrict accesses between offices to specific systems, ports
and protocols. Use network segregation to restrict access to systems hosting
sensitive data based (e.g. DMZs, extranets and VLANs). Block peer-to-peer file
sharing services, instant messenger and services that allow unauthorized external
access to the corporate network (e.g. GoToMyPC, pcAnywhere and Citrix Online).
Block external e-mail web sites as well. All e-mail should be conducted using company
systems. If an employee needs access to one of the above services, confirm the
business requirement and create a specific rule to meet their needs. Finally,
scan outgoing e-mail for sensitive information such as project codenames.. An SSL
scanner should also be used to scan encrypted traffic streams.
Social Engineering
Con artists may attempt
to extract information from authorized personnel or get them to take actions on
their behalf. There are three basic methods to address this threat: (1) raise
awareness of the techniques used by social engineers, (2) establish well-defined
processes to protect sensitive data and valuable assets, and (3) provide an
escalation path.
Backups
Conduct restore tests of critical
systems at least annually. Disgruntled employees have been known to sabotage or
blackmail companies by corrupting critical data and waiting for the change to
spread through off-site backup rotation. Take backups of workstations to provide
a record of employee activity. Encrypt backup tapes and e-vaulting data to keep
sensitive information confidential while off-site.
Audit Trails and Monitoring
So far we have
primarily addressed preventive controls. Detective controls are necessary
because authorized personnel need privileges to get their jobs done. That brings
us to audit trails and monitoring. Configure audit trails for each system
component (e.g. network devices, operating systems, commercial software and
custom applications). Learn the logging capabilities of each component and
configure it to record significant events. Log actions taken by any individual
with administrative privileges (e.g. execution of commands and access
to audit trails). Audit trails must be protected by file permissions and
synchronized in real-time to a central log server to prevent modification. Once
centralized, logs should be reviewed by automated processes with notification
sent to the appropriate personnel. Database administrators have access to
sensitive information, so they must be monitored as well. Use intrusion detection software to
identify suspicious activity. Implement file integrity software to monitor
configuration files and sensitive data.
III. Implementation
Layer on
baseline controls in accordance with CIA information ratings. This step ties
the organization's business risks into information security controls. Many
organizations are challenged with regulatory compliance and implementation of
security best practices. Do not loose track of the big picture, controls are
meant to insulate the business from unacceptable risk. The simple process of
applying controls based upon data sensitivity and impact ratings will address
most compliance concerns. Any deviation from baseline controls should require
a formal exception approved by information security management and the
business.
IV. Audit
An audit function is required
to ensure sensitive data and valuable assets are appropriately safeguarded. Take
a hard look at who has access to sensitive data and whether those accesses are
appropriate. The audit function should also monitor systems and insiders to
detect illicit activity. Review audit trails searching for security events and
abuse of privileges. Verify directory permissions, payroll controls and
accounting system configurations. Confirm backup software is appropriately
configured and backups complete without error. Review network shares for
sensitive information stored with wide-open permissions. Conduct office space
reviews to determine if security policies and procedures are followed in
practice (e.g. sensitive material is not left unattended, workstation screens
are locked and laptops are secured).
Ensure accesses are systematically rescinded when personnel leave the organization
or their role changes. Obtain a list of current personnel from human resources
and compare it to active accounts (e.g. network accounts, remote access and
local accounts on servers). Stand-alone applications must be checked as well
(e.g. voicemail and company directories).
Review physical security access
logs. Pay particular attention to employee visits after-hours and on the
weekends. If suspicious activity is detected, cross reference video surveillance
feed and system audit trials.
Conduct the assessments identified above at
least quarterly. Automate auditing as much as possible to conserve resources and
detect security violations as they occur. For more information, see the IIA GTAG
Continuous Auditing Guide.
This article scratches the surface of insider threat mitigation. For more information, see the US-CERT Common Sense Guide to Prevention and Detection of Insider Threats. The ACM Occupational Fraud & Abuse Report provides examples of how fraud is committed and guidance for preventing and detecting it. The Yahoo insider-threat group is a good resource to keep up with current events and new developments.
As you can see the threat from within is very real. Trust is necessary but it must be controlled and monitored.
_____________________________________________________________________________________________________________Gideon T. Rasmussen is a Charlotte-based certified information security professional with a background in fortune 50 and military organizations. His website is http://www.gideonrasmussen.com.
References:
1. ACFE Occupational Fraud & Abuse Report
2. NSA INFOSEC Assessment
Methodology (IAM)
3. Dawn
Cappelli: Preventing Insider Sabotage
4. Kelly Martin: U.S.
Gov't Mandates Laptop Security
5. Sharon Gaudin: Case Study of Insider
Sabotage
Copyright © 2006 TechTarget (SearchSecurity.com) All Rights Reserved.
Reprinted with Permission