ISSA Journal | December 2008 (ISSA: The Global Voice of Information Security)

Securing the Enterprise from the Malicious Insider
By Vinoth Sivasubramanian – ISSA member, United Arab Emirates chapter

Insider attacks can be foiled by following a layered defense mechanism consisting of policies and procedures, technical controls, and employee awareness and training.

The threat of attack from insiders is real and substantial.

Insiders are generally people who work in or have a relationship with an organization, including employees, contractors, business partners, subcontractors, and consultants. Insiders have a significant advantage over others who might want to harm the organization: they can bypass physical and technical security measures designed to prevent unauthorized access. Mechanisms such as firewalls, intrusion detection/prevention, and electronic building access systems are implemented primarily to defend against external threats. Insiders, however, are not only aware of the security policies within the organization but may also be aware of security flaws in its systems. A survey conducted by RSA in 2008[1] found that over 50 percent of polled employees circumvent IT security policies to get their jobs done. Respondents reported the following:

• 94% were familiar with their organizational security policies, yet 53% felt the need to work around them
• 64% emailed work documents to their homes
• 5% held a door open for someone they did not recognize
• 43% switched jobs internally and still had accounts which they no longer needed
• 79% reported their company employs temporary workers who have access to critical areas
• 37% stumbled into an area they were unauthorized to access

Insider attacks can be foiled by following a layered defense mechanism consisting of policies and procedures, technical controls, and employee awareness and training. For this, management should look beyond information technology and study the corporate culture, its people and its geographical domains, to combat the malicious insider and keep data safe.

Research shows that insiders who commit crimes are mostly disgruntled employees who act, to some extent, out of revenge. Triggers include termination, disputes with the employer, new supervisors, transfers or demotions, economic conditions, dissatisfaction, and a history of personal frustrations with salaries and bonuses. Detection of these attacks has generally been manual and reactive, not proactive. In most cases system logs were used to identify the instances of attack: remote access logs, database logs, application logs, system logs, network logs, and email logs. Some privileged and technical users, knowing that logs could be used to identify them, would tamper with the logs.

Strategies for managing insider threats
Technical solutions alone cannot always detect or discover insider threats or address them appropriately. Insider threats are personnel threats first and foremost, not technical threats. Human beings require human resource security solutions.

1 http://www.rsa.com/press_release.aspx?id=9703
Insider threats and external threats should be managed cooperatively, as part of a comprehensive security program. However, a special focus on insiders may help organizations close the gap between external and internal security preparedness.

Let us now focus on the various approaches required to combat internal threats.

Enterprise-wide risk assessment
Risk is a combination of threat, vulnerability, and mission impact; therefore, introduce periodic risk assessments in the workplace. Refine and maintain the plans periodically to reduce the risks from both internal and external sources. Perform penetration testing to check whether the risk assessment plan is really working and to identify other potential areas of weakness.

Strong security policies and procedures
This is the first step in combating insider and external threats: develop strong security policies in line with the business of the organization and enforce them strictly. They will be the benchmark against which a violation is judged.

Monitor data at rest and in motion
Few organizations know where all their data resides: multiple servers, personal computers, laptops, USB devices, etc. Organizational data is both at rest and in motion. There are simply too many methods of data storage and too many methods of data transmission; you need to keep track and know where your data is. Conforming to regulations like SOX and HIPAA will help, as they mandate strong data controls.

Manage end devices
End devices like USB drives, PDAs, smart phones, MP3 players, and DVD/CD drives are generally ignored, but they constitute an easy means of data loss: the insider can simply plug in a USB device, transfer the data, and calmly walk out. Proper mechanisms should be in place to monitor which end devices are being connected to systems or to critical assets, disabling them wherever necessary.

Periodic security awareness sessions
A comprehensive written security policy is great but ineffective if not properly communicated. Involve all employees and design engaging training programs with mock sessions: dumpster diving, do-me-a-favor requests, desktop snooping, coffee break analysis (friendly encounters with employees or contractors during breaks or lunch, since people generally let down their guard outside the work environment), shoulder surfing, keyboard logging, USB, CD and DVD dropping, and confidential documents left in the printer tray. Make employees fully aware of the impact an accidental security threat could have on the organization. They should also be properly notified that their systems are being monitored, especially network, system, and security administrators, as well as any privileged user activity. Users must also be trained on the protection of their system passwords and on the acceptable computer usage policy.

Written code of ethics
Have a written code of ethics. It should be prominent and duly signed by each user of privileged accounts, if not by all employees. Having a proper code of ethics and having it signed will help employees understand what they are to do and what they are not to do. This should make them more ethically aware and responsible and ensure they understand that violations would lead to legal or disciplinary action.

Separation of duties and privileges
If all employees are adequately trained in security awareness, and responsibility for critical functions is divided among employees, the possibility that one individual could commit fraud or sabotage without the cooperation of others is very limited. Effective separation of duties requires the implementation of least privilege: authorize people to access only the resources they need to do their jobs.

Strict account management policies
No matter how vigilant employees are in trying to protect their computers, a compromised computer could wreak havoc, as privileged data can be viewed by non-privileged or unauthorized personnel. Therefore, have strict account management policies such as automatic screen lock when a system is idle, password complexity, and password change enforcement.

CCTV
Implement closed-circuit cameras so that insider intervention in sensitive areas can be monitored and corrected. Store the recorded footage and destroy it once corrective actions have been taken or after an audit has been performed. Alternatively, the footage can be archived and stored at another location for further use.

Log, monitor, and audit
Log all activities on all computers and on all systems. Let users be aware that logs will be analyzed periodically for insider threat analysis. This should be an effective deterrent, especially for the highly privileged user who knows that his activities are being logged and audited on a regular basis.
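For the end-device control described above, monitoring starts with knowing when removable storage is attached and whether the device is one the organization issued. The following Python is an added example, not code from the article: it parses kernel log lines in the format Linux prints during USB enumeration and reports mass-storage devices that are not on a corporate allowlist. The log excerpt, host name, vendor/product IDs and the allowlist are all constructed for illustration.

```python
"""Flag removable-storage attachments that are not corporate-issued devices.
Added example (not from the article). The log lines are constructed in the
format the Linux kernel prints during USB enumeration; host name, vendor and
product IDs and the allowlist are assumptions."""
import re
from typing import Dict, List

NEW_DEVICE = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
MASS_STORAGE = re.compile(
    r"usb-storage (?P<port>[\d.-]+):[\d.]+: USB Mass Storage device detected")

# Corporate-issued encrypted drives, by (idVendor, idProduct). Constructed.
ALLOWLIST = {("0951", "1666")}

# Constructed /var/log/kern.log excerpt: a keyboard, an approved drive, then an unknown drive.
SAMPLE_KERN_LOG = """\
Dec  1 09:02:11 ws-017 kernel: usb 1-1.2: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
Dec  1 09:02:11 ws-017 kernel: usb 1-1.2: Product: USB Keyboard
Dec  1 13:41:52 ws-017 kernel: usb 1-1.3: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
Dec  1 13:41:52 ws-017 kernel: usb-storage 1-1.3:1.0: USB Mass Storage device detected
Dec  1 18:07:30 ws-017 kernel: usb 1-1.4: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
Dec  1 18:07:30 ws-017 kernel: usb-storage 1-1.4:1.0: USB Mass Storage device detected
"""


def parse_usb_events(text: str) -> List[dict]:
    """One event per enumerated device; 'storage' is set when the mass-storage
    driver later claims the same port, so the two lines must be paired by port."""
    by_port: Dict[str, dict] = {}
    events: List[dict] = []
    for line in text.splitlines():
        m = NEW_DEVICE.search(line)
        if m:
            ev = {"ts": line[:15], "port": m["port"], "vid": m["vid"], "pid": m["pid"], "storage": False}
            by_port[m["port"]] = ev
            events.append(ev)
            continue
        m = MASS_STORAGE.search(line)
        if m and m["port"] in by_port:
            by_port[m["port"]]["storage"] = True
    return events


def unauthorized_storage(events: List[dict]) -> List[dict]:
    """Mass-storage devices whose vendor/product pair is not on the allowlist."""
    return [e for e in events if e["storage"] and (e["vid"], e["pid"]) not in ALLOWLIST]


if __name__ == "__main__":
    for alert in unauthorized_storage(parse_usb_events(SAMPLE_KERN_LOG)):
        print(f"{alert['ts']} port {alert['port']}: unapproved storage {alert['vid']}:{alert['pid']}")
```

The vendor/product pair is whatever the device claims, so the allowlist is a monitoring aid, not a control: on hosts that never need removable media, block the usb-storage driver (or use the equivalent device-control policy on Windows), and key the allowlist on device serial numbers where the drives report them. The keyboard on port 1-1.2 is enumerated but never claimed by the storage driver, which is why the parser pairs lines by port rather than treating each line in isolation.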


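The logging control just described depends on logs that the same privileged users can edit, and the first page notes that some of them do exactly that. A hash-chained log makes editing or deleting an earlier entry visible, and sealing the chain head with a key the administrators do not hold catches the two cases a plain chain misses (truncating the tail and rebuilding the whole chain). The following Python is an added example, not code from the article or from any product; the event records, the key and the auditor-as-key-holder arrangement are constructed for illustration.

```python
"""Tamper-evident audit log: each entry commits to the previous one, and the
chain head is sealed with a key the logging administrators do not hold.
Added example (not from the article); events, key and custodian arrangement
are constructed for illustration."""
import copy
import hashlib
import hmac
import json
from typing import List, Optional

GENESIS = "0" * 64
AUDITOR_KEY = b"auditor-held-key"   # assumption: kept by the auditor, not the admins


def entry_hash(prev_hash: str, record: dict) -> str:
    # Canonical JSON so the same record always hashes the same way.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append(log: List[dict], record: dict) -> dict:
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"record": record, "prev": prev, "hash": entry_hash(prev, record)}
    log.append(entry)
    return entry


def verify(log: List[dict]) -> Optional[int]:
    """Index of the first broken link, or None if every link checks out."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry_hash(prev, entry["record"]) != entry["hash"]:
            return i
        prev = entry["hash"]
    return None


def seal(log: List[dict], key: bytes) -> str:
    """HMAC over the chain head; the key holder stores it off the logging host."""
    head = log[-1]["hash"] if log else GENESIS
    return hmac.new(key, head.encode(), hashlib.sha256).hexdigest()


def seal_matches(log: List[dict], key: bytes, expected: str) -> bool:
    return hmac.compare_digest(seal(log, key), expected)


def build_sample_log() -> List[dict]:
    """Constructed events standing in for remote-access, database and system logs."""
    log: List[dict] = []
    for rec in [
        {"ts": "2008-12-01T22:14:03Z", "src": "vpn", "user": "dba01", "event": "login from 203.0.113.7"},
        {"ts": "2008-12-01T22:16:40Z", "src": "db",  "user": "dba01", "event": "DROP TABLE customers"},
        {"ts": "2008-12-01T22:17:05Z", "src": "sys", "user": "dba01", "event": "rm /var/log/auth.log"},
        {"ts": "2008-12-01T22:20:11Z", "src": "vpn", "user": "dba01", "event": "logout"},
    ]:
        append(log, rec)
    return log


def tamper_demo() -> dict:
    """Four ways an insider might clean the log, and which check catches each."""
    log = build_sample_log()
    sealed = seal(log, AUDITOR_KEY)
    out = {"intact": verify(log) is None and seal_matches(log, AUDITOR_KEY, sealed)}

    edited = copy.deepcopy(log)                  # 1. rewrite one record in place
    edited[1]["record"]["event"] = "SELECT 1"
    out["edit_detected_at"] = verify(edited)     # stored hash no longer matches

    deleted = copy.deepcopy(log)                 # 2. delete a middle entry
    del deleted[2]
    out["delete_detected_at"] = verify(deleted)  # next entry's prev pointer dangles

    truncated = copy.deepcopy(log[:-2])          # 3. drop the tail
    out["truncate_passes_verify"] = verify(truncated) is None
    out["truncate_caught_by_seal"] = not seal_matches(truncated, AUDITOR_KEY, sealed)

    rewritten: List[dict] = []                   # 4. rebuild the whole chain
    for entry in log:
        rec = dict(entry["record"])
        if rec["event"].startswith("DROP"):
            rec["event"] = "SELECT 1"
        append(rewritten, rec)
    out["rewrite_passes_verify"] = verify(rewritten) is None
    out["rewrite_caught_by_seal"] = not seal_matches(rewritten, AUDITOR_KEY, sealed)
    return out


if __name__ == "__main__":
    for name, value in tamper_demo().items():
        print(f"{name}: {value}")
```

verify() alone cannot tell a truncated chain from a short one, and an administrator who can rewrite every entry can produce a fresh, internally consistent chain; only the seal held by a second custodian catches those two cases, which is the same separation of duties the article asks for elsewhere. The seal is therefore only useful if it is written somewhere the logging host cannot modify, on a schedule short enough that the window between seals is acceptable.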
Defend against malicious code
Many organizations defend against malicious code using antivirus, IDS/IPS, and firewalls. While these defense mechanisms are useful against external infections, the internal threat is often overlooked. Organizations must build and maintain hardware and software to a standard corporate benchmark. An organization can have several combinations of hardware and software, depending upon the nature of the job performed. Identify these and benchmark them. Once this is done, the configurations can be compared with the benchmark, and discrepancies can be checked for malicious behavior. Deviations from the benchmark can be logged and investigated if necessary. Computer configurations do not remain unchanged for extended periods of time, so this should be done regularly. Most importantly, the person identifying changes on a system must not be the one performing changes on that system (separation of duties).

Remote attacks
Insiders most often attack organizations remotely, using legitimate access provided by the organization which was not revoked upon their termination. While remote access can greatly enhance employee productivity, special care should be given to critical data. Insiders have admitted that it is easy for them to conduct attacks remotely from home or to copy data to their personal computers.[2] It is, therefore, a good practice for organizations not to give remote access to critical data. If access is necessary, proper authentication, authorization, and accounting controls must be in place. When a privileged user terminates his employment, it is good practice to change the passwords for all remote connections and shared accounts.

Monitor and respond to employee behaviors
Probably one of the best methods of dealing with malicious insiders is to proactively address employee behaviors, beginning with the hiring process. A consistent practice of performing background checks and evaluating individuals based on the information received is vital. A background investigation must include uncovering criminal convictions or activities, verifying credentials and past employment references, and discussing the prospective employee's competence and approach to dealing with problems in the workplace with former employers. Organizations must commit time and resources to training supervisors so they are able to identify changes in an employee's behavior. Given that financial gain is the primary motive for stealing, employees must be monitored for sudden changes in their financial positions. A formal grievance mechanism should be implemented by the human resources department so that an employee's grievances are resolved as soon as possible.

Deactivate all accounts following exit
When an employee's employment is terminated, whether under favorable circumstances or not, all shared accounts and privileged access should be deleted or disabled. This must then be verified by the system owner so that the employer can be assured that nothing has been compromised.

Effective backup and testing
Despite all precautions implemented by the organization, it is still possible that insiders will attack. Therefore organizations should prepare for the worst-case scenario, e.g., destruction of vital data by a privileged user such as a database administrator or system administrator who deletes an entire table in the database, impacting confidentiality, integrity, and availability, and have a proper backup and recovery mechanism in place. Research has shown that effective backup and recovery mechanisms make the difference between several hours of downtime to restore systems, weeks of manual data entry when no backup is available, or months or years to reconstruct the data to its original form.

If possible, multiple backup copies should be stored in offsite locations with different custodians. In the event of a compromise, having multiple individuals lessens the risk of all of them being involved in the sabotage. The system administrator and data custodian(s) must ensure that the tapes and devices on which backups are performed are protected from destruction and tampering.

2 www.cert.org/archive/pdf/CommonSenseInsiderThreatsV2.--0708.pdf
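For the benchmark comparison described under "Defend against malicious code" above, the following Python is an added example, not the article's own method: it fingerprints a set of configuration files, has a reviewer sign the baseline with a key the system administrators do not hold (so the person who changes a system cannot also re-bless the change), and reports what was modified, removed or added since the baseline. The paths, file contents and the reviewer key are constructed for illustration.

```python
"""Configuration benchmark check with separation of duties.
Added example (not from the article): paths, file contents and the reviewer
key below are constructed for illustration."""
import hashlib
import hmac
import json
from typing import Dict

# Gold configuration approved for the "database server" build (constructed).
BASELINE_CONFIG: Dict[str, str] = {
    "/etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers.d/dba": "dba01 ALL=(root) /usr/bin/systemctl restart postgresql\n",
    "/etc/cron.d/backup": "0 2 * * * backup /usr/local/bin/backup.sh\n",
}

# What an audit later finds on the host (constructed): two files edited,
# the backup job removed, and a new cron entry that was never approved.
CURRENT_CONFIG: Dict[str, str] = {
    "/etc/ssh/sshd_config": "PermitRootLogin yes\nPasswordAuthentication no\n",
    "/etc/sudoers.d/dba": "dba01 ALL=(ALL) NOPASSWD: ALL\n",
    "/etc/cron.d/export": "*/5 * * * * dba01 /home/dba01/.x/export.sh\n",
}

REVIEWER_KEY = b"held-by-the-reviewer-not-the-admin"   # assumption


def fingerprint(config: Dict[str, str]) -> Dict[str, str]:
    """SHA-256 of each configuration item's content, keyed by path."""
    return {path: hashlib.sha256(body.encode()).hexdigest() for path, body in config.items()}


def sign_baseline(config: Dict[str, str], reviewer_key: bytes) -> dict:
    """The reviewer fingerprints the approved build and MACs the result."""
    fp = fingerprint(config)
    body = json.dumps(fp, sort_keys=True).encode()
    return {"fingerprint": fp, "mac": hmac.new(reviewer_key, body, hashlib.sha256).hexdigest()}


def baseline_is_authentic(baseline: dict, reviewer_key: bytes) -> bool:
    """Reject a baseline file that an administrator edited to hide a change."""
    body = json.dumps(baseline["fingerprint"], sort_keys=True).encode()
    expected = hmac.new(reviewer_key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, baseline["mac"])


def drift(baseline: dict, current: Dict[str, str]) -> Dict[str, list]:
    """Items whose content changed, items that vanished, items that appeared."""
    want, have = baseline["fingerprint"], fingerprint(current)
    return {
        "modified": sorted(p for p in want if p in have and want[p] != have[p]),
        "missing": sorted(p for p in want if p not in have),
        "added": sorted(p for p in have if p not in want),
    }


def audit(baseline: dict, current: Dict[str, str], reviewer_key: bytes) -> dict:
    """Run by the reviewer: first trust the baseline, then compare the host."""
    if not baseline_is_authentic(baseline, reviewer_key):
        return {"baseline_ok": False}
    return {"baseline_ok": True, **drift(baseline, current)}


def tampered_baseline_demo() -> bool:
    """An admin who rewrites the baseline to match the new sshd_config is caught."""
    baseline = sign_baseline(BASELINE_CONFIG, REVIEWER_KEY)
    baseline["fingerprint"]["/etc/ssh/sshd_config"] = fingerprint(CURRENT_CONFIG)["/etc/ssh/sshd_config"]
    return audit(baseline, CURRENT_CONFIG, REVIEWER_KEY)["baseline_ok"]


if __name__ == "__main__":
    print(audit(sign_baseline(BASELINE_CONFIG, REVIEWER_KEY), CURRENT_CONFIG, REVIEWER_KEY))
    print("forged baseline accepted:", tampered_baseline_demo())
```

In practice the fingerprint covers packages, services, listening ports and the boot chain as well as files, and the comparison runs from a host the administrators do not control. The check cannot see a change that was made and reverted between two runs, which is why the article pairs benchmarking with logging rather than relying on either alone.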


Threat source: Database Administrator
Risk factor: 1
Impact: High; loss of credibility
Controls and measures: Online replication at an offsite location with a proper backup administrator; system monitoring and database monitoring
Action: Investigation followed by termination and/or other necessary legal procedures as per the country

Threat source: Help Desk Executive
Risk factor: 1
Impact: High; loss of business-sensitive data to competitors, which leads to many other losses
Controls and measures: Log and monitor all the activities of the help desk personnel under the supervision of multiple supervisors
Action: Terminate or initiate necessary actions as per organizational policy

Table 1 – Sample insider threat plan
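The "Remote attacks" and "Deactivate all accounts following exit" sections above come down to one recurring check: does every enabled account still correspond to a current employee in that person's current role, and does anyone who has left still know a shared password? (The RSA figure on the first page, 43% keeping accounts after an internal move, is the same gap seen from the employee's side.) The following Python is an added example, not code from the article; the HR roster, the directory export, the role-to-group mapping and the 90-day dormancy threshold are constructed assumptions.

```python
"""Reconcile directory accounts against the HR roster: exits, internal moves,
unknown owners, dormant accounts and shared passwords known to leavers.
Added example (not from the article); roster, directory export, role-to-group
mapping and the 90-day dormancy threshold are constructed assumptions."""
from datetime import date
from typing import Dict, List, Set

TODAY = date(2008, 12, 1)

# HR roster (constructed): current role and exit date; None means still employed.
ROSTER: Dict[str, dict] = {
    "alice": {"role": "dba", "left": None},
    "bob":   {"role": "helpdesk", "left": date(2008, 11, 15)},
    "carol": {"role": "helpdesk", "left": None},   # moved from the DBA team in October
}

# Groups each role is entitled to (constructed least-privilege mapping).
ROLE_GROUPS: Dict[str, Set[str]] = {"dba": {"dba", "vpn"}, "helpdesk": {"helpdesk"}}

# Directory export (constructed). Shared accounts have owner None plus the
# set of people who were given the password.
ACCOUNTS: List[dict] = [
    {"name": "alice",      "owner": "alice", "enabled": True, "groups": {"dba", "vpn"},      "last_login": date(2008, 11, 30)},
    {"name": "alice-test", "owner": "alice", "enabled": True, "groups": {"dba"},             "last_login": date(2008, 5, 2)},
    {"name": "bob",        "owner": "bob",   "enabled": True, "groups": {"helpdesk", "vpn"}, "last_login": date(2008, 11, 28)},
    {"name": "carol",      "owner": "carol", "enabled": True, "groups": {"dba", "helpdesk"}, "last_login": date(2008, 11, 29)},
    {"name": "dave-vpn",   "owner": "dave",  "enabled": True, "groups": {"vpn"},             "last_login": date(2008, 11, 25)},
    {"name": "svc-backup", "owner": None,    "enabled": True, "groups": {"backup"},          "last_login": date(2008, 12, 1),
     "known_by": {"alice", "bob"}},
]


def reconcile(roster: Dict[str, dict], accounts: List[dict], role_groups: Dict[str, Set[str]],
              today: date = TODAY, stale_days: int = 90) -> List[dict]:
    """Return one finding per account condition that needs the system owner's action."""
    findings: List[dict] = []

    def flag(acct: dict, issue: str, detail: str) -> None:
        findings.append({"account": acct["name"], "issue": issue, "detail": detail})

    def has_left(person: str) -> bool:
        return person not in roster or roster[person]["left"] is not None

    for acct in accounts:
        if acct["owner"] is None:                        # shared or service account
            leavers = sorted(p for p in acct.get("known_by", ()) if has_left(p))
            if leavers:
                flag(acct, "shared_secret_known_by_leaver", "rotate; known by " + ", ".join(leavers))
            continue
        person = roster.get(acct["owner"])
        if person is None:                               # nobody in HR owns this account
            flag(acct, "owner_not_in_roster", acct["owner"])
            continue
        if person["left"] is not None:
            if acct["enabled"]:
                flag(acct, "enabled_after_exit", f"left {person['left']}, last login {acct['last_login']}")
            continue
        excess = sorted(acct["groups"] - role_groups[person["role"]])
        if excess:                                       # privileges kept after an internal move
            flag(acct, "excess_groups", ", ".join(excess))
        idle = (today - acct["last_login"]).days
        if acct["enabled"] and idle > stale_days:
            flag(acct, "stale", f"no login for {idle} days")
    return findings


if __name__ == "__main__":
    for f in reconcile(ROSTER, ACCOUNTS, ROLE_GROUPS):
        print(f"{f['account']:<11} {f['issue']:<30} {f['detail']}")
```

The check is only as good as its inputs: the roster has to include contractors and temporary workers (the survey's 79% figure), the directory export has to cover every system that keeps its own accounts (VPN concentrators, databases, management consoles), and a shared account that trips the last check needs its password changed, not just a ticket. Note that in the constructed data bob's last login is after his exit date, which is exactly the remote attack the article warns about. Run the reconciliation on a schedule and on every exit, and have the system owner sign off on the findings; that sign-off is the verification step the article asks for.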
Document insider threats and controls
Clearly and effectively document, communicate, and maintain an updated insider threat plan and the procedures to follow. Ensure everyone in the organization is cognizant of the plan, eliminating any accusations of discrimination. Table 1 is a sample insider threat plan.

Conclusion
There are no quick fixes for managing the malicious insider. It is complex, time-consuming, and requires significant senior management buy-in. The process begins with accepting that internal threats exist and must be addressed. Next, senior management must understand and agree that the organization needs protection from insider threats and must treat it as a matter of utmost concern. Security requires time and money, and any security program will fail without senior management support. Once the support is in place, all the above mitigation mechanisms should begin and be continually updated.

Let us all remember that insider threats have a direct impact on stakeholders and customers who have entrusted the security team with their most valuable data. Addressing the insider threat is, therefore, an obligation which can no longer be ignored.

References
www.cert.org
www.rsa.com
www.nebraskacert.org

About the Author
Vinoth Sivasubramanian, CEH, ISO 27001 LA, is an information standards manager at UAE Exchange Centre LLC and is responsible for the IT policies of the enterprise. Vinoth has six years of information security experience in telecommunications, finance, and consulting. He is a founding member of ISSA UAE and can be reached at vinoth.sivasubramanian@gmail.com.

Weitere ähnliche Inhalte

Empfohlen

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by HubspotMarius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTExpeed Software
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsPixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthThinkNow
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfmarketingartwork
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024Neil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)contently
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024Albert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsKurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summarySpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next Tessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentLily Ray
 
Time Management & Productivity - Best Practices
Time Management & Productivity -  Best PracticesTime Management & Productivity -  Best Practices
Time Management & Productivity - Best PracticesVit Horky
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project managementMindGenius
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...RachelPearson36
 

Empfohlen (20)

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage Engineerings
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity -  Best PracticesTime Management & Productivity -  Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 

Sivasubramanian Securing The Enterprise From The Malicious Insider

  • 1. ISSA The Global Voice of Information Security ISSA Journal | December 2008 Securing the Enterprise from the Malicious Insider By Vinoth Sivasubramanian – ISSA member, United Arab Emirates chapter Insider attacks can be foiled by following a layered defense mechanism consisting of policies and procedures, technical controls, and employee awareness and training. • 79% reported their company employs temporary The threat of attack from insiders workers who have access to critical areas is real and substantial. • 37% stumbled into an area they were unauthorized to access I Insider attacks can be foiled by following a layered defense nsiders are generally people who work or have a rela- mechanism consisting of policies and procedures, techni- tionship within an organization, including employees, cal controls, and employee awareness and training. For this contractors, business partners, subcontractors, and con- management should look beyond information technology sultants. Insiders have a significant advantage over others and study the corporate culture – its people and geographi- who might want to harm the organization: they can bypass cal domains – to combat the malicious insider and keep data physical and technical security measures designed to prevent safe. unauthorized access. Mechanisms such as firewalls, intru- sion detection/prevention, and electronic building access Research shows that insiders who commit crimes are mostly systems are implemented primarily to defend against exter- disgruntled employees who act out of revenge to some extent. nal threats. However, insiders are not only aware of security Examples include termination, disputes with the employer, policies within the organization but may also be aware of any new supervisors, transfers or demotions, economic condi- security flaws in the systems. 
A survey conducted by RSA in tions, dissatisfaction, and a history of personal frustrations 2008 discovered that over 50 percent of polled employees cir- with salaries and bonuses. Detection of the attacks have been cumvent IT security policies to get their jobs done. Respon- generally manual and reactive, not proactive. In most cases dents reported the following: system logs were used to identify the instances of attacks: re- mote access logs, database logs, application logs, system logs, • 94% were familiar with their organizational security network logs, and email logs. Some privileged and techni- policies, yet 53% felt the need for working around cal users, knowing that logs could be used for identification, them would tamper with the logs. • 64% emailed work documents to their homes • 5% held a door open for someone they did not rec- Strategies for managing insider threats ognize Technical solutions alone cannot always detect or discover • 43% switched jobs internally, and still had accounts insider threats or address them appropriately. Insider threats which they no longer needed are personnel threats – first and foremost – not technical threats. Human beings require human resource security so- lutions. http://www.rsa.com/press_release.aspx?id=9703. 33
Insider threats and external threats should be managed co-operatively, as part of a comprehensive security program. However, a special focus on insiders may help organizations close the gap between external and internal security preparedness.

Let us now focus on the various approaches required to combat internal threats.

Enterprise-wide risk assessment
Risk is a combination of threat, vulnerability, and mission impact; therefore, introduce periodic risk assessments in the workplace. Refine and maintain the plans periodically to reduce the risks from both internal as well as external sources. Perform penetration testing to check if the risk assessment plan is really working and to identify other potential areas of weakness.

Strong security policies and procedures
This is the first step in combating insider and external threats: develop strong security policies in line with the business of the organization and enforce them strictly. This will be the benchmark to check if a violation has taken place.

Separation of duties and privileges
If all employees are adequately trained in security awareness, and responsibility for critical functions is divided among employees, the possibility that one individual could commit fraud or sabotage without the co-operation of others is very limited. Effective separation of duties requires the implementation of least privilege by authorizing people access only to the resources they need to do their jobs.

Strict account management policies
No matter how vigilant employees are in trying to protect their computers, a compromised computer could wreak havoc as privileged data can be viewed by non-privileged/unauthorized personnel. Therefore, have strict account management policies such as automatic screen lock when a system is idle, password complexity, and password change enforcement.

CCTV
Implement closed circuit cameras so that insider intervention in sensitive areas can be monitored and corrected. Store the monitored data and destroy it once corrective actions have been taken or after an audit has been performed. Alternatively, the data can be archived and stored at some other location for further use.

Periodic security awareness sessions
A comprehensive written security policy is great but ineffective if not properly communicated. Involve all employees and design engaging training programs with mock sessions like dumpster diving, do-me-a-favor, desktop snooping, coffee break analysis (friendly encounters with employees or contractors during breaks or lunch; people generally let down their guard in situations outside of the work environment), shoulder surfing, keyboard logging, USB, CD and DVD dropping, and confidential documents left in the printer dock. Make employees fully aware of the impacts an accidental security threat could pose to the organization. They should also be properly notified that their systems are being monitored, especially network, system, and security administrators as well as any privileged user activity. Users must also be trained on the protection of their system passwords and the acceptable computer usage policy.

Written code of ethics
Have a written code of ethics. It should be prominent and duly signed by each user of privileged accounts, if not all employees. Having a proper code of ethics and having it signed will help employees understand what they are to do and what they are not to do. This should make them more ethically aware and responsible and ensure they understand that violations would lead to legal/disciplinary action.

Monitor data at rest and in motion
Few organizations know where all their data resides: multiple servers, personal computers, laptops, USB devices, etc. Organizational data is both at rest and in motion. There are simply too many methods of data storage and too many methods of data transmission – you need to keep track and know where your data is. Conforming to regulations like SOX and HIPAA will help, as they mandate strong data controls.

Manage end devices
End devices like USB drives, PDAs, smartphones, MP3 players, and DVD/CD drives are generally ignored, but they constitute an easy means of data loss wherein the insider can simply plug in a USB device, transfer the data, and calmly walk out. Proper mechanisms should be in place to monitor which end devices are being connected to the system or to critical assets, disabling them wherever necessary.

Log, monitor, and audit
Log all activities on all computers and on all systems. Let users be aware that logs will be analyzed periodically for insider threat analysis. This should be an effective deterrent, especially for the highly privileged user aware that his activities are being logged and audited on a regular basis.
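The survey figure earlier on this page (43% of internal movers keeping accounts they no longer needed) and the sections on separation of duties and strict account management describe a review that can be scripted. The following added example, not from the article, reconciles an accounts export against the HR roster and flags leavers, privileges beyond the person's current role, dormant accounts, and one person holding a conflicting pair of privileges across systems. The roster, the accounts export, the entitlement matrix and the conflict rule are all constructed for the illustration.

```python
"""Periodic account review: reconcile an accounts export with the HR roster and
flag what separation of duties and strict account management call for.
Added example; all data below is constructed."""
from datetime import date

REVIEW_DATE = date(2008, 12, 1)
DORMANT_DAYS = 90
SERVICE_ACCOUNT_PREFIX = "svc_"

# Constructed HR roster: bob moved from finance to IT, carol has left.
HR_ROSTER = {
    "alice": {"status": "active", "role": "ap_clerk"},
    "bob": {"status": "active", "role": "sysadmin"},
    "carol": {"status": "left", "role": "account_manager"},
}

# Constructed export of accounts and privileges from three systems.
ACCOUNTS = [
    {"user": "alice", "system": "erp", "privileges": {"create_vendor", "approve_payment"}, "last_login": "2008-11-28"},
    {"user": "bob", "system": "erp", "privileges": {"approve_payment"}, "last_login": "2008-06-02"},
    {"user": "bob", "system": "unix", "privileges": {"root"}, "last_login": "2008-11-30"},
    {"user": "carol", "system": "crm", "privileges": {"export_customers"}, "last_login": "2008-11-01"},
    {"user": "svc_backup", "system": "unix", "privileges": {"root"}, "last_login": "2008-11-30"},
]

# Assumed entitlement matrix: what each current role is allowed to hold.
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"create_vendor"},
    "sysadmin": {"root"},
    "account_manager": {"export_customers"},
}

# Assumed separation-of-duties rule: nobody may both create a vendor and approve payments to it.
SOD_CONFLICTS = [frozenset({"create_vendor", "approve_payment"})]


def review_accounts(roster, accounts, today):
    """Return a list of (user, system, finding) tuples for the reviewer."""
    findings = []
    privileges_by_user = {}
    for acc in accounts:
        user, system = acc["user"], acc["system"]
        if user.startswith(SERVICE_ACCOUNT_PREFIX):
            findings.append((user, system, "service account: confirm a named owner"))
            continue
        person = roster.get(user)
        if person is None or person["status"] != "active":
            findings.append((user, system, "leaver or unknown user: disable account"))
            continue
        excess = acc["privileges"] - ROLE_ENTITLEMENTS.get(person["role"], set())
        if excess:
            findings.append((user, system, "privileges beyond current role: %s" % sorted(excess)))
        idle = (today - date.fromisoformat(acc["last_login"])).days
        if idle > DORMANT_DAYS:
            findings.append((user, system, "dormant: no login for %d days" % idle))
        privileges_by_user.setdefault(user, set()).update(acc["privileges"])
    # Conflicts are checked across all of a person's systems, not per account.
    for user, privs in privileges_by_user.items():
        for conflict in SOD_CONFLICTS:
            if conflict <= privs:
                findings.append((user, "*", "separation-of-duties conflict: %s" % sorted(conflict)))
    return findings


def run_review():
    return review_accounts(HR_ROSTER, ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for user, system, finding in run_review():
        print("%-12s %-6s %s" % (user, system, finding))
```

Accounts of people who left are flagged before any privilege check, since they should be disabled regardless of what they hold; accounts of people who changed role are kept but reported for every privilege their new role does not justify, which is the case the survey figure describes.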
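The end-device section above asks for a mechanism that records which removable devices are connected so that unapproved ones can be acted on. As an added example that is not part of the article, here is a small monitor over kernel log lines in the shape the Linux usb-storage driver writes: it pairs each attached mass-storage device with the serial number reported for the same port and reports any serial that is not on an allow-list of company-issued drives. The log lines, host name and approved serials are constructed, and the allow-list itself is an assumed control.

```python
"""Removable-media monitor: scan kernel log lines for USB mass-storage
attachments and flag devices not on the approved list.
Added example; the log lines and serial numbers below are constructed."""
import re

# Assumed control: serial numbers of company-issued (encrypted) drives.
APPROVED_SERIALS = {"CORP-ENC-0001", "CORP-ENC-0002"}

# Constructed sample log, modelled on Linux usb / usb-storage kernel messages.
SAMPLE_LOG = """\
Nov 30 09:12:01 fileserver kernel: usb 1-1: new high-speed USB device number 4 using ehci_hcd
Nov 30 09:12:01 fileserver kernel: usb 1-1: SerialNumber: CORP-ENC-0001
Nov 30 09:12:02 fileserver kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Nov 30 17:48:33 fileserver kernel: usb 1-2: new high-speed USB device number 5 using ehci_hcd
Nov 30 17:48:33 fileserver kernel: usb 1-2: SerialNumber: 0A1B2C3D
Nov 30 17:48:34 fileserver kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Nov 30 17:50:10 fileserver kernel: usb 1-3: new full-speed USB device number 6 using ehci_hcd
Nov 30 17:50:10 fileserver kernel: usb 1-3: SerialNumber: 9999
Nov 30 17:50:10 fileserver kernel: input: USB Keyboard as /devices/pci0000:00/usb1/1-3/input0
"""

SERIAL_RE = re.compile(r"kernel: usb (\S+): SerialNumber: (\S+)")
STORAGE_RE = re.compile(r"kernel: usb-storage (\S+):\d+\.\d+: USB Mass Storage device detected")
HOST_TS_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) (\S+) ")


def find_storage_attachments(log_text):
    """Return (timestamp, host, port, serial) for every mass-storage attachment.
    The serial is announced on the port before the storage driver binds, so it is
    remembered per port; keyboards and other non-storage devices are ignored."""
    serial_by_port = {}
    events = []
    for line in log_text.splitlines():
        m = SERIAL_RE.search(line)
        if m:
            serial_by_port[m.group(1)] = m.group(2)
            continue
        m = STORAGE_RE.search(line)
        if m:
            port = m.group(1)
            hm = HOST_TS_RE.match(line)
            ts, host = (hm.group(1), hm.group(2)) if hm else ("?", "?")
            events.append((ts, host, port, serial_by_port.get(port, "unknown")))
    return events


def unapproved_attachments(log_text, approved=APPROVED_SERIALS):
    """Attachments whose serial is missing or not on the allow-list."""
    return [e for e in find_storage_attachments(log_text) if e[3] not in approved]


if __name__ == "__main__":
    for ts, host, port, serial in unapproved_attachments(SAMPLE_LOG):
        print("%s %s: unapproved storage device on port %s, serial %s" % (ts, host, port, serial))
```

On a real host the same logic would read the log the kernel actually writes (journal or /var/log/kern.log) and feed an alert to the people who own the asset; the regular expressions above match the constructed lines and would need checking against the exact message text of the kernel version in use.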
Defend against malicious code
Many organizations defend against malicious code using antivirus/IDS/IPS/firewalls. While these defense mechanisms are useful against external infections, the internal threat is often overlooked. Organizations must build and maintain hardware and software on a standard corporate benchmark. An organization can have several combinations of hardware and software, depending upon the nature of the job performed. Identify these and benchmark them. Once this is done, the configurations can then be compared with the benchmark, and discrepancies can be checked for malicious behavior. Deviations from the benchmark can be logged and investigated if necessary. Computer configurations do not remain unchanged for extended periods of time, so this should be done regularly. Most importantly, the person identifying any changes on systems must not be the one performing changes on the system (separation of duties).

Remote attacks
Insiders most often attack organizations remotely using their legitimate access provided by the organization which had not been revoked upon their termination. While remote access can greatly enhance employee productivity, special care should be given to critical data. Insiders have admitted that it is easy for them to conduct attacks remotely from home or to copy data to their personal computers.² It is, therefore, a good practice for organizations not to give remote access to critical data. If access is necessary, proper authorization, accounting, and authentication controls must be in place. When a privileged user terminates his employment, it is often a good practice to change the authentication and authorization passwords for all remote connections and shared accounts.

Monitor and respond to employee behaviors
Probably one of the best methods of dealing with malicious insiders is to proactively address employee behaviors, beginning with the hiring process. A consistent practice of performing background checks and evaluating individuals based on the information received is vital. A background investigation must include uncovering criminal convictions or activities, verifying credentials and past employment references, and discussing the prospective employee's competence and approach to dealing with problems in the workplace with former employers. Organizations must commit time and resources to training supervisors so they are able to identify changes in an employee's behavior. Given that financial gain is the primary motive for stealing, employees must be monitored for sudden changes in their financial positions. A formal grievance mechanism should be implemented by the human resources department so that an employee's grievances are reconciled as soon as possible.

Deactivate all accounts following exit
When an employee's employment is terminated, whether under favorable circumstances or not, all shared accounts and privileged access should be deleted or disabled. This must then be verified by the system owner so that the employers can be assured that nothing has been compromised.

Effective backup and testing
Despite all precautions implemented by the organization, it is still possible that insiders will attack. Therefore organizations should prepare for the worst case scenario – e.g., destruction of vital data by privileged users such as a database administrator/system administrator who deletes an entire table in the database, impacting confidentiality, integrity, and availability – and have a proper backup and recovery mechanism in place. Research has shown that effective backup and recovery mechanisms make the difference between several hours of downtime to restore systems, weeks of manual data entry when no backup is available, or months/years to reconstruct the data to its original form. If possible, multiple backup copies should be stored in offsite locations with different custodians. In the event of a compromise, having multiple individuals lessens the risk of all the individuals being involved in the sabotage. The system admin and data custodian(s) must ensure that the tapes/devices on which backups are performed are protected from data destruction and tampering.

² www.cert.org/archive/pdf/CommonSenseInsiderThreatsV2.--0708.pdf.

Table 1 – Sample insider threat plan

| Threat Source | Risk Factor | Impact | Controls and measures | Action |
| --- | --- | --- | --- | --- |
| Database Administrator | 1 | High, loss of credibility | Online replication at an offsite location with a proper backup administrator; system monitoring and database monitoring | Investigation followed by terminations and/or other necessary legal procedures as per the country |
| Help Desk Executive | 1 | High, loss of business sensitive data to competitors, which leads to many others | Log and monitor all the activities of the help desk personnel under the supervision of multiple supervisors | Terminate or initiate necessary actions as per organizational policy |
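The "Defend against malicious code" section above describes benchmarking each hardware/software configuration and periodically comparing systems against it. The following added example, not the article's own code, implements the file-level part of that: build a manifest of SHA-256 hashes, keep it where the administrators being checked cannot write to it, and report files added, removed or changed since the baseline. The directory tree, file names and contents are constructed in a temporary directory so the script runs anywhere without touching a real host.

```python
"""Configuration baseline check: hash every file under a root, store the manifest,
and report deviations on later runs. Added example; the sample tree is constructed."""
import hashlib
import json
import os
import tempfile


def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file under root (path relative to root) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = hash_file(full)
    return manifest


def save_manifest(manifest, path):
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def compare_to_baseline(baseline, current):
    """Return sorted lists of added, removed and changed relative paths."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(p for p in common if baseline[p] != current[p]),
    }


def _write(root, relpath, data):
    full = os.path.join(root, relpath)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Baseline a constructed host image, make three changes, and report them.
    The manifest is written outside the tree being checked, as a separate
    custodian (not the administrator of the host) would keep it."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(root, "etc/ssh/sshd_config", b"PermitRootLogin no\n")
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        _write(root, "usr/local/bin/nightly-backup.sh", b"#!/bin/sh\ntar czf /backup/db.tgz /var/lib/db\n")
        manifest_path = os.path.join(store, "baseline.json")
        save_manifest(build_manifest(root), manifest_path)

        # Changes a later check should surface: a weakened setting, a removed backup job, a new file.
        _write(root, "etc/ssh/sshd_config", b"PermitRootLogin yes\n")
        os.remove(os.path.join(root, "usr/local/bin/nightly-backup.sh"))
        _write(root, "etc/cron.d/cleanup", b"0 3 * * * root /tmp/cleanup.sh\n")

        return compare_to_baseline(load_manifest(manifest_path), build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print("%-8s %s" % (kind, ", ".join(paths) or "-"))
```

Every reported path still needs a human decision (a changed sshd_config may be an approved hardening rather than a weakening), and the manifest must be rebuilt after each approved change so that the next run flags only what has not been accounted for.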
Document insider threats and controls
Clearly and effectively document, communicate, and maintain an updated insider threat plan and the procedures to follow. Ensure everyone in the organization is cognizant of the plan, eliminating any accusations of discrimination. Table 1 is a sample insider threat plan.

Conclusion
There are no quick fixes for managing the malicious insider. It is complex, time-consuming, and requires significant senior management buy-in. The process begins with the fact that internal threats exist and must be addressed. Next, senior management must understand and agree that the organization needs protection from insider threats and must take it as a matter of utmost concern. Security requires time and money, and any security program will fail without senior management support. Once the support is in place, all the above mitigation mechanisms should begin and be continually updated.

Let us all remember that insider threats have a direct impact on stakeholders and customers who have entrusted the security team with their most valuable data. The insider threat is, therefore, an obligation which can no longer be ignored.

References
—www.cert.org
—www.rsa.com
—www.nebraskacert.org

About the Author
Vinoth Sivasubramanian, CEH, ISO 27001 LA, is an information standards manager at UAE Exchange Centre LLC and is responsible for the IT policies of the enterprise. Vinoth has six years of information security experience in telecommunications, finance, and consulting. He is a founding member of ISSA UAE and can be reached at vinoth.sivasubramanian@gmail.com.