ISSA The Global Voice of Information Security ISSA Journal | December 2008
Securing the Enterprise from the Malicious Insider
By Vinoth Sivasubramanian – ISSA member, United Arab Emirates chapter

Insider attacks can be foiled by following a layered defense mechanism consisting of policies and procedures, technical controls, and employee awareness and training.

The threat of attack from insiders is real and substantial.

Insiders are generally people who work or have a relationship within an organization, including employees, contractors, business partners, subcontractors, and consultants. Insiders have a significant advantage over others who might want to harm the organization: they can bypass physical and technical security measures designed to prevent unauthorized access. Mechanisms such as firewalls, intrusion detection/prevention, and electronic building access systems are implemented primarily to defend against external threats. However, insiders are not only aware of security policies within the organization but may also be aware of any security flaws in the systems. A survey conducted by RSA in 2008 discovered that over 50 percent of polled employees circumvent IT security policies to get their jobs done.1 Respondents reported the following:

• 94% were familiar with their organizational security policies, yet 53% felt the need for working around them
• 64% emailed work documents to their homes
• 5% held a door open for someone they did not recognize
• 43% switched jobs internally, and still had accounts which they no longer needed
• 79% reported their company employs temporary workers who have access to critical areas
• 37% stumbled into an area they were unauthorized to access

Insider attacks can be foiled by following a layered defense mechanism consisting of policies and procedures, technical controls, and employee awareness and training. For this, management should look beyond information technology and study the corporate culture – its people and geographical domains – to combat the malicious insider and keep data safe.

Research shows that insiders who commit crimes are mostly disgruntled employees who act out of revenge to some extent. Examples include termination, disputes with the employer, new supervisors, transfers or demotions, economic conditions, dissatisfaction, and a history of personal frustrations with salaries and bonuses. Detection of the attacks has been generally manual and reactive, not proactive. In most cases system logs were used to identify the instances of attacks: remote access logs, database logs, application logs, system logs, network logs, and email logs. Some privileged and technical users, knowing that logs could be used for identification, would tamper with the logs.

Strategies for managing insider threats
Technical solutions alone cannot always detect or discover insider threats or address them appropriately. Insider threats are personnel threats – first and foremost – not technical threats. Human beings require human resource security solutions.

1 http://www.rsa.com/press_release.aspx?id=9703.
Insider threats and external threats should be managed cooperatively, as part of a comprehensive security program. However, a special focus on insiders may help organizations close the gap between external and internal security preparedness.

Let us now focus on the various approaches required to combat internal threats.

Enterprise-wide risk assessment
Risk is a combination of threat, vulnerability, and mission impact; therefore, introduce periodic risk assessments in the workplace. Refine and maintain the plans periodically to reduce the risks from both internal as well as external sources. Perform penetration testing to check if the risk assessment plan is really working and to identify other potential areas of weakness.

Strong security policies and procedures
This is the first step in combating insider and external threats: develop strong security policies in line with the business of the organization and enforce them strictly. This will be the benchmark to check if a violation has taken place.

Monitor data at rest and in motion
Few organizations know where all their data resides: multiple servers, personal computers, laptops, USB devices, etc. Organizational data is both at rest and in motion. There are simply too many methods of data storage and too many methods of data transmission – you need to keep track and know where your data is. Conforming to regulations like SOX and HIPAA will help, as they regulate strong data controls.

Manage end-devices
End devices like USB drives, PDAs, smart phones, MP3 players, and DVD/CD drives are generally ignored, but they constitute an easy means of data loss wherein the insider can simply plug in a USB device, transfer the data, and calmly walk out. Proper mechanisms should be in place to monitor which end devices are being connected to the system or to critical assets, disabling them wherever necessary.

Periodic security awareness sessions
A comprehensive written security policy is great but ineffective if not properly communicated. Involve all employees and design engaging training programs with mock sessions like dumpster diving, do-me-a-favor, desktop snooping, coffee break analysis—friendly encounters with employees or contractors during breaks or lunch; people generally let down their guard in situations outside of the work environment—shoulder surfing, keyboard logging, USB, CD and DVD dropping, and confidential documents left in the printer dock. Make employees fully aware of the impacts an accidental security threat could pose to the organization. They should also be properly notified that their systems are being monitored, especially network, system, and security administrators as well as any privileged user activity. Users must also be trained on the protection of their system passwords and the acceptable computer usage policy.

Written code of ethics
Have a written code of ethics. It should be prominent and duly signed by each user of privileged accounts, if not all employees. Having a proper code of ethics and having it signed will help employees understand what they are to do and what they are not to do. This should make them more ethically aware and responsible and ensure they understand that violations would lead to legal/disciplinary action.

Separation of duties and privileges
If all employees are adequately trained in security awareness, and responsibility for critical functions is divided among employees, the possibility that one individual could commit fraud or sabotage without the co-operation of others is very limited. Effective separation of duties requires the implementation of least privilege by authorizing people access only to the resources they need to do their jobs.

Strict account management policies
No matter how vigilant employees are in trying to protect their computers, a compromised computer could wreak havoc as privileged data can be viewed by non-privileged/unauthorized personnel. Therefore, have strict account management policies such as automatic locking of the screen if the system is idle, password complexity, and password change enforcement.

CCTV
Implement closed circuit cameras so that insider intervention in sensitive areas can be monitored and corrected. Store the monitored data and destroy it once corrective actions have been taken or after an audit has been performed. Alternatively, the data can be archived and stored at some other location for further use.

Log, monitor, and audit
Log all activities on all computers and on all systems. Let users be aware that logs will be analyzed periodically for insider threat analysis. This should be an effective deterrent, especially for the highly privileged user aware that his activities are being logged and audited on a regular basis.
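One concrete form of the periodic log review described above, written as an added example (not the article's own code): remote access log lines are checked against the HR leaver list for logins after an employee's leaving date, and the account directory is checked for leavers whose accounts are still enabled. The log format, usernames, dates and account states are all constructed for the example.

```python
# Added example: periodic review of remote-access logs and account state against
# HR leaver records. Log format and sample records are constructed, not real data.
import re
from datetime import date, datetime

# Constructed sample: HR leaver list (who left and on which date) and directory state.
LEAVERS = {"jdoe": date(2008, 11, 3), "ksmith": date(2008, 10, 15)}
ACCOUNTS = {"jdoe": "enabled", "ksmith": "disabled", "mlee": "enabled", "svc_backup": "enabled"}

# Constructed sample: VPN concentrator log lines in a simple syslog-like layout.
REMOTE_ACCESS_LOG = """\
2008-11-02T18:10:05 vpn01 login user=jdoe src=203.0.113.7 result=success
2008-11-05T22:41:19 vpn01 login user=jdoe src=203.0.113.7 result=success
2008-11-06T09:02:44 vpn01 login user=mlee src=198.51.100.20 result=success
2008-11-07T01:15:00 vpn01 login user=ksmith src=192.0.2.55 result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")

def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec

def post_termination_access(log_text, leavers):
    """Login attempts (successful or failed) by a user after their leaving date."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        left = leavers.get(rec["user"])
        if left is not None and rec["ts"].date() > left:
            findings.append((rec["user"], rec["ts"].isoformat(), rec["result"]))
    return findings

def orphaned_accounts(accounts, leavers):
    """Accounts still enabled although their owner appears on the leaver list."""
    return sorted(u for u, state in accounts.items() if u in leavers and state == "enabled")

if __name__ == "__main__":
    for finding in post_termination_access(REMOTE_ACCESS_LOG, LEAVERS):
        print("post-termination login attempt:", finding)
    print("still enabled after exit:", orphaned_accounts(ACCOUNTS, LEAVERS))
```

A failed attempt by a leaver is reported as well, since the account should no longer exist at all.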
Defend against malicious code
Many organizations defend against malicious code using antivirus/IDS/IPS/firewalls. While these defense mechanisms are useful against external infections, the internal threat is often overlooked. Organizations must build and maintain hardware and software on a standard corporate benchmark. An organization can have several combinations of hardware and software, depending upon the nature of the job performed. Identify these and benchmark them. Once this is done, the configurations can then be compared with the benchmark, and discrepancies can be checked for malicious behavior. Deviations from the benchmark can be logged and investigated if necessary. Computer configurations do not remain unchanged for extended periods of time, so this should be done regularly. Most importantly, the person identifying any changes on systems must not be the one performing changes on the system (separation of duties).

Remote attacks
Insiders most often attack organizations remotely using the legitimate access provided by the organization which had not been revoked upon their termination. While remote access can greatly enhance employee productivity, special care should be given to critical data. Insiders have admitted that it is easy for them to conduct attacks remotely from home or to copy data to their personal computers.2 It is, therefore, a good practice for organizations not to give remote access to critical data. If access is necessary, proper authorization, accounting, and authentication controls must be in place. When a privileged user terminates his employment, it is often a good practice to change the authentication and authorization passwords for all remote connections and shared accounts.

Monitor and respond to employee behaviors
Probably one of the best methods of dealing with malicious insiders is to proactively address employee behaviors, beginning with the hiring process. A consistent practice of performing background checks and evaluating individuals based on the information received is vital. A background investigation must include uncovering criminal convictions or activities, verifying credentials and past employment references, and discussing the prospective employee's competence and approach to dealing with problems in the workplace with former employers. Organizations must commit time and resources to training supervisors so they are able to identify changes in an employee's behavior. Given that financial gain is the primary motive for stealing, employees must be monitored for sudden changes in their financial positions. A formal grievance mechanism should be implemented by the human resources department so that an employee's grievances are reconciled as soon as possible.

Deactivate all accounts following exit
When an employee's employment is terminated, whether under favorable circumstances or not, all shared accounts and privileged access should be deleted or disabled. This must then be verified by the system owner so that the employers can be assured that nothing has been compromised.

Effective backup and testing
Despite all precautions implemented by the organization, it is still possible that insiders will attack. Therefore, organizations should prepare for the worst case scenario – e.g., destruction of vital data by privileged users such as a database administrator/system administrator who deletes an entire table in the database, impacting confidentiality, integrity, and availability – and have a proper backup and recovery mechanism in place. Research has shown that effective backup and recovery mechanisms make the difference between several hours of downtime to restore systems, weeks of manual data entry when no backup is available, or months/years to reconstruct the data to its original form.

If possible, multiple backup copies should be stored in offsite locations with different custodians. In the event of a compromise, having multiple individuals lessens the risk of all the individuals being involved in the sabotage. The system admin and data custodian(s) must ensure that the tapes/devices on which backups are performed are protected from data destruction and tampering.

2 www.cert.org/archive/pdf/CommonSenseInsiderThreatsV2.--0708.pdf.
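The benchmark comparison described under "Defend against malicious code" above, as an added example that is not the article's or any product's code: a host's observed settings are compared with the corporate benchmark for its hardware/software class, every deviation is recorded together with the author of the last change to that setting, and the review is refused when the reviewer is that same author. The benchmark keys, host name, change log and observed values are all constructed for the example.

```python
# Added example: benchmark drift check with a separation-of-duties gate.
# Benchmark keys/values, host names and the change log are constructed samples.
from dataclasses import dataclass
from typing import Optional

# Constructed benchmark for one hardware/software class (e.g. finance workstations).
BENCHMARK = {
    "antivirus.enabled": "true",
    "firewall.default_inbound": "deny",
    "usb.mass_storage": "disabled",
    "autorun": "disabled",
    "screen.lock_timeout_min": "10",
}

@dataclass
class Deviation:
    host: str
    key: str
    expected: str
    observed: Optional[str]  # None means the setting is missing on the host

def compare_to_benchmark(host, observed, benchmark=BENCHMARK):
    """Return every benchmark key whose observed value differs or is absent."""
    return [Deviation(host, k, v, observed.get(k))
            for k, v in benchmark.items() if observed.get(k) != v]

def review_deviations(deviations, change_log, reviewer):
    """Attach the last recorded change author to each deviation; refuse the whole
    review if the reviewer is also that author (the page's separation-of-duties rule)."""
    report = []
    for d in deviations:
        author = change_log.get((d.host, d.key), "unknown")
        if author == reviewer:
            raise PermissionError(f"{reviewer} changed {d.key} on {d.host} and cannot review it")
        report.append({"host": d.host, "key": d.key, "expected": d.expected,
                       "observed": d.observed, "changed_by": author})
    return report

# Constructed sample: what a host currently reports, and who last changed each setting.
OBSERVED = {"antivirus.enabled": "true", "firewall.default_inbound": "allow",
            "usb.mass_storage": "enabled", "screen.lock_timeout_min": "10"}
CHANGE_LOG = {("fin-ws-07", "firewall.default_inbound"): "admin_a",
              ("fin-ws-07", "usb.mass_storage"): "admin_a"}

if __name__ == "__main__":
    devs = compare_to_benchmark("fin-ws-07", OBSERVED)
    for row in review_deviations(devs, CHANGE_LOG, reviewer="auditor_b"):
        print(row)
```

A setting that is missing altogether (here "autorun") is reported as a deviation too, since an absent control is as much a gap as a changed one.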
Table 1 – Sample insider threat plan

Threat source: Database Administrator
Risk factor: 1
Impact: High, loss of credibility
Controls and measures: Online replication at an offsite location with a proper backup administrator; system monitoring and database monitoring
Action: Investigation followed by terminations and/or other necessary legal procedures as per the country

Threat source: Help Desk Executive
Risk factor: 1
Impact: High, loss of business-sensitive data to competitors, which leads to many others
Controls and measures: Log and monitor all the activities of the help desk personnel under the supervision of multiple supervisors
Action: Terminate or initiate necessary actions as per organizational policy
Document insider threats and controls
Clearly and effectively document, communicate, and maintain an updated insider threat plan and the procedures to follow. Ensure everyone in the organization is cognizant of the plan, eliminating any accusations of discrimination. Table 1 is a sample insider threat plan.

Conclusion
There are no quick fixes for managing the malicious insider. It is complex, time-consuming, and requires significant senior management buy-in. The process begins with the fact that internal threats exist and must be addressed. Next, senior management must understand and agree that the organization needs protection from insider threats and must take it as a matter of utmost concern. Security requires time and money, and any security program will fail without senior management support. Once the support is in place, all the above mitigation mechanisms should begin and be continually updated.

Let us all remember that insider threats have a direct impact on stakeholders and customers who have entrusted the security team with their most valuable data. The insider threat is, therefore, an obligation which can no longer be ignored.

References
—www.cert.org
—www.rsa.com
—www.nebraskacert.org

About the Author
Vinoth Sivasubramanian, CEH, ISO 27001 LA, is an information standards manager at UAE Exchange Centre LLC and is responsible for the IT policies of the enterprise. Vinoth has six years of information security experience in telecommunications, finance, and consulting. He is a founding member of ISSA UAE and can be reached at vinoth.sivasubramanian@gmail.com.