

Reframing the Insider Threat
 
By Eugene Tyrrell, CISSP


External attacks -- hacker exploits, bot attacks and virus outbreaks -- all make sensational headlines. It is undeniable that these are significant and real threats. However, the threat from insiders is equally significant, costly, and real. In this paper we explore the insider threat, reframing the traditional concept of the insider, and presenting some no-nonsense, cost-effective ways to mitigate the threats posed by insiders.

Background: There are many studies that contrast insider and outsider threats. Most often, they examine which is more common or more costly. The conclusions vary, often seeming to support the position of a particular vendor, sponsor or constituency. One thing is certain: insider threats are prevalent and costly.

An insider threat is a business concern. Compromised information assets can damage a brand, a company's reputation, and even its value. They undermine customer confidence, violate compliance requirements, and result in financial loss. Often the insider is well positioned to perpetrate these acts and inflict damage - easily, and without detection.

As we will see, a primary issue of the insider threat is trust. Trust is essential for any organization or culture to function. Therefore, the insider threat is a people and process issue. Despite the glamour of applying technical solutions, technology will not fully solve the problem. Furthermore, distrust is not a solution. Approaching the problem from a perspective of pervasive distrust will create a culture of paranoia and can ultimately result in an even greater insider threat.

The good news is that mitigating the insider threat does not require capital intensive technology investments. It does, however, require a shift in awareness and accountability through training and the integration of processes that effectuate trust and individual responsibility.

Reframing the Threat: In the brick and mortar world it was easy: employees were insiders - everyone else was an outsider. In the information age it is more complicated. Company borders are increasingly blurred. Partners, vendors, and subcontractors all share information and often have unprecedented access to internal resources. People who work outside an organization, who may even have their loyalties to outside organizations, have become insiders. This is true for information networks, too. There can be no automatic assumption that some networks are "trusted" and others are not. In the same way that outside people have become insiders, so have outside networks.

Define: In order to address the possibility of insider threats, the first task is to define properly the insiders and the possible threats.

  • An insider is any individual or party that receives or influences privileged information or accesses internal resources;
  • The acts can be malicious, non-malicious, intentional, or even unintentional.

Inventory: The second task is to inventory the potential exposures. At a minimum, any activity that could harm the company, its employees or its clients, and expose the company to legal liabilities is considered an exposure. These include intellectual property theft, damage to company reputation, theft or manipulation of company financial or strategic information, theft or altering of client information, inappropriate use or destruction of company resources, ill-informed activities, sabotage, and inflicting harm to people or their reputations.

Understand: Finally, it is essential to understand the motives, scenarios, and environments that may lead to these acts or even provoke them. Insider threats are more likely with:

  • Unexpected or unfriendly termination
  • Troubled companies, such as bankruptcy
  • Untrained personnel
  • Environments with poor accountability
  • Desire for restitution
  • Financial motivation
  • Disgruntled personnel
  • Poor subcontractor controls
  • Social engineering naiveté

The Numbers: Here are some recent observations:

  • Insider threats are prevalent: Of approximately 100 corporate breaches that were disclosed publicly over the past twelve months, fifty percent were from the inside. Of those fifty, about half were thefts of information by employees. ("The Insider Threat," Steve Hamm. Business Week. January 20, 2006).
  • … and clever: A sophisticated ring of nine people, including seven senior employees, was arrested for selling the account and personal information of 670,000 customers from Bank of America, Wachovia, Commerce Bancorp and PNC. (Ibid).
  • There are many opportunities for these threats: A recent study in Europe by McAfee revealed the following about personnel:
    • Twenty-one percent let family and friends use company laptops and PCs to access the Internet.
    • Fifty-one percent connect their personal gadgets to their work PCs.
    • Sixty percent store personal information on their work PCs.
    • Sixty-two percent admitted to having only limited knowledge about information security.
    • Fifty-one percent did not know how to update their virus protection.
      (http://www.theregister.co.uk/2005/12/15/mcafee_inernal_security_survey)
  • Companies are often poorly prepared for these insider threats: According to the 2005 Global Security Survey of companies by Deloitte Touche Tohmatsu:
    • Thirty-five percent of respondents had experienced internal security breaches within the past twelve months.
    • Many security breaches were the result of human error and negligence, stemming from weak operational practices.
    • Experienced hackers attest to the fact that it is more effective to prey on the people and process weaknesses than trying to crack today's sophisticated technical solutions. Effective threat vectors include phishing, pharming, fraudulent web sites and social engineering.
    • Only sixty-five percent of the organizations have trained their employees on how to identify and report any suspicious activities.
    • A mere six percent of respondents provide security awareness training as part of their new hire orientations.
      ("2005 Global Security Survey". Deloitte Touche Tohmatsu. 2005)

Practical Approaches to Mitigation: Technology cannot solve the problem, because the problem is often one of people and processes. For example, in May 2005 Verisign performed an unscientific experiment in San Francisco's financial district. Verisign offered 272 people on the street a $3 Starbucks gift card for their passwords. Sixty-six percent traded their passwords, and seventy percent of the rest were willing to provide clues to their passwords. One executive who was too busy to stop and reveal his password later sent an administrative assistant back to make the trade.

This is one illustration. There are many others. All of them illustrate that security has to be built into the fabric of the company. It bears repeating that the solution involves people and process and that technology alone cannot prevent, mitigate, or annul an insider threat.

Approaches to people and process should include:

People:

  • Senior management must actively commit to an ongoing information security program.
  • The insider threat must be redefined to include third parties that have access to internal resources and information.
  • There must be a well-publicized zero tolerance posture for compromises of information resources.
  • People must be held accountable. Standards must be uniformly enforced for everyone, no exceptions.
  • Security awareness must be a priority.
    • Insiders must understand the value of information.
    • Everyone's responsibilities for handling company resources must be explained in succinct, understandable, non-technical approaches and must be documented.
    • Appropriate and inappropriate behaviors must be spelled out and enforced.
    • Regulatory compliance requirements must be widely understood.
  • Insiders must understand and use the controls that have been established.
  • A 'champion' should be assigned the responsibility to ensure that mitigating the insider threat is integrated into the culture of the company through its people and its processes.
  • The company must adopt a preemptive, proactive position on defending against the insider threat.
  • Most important, all actions must be taken from the perspective of encouraging and promoting a climate of trust, versus one of apprehension, oppression, paranoia and distrust.

Processes:

  • Security policies must be established, documented, and followed by everyone.
  • Activities should be monitored, logged and reviewed periodically. These include logon attempts, account privileges, Internet access, and system activities.
  • A tip hotline should be established for reporting suspicious activities or compromises. A third party should be used to ensure anonymity and the integrity of the process.
  • Effectiveness of controls should be tested regularly.
  • An information classification program should be established.
  • All insiders should be subject to formal background screening.
  • All insiders should be required to formally acknowledge their responsibilities by signing the company's Acceptable Use policy.
  • Third parties must be required to sign comprehensive non-disclosure and Acceptable Use agreements.
  • Security awareness must be an ongoing process.
  • Education and training must be a priority.
  • All information and computing resources must be assigned an owner, who is responsible for classifying and ensuring proper handling throughout the lifecycle.
  • Processes for identifying and monitoring high risk situations and individuals should be established.
  • Rotation of duties should be employed, particularly whenever the potential for fraud is high.
  • Account management must be taken seriously, by at least the following:
    • Reviewing all accounts quarterly and removing obsolete accounts.
    • Reassessing access privileges when someone changes roles.
    • Disabling accounts upon termination, whether of employees or third parties.
    • Employing the principle of least privilege.
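The monitoring item above (reviewing logon attempts and account privileges) and the four account-management steps (removing obsolete accounts, reassessing privileges on role change, disabling accounts at termination, least privilege) can be turned into a repeatable quarterly check. The following Python script is an added example written for this page; it is not code from the paper or from Polar Cove. The HR roster, directory export, group names, role entitlement table, log format and dates are all constructed for illustration; a real review would read them from the directory and HR system instead.

```python
"""Quarterly account review and logon-attempt check over constructed sample data."""
from collections import Counter
from datetime import date

# --- Constructed sample data (hypothetical, not from the paper) -------------
# Entitlements each job role is expected to hold (least privilege baseline).
ROLE_ENTITLEMENTS = {
    "accounts-payable": {"erp-ap-entry"},
    "sysadmin": {"erp-ap-entry", "erp-admin", "domain-admin"},
    "contractor-dev": {"git-read"},
}

# HR roster: who is still with the company, and in which role.
ROSTER = {
    "alice": {"status": "active", "role": "accounts-payable"},
    "bob": {"status": "terminated", "role": "sysadmin"},
    "carol": {"status": "active", "role": "accounts-payable"},  # moved here from sysadmin
    "dave": {"status": "active", "role": "contractor-dev"},
}

# Directory export: one record per account, with its groups and last logon.
ACCOUNTS = [
    {"user": "alice", "enabled": True, "last_logon": "2006-03-01", "groups": {"erp-ap-entry"}},
    {"user": "bob", "enabled": True, "last_logon": "2006-01-15",
     "groups": {"domain-admin", "erp-admin", "erp-ap-entry"}},
    {"user": "carol", "enabled": True, "last_logon": "2006-03-02", "groups": {"erp-ap-entry", "erp-admin"}},
    {"user": "dave", "enabled": True, "last_logon": "2005-10-01", "groups": {"git-read"}},
    {"user": "svc-legacy", "enabled": True, "last_logon": "2005-06-30", "groups": {"erp-admin"}},
]

# Date on which this (constructed) review is run.
REVIEW_DATE = date(2006, 3, 31)

# Constructed authentication log (hypothetical format: timestamp user result source).
AUTH_LOG = """\
2006-03-30T08:01:10 alice SUCCESS 10.1.2.3
2006-03-30T22:14:01 bob FAILURE 10.1.9.7
2006-03-30T22:14:05 bob FAILURE 10.1.9.7
2006-03-30T22:14:09 bob FAILURE 10.1.9.7
2006-03-30T22:14:14 bob FAILURE 10.1.9.7
2006-03-30T22:14:20 bob FAILURE 10.1.9.7
2006-03-30T22:15:02 bob SUCCESS 10.1.9.7
2006-03-31T09:00:00 carol SUCCESS 10.1.2.8
"""


def review_accounts(accounts, roster, role_entitlements, today, dormant_days=90):
    """Return (user, finding, action) tuples for every account that fails the review."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        person = roster.get(user)
        if person is None:
            # No roster entry: nobody owns this account, so nobody can attest to it.
            findings.append((user, "orphan", "assign an owner or remove the account"))
            continue
        if person["status"] == "terminated":
            # Termination overrides everything else: the account must be disabled.
            if acct["enabled"]:
                findings.append((user, "terminated-enabled", "disable immediately"))
            continue
        # Role change check: groups beyond what the current role needs are privilege creep.
        expected = role_entitlements.get(person["role"], set())
        excess = acct["groups"] - expected
        if excess:
            findings.append((user, "excess-privilege", "remove " + ", ".join(sorted(excess))))
        # Obsolete account check: enabled but unused for longer than the dormancy window.
        idle = (today - date.fromisoformat(acct["last_logon"])).days
        if acct["enabled"] and idle > dormant_days:
            findings.append((user, "dormant", f"no logon for {idle} days"))
    return findings


def flag_logon_anomalies(log_text, roster, failure_threshold=5):
    """Flag repeated failed logons per user and any successful logon by a non-active user."""
    failures = Counter()
    flagged = []
    for line in log_text.splitlines():
        ts, user, result, src = line.split()
        if result == "FAILURE":
            failures[user] += 1
            if failures[user] == failure_threshold:  # report once, when the threshold is reached
                flagged.append((user, "failed-logon-burst", f"{failure_threshold} failures by {ts} from {src}"))
        elif result == "SUCCESS" and roster.get(user, {}).get("status") != "active":
            flagged.append((user, "logon-by-non-active", f"{ts} from {src}"))
    return flagged


if __name__ == "__main__":
    for item in review_accounts(ACCOUNTS, ROSTER, ROLE_ENTITLEMENTS, REVIEW_DATE):
        print("ACCOUNT", *item)
    for item in flag_logon_anomalies(AUTH_LOG, ROSTER):
        print("LOGON  ", *item)
```

Run against the sample data, the review flags bob (terminated but still enabled), carol (kept an admin group after changing roles), dave (no logon in six months) and svc-legacy (no owner on the roster), while the log check reports bob's burst of failed logons followed by a successful logon after termination. The two checks are deliberately driven by the same roster so that the HR record, not the directory, is the source of truth for who is still an insider.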

Summary: The insider threat is real. However, the good news is that it can be effectively reduced without significant capital investment. It is a well-known maxim that security is a process, not a product. Through proactive management (reframing the problem, increasing commitment and awareness, and implementing processes to promote accountability), organizations can reduce the insider threat risk and build a cooperative, secure corporate culture.

To learn more about Polar Cove and SAS 70 preparation, please write to the author, etyrrell@polarcove.com or to info@polarcove.com


© 2006    Polar Cove