NCSAM: Trust abused - looking at threats from the inside
by Steve Ragan - Oct 4 2010, 13:00
To kick off The Tech Herald’s coverage of National Cyber Security Awareness Month, we start by looking at threats from the inside. To do this, we spoke to Noa Bar Yosef, the senior security strategist at Imperva.
When a company suffers a loss as the direct result of a breach, the public's first instinct is to look for external attackers. Most organizations, by contrast, start by looking within, opening the breach investigation by clearing those who had access first. That seems like an obvious way to run an investigation, but it isn't always followed, and when an insider caused the damage, the cleanup can be painful.
Abused trust often starts with a change. For some, that change is mounting pressure over bills, or pressure to compete with other employees. Sometimes abused trust comes down to greed: the chance to do something that seems minor in return for a quick payoff. Take for example the Disney employee whose job was to publish the company's financial earnings, and who was later convicted of insider trading.
Then there is the worst kind of insider threat: the act of revenge, by an employee who was recently fired or who knows the axe is coming. In these cases the employee will simply take all of the information they can and hope to use it as leverage later. Some don't see this as theft: they worked at the business for years, so in their mind the work is theirs to keep.
“An employee leaving the company - whether this was a termination by the company or the sense to leave, [might] attempt to access all documents considered to be under [their] ownership,” Yosef explained.
Managers are fighting an invisible threat. No business wants to hold its employees at a distance, making it clear that whatever trust is placed in them is minuscule. You have to trust them. Still, there have been plenty of cases where that trust has been abused. So what are the signs of an insider threat?
One is the access itself. If an organization notices sudden spikes in downloads from the file server, or abnormal traffic to an internal development server, this is a red flag, Yosef explained. Such was the case of a DuPont employee who was indicted in 2007 after walking off with $400 million worth of company data.
An organization should also notice activities during questionable times. For example, why would a DMV worker be accessing records during the weekend, given that the branch is closed?
Unauthorized attempts to reach departmentalized data should also be questioned, such as developers trying to access HR systems. Even failed activity can be suspicious, like a high number of invalid login attempts.
Considering the aforementioned red flags, one would think that catching insider fraud would be easy. Employees are monitored to some degree within any organization, but the larger the network, the harder it is to see everything. Abnormal actions stand out; more often than not, the harder question is what to make of normal actions.
“Often, access to the confidential company data may be rightfully obtained in order to perform a job. It could be for example that a salesperson downloaded the complete customer-base to [their] laptop to work offline,” Yosef said.
This is where policy enforcement comes into play, and strict controls when dealing with asset management and employee access. Should it take seven days to terminate an employee’s access to the VPN? Should you allow them to drop off their laptop on Monday or take it from them on Friday?
So assume the worst happens. What should an organization be looking for after a breach if they think the problem started on the inside?
“In order to perform a proper analysis of a breach, the groundwork should hopefully be in place. The groundwork, in this case, is monitoring of data access. This is the monitoring of every individual’s access to the sensitive data, including those privileged users who have the authority to access the data,” Yosef explained.
Some questions to answer include: who accessed the data? Was it someone from accounting or someone from HR? Did they have expected access to this data? When and how was the data accessed?
Of course, it's not enough for companies to complete the investigation, present a report summary, and close the case, Yosef added. Rather, the insights from such a breach should be used to keep a similar breach from recurring.
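As an added example (not from the article, and not Imperva's code), the Python script below turns the red flags described earlier (download spikes, access at questionable times, cross-department access, bursts of failed logins) into rules run over a data-access log, and then answers the post-breach questions just listed (who accessed a system, from which department, whether that access was expected, and when and how). The log lines, the user directory, the business-hours window and every threshold are assumptions constructed for the illustration, not data from the cases the article mentions.

```python
"""Insider-threat red flags and post-breach questions over an access log.

Added example, not from the article or from Imperva. The directory, the log
lines and all thresholds below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed directory: user -> (department, systems the user is expected to use).
DIRECTORY = {
    "alice": ("sales", {"crm"}),
    "bob": ("dev", {"git"}),
    "carol": ("hr", {"hr-db"}),
    "dave": ("dmv-clerk", {"records"}),
}

# Constructed log: timestamp user system action bytes outcome
SAMPLE_LOG = """\
2010-09-27T10:02:11 alice crm download 12000 ok
2010-09-28T11:15:40 alice crm download 15000 ok
2010-09-29T09:30:05 alice crm download 14000 ok
2010-09-29T13:30:00 carol hr-db read 4000 ok
2010-09-29T14:00:00 bob hr-db read 3000 denied
2010-09-29T14:00:05 bob hr-db read 3000 denied
2010-09-29T14:02:00 bob git login 0 fail
2010-09-29T14:02:09 bob git login 0 fail
2010-09-29T14:02:20 bob git login 0 fail
2010-09-29T14:02:31 bob git login 0 fail
2010-09-29T14:02:45 bob git login 0 fail
2010-09-29T14:03:02 bob git login 0 fail
2010-09-30T16:44:52 alice crm download 900000 ok
2010-10-02T23:10:01 dave records read 2000 ok
"""


def parse_log(text):
    """Parse the whitespace-separated log format above into a list of dicts."""
    records = []
    for line in text.strip().splitlines():
        ts, user, system, action, nbytes, outcome = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "system": system, "action": action,
                        "bytes": int(nbytes), "outcome": outcome})
    return records


def volume_spikes(records, factor=10, min_days=3):
    """Flag a user/day whose successful download volume exceeds factor x the
    median of that user's other days. Needs min_days of history per user."""
    daily = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["action"] == "download" and r["outcome"] == "ok":
            daily[r["user"]][r["ts"].date()] += r["bytes"]
    hits = []
    for user, days in daily.items():
        if len(days) < min_days:
            continue
        for day, total in days.items():
            baseline = median(v for d, v in days.items() if d != day)
            if total > factor * baseline:
                hits.append((user, day.isoformat(), total))
    return hits


def off_hours(records, start=7, end=19):
    """Flag any access on a weekend or outside the assumed business hours."""
    return [(r["user"], r["system"], r["ts"].isoformat()) for r in records
            if r["ts"].weekday() >= 5 or not (start <= r["ts"].hour < end)]


def cross_department(records):
    """Flag access (successful or denied) to a system outside the user's expected set."""
    hits = []
    for r in records:
        dept, expected = DIRECTORY[r["user"]]
        if r["system"] not in expected:
            hits.append((r["user"], dept, r["system"], r["outcome"]))
    return hits


def failed_login_bursts(records, threshold=5, window=timedelta(minutes=10)):
    """Flag a user with at least `threshold` failed logins inside one `window`."""
    fails = defaultdict(list)
    for r in records:
        if r["action"] == "login" and r["outcome"] == "fail":
            fails[r["user"]].append(r["ts"])
    hits = []
    for user, times in fails.items():
        times.sort()
        for i, first in enumerate(times):
            count = sum(1 for t in times[i:] if t - first <= window)
            if count >= threshold:
                hits.append((user, first.isoformat(), count))
                break
    return hits


def who_touched(records, system):
    """Post-breach questions for one system: who, which department,
    was the access expected, and when/how."""
    answers = []
    for r in records:
        if r["system"] != system:
            continue
        dept, expected = DIRECTORY[r["user"]]
        answers.append({"user": r["user"], "department": dept,
                        "expected": system in expected,
                        "when": r["ts"].isoformat(),
                        "how": f"{r['action']}:{r['outcome']}"})
    return answers


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("download spikes:", volume_spikes(recs))
    print("off-hours access:", off_hours(recs))
    print("cross-department access:", cross_department(recs))
    print("failed-login bursts:", failed_login_bursts(recs))
    for a in who_touched(recs, "hr-db"):
        print("hr-db:", a)
```

Note what the spike rule does and does not decide: alice's 900000-byte CRM download is exactly the "rightfully obtained" access Yosef describes, a salesperson taking the customer base offline, so the rule surfaces it for a human to review against the policy, rather than labelling it theft. The cross-department rule keeps denied attempts on purpose, since a developer probing the HR database is a signal whether or not the control held.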
“This means not only to strengthen the specific control which was abused, since a different one could be exploited at a later stage. Rather, a full-fledged security process should be put in place as part of the company’s security initiative to make sure they avoid the next insider threat.”
If you manage access controls, how do you do it? What are your red flags when dealing with internal threats? We know no business is the same, so any variation and “pro tips” you can share will help everyone.