The number of annual security incidents caused by insider threats is increasing. InThe CERT Guide to Insider Threats, Capelli et al write, “Insider threats are an intriguing and complex problem. Some assert that they are the most significant threat faced by organizations today.”
Disgruntled system administrators damage data and systems, skilled professionals steal intellectual property, and less skilled employees use information to achieve political or financial objectives. Any of these can constitute a critical national defense breach or breach of public trust.
To defend against completion of damage or theft, an organization must hold every employee responsible for detecting and reporting both behavior and technical evidence indicating a possible employee defection from policy and compliance. Further, technical controls help monitor suspected offenders and the network overall for evidence of criminal behavior.
In a 2008 article I wrote for CBS Interactive/TechRepublic, I listed employee characteristics that warn of potential defection from organizational and social policy and norms, including:
- Appearing intoxicated at the office
- Actual or threatened use of force or violence
- Pattern of disregard for rules and regulations
- Attempts to enlist others in illegal or questionable activity
- Pattern of lying and deception of co-workers or supervisors
- Argumentative or insulting behavior toward work associates
- Attempts to circumvent or defeat security or auditing systems
In general, any negative change in an employee’s behavior is concerning. Further, actions taken by management can trigger a borderline defector to cross into criminal behavior. For example, an already disgruntled employee might feel justified in stealing and selling intellectual property after being passed over for promotion. Any potential problem-employees are candidates for additional monitoring.
Terminating an employee is one way to deal with a potential problem. However, we often value employees who are simply going through rough personal times. Further, termination without prior efforts to resolve issues can result in litigation. It is often better to remediate than quickly terminate.
First, we should ensure all employees understand organizational policies regarding use of information resources and workplace behavior. Second, any policy violation should result in quick response by management. The response should match the level of the offense. Further, every employee, without exception, should understand the consequences of defection.
Finally, problem employees often do not engage in inappropriate behavior in front of management. This means we must train employees, as well as managers, to detect suspect behavior and report it. Since many employees would rather not become personally involved, an anonymous tip line is a possible solution. For example, a large organization for which I worked had a toll-free number any employee could call to report policy violations or any other concern or complaint. Weekly, a compliance committee met to go over all reports, and there were many. Anything that appeared critical did not wait for the weekly meeting but was handled immediately.
While behavior monitoring can alert us to many incidents, it often fails when dealing with network and server administrators who go rogue. In addition, we can easily miss behavior signals when an employee does her best to hide them. When behavior monitoring fails or is insufficient, technical monitoring should fill the gap.
For non-administrators, we control how much information an employee can access (and what he can do with it) by enforcing need-to-know, least privilege, and separation of duties. Organizations enforce all three by properly managed authorization policies and processes.
The first two are closely related. Need-to-know restricts the information a user can access only to that required for daily task completion. Least privilege controls what a person can do with the information accessed. For example, need-to-know might allow me to see electronic information classified as top secret, but least privilege would prevent me from changing or deleting it unless my role in the organization requires it. Together, they strictly limit insider threat damage.
Separation of duties, when properly implemented, prevents any one person from performing all tasks associated with a critical process. If in place and working, separation of duties prevents a software developer from creating malware and placing it in a production environment. In other words, developers should not be able to place their work into production systems.
Finally, organizations must control the movement of sensitive information. If not possible using direct means, such as data rights management, then through indirect means. One of the most effective indirect monitoring methods is NetFlow analysis. NetFlow, emerging as the IPFIX standard, collects network traffic flow information at various points across the network. Information gathered and aggregated to an analysis and management server provides insight into anomalous traffic flow. If, for example, an employee decides to copy a large number of documents to an Internet location, NetFlow statistics would alert security to unusual behavior at one or more points on the network. This near-real-time identification of bad things happening on the network enables quick and effective response: stopping the document transfer or mitigating its effects on the organization.
In addition to NetFlow, security information and event management (SIEM) provides additional information about anomalous server or network behavior. SIEM solutions gather logs from various devices and systems, aggregating them into a correlation server. An event correlation application then mines unusual patterns or patterns known to be related to malicious behavior. Questionable activity is reported to security via email, SMS, or a Web portal.
Finally, employment termination and job change processes must include immediate revocation of all rights and privileges to previously accessed information resources. During a job change, removing all access and then granting access for the new role is a good approach. Failure to adequately perform these tasks is a significant cause of insider incidents… especially those caused by administrators.
While the previous controls also work for malicious activities by administrators, they tend to fall short. Administrators can alter logs or create backdoor accounts for use after hours or post termination. Monitoring and separation of duties can help eliminate these vulnerabilities.
Administrator monitoring must extend to changes applied to special purpose files. One example includes log changes. Operating systems or other third-party solutions can track changes to logs, including who made the change and when. Security teams can identify unplanned changes and respond appropriately. This also applies to other files that might contain critical system management information and applications in the production environment.
In addition to file changes, any creation of a privileged account should raise a warning. For example, one security team ran a script every morning to determine if any accounts had been added to any Windows Active Directory administrator group. If so, the addition was reviewed against change management documentation to ensure it was approved. Any questionable account was removed and the offending employee was reported to his manager. A periodic audit of all privileged accounts, whether disabled or active, is another good way of identifying possible rogue IDs.
Sharing of administrator passwords also requires special attention. Each time a shared admin account is used, log it. Each time an administrator leaves the organization, change all shared passwords. If your budget allows, consider implementing a privileged password management solution that logs who checks out shared account passwords and changes the passwords after use.
Insider threats are real, and they will eventually cause an incident in every organization. Proper preparation, training, and vigilance can prevent or mitigate related negative consequences.
Note: The above article is part of a shared content agreement between Hack Read and InfoSec Institute.
By: Tom Olzak