
Lessons on insider threats

In the past two years, two rogue traders, Jerome Kerviel at Société Générale, and then just recently, Kweku Adoboli at UBS, cost their respective financial institutions more than $9B by making unauthorized trades.

And let's not forget Julian Assange. WikiLeaks gave new meaning to the concept of insider threat by providing a convenient vehicle that empowers staff at government agencies and public and private corporations to hand their privileged information to the world instantly.

Insider threats are becoming a global phenomenon. Every company in every part of the world is subject to some level of insider threat. And guess what? Insider villains are just as unidentifiable in the U.K. as they are in the United States. They appear just as innocuous in Poughkeepsie as they do in Perth.

Yet despite these costly, high-profile breaches, hacker attacks are far more publicized than insider attacks. Last summer Anonymous and LulzSec attacks splashed news headlines, and undoubtedly more people could name Anonymous than they could Kweku Adoboli.

As I meet with executives of large corporations, they have one request of our company: Keep us out of the Wall Street Journal. Don't let me be the CEO who lost all of my customers' credit card data.

The richness and sensitivity of this information, much of it personal to the consumer, has led to a series of legislative efforts to ensure it is secured. The enactment of Sarbanes-Oxley, PCI-DSS, Basel II and a host of standards throughout the world has emphasized the importance of securing our customers' assets, and indeed requires us to do so.

Billions of dollars have been spent over the last few decades on corporate information technology security in order to “keep the bad guys out,” but it turns out the bigger threat was, and always has been, found within the network perimeter. The so-called “insider threat,” the trusted employee, contractor or partner, can cost an organization more on a daily or per-incident basis than any outside hacker could hope to.

Whether we like it or not, “good people can do bad things” intentionally, accidentally, or indirectly.

If you have employees with excessive privileges or access to sensitive data, then they are at risk of intentionally, accidentally or indirectly misusing that privilege and potentially stealing, deleting or modifying the data. There is a very fine line between intent and action, especially when excessive privileges on IT resources are involved.

In April 2011, a former network security engineer at Gucci America was indicted on charges that he illegally accessed the company's network and deleted documents shortly after he was fired, costing Gucci nearly $200,000 in damages. Using an account he secretly created while working at the company, the former employee allegedly later accessed Gucci's network and deleted virtual servers, shut down storage areas and wiped corporate mailboxes.

Employee terminations are, unfortunately, a necessary evil for corporations. The Gucci America case, and many others like it, calls attention to the importance of having policies and procedures in place to ensure terminated employees no longer have access to company information and resources. Email, network and application accounts must be swiftly deactivated. Employees who were granted administrative privileges while at the company pose an even greater threat, since they may have created accounts or access paths that a standard deprovisioning checklist never looks for.
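The kind of reconciliation check the Gucci case calls for, as an added example (not the article's or BeyondTrust's code): it compares a constructed HR termination feed against a constructed directory export and flags every still-enabled account that is owned by, or was provisioned by, someone who has left. The field names and sample rows are assumptions.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Account:
    """One row of a directory export (constructed; field names are assumptions)."""
    name: str
    owner: str        # employee id the account is assigned to ("" = unassigned)
    created_by: str   # employee id that provisioned the account
    enabled: bool
    is_admin: bool    # account carries administrative rights


# Constructed HR feed: employee id -> termination date.
TERMINATED = {"e102": date(2011, 4, 1), "e103": date(2011, 4, 15)}

# Constructed directory export. "kex" was correctly disabled on termination,
# but "svc_backup", an unassigned admin account that e102 created earlier,
# is still live: the pattern described in the Gucci case.
ACCOUNTS = [
    Account("jdoe", "e101", "e100", True, False),
    Account("kex", "e102", "e100", False, False),
    Account("svc_backup", "", "e102", True, True),
    Account("mroe", "e103", "e100", True, False),
]


def offboarding_findings(accounts, terminated):
    """Return (account, severity, reason) for each enabled account that is
    owned by, or was provisioned by, a terminated employee."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue  # already deprovisioned, nothing to report
        reason = None
        if a.owner in terminated:
            reason = f"owner {a.owner} terminated {terminated[a.owner]}"
        elif a.created_by in terminated:
            reason = (f"provisioned by {a.created_by}, terminated "
                      f"{terminated[a.created_by]}; ownership unverified")
        if reason:
            severity = "high" if a.is_admin else "medium"
            findings.append((a.name, severity, reason))
    return findings


if __name__ == "__main__":
    for name, severity, reason in offboarding_findings(ACCOUNTS, TERMINATED):
        print(f"{severity.upper():6} {name}: {reason}")
```

Run against a real export, the "provisioned by" branch is the one a termination checklist that only disables the leaver's primary account will miss.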

Human nature is the weakest link when it comes to the intersection of people, processes and technology. And, all too often it's the tendency of almost the entire IT industry – vendors, analysts and press – to ignore this.

You can't rely on everyone being a saint or competent all of the time. It's not just malicious malcontents intent on destroying the system who can cause havoc, but also the negligent, misinformed and downright nosey who can compromise sensitive data. More often than not, such people have far too much privileged access – admin rights on the desktop, the root password on the server – for the role they are required to play.

It would be nice if every villain inside your organization walked around wearing a big sign that broadcasts "bad guy looking to do bad things," but alas it is only in cartoons and movies where you can always find the stereotypical bad guy.

In real-life enterprises, insiders look like you and me – just regular employees doing their job and collecting their paycheck. That's why securing the perimeter within is so important.


Brian Anderson is CMO at BeyondTrust. Brian co-authored the first definitive book on insider threat mitigation with BeyondTrust CEO John Mutch, called Preventing Good People from Doing Bad Things.
