The theft or misuse of corporate assets by a trusted individual poses challenges, but there are strategies and tools to put in place, reports David Cotriss.
How big a problem is the threat from insiders?
“Bigger than most people realize because many times they can't tell if they have an issue,” says Craig Shumard, principal of Philadelphia-based Shumard and Associates, a strategic security consulting firm, and former vice president of security at Cigna Insurance. Insider threats are often under-reported, he says, because companies do not want it known that they've become victims of such attacks. At other times, an enterprise may be unaware it has been compromised.
There's a widely reported mythology that insider-spawned breaches occur far less frequently than external attacks, says James Quin, lead research analyst at Ontario, Canada-based Info-Tech Research Group. When his organization interviewed companies about the issue, the survey found that the accepted wisdom proved not to be true. Quin says that while the prevalence of malicious insider incidents is indeed quite low, erroneous or accidental breaches are “happening with alarming frequency.” That is, although insiders are to blame for some malicious activity, add to that the high rate of employees unintentionally causing a data leakage incident, and the tally for insider culpability mounts.
The problem is exacerbated by the fact that companies are not prepared or equipped to deal with such incidents. “We're finding that organizations don't have an insider threat program in place,” says Dawn Cappelli, technical manager at the Computer Emergency Response Team (CERT) Insider Threat Center, a research-and-development entity at Carnegie Mellon University's Software Engineering Institute in Pittsburgh. CERT is working with the federal government and private companies to design a prevention and mitigation program. Most corporations, she says, are focused on protecting their networks from outside threats, but they don't yet have anyone in charge for insider threat mitigation. This situation must change, with one person given authority and responsibility for dealing with insider threats. To succeed, that person must have the backing of general counsel because of privacy issues, and they must work well with IT and human resources.
Cappelli adds that in last year's “Cyber Security Watch” survey from Deloitte, 46 percent of respondents said insider attacks were more costly to their organization than external attacks. Yet most companies that have purchased software tools that are marketed as internal attack mitigation solutions are using them only to address external attacks.
“What you need to worry about is how to keep your employees happy.”
– Andy Ellis, CSO, Akamai Technologies
While the incidence of insider incidents has stabilized over the past few years, the opportunities have increased because of greater use of third-party contractors, the bring-your-own-device (BYOD) phenomenon, and the co-mingling of personal and business data spurred by the popularity of smartphones and tablets. Today, attacks can be launched at handheld devices, and this vector has become a major source of data leakage. Furthermore, despite all the new tools that have been developed over the past few years, “25 to 30 percent of threats cannot be controlled by technology,” says Shumard.
It is not feasible to completely stop malicious data leakage, agrees Quin. “Technology cannot address everything,” he says. “You can't stop people writing things down with a pencil and a piece of paper.”
As well, privileged users can insert malicious code almost anywhere without it being flagged as anomalous activity, he says. They have the ability to override system controls without detection.
“You can't stop insider threats,” says Andy Ellis, CSO at Cambridge, Mass.-based Akamai Technologies, which provides a platform for conducting business online. “What you need to worry about is how to keep your employees happy. What are you doing for employee retention? A lot of insider threats come from unhappy employees. How do you prevent the trusted insider from doing something that threatens the company?”
For Ellis, the threat fell close to home. Akamai was the victim of a foiled attempt by a former employee to spy on the company. Elliot Doxer pleaded guilty last year to a charge of foreign economic espionage for providing trade secrets to an FBI agent posing, over a two-year period, as an Israeli intelligence officer. When Doxer contacted the Israeli consulate and offered to give it confidential information in exchange for money, the consulate contacted the FBI.
To best thwart the malicious attacker, Shumard recommends looking at anomalous behavior. “Take people who hold the same position who have the same job rules and access,” he says. “Why does one employee log-on at 4 in the morning and log-off at 10 at night, while other employees log on at 8 in the morning and log off at 4 in the afternoon? Why would one person download 2,400 documents in a day while the others are downloading 20 or 30? There might be a valid reason for this, such as a special project, but these are indicators of possible malicious behavior.”
Meanwhile, many companies tend to ignore accidental data leaks, even though they can prove costly. Two-thirds of all insider threats are unintentional, says Quin. For example, sending an email to an entire list instead of one intended recipient, or hitting “reply all” instead of “reply,” could have severe consequences.
“Companies have to start contemplating solutions to correct this,” he says. “We haven't done a good job of educating employees about appropriate custodial care of data.”
Shumard agrees. “Sometimes it's just people not understanding proprietary information or a highly sensitive piece of information,” he says. He recommends that companies hold security awareness training for all employees. “Education is important because people have to understand the rules and abide by them.”
Be proactive, says Ellis. He follows Akamai employees on LinkedIn because if there is suddenly a flurry of new connections, it's likely that an individual is looking for a new job. Depending on the access that person has to sensitive information, he says the prudent approach is to take some preventative action.
However, Ellis also says organizations must weigh the cost of prevention tools versus the value of the potentially leaked information. And, he says sometimes a corporation is paying for technology that slows down the speed of innovation.
The sensible methodology, according to CERT, is to use a combination of technical and non-technical potential indicators of malicious activity to identify individuals who may be more likely to commit an unauthorized act. By monitoring and controlling outbound traffic, an organization can greatly increase its chances of mitigating malicious activity.
Data leakage: Prevention
To thwart the inevitability of attacks from within, CERT recommends that companies log all downloads and set alerts when critical information is copied to removable media. Other recommended actions are:
Photo: Inside the network operations command center at Akamai in Cambridge, Mass., Nicole Fusco, network operations engineer, looks for anomalous activity, perhaps indicating inappropriate employee practice.