Incident Response, TDR

Danger within: The inside threat


Every business faces the possibility of external attacks, but another potential threat is on the premises, reports Dan Raywood.

The biggest difference between insider and external threats is that while businesses are often equipped to deal with the latter, they tend to be left wanting when it comes to monitoring and detecting unusual or suspicious employee behavior.

A recent poll of 300 IT decision-makers conducted by UK-based communications security company Clearswift found that 83 percent of respondents experienced a data security incident in the past year. Interestingly, 58 percent of these believed an insider was the culprit, while seven percent laid the blame at the door of former employees.

 “Look at the statistics on data loss – only seven percent of it comes from misuse, which could be someone doing something they shouldn't, or theft,” says Chris Cheyne, senior consultant, cyber security division of investment and advisory company Salamanca Group. It is not always about volume, he says. The reality is that while an opportunist might hack into a network and pull data to analyze later and try and sell, if they deem it valuable, the insider has access to what they already know is high-value information.

In truth, experts say, the insider threat should be as big a concern for businesses as the threat posed by external hackers, if not bigger, because it is so hard to spot and stop. 

In early June, the whole insider threat concept was blown open with Edward Snowden's revelations about the U.S. government's monitoring campaign and its data-gathering Prism program. Aside from raising questions about the morality of such state surveillance, Snowden – a systems administrator assigned to the National Security Agency by government contractor Booz Allen Hamilton – exposed how powerful one individual could be in the face of the world's biggest superpower, arguably bringing the reputation of his employer crashing down in the process.

The federal government did seem to be aware of such a threat. Last November, President Obama issued a Presidential Memorandum on minimum standards for executive branch insider threat programs, where he authorized the development of programs within departments and agencies to “deter, detect and mitigate actions by employees who may represent a threat to national security.”

Little was the president to know what was to come, but his memorandum was obviously ineffective against Snowden's disclosures.

Threat to society

Looking at the Clearswift research and the Snowden affair together, it would appear that while insiders pose an enormous threat to organizations, awareness of the task at hand has perhaps never been higher.

James Gosnold (left), a CSO in the central government business area of Fujitsu in the U.K., believes that businesses have always been paranoid about the insider threat, and says his company has always put stock in managing privileged user activity. “In getting people to look at what is coming out of systems, you can see what the trusted users are doing,” he says. “If anything, episodes like Snowden and WikiLeaks have given me ammunition to reinforce those key messages.”

Gosnold has worked with the U.K. government and claims it is prepared for whistleblower-type scenarios within its secure policy framework and recognizes the importance of trusted users.

He refers to the “security triad” of confidentiality, privacy and integrity when discussing strategies to deal with insiders. The first concept is the most important, he says, and it is vital to have an audit trail of who has accessed what and when. “Security clearances are a key control in government and remain so,” he says.

For Gosnold, minimizing the insider threat is a case of going back to basics by remembering the security principle of separation and segregation of duty. “I have given talks before on having an active security monitoring program, and it is easy to make a case,” he says. “It is not about exceptions and users who fail to access files or logon, or suspicious activity – sometimes you need real people sitting down to look at the ports and pick out unusual activity you might want to question.” 

Other experts point to the human factor as well. The impact of the insider threat is not something new, but follows a trend of the employee being the weak link in a company's security, says Paul Swarbrick, CISO at National Air Traffic Services, the primary air navigation service provider in the U.K.

There are a number of reasons a staffer might turn against their employer and leak company secrets (i.e., being passed over for promotion, etc.). “There are 99 percent [of employees] who are fine – it's the other one percent you need to control,” he says. “Without controls, you cannot know what is going on.”

Swarbrick agrees with Gosnold's point on the importance of segregation, pointing out that while CISOs will never mitigate the risk, they can manage it through segregation and by questioning how much risk is acceptable. “If someone argues to have access to everything, how much risk are you prepared to carry?” he says.

For Gosnold, it is possible to control privileged users by regularly questioning them about activity and changes, but he says it is important to make them understand why you are monitoring them: That it is for everyone's benefit.

A solution in tools

So, could controls have prevented what Snowden did, and can tools protect companies in the event of such a threat? Firewalls, anti-virus, intrusion detection and sandboxing technologies exist to stop the bad stuff coming in, but what can really stop an employee downloading multiple records to a thumb drive, or placing them in the cloud for a large fee to the highest bidder?

Often, as was the case with Snowden, that disillusioned employee has legitimate access to sensitive data. In fact, Snowden was one of 1.2 million in the U.S. with that high-level of clearance, says Malcolm Marshall (left), head of information protection and business resilience at KPMG in the U.K.

Marshall says that the tools to track employees are not too far off. “It is difficult to monitor behavior,” he says. “What I do see are good examples with banks that monitor high-profile accounts that they have flagged and monitored.” To achieve this, he explains, they sometimes create honeypots to see who is looking around as behavioral technologies only apply to the external threat. As Big Data analytics matures, the ability for monitoring should become easier, he says.

However, one problem with monitoring is the noise created. If the solution offered by Big Data analysis is some way off, could a more ready solution exist within IT policies?

And, the collection of massive amounts of data creates new challenges for those charged with looking out for anomalies. For example, government agencies do have a number of tools in place to mitigate suspicious activities – including keylogging software and computer logs that identify the locations of personnel and activity within federal IT systems and networks. But, having these tools in place obviously cannot prevent all leaks. Authorities cannot monitor and keep up with alerts for all network activity, particularly for a program as massive as the NSA's. Reports estimate its Prism program was gathering more than 250 million internet communications since 2011, though the full extent of its data-gathering remains undisclosed.

Steve Wright, global privacy officer at the U.K. office of Unilever, says that the only way to mitigate an insider threat is awareness and using technology that does not inhibit a business's day-to-day activity. While accidental loss can be caused by basic errors, the insider threat can be the Achilles' heel of a business that can bring down the reputation of an entire organization, he says.

In agreement is Heyrick Bond Gunning, managing director of Salamanca Group. For him, an incident such as presented by Snowden is probably the biggest fear for businesses: The fact that they have an employee who will say, “I don't care what I've signed, I fundamentally disagree with the way this organization is being run.”

It is a difficult thing to prevent from happening, he says. “You can go back to the basics of who is seeing what information, and make sure the business has engagement with employees,” Gunning says. “Yet, the bigger the organization, the more difficult that is going to be, and it doesn't take much for someone to get upset for a particular reason, no matter whether they are right or wrong.”

An active monitoring program can be achieved by using security incident and event management (SIEM) solutions to see what people do. Gosnold points out that it is not just about watching people who don't have access to restricted areas, but more about monitoring those who do.

“You get a baseline of normal activity, and if someone in accounts looks at, for example, 10 files in a usual week, and then starts copying gigabytes of data, that should flag an alert,” he says. “If you are lucky to have a SIEM solution that is well optimized, it will do that automatically,” Gosnold says.

Output from SIEM and log events from different technologies across a company can be analyzed to look for the biggest offenders or most questionable activities. Gosnold says this enables businesses to contact employees, whether administrators or end-users, to check that everything is as it should be and that no accounts have been compromised.

However, telling colleagues you have spotted numerous failed logins, or questioning why they moved files, can present its own problems, says Gosnold. “You can understand why people might be taken aback, until they realize why you are doing it. But in the mid-term, it can have a positive effect on security awareness,” he says.

In 2011, a number of CIOs at government departments declared their support for employee monitoring software, particularly in the aim of growing awareness and understanding of why closer monitoring of employees' use of sensitive data was critical to reducing the spiralling insider threat.

Gosnold says most systems he is working with will have a pop-up statement that tells users they could be monitored for auditing processes. He has not gone to the level of active monitoring or recording people's sessions, but says there are technologies that will do that.

Feedback from a number of CISOs confirms they are in a difficult position when it comes to monitoring their own colleagues, and it is an issue that goes beyond security to involve HR and legal departments, says Steve Durbin (left), vice president of sales and marketing at the Information Security Forum, an independent, nonprofit association of organizations around the world which works to develop best practice methodologies, processes and solutions for its members.

“CISOs are shaking off the role of the traffic cop who says ‘no' and ‘you can't do that,' and the role of Big Brother who is always watching you, and are instead building relationships within the business,” Durbin says. However, he adds that senior management often don't want to know about these security and monitoring problems. “They are more concerned with brand perception as they don't want a big noise.”

In the future

The Snowden incident has had a major impact on privacy awareness, but will this drive businesses to invest in technology, training and policy revision to ensure they are not the next to be in the headlines? Durbin is doubtful. While some businesses will batten down the hatches, others will see the affair as a one-off, he says. “They will realize that it is a challenge to their intellectual property and research and development, but also that this is so difficult to guard against.”

Unilever's Wright disagrees, arguing that Snowden's actions have raised questions about data storage and protection. “From our perspective, we use cloud-based solutions for the campaigns we run, so it has highlighted challenges on data protection laws, and raised questions around what we are hosting, where the data warehouses are and whether we have adequate safeguards in place to protect it.”

Gosnold says that every time something like this occurs, it must raise the bar for the industry as a whole, just as previously advanced persistent threat (APT) became a buzz phrase. “When it comes to well-publicized insider breaches, there must be organizations for which this is a consideration.”

He acknowledges, however, that when it comes to using contractors, the situation becomes an issue of “security vetting standards, and...that could be a potential weakness.”

WikiLeaks' publication of secret government data in 2010 still hangs heavily over many businesses, fearful of what could be publicly released about them. Marshall says Snowden's action is of equal concern for organizations, as the concept of the insider posing the biggest threat gains traction.

A version of this article originally appeared in the September/October SC Magazine U.K. For more on the inside threat, see the special Spotlight edition of SC Magazine focused on the insider threat published last month. Click here for a free PDF download.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.