Threats from inside an organization – and from third-parties – pose a burgeoning challenge for security professionals, reports Jim Romeo.
Bo Zhang, a 32-year-old programmer from Queens, N.Y., worked as a contractor for the Federal Reserve Bank of New York and moonlighted with a sideline IT business. But Zhang's plans ended when the FBI arrested the Chinese national on charges of stealing source code – used to track payment and collections made by federal agencies – from his bank job. Zhang intended to use it as a training tool for his side venture.
Zhang's actions are typical of what has of late become a common occurrence – and a challenging security problem in today's enterprise security architecture: the insider threat.
Eric Chiu (left), president and founder of HyTrust, a Mountainview, Calif.-based cloud infrastructure control company, says the risk from inside is one of the greatest security challenges for today's CIO. According to his company's research, 43 percent of security breaches are due to trusted insiders.
Chiu says the risk posed by insiders – or what he deems “privileged users,” which intimates that an insider is not necessarily a direct employee – are real and on the rise. “The drivers are diverse and can range from malicious intent, potential profit, accidental and socially engineered,” he says. “However, the consequences are huge, whether you are talking about theft of confidential information, financial data, such as credit cards, or someone taking down the data center of a large enterprise.”
Alan Brill, senior managing director of Kroll Advisory Solutions, based in Secaucus N.J., agrees that the definition of just who might be considered an insider has evolved. “Historically, it was easy,” he says. “Insiders were your employees, and everyone else was an outsider. But today, exactly who is an insider?”
Is it the employee on premises, he asks, or a contractor employed by an outsourced call center that's 7,000 miles away who accesses the company's sensitive information stored on a cloud server operated by another third-party contractor? Is it the driver of the delivery service that picks up the company's backup media and takes it to a storage facility? Is it the programmer at a vendor who provides the analytical package the company use through a SaaS interface? “They all have some level of authorized non-public access to your data,” Brill says. “And for these people, what degree of control do you exercise? Do you know the background checks or activity monitoring that the companies you entrust with your data actually do as part of their security protocols?”
For many global enterprises, identifying and understanding the inside threat involves mapping what Brill calls the “insider ecosystem.” Until a firm recognizes that scenario, he says it does not have a good basis for assessing its risk or determining the right course of action to control the threat.
Few industries are exempt from insider threats, but some do present more risk than others. Those markets where the underlying information is an integral and key asset of the company are at greater vulnerability, says C. Kelly Bissell (right), principal and U.S. information and technology risk management leader at Deloitte & Touche in Atlanta. “It always depends on specific exposures and situations of the insider,” says Bissell. “Theft is rampant across all industries, but certain ones have more valuable data to steal.” Most of the valuable data sits in banking, pharmaceutical, government and high-tech manufacturing, he says.
The underlying data may be a target, but it is not necessarily the only motive of the hacker. Organizations are targeted for a wide range of reasons.
“Government organizations often earn the ire of their subjects when they feel wronged,” says Steve Lee, a certified fraud examiner and managing partner with Steve Lee & Associates, a Los Angeles-based fraud detection agency.
For any IT security manager, there is a need to understand the underlying psychology of the insider who stands as a threat to the IT organization. Security personnel must know and recognize behavior, background and how these potential threats think in order to adequately assess the risk they present.
“External threat actors who exploit an organization's connectivity to the internet have been a hot topic for years,” says Shane Sims, a principal in PwC's advisory practice focused on cyber security, based in McLean, Va. “However, the insider threat existed long before business operations became reliant on the internet.”
Sims (left) says there are two forms of an intentional insider threat: those who come to an organization predisposed to behave badly and those who are influenced to behave badly after being granted authorized access to information. “The former are most often criminals, or may be agents of a foreign intelligence service,” he says. “Sudden financial distress, unresolved work conflict, perceived or actual layoffs, and perceived or actual unethical behavior by the employer are typically at the root of the latter.”
Deloitte's Bissell adds that any organization that possesses large amounts of personally identifiable information (PII) are more susceptible to attack. He highlights three vulnerable industries: hospitality, retail and health care. “The bottom line is this,” he says. “If an organization has data [or] information that is valuable to the organization, then it also has a value to someone else.”
Another issue is the general attitude that employees have toward their company's data. According to Imperva's whitepaper, “An Inside Track on Insider Threats,” published in 2012, 70 percent of 1,000 people in the U.K. surveyed said that they planned to take something with them when they left their current job, while 27 percent planned to take intellectual property and 17 percent planned to take customer data.
Ryan McElrath, CTO at American-Eagle.com, a website services firm based in Des Plaines, Ill., says he uses this data to illustrate an obvious motivator in today's business landscape: Economic conditions and personal financial difficulties can drive behavior, resulting in a desperate employee who may resort to fraudulent activities or be motivated to sell confidential information. “For this reason, a candidate's financial history is commonly reviewed during an employment background check,” he says. “A person with debt problems is a higher risk to get involved in fraud and is also more vulnerable to being bribed by outsiders.”
Defenses should be developed with such a focus in mind. One option is to implement role-based techniques, where permissions are assigned to workers to perform certain operations based on their specific roles.
Some responsibility for detecting odious behavior by an employee falls to security leaders. “To combat the threat from insiders, chief information officers have to change their thinking from an ‘outside in' mentality around security and also think ‘inside out,'” says Chiu. “They need to proactively put in access control and role-based monitoring solutions [used to regulate access based on an employee's position in an organization] that can lock down the infrastructure and applications that contain sensitive information.” He says role-based techniques are the only way to prevent privilege hijacking – thus, stopping insider and advanced persistent threats with the highest degree of ease.
Further, the insider sees weak points that others may not. And the insider has the privilege and vigilance to exploit these chinks for their gain, be their motives greed or otherwise. But it is important for IT practitioners to always be cautious.
Just as the typical private home has less to offer a thief than a local branch bank, it is also a great deal easier and less fraught with risk to burglarize the home than to break into the bank. “The metaphor works in cyber space,” Lee says. “The wolves typically look for the weakest sheep among the herd. So don't be a weak sheep.”
Look for a special Spotlight edition of SC Magazine later this month devoted to the insider threat.