Insider Threats Continues to Increase

he number of annual security incidents caused by insider
threats continues to increase. In The CERT Guide to Insider
Threats: How to Prevent, Detect, and Respond to
Information Technology Crimes, authors Dawn M. Cappelli,
Andrew P. Moore and Randall F. Trzeciak, wrote: “Insider
threats are an intriguing and complex problem. Some
assert that they are the most significant threat faced by
organizations today.”

Disgruntled system administrators damage data and
systems, skilled professionals steal intellectual property
and inferior employees use information to achieve political
or financial objectives for their self-gain. Any of these can
constitute a critical national defense breach or breach of
public trust.

To defend against the damage or theft caused by insiders,
an organization must hold every employee responsible for
detecting and reporting both behavior and technical
evidence indicating a possible employee defection from
policy and compliance. In addition, technical controls can
help monitor suspected offenders and the overall network
for evidence of criminal behavior.


Behavior monitoring

In a 2008 article I wrote for CBS Interactive/TechRepublic,
I listed employee characteristics that warn of potential
defection from organizational and social policy and norms,
including:


 Appearing intoxicated at the office;
 Actual or threatened use of force or violence;
 Pattern of disregard for rules and regulations;
 Attempts to enlist others in illegal or questionable
activity;
 Pattern of lying and deception of co-workers or
supervisors;
 Argumentative or insulting behavior toward work
associates; and
 Attempts to circumvent or defeat security or auditing
systems

In general, any negative change in an employee’s behavior
is concerning. Furthermore, actions taken by management
can trigger a borderline defector to cross into criminal
behavior. For example, an already disgruntled employee
might feel justified in stealing and selling intellectual
property after being passed over for promotion. Any
potential-employees are candidates for additional
monitoring.

Terminating an employee is one way to deal with a
potential problem. However, we often value employees
who are simply going through rough personal times. If
terminating an employee is your preferred choice, keep in
mind that you need to have attempted to resolve the
issues with the employee or have clear evidence of a
violation in policy; otherwise the termination can result in a
lawsuit. It is often better to remediate than to terminate an
employee.

First, we should ensure all employees understand
organizational policies regarding the use of information
resources and workplace behavior. Second, management
should have a clear and fair process for a workplace
infraction. The response should match the level of the
offense. Furthermore, every employee, without exception,
should understand the consequences of defection.

Finally, problem employees will usually not commit an
infraction in front of management. This means we must
train employees, as well as managers, to detect suspicious
behavior and report it to someone higher-up. Since many
employees would rather not become personally involved,
an anonymous tip line is a possible solution. For example,
a large organization for which I worked had a toll-free
number any employee could call to report policy violations
or any other concern or complaint.

In addition, if you don’t want to set up a phone line, you
could set up an anonymous website where you achieve the
same result. Weekly, a compliance committee met to go
over all reports, and there were many. Anything that
appeared critical did not wait for the weekly meeting but
was handled immediately.


Technical monitoring

While behavior monitoring can alert us to many possible
incidents, it often fails when dealing with network and
server administrators who go rogue. We can easily miss
behavior signals when an employee does his or her best to
hide them. When behavior monitoring fails or is
insufficient, technical monitoring should fill the gap.


Non-administrators

For non-administrators, we can control how much
information an employee can access (and what they can do
with it) by enforcing need-to-know, least privilege and
separation of duties. Organizations enforce all three by
properly managed authorization policies and processes.

The first two are closely related. Need-to-know restricts
the information a user can access only to that required for
daily task completion. Least privilege access controls what
a person can do with the information available to him or
her. For example, need-to-know might allow me to see
electronic information classified as top secret, but least
privilege would prevent me from changing or deleting it
unless my role in the organization requires it. Together,
they strictly limit insider threat damage.

Separation of duties, when properly implemented, prevents
any one person from performing all tasks associated with a
critical process. To illustrate, separation of duties prevents
a software developer from creating malware and placing it
in a production environment. In other words, developers
should not be able to place their work into production
systems.

Next, organizations must control the movement of
sensitive information. If not possible using direct means,
such as data rights management, then you should use
indirect means. One of the most effective indirect
monitoring methods is NetFlow analysis. NetFlow,
emerging as the IPFIX standard, collects network traffic
flow information at various points across the network.
Information gathered and aggregated to an analysis and
management server provides insight into anomalous traffic
flow.

If, for example, an employee decides to copy a large
number of documents to an Internet location, NetFlow
statistics would alert security to unusual behavior at one or
more points on the network. This near-real-time
identification of technological infractions happening on the
network enables the possibility for a quick and effective
response: stopping the employee or mitigating their effects
on the organization.

In addition to NetFlow, security information and event
management (SIEM) provides additional information about
anomalous server or network behavior. SIEM solutions
gather logs from various devices and systems, aggregating
them into a correlation server. An event correlation
application then mines unusual patterns or patterns known
to be related to malicious behavior. Questionable activity is
reported to security via email, SMS, or a Web portal.

Finally, employment termination and job change processes
must include immediate revocation of all rights and
privileges to previously accessed information resources.
During a job change, removing all access and then
granting access for the new role is a good approach.
Failure to adequately perform these tasks is a significant
cause of many insider incidents, especially those caused by
administrators.


Administrators

While the previous controls also work for malicious
activities by administrators, they tend to fall short.
Administrators can alter logs or create backdoor accounts
for use after hours or post-termination. Monitoring all
employees and using separation of duties can help
eliminate these vulnerabilities.

Administrator monitoring must extend to changes applied
to special purpose files. One example includes log changes.
Operating systems or other third-party solutions can track
changes to logs, including who made the change and
when. Security teams can identify unplanned changes and
respond appropriately. This also applies to other files that
might contain critical system management information and
applications in the production environment.

In addition to file changes, any creation of a privileged
account should raise a warning. For example, one security
team ran a script every morning to determine if any
accounts had been added to any Windows Active Directory
administrator group. If so, the addition was reviewed
against change management documentation to ensure it
was approved. Any questionable account was removed and
the offending employee was reported to his manager. A
periodic audit of all privileged accounts, whether disabled
or active, is another good way of identifying possible rogue
IDs.

Sharing of administrator passwords also requires special
attention. Each time a shared admin account is used, log
it. Each time an administrator leaves the organization,
change all shared passwords. If your budget allows it,
consider implementing a privileged password management
solution that logs who checks out shared account
passwords and changes the passwords after use.

Finally, remember that every employee has the ability to
be an insider threat. The most impactful threats are caused
by those at the top -- managers, administrators,
programmers, and security experts. Insider threats are
real, and they will eventually cause an incident in every
organization. Proper preparation, training and vigilance can
prevent or alleviate related consequences.

Tom Olzak is a security researcher for InfoSec Institute,
a security certification company that has trained over
15,000 people. He has held positions as an IS director,
director of infrastructure engineering, director of
information security and programming manager at a
variety of manufacturing, health care and distribution
companies. Before joining the private sector, he served ten
years in the USArmy Military Police, four years of which
were as a military police investigator.

Olzak has written two books, Just Enough Security:
Information Security for Business Managers, and Microsoft
Virtualization. He is also the author of various papers on
security management and a blogger for CSOonline.com,
TechRepublic, Toolbox.com and Tom Olzak on Security.