As companies fall victim to increased insider threats, one
of the greatest casualties has become trust in coworkers. Where one used to
think primarily about threats to network security as coming from external
intruders, today CISOs need to contend with the increasing likelihood that the
threat actor might be a colleague — perhaps someone close to the IT staff, a
disgruntled executive or other employees, a contractor or maybe just someone
trying to do their job. Sometimes the threat actors are not even aware that
they are doing anything wrong.In light of recent, high-profile breaches, it might well be
getting easier to convince the C-Suite to take threats from within more
seriously. In 2018, insider threats have become one of the most pressing
worries at a time when executive management across many industries is finally
realizing the potential enormity of security breaches. That awareness, though,
comes at the cost of attacks that are only increasing in scale and complexity.
Securing against insider threat is a process that requires immediate attention.
That said, companies are still trying to sort out what is a real threat and
what is just an employee doing their work.The non-malicious insider — perhaps the employee who
downloads a confidential file to a thumb drive to work on it at home — might or
might not be aware they are violating security policies. Sometimes the pressure
of getting a job done on time takes precedence over an obscure security policy
if the company is not proactive in training staff about what is and is not an
acceptable use of resources. Sometimes it is just easier to ignore the rules
for efficiency’s sake.
Robert Olson, technical director of the Rochester Institute
of Technology Security Assessment and Forensic Examination Lab, begins his
investigations of insider threats using threat modeling designed to profile
potential attackers by understanding their malicious motivations.“The two models I point [students] at are MICE (money,
ideology, coercion, and ego) and RASCLS (reciprocation, authority, scarcity,
commitment, linking, and social proof),” he explains, noting that these
detailed explorations of what motivates spies and attackers have become standard
in the CIA and other investigative circles.Olson argues that regardless of the attacker, a lack of
strictly enforced organizational policies plays into adversaries’ hands.
“Insider threats are only possible when employees can access confidential or
proprietary information or systems with impunity,” he says. “Organizations with
strong access control policies, which are enforced with technical controls that
also monitor for violations, should be reasonably resilient to attacks from
insiders.”Eric B. Levine, co-chair of the Cybersecurity & Data
Privacy Group for Lindabury, McCormick, Estabrook & Cooper P.C., a
Westfield New Jersey law firm that works primarily with closely held companies
and their executives, focuses primarily on the rogue employee when he thinks of
the most pressing insider threats.Levine identifies rogue insiders as “those insiders who are
unhappy with the organization, seem disgruntled and appear poised to leave.” He
cautions security people to take notice of insiders who engage in unexpected
activity on the network, such as downloading large numbers of files. “These are
warning signs that your organization’s data may be subject to an unauthorized
access.”Motorola Mobility CISO Richard Rushing agrees with Levine,
noting that the insider threat is one best identified early through close
consultation with human resources. Rushing says that if he can get copies of employees’
performance reviews, it provides a fast track to being able to identify
potential insider dangers.“People who are on a work-improvement plan or a
needs-improvement plan are probably the biggest risk for insider threat,” he
says. But if HR will not share those documents, it is a matter of using the
tools you have in front of you to assess how workers seem to feel about the
organization, and how they express those feelings in actions, as evidenced by
time and attendance records or badge access passes logged in the security
information and event management (SIEM) system to show who is coming to work on
time and staying the whole day.Eric B. Levine, co-chair, cybersecurity & data privacy group, Lindabury, McCormick, Estabrook & Cooper P.CConsidering the quandary of insider threats, Robert J.
Hudock, a member of Washington, D.C., law firm Epstein Becker Green, recalls a
quotation from Russian Nobel Prize winner Aleksandr Solzhenitsyn’s Gulag
Archipelago, who wrote: “The line dividing good and evil cuts through the heart
of every human being. And who is willing to destroy a piece of his own heart?”
That is the challenge every organization faces, he says.An employee who today might never have considered stealing
data might reconsider tomorrow when he gets a pink slip, while a disgruntled
employee thinking about how she could profit from her access to data may be
brought back on board the team tomorrow with the right encouragement. What
matters, Hudock says, is understanding that both types of employees are equally
dangerous at different times in their careers.“The blind spot for many organizations here is the
realization that anyone can become an insider threat to an organization,” he
notes, “so it is in the best interest of all to implement an effective insider
threat program.”Aside from the malicious insider and outsider, one threat
actor who hangs in that gray area between the two is the employee who is being
laid off and want to take their work with them when they go, Rushing notes.
This might not be a deliberate malicious attack; instead it might simply be an
employee who wants to keep copies of their work without the intension of
harming their employer deliberately.“Whether it be source code, marketing presentations, customer
lists, or anything else,” he says, “people are just taking their stuff. They
figure, ‘I’ll grab my documents and email and all those things, copy it to my
USB drive and walk out the door with it.’”Rushing stresses that the majority of these people likely do
not see what they are doing as exfiltration. However, when they find a new job
working for the competition, they discover they have migrated to the new
company with a portion of their former employer’s confidential data.They are not acting with malice, he says, but “They maybe
need to be reminded of this during the process and told, ‘Hey, you really
shouldn’t be taking things that are company specific.’”Another prominent form of insider threat actor is the wholly
unwitting one, entirely unmotivated by any goal. Gavin Mead, principal in KPMG
LLP’s Cyber Security Services, explains, “Unwitting insiders are now equipped
with capacities and opportunities to do inadvertent harm on a more frequent
basis, from posting sensitive materials to cloud storage, to wrongly sharing
sensitive data with suppliers, to using information in a way that violates
regulation, to enabling an outside attacker to take over their credentials.”The rise of third-party logical and physical access to data,
networks, and facilities — whether contractors, vendors, or contingent labor —
concerns Mead, who notes that because they are less known, vetted, and
monitored, they present an even bigger risk than employees.Mead says that there is a tendency to focus too much on the
malicious insider and as a result, organizational problems might neglect the
potential harm of the unwitting actor, though a well-crafted program for
defending against insider threat should contain provisions for confronting both
eventualities.The DataUnwitting insiders vex loanDepot CISO and Senior Vice
President Billy Spears. “Organizations should be concerned about insiders that
are unaware of appropriate requirements,” Spears says. “These are folks that
want to do the right thing, and definitely are policy followers, but have a
business need to use or share information without guidance on the appropriate
methods to safeguard this data.”Spears notes that this group is the biggest problem because
they cannot be readily detected, require additional training, and almost never
think about data safeguards as they go about their daily business. For that
reason, he says, once- or twice-a-year training is insufficient.“That never really keeps the risks fresh or top of mind,”
Spears warns. “I think it is important to communicate at the level of your
audience via an appropriate channel that makes sense. This is something that
needs to happen weekly to assure that people understand what to do if they
recognize a risk or need advice.”Ultimately, it is up to the security and IT teams, as well
as the owners of the business data, to ensure that confidential data is not
only protected but that it also is clearly identified. If the company does not
know what data it has, what level of confidentiality it requires and how it is
protected, it is difficult to ensure that it will not be exfiltrated,
accidentally or otherwise.Richard Rushing, CISO mobility, Motorola“It is critical that an organization consider and understand
what types of data might be vulnerable to attack in order to understand the implications
of responding to unauthorized accesses of that information and how to prevent
such access from occurring,” Levine says. He notes regulations like Health
Insurance Portability and Accountability Act (HIPAA) or the Gramm Leach Bliley
Act help organizations understand what information must be protected.Of course, he says, organizations are presented with the
challenge of determining which classes of their information are protected by
law. However, they also must protect valuable data not subject to regulation.“An organization should assume that all of its data is
vulnerable,” Levine says. “Whether the data is personally identifiable
information, protected health information, or something more general like a
client list, a company should assume that some third party may find some
improper use for obtaining that information. The better approach is to build
your defense around all of your data.”Mead says that the first step of any insider threat program
is determining a formal definition of the organization’s business drivers and
its crown jewels.“When taking a threatdriven risk scenario approach,
understanding the data at risk is a critical consideration,” he explains. “This
includes assets and information as well as business functions that are at risk:
moving money, changing reporting structures, creating new employees and
changing employee direct deposit information, destroying production capability,
damaging reputation and others.”However, he says, it is tricky to tighten access to data
without becoming unnecessarily restrictive — and a restrictive attitude can
strike at the values of team collaboration necessary to protecting data.“While restricting access to some data is a strong control,
it is critical for an organization to understand the spread of sensitive data
and of privileged access,” says Mead. “The failure to understand what
constitutes sensitive data, failure to manage sensitive access and review its
appropriateness, and the constantly-changing nature of peoples’ jobs and
technology enablement leads to access drift over time.”Managing The DataRushing is a proponent of establishing a high standard for
granular-level access control because those who cannot access the data cannot
remove it or transfer it where it does not belong. This is a nearly end-to-end
process; it is not enough to mandate it but it needs to be enforced
continually.Like all good ideas, Rushing says, access control starts out
pristine, but once it is left to wither, it can cause problems. “It has to be a
continual environment,” he says. “There’s some level of responsibility you want
to bestow upon whoever’s the custodial person responsible for managing that
data, and you really want to empower them to make decisions.”Classification, he says, is a key element of prevention. Footers, headers, and metatags allow CISOs to track data that has turned up where it should not be, where it has been, and how it is moving around the organization. “If there’s nothing in it then it becomes really hard for any [tracking]to actually work,” Rushing says. “If you know where all your data are and the repositories of your data are, you then have an idea of here’s what I need to protect. If you haven’t gone there yet, it’s like boiling the ocean.”to actually work,” Rushing says. “If you know where all your data
are and the repositories of your data are, you then have an idea of here’s what
I need to protect. If you haven’t gone there yet, it’s like boiling the ocean.”Gavin Mead, Principal, cyber security services, KPMG LLPOne reason so many organizations allow too much access is
simple convenience, says Levine. Securing sensitive company information is
initially time-consuming to classify the data. It also requires time to
authenticate the users each time they want to access the data. A compounding
problem in organizations occurs when there is no clear record of what data they
have, where it is stored, and who has access to it, he notes.“Organizations need to adopt practices that provide that
they secure all data upon its creation or initial acquisition, meaning that the
files are secured, password protected or accessible only to limited people who
have authorized credentials,” Levine says. “Organizations also need to invest
the time and resources to map their data in order to learn what data they
possess, where on their computer network the data is located, and who can
access it. Investing the time and resources at the upfront and then adopting it
as a routine practice is a substantial undertaking, but one that will create a
more secure environment on an on-going basis.”(Much of what Levine says about protecting data became
mandated on May 25 if the data contains private information about European
citizens. That was the day the European Union’s General Data Protection
Regulation (GDPR) went into effect. Among its requirements is knowing exactly where
data on EU citizens resides on the network, on every corporate or personal
device, and in every backup or archive, regardless of where in the world the
data resides.)However, the process of recording all this information is a
complex project, says Olson, who notes that lax security is rarely due to
laziness on the part of system administrators, network administrators, or
programmers. ““Time and financial constraints make [security] a challenge
for many organizations,” he says, and the problems become exacerbated by
organizational cultures that allow such constraints to spread. “If respect for
data privacy isn’t baked into strategic security policies set at the executive
level, technical controls preventing unauthorized — or unethically authorized —
access will receive less or little priority and employees are less likely to
protect data privacy in day-to-day activities.” Even conscientious staff
members can engage in risky behaviors, such as cloudbased file-storage, when
they have not been properly prepared to adhere to rules and best practices
while still running the business effectively.Billy Spears, CISO and SVP, loanDepot“Once this mentality sets in, monitoring for malicious
behavior becomes even more difficult, as it is often comingled with innocently
motivated, but still out-of-policy actions,” Mead says. “Insider threat
programs have to work to be positively perceived by the employees they monitor.
Employees must understand that the program is designed to protect everyone’s
job and livelihood and not perceive it as ‘Big Brother’ driven by employer
mistrust. Programs that fail to create this positive perception with employees
can actually be the cause of disgruntlement, becoming part of the problem they
are attempting to solve.”The ProgramThe way an insider-threat program portions out its defenses
to detection, deterrence, and post-breach forensics is determined by what kind
of data it is defending.Rather than counsel for a percentage split on each approach,
Rushing says it is better to keep asking questions of the data: “How do I track
it? How do I see it in transit? How do I trust it at a third party or anything
else that’s doing something with it? What kind of controls can I put around it
and keep wrapping it? It’s kind of like an onion,” he says. “You want to put
layers of controls around [it]. The more layers of controls that I can put
around it the better I can maintain that kind of structure.”Mead says each means of control — detection, deterrence, and
post-breach forensics — has a varying role to play. “If dealing with an
unwitting insider, DLP (data loss protection), coupled with easy-to-use
encryption tools, may mitigate the scenario leaving a limited role for IDS
(intrusion detection systems) or post-breach forensics,” he says. “When looking
at the actions of an outsider impersonating an insider, particularly one with
privileged IT administrative access, detection and forensics will likely play a
very strong role. Understanding the relative risk to a particular organization
of each scenario should help dictate the right level of emphasis on each
category.”However, defenses need to be tested in threat-driven risk
scenarios in order to determine how effective they would be for any one
organization’s needs, he notes.“When focused on the unwitting insider, prevention defenses
can be very powerful,” he says. “From training and awareness to controls that
prevent a user from taking the wrong path while simultaneously pointing them to
the right one, these approaches can keep those who have good intentions on the
right path. Preventative defenses for malicious insiders are more problematic,
particularly as many of the insiders in this category are aware of the gaps in
prevention and take advantage of them.”Robert J. Hudock, Epstein Becker GreenOlson believes organizations need to prioritize detection
and prevention ahead of post-breach forensics, since these are the controls
that provide the most formidable obstacle to those wishing to do the
organization harm.“Many organizations are rapidly becoming better at both of
these tasks,” Olson explains. “Anti-virus … is improving, monitoring is
becoming more common, as is patch management planning. The net result is that
adversary dwell time, the amount of time an attacker has access to a host before
they are noticed, is decreasing.”Winning over the C-suite is the necessary precursor to all
of this, however. Olson says that if you do not have high-level approval,
bolstering data privacy and fighting insider threats simply will not be a
priority.“Having executives establish high-level security and privacy
policies is important to setting the tone for the organization, which will
translate into data and privacy protecting controls and behaviors being
implemented at the lower levels of the organization.”Once you understand the motivations of the company’s
executives, you can talk to them about the importance of thinking of their data
as something that needs to be secured. Some of the most important information
in many companies, he notes, takes the form of unstructured data, because those
who write it and save it are thinking only of the ideas, and not of protecting
them.Rushing notes, “I can talk to them and say, ‘Could you add
this meta field into the properties so that we can track it?’” But that works
best if they understand what is at stake.
There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]
It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
