13 best practices for preventing and detecting insider threats

* What if the "bad guy" is authorized to use your IT system?

When you think of IT security, you probably think of keeping the bad guys out of your IT systems. But what if the "bad guy" is fully authorized to use those IT systems? Insider threats are real and not so uncommon. That's why the CERT Coordination Center offers a report called Commonsense Guide to Prevention and Detection of Insider Threats. There's plenty you can do to lessen your risk of harm perpetrated by a trusted insider.

A survey conducted by the United States Secret Service, the CERT Coordination Center (CERT/CC), and CSO Magazine found that in cases where respondents could identify the perpetrator of an electronic crime, 20% were committed by insiders.

The losses from crimes and security breaches conducted by insiders can be significant, often because these people know precisely where to look to obtain access to the financial accounts or intellectual property, and how to circumvent existing security measures. CERT has documented several cases where the damages were quite high, including one complex case of financial fraud that resulted in losses of almost $700 million. In another case, a technical employee of a defense contractor wrote a logic bomb that resulted in $10 million in losses and the layoff of eighty employees. And of course, we all know about the trader at Societe Generale who circumvented internal security to amass losses of $7.7 billion for his bank.

CERT/CC has published a report called "Commonsense Guide to Prevention and Detection of Insider Threats". The information is based on the analysis of more than 150 known cases of malicious insider activity – how they happened and what could have helped to prevent them. The report also includes trends and patterns in the various malicious activities, which fell into categories including insider IT sabotage, fraud and theft of confidential or proprietary information.

As the report says, “insider threats are influenced by a combination of technical, behavioral, and organizational issues, and must be addressed by policies, procedures, and technologies. Therefore, it is important that management, human resources, information technology, and security staff understand the overall scope of the problem and communicate it to all employees in the organization.”

Clearly this is not a battle just for the IT experts to fight, although technology often plays a part in both enabling and preventing insider incidents. At any rate, it’s worthwhile to review the best practices and see how they might work in your own organization.

1. Institute periodic enterprise-wide risk assessments.

The organization must take an enterprise-wide view of information security, first determining its critical assets, then defining a risk management strategy for protecting those assets from both insiders and outsiders.

2. Institute periodic security awareness training for all employees.

All employees in an organization must understand that security policies and procedures exist, that there is a good reason why they exist, that they must be enforced, and that there can be serious consequences for infractions.

3. Enforce separation of duties and least privilege.

Effective separation of duties requires the implementation of least privilege; that is, authorizing people only for the resources they need to do their jobs.
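A mechanical check for practice 3, added here as an example and not taken from the CERT guide: it expands each user's effective permissions through role membership and reports anyone holding a "toxic" pair of permissions that should never sit with one person. The roles, permissions, users and toxic pairs are constructed sample data.

```python
"""Separation-of-duties check: added example, not from the CERT guide.
All role, permission and user data below is constructed sample data."""

# Which permissions each role grants.
ROLE_PERMISSIONS = {
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_approver": {"payment.approve"},
    "developer": {"code.commit"},
    "release_eng": {"code.deploy"},
    "auditor": {"log.read"},
}

# Toxic combinations: permission pairs no single person may hold, because
# holding both lets one insider complete a fraud or change without a second set of eyes.
TOXIC_PAIRS = [
    ("vendor.create", "payment.approve"),  # create a payee and pay it
    ("invoice.enter", "payment.approve"),  # enter an invoice and approve it
    ("code.commit", "code.deploy"),        # write code and ship it unreviewed
]

# Role assignments; carol and dave accumulated roles as their duties changed.
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"ap_approver"},
    "carol": {"ap_clerk", "ap_approver"},
    "dave": {"developer", "release_eng"},
    "erin": {"auditor"},
}

def effective_permissions(user, user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in user_roles.get(user, ()):
        perms |= role_perms.get(role, set())
    return perms

def sod_violations(user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS, toxic=TOXIC_PAIRS):
    """Map each offending user to the toxic pairs they hold; empty dict if clean."""
    findings = {}
    for user in sorted(user_roles):
        perms = effective_permissions(user, user_roles, role_perms)
        hits = [pair for pair in toxic if pair[0] in perms and pair[1] in perms]
        if hits:
            findings[user] = hits
    return findings

if __name__ == "__main__":
    for user, hits in sod_violations().items():
        for a, b in hits:
            print(f"SoD violation: {user} holds both {a} and {b}")
```

Run against a real directory export, the same check catches the common case of employees who keep old roles after changing jobs, which is how least privilege erodes in practice.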

4. Implement strict password and account management policies and practices.

If the organization’s computer accounts can be compromised, insiders have an opportunity to circumvent both manual and automated mechanisms in place to prevent insider attacks.

5. Log, monitor, and audit employee online actions.

Logging, periodic monitoring, and auditing give an organization the opportunity to discover and investigate suspicious insider actions before more serious consequences ensue.

6. Use extra caution with system administrators and privileged users.

Typically, logging and monitoring are performed by a combination of system administrators and privileged users. Therefore, additional vigilance must be devoted to those users.

7. Actively defend against malicious code.

System administrators or privileged users can deploy logic bombs or install other malicious code on the system or network. These types of attacks are stealthy and therefore difficult to detect ahead of time, but practices can be implemented for early detection.

8. Use layered defense against remote attacks.

Insiders tend to feel more confident and less inhibited when they have little fear of scrutiny by coworkers; therefore, remote access policies and procedures must be designed and implemented very carefully.

9. Monitor and respond to suspicious or disruptive behavior.

In addition to monitoring online actions, organizations should closely monitor other suspicious or disruptive behavior by employees in the workplace. Policies and procedures should be in place for employees to report such behavior when they observe it in coworkers, with required follow-up by management.

10. Deactivate computer access following termination.

When an employee terminates employment, whether the circumstances were favorable or not, it is important that the organization have in place a rigorous termination procedure that disables all of the employee’s access points to the organization’s physical locations, networks, systems, applications, and data.
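An audit that ties practice 5 (logging and auditing) to practice 10 (deactivating access), added here as an example and not from the CERT guide. It takes a constructed HR separation feed, a constructed directory export and constructed sshd log lines, and reports accounts left enabled after the owner's separation date and any successful logins by them after that date.

```python
"""Post-termination access audit: added example, not from the CERT guide.
The HR feed, directory export and sshd log lines below are all constructed."""
import re
from datetime import datetime

SEPARATIONS = {"jsmith": "2008-03-14", "mlee": "2008-03-20", "rkhan": "2008-03-21"}

ACCOUNTS = {
    "jsmith": True,    # never disabled after separation
    "mlee": False,     # disabled as the termination procedure requires
    "rkhan": True,     # still enabled
    "agarcia": True,   # current employee, not in the HR feed
}

AUTH_LOG = """\
Mar 15 02:11:43 vpn1 sshd[2231]: Accepted password for jsmith from 203.0.113.7 port 51022 ssh2
Mar 21 09:00:12 fileserv sshd[411]: Accepted publickey for agarcia from 10.0.0.21 port 40110 ssh2
Mar 21 23:47:05 vpn1 sshd[2290]: Failed password for mlee from 203.0.113.9 port 50501 ssh2
Mar 22 01:03:17 vpn1 sshd[2301]: Accepted password for rkhan from 198.51.100.4 port 52200 ssh2
"""

ACCEPTED_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted \w+ for (\w+) from (\S+)")
LOG_YEAR = 2008  # syslog timestamps carry no year; the constructed sample is from 2008

def stale_accounts(separations=SEPARATIONS, accounts=ACCOUNTS):
    """Separated users whose account is still enabled (practice 10 not applied)."""
    return sorted(u for u in separations if accounts.get(u, False))

def post_termination_logins(log=AUTH_LOG, separations=SEPARATIONS):
    """(user, ISO timestamp, source) for each successful login after separation day."""
    hits = []
    for line in log.splitlines():
        m = ACCEPTED_RE.match(line)
        if not m:
            continue  # failed attempts and non-sshd lines are out of scope here
        stamp, user, src = m.groups()
        if user not in separations:
            continue
        when = datetime.strptime(f"{LOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
        last_day = datetime.fromisoformat(separations[user]).date()
        if when.date() > last_day:
            hits.append((user, when.isoformat(), src))
    return hits

if __name__ == "__main__":
    print("still enabled after separation:", stale_accounts())
    for user, when, src in post_termination_logins():
        print(f"login after separation: {user} at {when} from {src}")
```

The second finding is the one that matters for practice 11: a login by a separated account is evidence to preserve, not just a hygiene failure to fix.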

11. Collect and save data for use in investigations.

Should an insider attack, it is important that the organization have evidence in hand to identify the insider and follow up appropriately.

12. Implement secure backup and recovery processes.

It is important that organizations prepare for the possibility of an attack or disruption by implementing secure backup and recovery processes that are tested periodically.

13. Clearly document insider threat controls.

As an organization acts to mitigate insider threat, clear documentation will help to ensure fewer gaps for attack, better understanding by employees, and fewer misconceptions that the organization is acting in a discriminatory manner.

For more details about the 13 best practices, read the July 2006 report "Commonsense Guide to Prevention and Detection of Insider Threats" published by Carnegie Mellon University CyLab. You can find it on the CERT Web site.


Copyright © 2008 IDG Communications, Inc.
