Beware the insider threat

While your perimeter defenses may be strong, they won't stop an inside attack.


What is a firewall? That's a basic question to ask an audience of IT pros. But I'll answer anyway.

A firewall keeps the dangers of the outside world from entering your network. Most security tools work this way. Antivirus, for instance, keeps bad code from getting on your PCs or servers.

That is only half the security battle. This approach is like locking the door. It only stops outsiders from coming in. But what if the thief is already in the house, or the troublemaker already on your network?

That is the insider threat, and it can be far worse than a hacker from Eastern Europe.

Verizon tracks this type of activity in its annual Data Breach Investigations Report, and sees insiders as truly brazen and insidious. "The corporate LAN was the vector in 71% of these incidents, and 28% took advantage of physical access within the corporate facility. This means the majority of employees perpetrated their acts while in the office right under the noses of coworkers, rather than hopping through proxies from the relative safety of their house," the latest Verizon report said.

Insiders have two things that make them more dangerous than an outsider. Insiders already have network access, sometimes at a high level. And they know much of what is on the network, and where.

Much damage can be done without even hacking. These scourges include:

  • Data leakage and theft
  • Sexual harassment and even child porn
  • Crime such as fraud and theft
  • Espionage
  • Data corruption/deletion
  • Identity theft
  • Committing crimes using corporate technology, then even using that technology to blame others
  • Insider trading

And there are countless examples of employees using not just confidential data (such as customer databases) but company computing resources as well to start their own competing businesses.

So just what is an insider? Usually an employee with network privileges who uses the network regularly, even when working remotely – on the road or from home – where there are no supervisors. Many insiders, such as those in HR or IT and certain managers have higher-level computer privileges. While there is presumably more trust here, there is also clearly more danger of critical information being leaked.

"You have managers (including those in the C-suite) that came in higher than in prior years. You know the type; one of those straight shooters with upper management written all over him. They often have access to trade secrets and other data of interest to the competition and, tragically, are also more likely to be exempted from following security policies because of their privileged status in the company," Verizon said.

Employee Danger

Technology and employees with network access are a dangerous combination for a number of reasons.

  • End users can be pretty technical
  • Employees are people so a certain number are nefarious
  • IT systems often aren't configured to detect and prevent bad internal behavior, only to keep outsiders out

These breaches are more common than you might think. The Verizon Data Breach Investigations Report found that some 14% of breaches come from insiders.

Two motives stand out. Financial gain is one. Another common source is ex-employees who still have network privileges and are seeking revenge.

Breaches aren't always intentional. A worker may copy files to a USB drive to work on at home and have that drive stolen or misplaced. And once that data is on the home PC, it is subject to hacking like everything else on the machine.

Technical Solutions Often Lacking

Most shops have a handful of standard security tools that do not offer full insider protection. And many additional tools and techniques add more protection, but are still not enough. For instance:

  • Security software such as IDS/IPS (these are tuned for hostile traffic crossing the perimeter, not for a legitimate account misusing data it is allowed to reach)
  • Event logs (results after the fact, and not always rich in detail)
  • Anti-malware (mainly blocks malicious code, not insider misuse)
  • Content filtering (doesn't fully address crime, misdeeds and other activities)
  • USB blocking (only stops one form of data theft, offers no detail and no forensics ability)
  • ACLs to restrict employee access to computing resources (much can be done without admin or high-level access, and many in IT and many executives have admin rights anyway)
  • Setting and publicizing policies (policies are like laws: they don't prevent bad things, they just give grounds to act when rules are broken)
  • Investigating after the fact (this is the way most cases are handled; unfortunately many breaches go on for months or more before they are discovered)

The Answer

Like someone with an addiction, the first step in fighting the insider threat is to admit you have a problem. It is human nature to trust those whom you know, and even more those managers that run your organization. But bad actors come from every stripe – even CEOs (just look at all the ones we have locked up).

To truly combat the insider threat, you need a fuller approach to security. Part of this is knowing what is going on in the network and controlling activity.

Web and email monitoring and filtering can track and block abuse of the network, including inappropriate surfing, such as child porn, that can expose your organization to liability. It can also block the release of confidential data.

Some organizations even post lists of surfing and data activity to show how well this is all tracked, and for privacy's sake these results can be presented anonymously.

Meanwhile, Verizon suggests strong access controls and tailoring access levels to true needs, trust, and levels of responsibility. "Having identified the positions with access to sensitive data, implement a process to review account activity when those employees give notice or have been released," Verizon suggested.
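One way to turn that review process into something that actually runs is to correlate the HR roster of people who have given notice or been released with the authentication and file-access logs, and flag the patterns that matter most at that point: any activity after the last working day, bulk exports during the notice period, and off-hours access during the notice period. The script below is an added example, not code from the article, from GFI or from Verizon; the roster, the log lines and the single-line log format it parses are all constructed here for illustration.

```python
"""Review account activity for employees who have given notice or left.

Added example, not part of the original article. The HR roster, the log
lines and the log line format are constructed sample data (assumption):
    <ISO timestamp> <user> <action> [detail...]
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed HR roster: notice date and last working day (None = still employed).
ROSTER = {
    "jsmith":  {"notice": "2015-03-02", "last_day": "2015-03-16"},
    "mlee":    {"notice": "2015-02-20", "last_day": "2015-02-27"},
    "rgarcia": {"notice": "2015-03-10", "last_day": None},
}

# Constructed log lines covering the cases the review should catch.
LOG = """\
2015-02-15T23:00:00 mlee login workstation=VPN src=203.0.113.5
2015-02-25T13:00:00 mlee file_export share=fs01/hr/salaries.xlsx size=2MB
2015-03-01T23:30:00 mlee login workstation=VPN src=203.0.113.5
2015-03-03T09:12:44 jsmith login workstation=WS-117 src=10.1.4.22
2015-03-03T22:48:10 jsmith file_export share=fs01/sales/customers.xlsx size=18MB
2015-03-04T08:01:03 tbrown login workstation=WS-042 src=10.1.4.80
2015-03-11T02:14:00 rgarcia login workstation=VPN src=198.51.100.7
2015-03-18T07:55:21 jsmith login workstation=WS-117 src=10.1.4.22
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<action>\S+)(?: (?P<detail>.*))?$")


@dataclass
class Finding:
    user: str
    ts: datetime
    rule: str
    line: str


def parse_line(raw):
    """Return (timestamp, user, action, detail) or None for an unparseable line."""
    m = LINE_RE.match(raw)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["user"], m["action"], m["detail"] or ""


def review(log_text, roster, business_hours=(7, 19)):
    """Flag activity by departing or departed accounts.

    Rules, in priority order:
      activity_after_departure        any event after the last working day
      bulk_export_during_notice       file_export between notice and last day
      off_hours_access_during_notice  other events outside business hours
    Events before the notice date fall under the normal review cadence.
    """
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, user, action, _detail = parsed
        if user not in roster:
            continue  # only accounts on the departure roster are in scope here
        notice = datetime.fromisoformat(roster[user]["notice"])
        last_day = roster[user]["last_day"]
        # Anything from midnight after the last working day onward is suspect.
        cutoff = datetime.fromisoformat(last_day) + timedelta(days=1) if last_day else None
        if cutoff is not None and ts >= cutoff:
            findings.append(Finding(user, ts, "activity_after_departure", raw))
        elif ts < notice:
            continue
        elif action == "file_export":
            findings.append(Finding(user, ts, "bulk_export_during_notice", raw))
        elif not (business_hours[0] <= ts.hour < business_hours[1]):
            findings.append(Finding(user, ts, "off_hours_access_during_notice", raw))
    return findings


def summarize(findings):
    """Group rule hits per user so the reviewer sees one entry per account."""
    out = {}
    for f in findings:
        out.setdefault(f.user, []).append(f.rule)
    return out


if __name__ == "__main__":
    for f in review(LOG, ROSTER):
        print(f"{f.ts.isoformat()} {f.user:8} {f.rule:32} {f.line}")
```

The roster is the key input: the review is only as good as HR's feed of notice and release dates, and an account that HR never reports (a contractor, a service account tied to a departing admin) never enters scope. In practice the "after departure" rule should fire on any event at all, since the account should already have been disabled.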

Endpoint security can also help stop data leakage, such as information copied to USB or other portable drives.

Conclusion: Responsibility

IT pros are corporate stewards, charged with securing computer infrastructure and protecting data. Protecting the company against insider threats is just as much an IT responsibility as blocking outsiders.

(Doug Barney is a writer/editor for GFI Software. Barney was the founding editor of Redmond Magazine, Redmond Channel Partner, Redmond Developer News and Virtualization Review. Doug also served as Executive Editor of Network World, Editor-in-Chief of AmigaWorld, and Editor-in-Chief of Network Computing.)


Copyright © 2015 IDG Communications, Inc.