A Look at Insider Threats

Authors:
  • Eric Goldman

20 Jan 2009   ::   Security   ::   #insider #employee monitoring #privacy #proactive security

 

Summary

This article [1] by Tom Reilly focuses on enterprise security threats from employees (insiders). He begins the article by acknowledging that while insider attacks are not new, the proliferation of information systems increases the number of people who have access to valuable data. Thus, this significantly increases the number of individuals who may possibly steal information assets. Mr. Reilly notes that the recent economic downturn may be a strong motivator for individuals to commit information theft. White collar professionals may have access to valuable information and can easily find a black market customer via the Internet. Furthermore, there is a much higher level of risk from insiders as they do not have to be technically sophisticated hackers to steal a valuable asset; a employee can easily print or copy data to an external drive.

As a result of this internal threat, the author notes that many companies are increasing their employee monitoring efforts in order to track down and stop insider attacks. The key activities to monitor are what applications employees use, how much and how often certain data or datasets are accessed, and to where and at what time information is copied or duplicated (e.g. email, printed). For example, it would be very suspicious if a scientist was accessing a highly important database and printing out 100 records every night at 9:00 PM. The author also notes that based upon his customer interactions, that companies are increasingly more concerned with internal attacks rather than external hackers. The author also surprisingly notes that not only is management interested in these monitoring practices, but employees seem to support such initiatives. The reason for this is that employees realizes that if an insider sells company secrets that the company may subsequently go out of business. In order to protect their organizations, and thus themselves, employees will support such initiatives.

Relation to Enterprise Security

This concept is absolutely paramount to enterprise security. While quite often there is a focus on external attacks and hackers breaking into an organization’s systems, a much more likely attack can come from the inside. The costs to perpetrate an internal attack are much lower for the attacker because they often already have access and are well aware of the security measures and if the rules are in fact followed. Internal attacks could very easily be comingled with legitimate work activities; as a result, the attacks could be much more difficult to detect. In terms of costs to the enterprise, internal attacks can be incredibly damaging because the attacker will usually know how to get the most valuable asset for a given attack cost. Furthermore, to monitor employee activity requires not only looking for irregularities or violations, but also patterns of activity over time.

Monitoring of activity is also often mandated by regulatory requirements. For example, email records must be stored for some time and under some regulations must be reviewed by a compliance officer. In addition, other laws such as HIPAA require detailed auditing of when and by whom records are accessed [2]. As a result, over time is may be expected that there is limited privacy within a business setting and employees will act with higher levels of discretion. Perhaps now it is not only expected, but also accepted by employees that they will be monitored as a result of news stories and regulation.

Analysis / Discussion

The tools and training for mitigating and monitoring internal attacks is not as widespread as external risk management tools such as firewalls, IDSs, and penetration testing. To some degree these tools can help track down internal attacks; however, monitoring internal attacks and violations is much more complex because they can be highly dependent upon the organization’s internal policies and specific applications. For example, should an individual have restricted access to a database only between certain hours? Should they further only be allowed to access so many records at any given time? Should an executive receive access to this system simply because he is an executive? These questions are often very difficult to answer and can often be subject to internal politics. In general, information should be accessible only on a need-to-know basis with only the minimum level of access required. Furthermore, additional measures may be necessary; while it is possible to prevent copying or printing of data on some systems, could some attacker take a screen shot or do they have a camera on their cell phone? While the costs of the attack are very high, the cost to hire a security guard to pat down employees as they enter a locked room with a computer terminal may be extremely high or employees may simply choose to leave such a restrictive environment. As a result, it may be very difficult to prevent security breaches internally. However, the development of firm, enforced policies and monitoring programs can help limit such attacks or greatly increase the attack costs to the point where it is too costly or risky to perpetrate the attack.

In an older article [2] by Daintry Duffy, the author addresses how organization’s can effectively implement monitoring programs. One of the keys addressed in this article is that policies must be explicit and well communicated. In this way the employees will understand the rules and will reduce behavior that the monitoring would identify as potentially risky; as a result, there is less incidents and data to sort through in order to find the real insider attacks. Next, action should be blocked whenever possible, for example some companies block access to external FTP servers from inside the enterprise. When a potentially risky action cannot be blocked, then restrictive measures must be put in place and monitoring of actions becomes required. Another point to consider is the legal standpoint on monitoring. Some monitoring may be mandated by regulation and forced upon the organization. On the other hand, privacy laws may prevent other forms of monitoring; these laws can vary from state to state and country to country.

References

  1. Reilly, Tom. Employee Monitoring Good for the Employee. CSO Online. [Online] CXO Media Inc., January 14, 2009. [Cited: January 14, 2009.] http://csoonline.com/article/476078/Employee_Monitoring_Good_for_the_Employee.

  2. Duffy, Daintry. Employee Monitoring: Watch This Way. CSO Online. [Online] CXO Media Inc., February 1, 2003. [Cited: January 15, 2009.] http://www.csoonline.com/article/217419/Employee_Monitoring_Watch_This_Way.