Information Security Management Handbook, Sixth Edition (2012)
DOMAIN 3: INFORMATION SECURITY AND RISK MANAGEMENT
Chapter 7. Insider Threat Defense
It is a known fact that insider threats exist for all organizations. Essentially, this threat lies in the potential that a trusted staff member may betray their obligations and allegiances to the enterprise and conduct sabotage or espionage against it. Many enterprises use the 80–20 rule when looking at threats. In the past, most of the enterprise threats were external. In today’s environment, the 80–20 threat has changed to be more of an insider threat. An “insider” is anyone who is or who has been authorized to access an enterprise asset. Insider threat activities can fall into several general categories:
1. Exceeds given asset (network, system, or data) permissions.
2. Conducts malicious activity against or across enterprise assets (network, system, or data).
3. Provides unapproved access to enterprise assets (network, system, or data).
4. Circumvents security controls or exploits security weaknesses to exceed authorized permitted activity or disguises identity.
5. Nonmaliciously or unintentionally damages assets and resources (network, system, or data) by destruction, corruption, denial of access, or disclosure.
Insider threat activities can include the following:
Virus-laden CD, USB flash drive, or floppy
Social engineering passwords
Smuggling out USB sticks or other mobile media
Responsible for “missing” laptops or hardware
Targeted acquisition of equipment or data adjustments
Using unpatched systems
False positives on antivirus reports
Use of unattended desk areas
Extra copies of backups
Recording devices, such as cell phones, PDAs, or BlackBerry devices
Suspicious system activities
Mislabeling information classifications
Copying and pasting between different information classes
To limit the risk of insider threats, an enterprise must base an effective trust relationship with a staff member on the following criteria:
1. Establish an appropriate level of trust at the beginning of employment.
2. Create effective compliance monitoring to ensure that the established trust is valid over time.
3. Revoke access in a timely and effective manner.
Insiders include former staff members who might lack current access but who might have retained knowledge of the potential security measures or vulnerabilities. They also include nonstaff individuals with access, such as contractors and consultants. Inside knowledge draws emphasis to those mission-critical positions within the enterprise where a staff member’s access, combined with their knowledge of the systems and vulnerabilities, creates the greatest potential for harm from an insider attack. For instance, despite technical advances, the greatest potential risk factor that still remains is the staff member with access to high-level system privileges. This staff member may or may not have malicious intent, and, due to the rapid evolution of increasingly mobile and decentralized control access, he need not be physically collocated with the traditional data center. Thus, this risk can exist both internally and externally to the enterprise.
As the boundaries between systems become more open and the perimeters of individual systems less easily defined, the critical distinction between an insider and an outsider will be based less on geographic location and more on the access and privilege level obtained (appropriately, inadvertently, or maliciously) within the system. A good deal of attention within information technology is placed on creating a tower wall, a defense perimeter, that will keep malicious outsiders from gaining access to transmission control networks. The reality is that the greatest threat to the enterprise environment and its information assets is still from an internal vector. This is because, once an external actor climbs the “tower wall,” he will essentially become an insider.
Thus, it is believed that the greatest effort to protect systems will need to be placed on protecting the system from those with insider access. The insider threat can be either accidental or malicious. As the use of technology continues to increase, there needs to be a refinement of the concept of insider versus outsider. As the devices and the access to critical systems migrate out of highly protected data control centers into the field, the boundary that defines where an insider can have access will change and potentially cease to exist as a relevant point of division. Thus, the enterprise will need to ensure that there are more robust internal controls on insider behavior. This can include the traditional approaches to segmenting networks and duties, along with new and alternative approaches.
Unfortunately, insider threat is not limited to fraud. There is also sabotage, negligence, human error, and exploitation by outsiders to consider. Once someone is hired by the enterprise, a trust relationship is established, which may degrade over time. We know that:
If we can persuade you to run something, it is not your machine anymore.
If someone can alter your operating system (OS), it is not your machine anymore.
If someone can gain physical access, it is not your area anymore.
If someone can upload to your machine or Web site, it is not yours anymore.
Weak passwords ruin strong security.
An environment is as secure as the personnel are trustworthy.
Encryption is only as secure as the decryption key.
Out-of-date virus scanners are only a bit better than no virus scanner.
Anonymity is not practical.
Technology is not a panacea.
All these items can contribute to a degradation of trust within the enterprise, possibly enhancing the risk of insider threat. Any trust can degrade over time as the enterprise’s assets continue to grow and become mobile. The enterprise needs to take continued steps to ensure that trust is maintained.
An enterprise can take steps to mitigate insider threats, including:
1. Security policy architecture: Documenting information classification requirements, how information should be used within the enterprise environment, and the responsibility of every staff member in relation to protecting that information is a requirement for any enterprise.
2. Classify information and impact analysis: Classify the enterprise’s critical information by confidentiality, integrity, and availability with impact ratings, using, for example, NIST SP 800-60. Once the information has been defined and classified, the enterprise needs to identify system boundaries that include system, data flow, networks, people, hard copies of information, and responsibilities.
3. Identify baseline controls: Establish a baseline control standard for each impact category of information, mapping the information to low, moderate, and high controls, using, for example, NIST SP 800-53. Established baseline controls can be procedural, technological, and physical. Insiders are familiar with internal controls and may find ways around single-layer or poorly implemented controls. Some key areas would be:
Human resources: Human resources personnel should follow detailed new hire and termination procedures. The new hire procedures might include criminal background investigations, credit checks, and employment verification for all staff (direct hire, contractors, temporary staffing, and cleaning crews) and then periodically repeat the background checks for people in highly sensitive positions. Require all staff to sign a statement demonstrating that they have read and understood the information security policies. Ensure that third parties comply with the enterprise’s security requirements (e.g., employment and background checks of new personnel). Establish an anonymous abuse and fraud reporting mechanism.
Security awareness program: All staff should annually attend a comprehensive awareness training session on security policies and procedures for all levels in the enterprise.
Access control: Implement need-to-know access control based on the routine performance of the employees’ duties or their role-based access. All access requests should be formally documented and approved by the information or application owner. Configure physical building access cards to restrict personnel to the areas and time periods required in the performance of their duties. Review the access logs and access on a regular basis, and ask managers to formally sign off on the privileges of their direct reports. Separation of duties should be used as an additional control.
Administrators: Administrators have complete control over systems and applications; therefore, prohibit the use of default administrative accounts to facilitate accountability.
Workstations: Laptops and mobile devices can store large amounts of sensitive information and are frequent targets of thieves. Issue laptops and mobile devices based upon business need and with consideration of the type of information typically processed. Restrict workstation/laptop administrative access to the desktop team. Exceptions should be limited to personnel with a well-defined need for administrative privileges in the performance of their duties, including formal sign-off by their manager. Restrict who has access to use USB storage devices.
Network security: Configure perimeter devices using security best practices by restricting outbound traffic to common services. Use proxies to limit traffic to designated protocols. Establish separate rules to limit outbound file transfers to an authorized set of users and systems. Restrict access between offices to specific systems, ports, and protocols. Use network segregation to restrict access to systems hosting sensitive databases. Block some of the “bad” applications and services, such as peer-to-peer file-sharing services, instant messenger, and services that allow unauthorized external access to the corporate network (e.g., GoToMyPC and PCAnywhere).
Social engineering: Con artists attempt to extract information from authorized personnel or get them to take actions on their behalf. Three ideas to address social engineering are: raise awareness of the techniques used by social engineering; establish processes to protect sensitive data and valuable assets; and provide a documented escalation path.
Backups: As part of the business continuity and disaster recovery testing, perform restore tests of critical systems at least annually. Take backups of workstations and laptops to provide a record of employee activity. If there is a business requirement, encrypt backup tapes and e-vaulting data to keep sensitive information confidential while off site.
Audit trails and monitoring: Ensure auditing and log files are configured for each system component (e.g., network devices, OSs, applications). The audit trails must be protected by file permissions and, possibly, synchronized in real time to a central log server to prevent modification. Logs should be reviewed by automated processes with notification sent to the appropriate personnel.
4. Implementation: Defense in depth will continue to limit the enterprise risk to insider threat. Layer on additional controls in accordance with the confidentiality, integrity, and availability information ratings. Any deviation from the baseline controls should require a formal exception approved by the information security management and the business owner.
5. Audit: An audit function is required to ensure that sensitive data and valuable assets are appropriately safeguarded. The audit function should monitor systems/applications and insiders to detect illicit activity. If you have audit trails, you must review them for security events and abuse of privileges. Verify directory permissions, payroll controls, and accounting system configurations. Validate access for transferred staff to ensure that access is systematically rescinded as the transition occurs. Conduct regular system and access assessments.
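The access checks named above (timely revocation, no default administrative accounts, rescinding access when staff transfer) can be run as one automated review that joins the HR roster to an account export. The following is an added example, not code from the handbook; the sample data, field names, role baseline, and finding labels are all constructed assumptions.

```python
from datetime import date
# Constructed sample data (not from the handbook). The role baseline, account
# names and field names are hypothetical.
BASELINE = {"payroll": {"payroll-app"},
            "dba": {"db-admin", "backup-restore"},
            "helpdesk": {"ticketing", "password-reset"}}
DEFAULT_ADMINS = {"administrator", "admin", "root", "sa"}
HR = {"asmith": {"role": "payroll", "end": None},
      "bjones": {"role": "dba", "end": date(2024, 3, 1)},   # terminated
      "cwu": {"role": "helpdesk", "end": None}}             # transferred from dba
ACCOUNTS = [
    {"user": "asmith", "enabled": True, "grants": {"payroll-app"}, "last_login": date(2024, 3, 14)},
    {"user": "bjones", "enabled": True, "grants": {"db-admin"}, "last_login": date(2024, 3, 9)},
    {"user": "cwu", "enabled": True, "grants": {"ticketing", "db-admin"}, "last_login": date(2024, 3, 15)},
    {"user": "administrator", "enabled": True, "grants": {"db-admin"}, "last_login": date(2024, 3, 12)},
    {"user": "tmpvendor", "enabled": True, "grants": {"ticketing"}, "last_login": None},
    {"user": "dpatel", "enabled": False, "grants": {"db-admin"}, "last_login": date(2023, 11, 2)},
]

def review_access(accounts, hr, baseline, as_of):
    """Return sorted (user, finding, detail) tuples for enabled accounts."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts are already revoked
        user, grants, seen = acct["user"], acct["grants"], acct["last_login"]
        if user.lower() in DEFAULT_ADMINS:
            # Shared default accounts defeat individual accountability.
            findings.append((user, "default-admin-enabled", f"last login {seen}"))
            continue
        person = hr.get(user)
        if person is None:
            findings.append((user, "no-owner", "no HR record for this account"))
            continue
        if person["end"] is not None and person["end"] <= as_of:
            days = (as_of - person["end"]).days
            findings.append((user, "terminated-still-enabled", f"{days} days after end date"))
            if seen is not None and seen > person["end"]:
                findings.append((user, "login-after-termination", str(seen)))
            continue
        extra = grants - baseline.get(person["role"], set())
        if extra:
            # Typical after a transfer: old-role entitlements never rescinded.
            findings.append((user, "excess-entitlement", ",".join(sorted(extra))))
    return sorted(findings)

if __name__ == "__main__":
    for finding in review_access(ACCOUNTS, HR, BASELINE, as_of=date(2024, 3, 16)):
        print(*finding, sep="\t")
```

Each finding maps to an owner action: disable the account, assign an owner, or have the manager sign off on or remove the excess entitlement.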
Documented and tested defense-in-depth or layered controls, separation of duties, and access controls are key actions that an enterprise can take to limit the risk of an insider threat. As the enterprise knows, the threat from within is very real. Trust is necessary, but it must be controlled and monitored.