How Many Spies?

This is a follow-up to Incorrect Insider Threat Perceptions. I think security managers are worrying too much about insider threats compared to outsider threats. Let's assume, however, that I wanted to spend some time on the insider threat problem. How would I handle it?

First, I would not seek vulnerability-centric solutions. I would not even really seek technological solutions. Instead, I would focus on the threats themselves. Insider threats are humans. They are parties with the capability and intention to exploit a vulnerability in an asset. You absolutely cannot stop all insider threats with technical solutions. You can't even stop most insider threats with technical solutions.

You should focus on non-technical solutions. (Ok, step two is technical.)

  1. Personnel screening: Know who you are hiring. The more sensitive the position, the deeper the check. The more sensitive the position, the greater the need for periodic reexamination of a person's threat likelihood. This is common for anyone with a federal security clearance, for example.

  2. Conduct legal monitoring: Make it clear to employees that they are subject to monitoring. The more sensitive the position, the greater the monitoring. Web surfing, email, IM, etc. are subject to inspection and retention within the boundaries of applicable laws.

  3. Develop and publish security policies: Tell employees what is proper and improper. Let them know the penalties for breaching the policy. Make them resign them annually.

  4. Discipline, fire, or prosecute offenders: Depending on the scope of an infraction, take the appropriate action. Regulations without enforcement (cough - HIPAA - cough) are worthless.

  5. Deterrence: Tell employees all of the above regularly. It is important for employees who might dance with the dark side to fully understand the consequences of their misdeeds.


At the end of the day, you should wonder "how many spies are there in your organization?" Consider the hurdles an insider threat must leap in order to carry out an attack and escape justice.

  • He must pass your background check, either by having a clean record or presenting an airtight fake record.

  • He must provide a false name and mailing address to frustrate attempts to catch him.

  • He must evade detection by your internal audit systems.

  • He must have an escape plan to leave the organization and resurface elsewhere.


I could continue, but imagine those difficulties compared to those facing a remote cyber intruder in Russia who conducts a successful client-side attack on your company. Now which attack is more likely -- the insider or the outsider?

Comments

Anonymous said…
(#3) ... Make them resign them annually.

Excellent! That should cut down help-desk costs immensely!

Oh, re-sign? Ah!

This is similar to the idea of automatic expiration (pioneered by Ranum). Proactive action is required to maintain access (or privilege). Lack of action results in garbage collection.
Anonymous said…
External attackers are basically fishing; they do not know what they are looking for. Insiders do.


In the Verton book I referred to in your last post, the US Attorney General estimated that the loss due to inside attackers in the US in 2004 was over $250 BILLION annually. I have read other estimates that the figure is now approaching up to $400 BILLION annually.
Without internal controls, how does one know what losses are occurring?


Some of these breaches are decidedly low-tech. However, if these figures are anywhere close to accurate, it would indicate that such losses are mostly hidden since there are few means to detect that they are occurring, or that current corporate management is so lame as to be basically incompetent with their heads in the sand. In any case, I do not read anywhere that the loss figures from external breaches are close to these amounts. Then again, corporations are loath to acknowledge their stupidity and negligence anyway.
Unknown said…
As part of #2, basically something auditable as well. Data access should leave trails if it is technologically accomplished. Even presence can be audited with well-placed security cameras and electronic door locks.


I would bet that much like companies have no idea an attacker from the outside has been accessing their database from Oct 2005 until Nov 2006, that many orgs simply have no idea someone is coming in late at night and siphoning off a few files here and there, or using access to systems to host a few FTP accounts for some games for friends. Sadly, far too many orgs, when they do find this stuff out, either do nothing or do nothing more than waggle a finger and close the hole by technological means and bury it under the rug.

Richard's #4 about enforcement is one of the weak points in my experience. It is easy when it comes to obvious criminal activities or porn-surfing at work, but anything except the obvious seems to baffle mgmt and hr.
Anonymous said…
With regards to Rob, you should check out this Miami Herald article: http://www.miami.com/mld/miamiherald/news/local/states/florida/counties/broward_county/16332102.htm

Basically, this lady (a convicted felon) got a job where she ended up working alone, at night, unsupervised in the accounting section of a Broward County (think Ft. Lauderdale) Labor Agency. She then wrote over $2,400,000 worth of checks to herself.

Who caught her? The bank teller at her local branch office.

I do agree with you that external threats are the greater of the two when proper controls are in place.
Anonymous said…
Richard, you're right on the money with all of these threat management measures. However, I smell a hint of straw here. Insider threats can encompass everything from Stoopid User Tricks that let in external attackers, to grudge attacks, turf wars that escalate to security fights (yes, I've seen them), larceny, and pr0n collecting. It isn't just about theft of proprietary information.
Anonymous said…
yaa taa tas ir