Information is one of the primary competitive weapons and business enablers for organisations of all kinds. The ability to provide the correct information to educate workers has driven a proliferation of information sharing, but with it has come significant risk. The actions of users who intentionally or accidentally cause damage to an organisation are now one of the most complex and difficult-to-manage problems facing IT security teams. So, how can you thwart the people you trust? This article examines some of the important aspects of insider threats and offers guidance to reduce the risk.
While much has been written on the subject of the insider threat, it still remains one of the most contentious and difficult to manage areas of information security policy. It goes against the grain to believe an employee is capable of stealing information – yet it happens.
So exactly how big is the risk from insiders?
In short, it depends greatly on what we define as an insider attack and the role that insiders play in breaches. The 2010 Verizon Risk Team Data Breach Investigation Report states that almost half (48%) of studied breaches are caused by insiders (an increase of 26% on 2009). As our understanding of the role of insiders in data breaches develops, so does our understanding of the complexity of attacks facing organisations and the difficulty in maintaining the balance between free information flow and good security.
Understanding the insider attack
At the most basic level, there are two kinds of insider attack: malicious and non-malicious. 2010 statistics from The Open Security Foundation found that almost three times as many breaches are caused by accidental insider activity as by malicious intent. In fact, non-malicious breaches will often occur through normal usage of information, especially through avenues such as email, loss of laptops or storage media, and exposure to non-authorised parties within the organisation.
As users carry increasingly large quantities of information on mobile devices such as laptops and smart phones, and on removable media such as thumb drives, the risk of breaches caused by accident will continue to rise. Statistics show that enterprise organisations lose large numbers of laptops every year, and in 60% of the cases the device is simply misplaced by the owner.
While non-malicious insider breaches are a growing concern, most security organisations are focused primarily on preventing the actions of malicious insiders. A malicious insider can, and often will, cause damage over a long period of time, and may also be a significant contributory factor in external breaches. In CERT's "Common Sense Guide to Prevention and Detection of Insider Threats," the authors identify four types of malicious insider attack:
1) Attacks aimed at sabotaging IT resources (often out of a desire for revenge)
2) Attacks that steal (or modify) information for financial benefit
3) Attacks that steal (or modify) information for business gain
4) A miscellaneous group of attacks associated with unauthorised access but not necessarily for personal gain
Attacks aimed at sabotage and those for financial gain make up the bulk of the cases the authors examined; however, given the difficulty of tracking when sensitive information is stolen and handed over to a competitor, it is entirely possible that thefts for business advantage are under-represented in any study.
Avoiding the insider attack
The challenge of managing risks and reducing the likelihood of an insider attack is that it requires close coordination between technical information security controls, human resources and line management. This need for the intersection of the human element with monitoring and other controls is precisely what makes insider attacks, especially malicious ones, so difficult to detect and prevent.
In the previously mentioned CERT whitepaper on preventing insider attacks, the authors suggest 16 practical measures that can be adopted to help reduce risks from malicious insiders:
• Consider threats from insiders and business partners in enterprise-wide risk assessments
• Clearly document and consistently enforce policies and controls
• Institute periodic security awareness training for all employees
• Monitor and respond to suspicious or disruptive behaviour, beginning with the hiring process
• Anticipate and manage negative workplace issues
• Track and secure the physical environment
• Implement strict password and account management policies and practices
• Enforce separation of duties and least privilege
• Consider insider threats in the software development life cycle
• Use extra caution with system administrators and technical or privileged users
• Implement system change controls
• Log, monitor, and audit employee online actions
• Use layered defence against remote attacks
• Deactivate computer access following termination
• Implement secure backup and recovery processes
• Develop an insider incident response plan
While these are focused on dealing with intentional attacks, some will also reduce the risk of accidental incidents.
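Two of the measures above, "log, monitor, and audit employee online actions" and "deactivate computer access following termination", can be checked against each other. The following is an added example, not code from the article or from CERT: it correlates a constructed HR leaver roster with constructed authentication log lines (the log format, usernames and hostnames are assumptions) and reports any account that was still being used after its owner's last working day.

```python
from datetime import date, datetime

# Constructed HR leaver roster (hypothetical data): username -> last working day.
TERMINATED = {
    "jdoe": date(2010, 3, 15),
    "asmith": date(2010, 4, 1),
}

# Constructed authentication log lines in a simple syslog-like format assumed here.
AUTH_LOG = """\
2010-03-14T17:55:02 vpn-gw LOGIN user=jdoe src=203.0.113.10 result=success
2010-03-16T02:13:44 vpn-gw LOGIN user=jdoe src=203.0.113.10 result=success
2010-03-20T09:01:00 fileserver LOGIN user=bwong src=10.0.0.5 result=success
2010-04-02T23:40:12 fileserver LOGIN user=asmith src=10.0.0.9 result=failure
2010-04-03T23:41:30 fileserver LOGIN user=asmith src=10.0.0.9 result=success
"""


def parse_line(line):
    """Split one log line into a dict: timestamp, host, and the key=value fields."""
    ts, host, _event, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"when": datetime.fromisoformat(ts), "host": host, **kv}


def logins_after_termination(log_text, terminated):
    """Return (user, timestamp, host, result) for every login attempt made with
    an account whose owner's last working day has already passed. Failed
    attempts are reported as well as successes: a failure shows the account
    is still being tried, a success shows it was never deactivated."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        last_day = terminated.get(rec["user"])
        if last_day is not None and rec["when"].date() > last_day:
            findings.append((rec["user"], rec["when"].isoformat(),
                             rec["host"], rec["result"]))
    return findings


def accounts_to_disable(log_text, terminated):
    """Accounts of departed staff that still authenticated successfully after
    the last working day: these should already have been deactivated."""
    return sorted({user for user, _, _, result
                   in logins_after_termination(log_text, terminated)
                   if result == "success"})
```

Run against a real roster and log export, the same two functions give an auditor a list of accounts that slipped through the leaver process and the evidence for each.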
In support of these initiatives, encryption software can play a key role. Encryption provides the capability to render sensitive information unreadable to unauthorised users, and most importantly, once encrypted, the ‘protection’ stays with the data wherever it resides. A further benefit is that it helps enforce tight controls over who can access the information. Finally, because encryption is highly data-centric, it reduces the value of the information itself (and the liability associated with it) to a third party. An encrypted file on a laptop may contain highly proprietary information, or sensitive personal data covered by one of the many industry and legislative mandates, but if it is properly encrypted, the information remains protected even if the laptop is lost or stolen.
In the event of an incident, encrypted information is often exempt from some of the more punitive requirements for notification and will therefore significantly reduce the cost of an accidental breach. In their 2009 study, “Cost of a lost laptop”, the Ponemon Institute reported that the presence of encryption on a lost laptop reduced its cost to the organisation by over $20,000.
Addressing the threats from insiders is always an emotive subject. While your organisation will always want to hire trustworthy employees, it is an irrefutable fact that accidental breaches occur with startling regularity, and that a single, well-motivated malicious insider can cause immense damage. The nature of the interaction between IT and business units is also changing, fuelled in no small part by the availability of maturing Cloud offerings. As a result, the complexity and nature of the insider threat are changing too.
While no single technology can ever provide complete security, encryption will continue to play a central and pivotal role in both reducing the risk of a breach and limiting the damage to your business should one occur.