January 06, 2014

3.2.15 Malicious Insider Threat


We have met the enemy and he is us. – Walter Crawford Kelly, Jr.

IT security professionals and laypeople alike are aware of IT security threats posed by external forces such as hackers, malware and denial of service attacks. Systems and policies to mitigate these “outsider” threats, such as firewalls, intrusion detection and prevention systems and antivirus software, are well defined. However, these mitigation efforts are largely ineffective against what several studies have identified as a significant threat to an organization’s security posture: the malicious insider.


Figure: Electronic crimes most costly or damaging to an organization
Bob Bragdon, VP and publisher of CSO, puts it this way: “Cyber threats can come from outside and inside the organization. Public awareness has been largely focused on the more sensational successful cyber espionage attacks from nation-states, but the fact is insiders with malicious intent also pose a great security risk.”

Insiders necessarily have legitimate access to internal resources and are familiar with the organization's security controls for protecting them. A malicious insider is a current or former employee, contractor, or business associate who has or has had authorized access to an organization’s resources and has (incidentally or intentionally) misappropriated that access in a way that negatively impacts the confidentiality, integrity and availability of the organization’s resources.

According to research by CERT, the malicious insider is in many cases motivated by revenge or greed, and his or her activities accordingly include sabotage of computer systems, extortion, theft of intellectual property and exposure of private information.

Most Common Insider Cyber Incident
Incident                                                                                        Share of respondents
Unintentional exposure of private or sensitive data                                             34%
Theft of intellectual property (IP)                                                             34%
Theft of other (proprietary) information, including customer records, financial records, etc.   31%
Unauthorized access to or use of information, systems or networks                               30%
Source: 2013 US State of Cybercrime Survey

Malicious insider threats are difficult to defend against because the insider has intimate knowledge of the security controls and of methods to bypass them. The scope and impact of malicious insider threats are likely underreported and underappreciated. The following table from a 2006 survey shows how over 400 organizations handled insider and outsider incidents: ‡‡

How the incident was handled                                           Insider   Outsider
Handled internally without involving legal action or law enforcement   72%       75%
Handled internally with legal action                                   13%       6%
Handled externally by notifying law enforcement                        14%       18%
Handled externally by filing a civil action                            2%        1%

At the 2013 RSA Conference in San Francisco, Patrick Reidy of the Federal Bureau of Investigation (FBI) shared five lessons learned for security practitioners, based on the FBI’s experience investigating malicious insider threats.
  • Insider threats are not hackers.
    • The Insider Threat Study in 2008 by CERT and the National Threat Assessment Center (NTAC) describes several key findings:††
      • A specific event or series of events triggered most insiders’ actions.
      • Revenge was reported as the main motive in just over half the cases.
      • Frequently reported goals of insider attacks included financial gain, theft of information and sabotage to the organization.
    • The first step to mitigation is gaining an understanding of the motivation of the malicious insider.
  • Insider threat is not a technical or "cybersecurity" issue alone.
    • Mitigating insider threats calls for controls that move beyond IT and include solutions that are people-centric.
    • Successful mitigation strategies look at the interplay between business processes and information technology.
    • “Adopt a multidisciplinary whole threat approach”
  • A good insider threat program should focus on deterrence, not detection.
    • Create an environment that makes it “really difficult or uncomfortable to be an insider.”
    • Crowdsource security, i.e. solicit input from the user community on how to improve the controls that protect data.
  • Avoid the data overload problem
    • Deploy data filters
    • Periodic audits
    • Implement segmentation of duties
  • Use behavioral based techniques for detection of insider threats
    • “Base detection on user’s personal cyber baselines”
    • “The idea is to detect insider bad behavior closer to that tipping point of when a good employee goes rogue.”
The following table describes some differences between insider and outsider threats and points to why insider threats demand special categorization.

Insider             Outsider            Description
Trusted             Untrusted           Insiders have intimate knowledge and are able to sidestep security measures more easily without raising alarm.
Legitimate access   Unauthorized        Illicit activity by insiders can more easily be masked as authorized because they have legitimate access to the resource.
Operational tools   Specialized tools   Relatively low-tech tools can be used by insiders, as they are already behind the firewall, already know the administrator password, etc.
Revenge             Financial           The motivation of the insider is usually less sophisticated; however, in many cases it is also less predictable and more expensive to prevent or detect.
Insider vs. Outsider Threats

As in most cases, effective security calls for a multi-layered approach. To mitigate malicious insider threats, behavioral and policy-based deterrents should be deployed in addition to technology-based deterrents such as firewalls, intrusion detection systems and monitoring.

Behavioral and policy-based deterrents include tools such as acceptable use policies (AUP), background checks, account management policies and segregation of duties. In a 2006 E-Crime Watch Survey conducted by the United States Secret Service (USSS), the SEI CERT Program, and CSO Magazine, the top five security policies and procedures used by organizations in the survey were:‡‡
  1. Account/password management policies
  2. Acceptable use policy/ Formal “inappropriate use” policy
  3. Employee/contractor background check
  4. Employee education & awareness programs
  5. Conduct regular security audits
Here are some best-practice considerations drawn from various security principles:
  • Monitor how users interact with information
    • Establish a baseline of normal user behavior with respect to data and resource usage, conduct trending analysis and alert on deviations from baseline with respect to data movement, channels and usage.
    • Log, monitor, and audit employee online actions
  • Anticipate and manage workplace issues across the employee lifecycle
    • Deploy policies and procedures designed to monitor, manage and respond to disruptive and suspicious behavior.
    • Deactivate computer access following termination
  • Implement comprehensive and consistent information controls to minimize data exfiltration
    • Require accountability regardless of endpoint (e.g. desktop, tablet, smartphone)
    • Employ controls across all information states (at rest, in motion, and in use) and across all endpoints (network, tablet, desktop, smartphone, etc.)
    • Understand, monitor and lock down all exit points for data, e.g. wireless, removable media, fax/printers, social media, FTP, etc.
    • Implement secure backup and recovery processes
  • Institute stringent access controls and monitoring policies on privileged users
    • Institutionalize system change controls
    • Centralize security control management for rapid incident identification, analysis, and response
    • Enforce separation of duties and least privilege
    • Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities
    • Use a log correlation engine or security information and event management (SIEM) system to log, monitor, and audit employee actions
    • Collect and save data for use in investigations
  • Institute periodic security awareness training for all employees
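As an added illustration of the per-user baseline approach described in the FBI lessons and the monitoring practices above (example code written for this page, not from the original post or the reports it cites): it builds each user's baseline from constructed data-movement events, alerts only on deviations from that user's own pattern in volume or exit channel, and contrasts this with a fixed global threshold that produces the alert flood the "data overload" lesson warns about. The event tuples, users and thresholds are all assumptions.

```python
# Added example (not from the original post): a per-user behavioural baseline
# over constructed data-movement events, flagging deviations in volume or channel.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events: (user, day, bytes_sent, channel). Days 1-5 form the
# baseline window; day 6 is the period under review. bob moves ~2 MB/day by sftp
# as part of his job; alice normally sends ~100 KB/day by email.
EVENTS = [
    ("alice", 1, 120_000, "email"), ("alice", 2, 95_000, "email"),
    ("alice", 3, 110_000, "email"), ("alice", 4, 130_000, "email"),
    ("alice", 5, 105_000, "email"), ("alice", 6, 4_800_000, "usb"),
    ("bob", 1, 2_000_000, "sftp"), ("bob", 2, 1_900_000, "sftp"),
    ("bob", 3, 2_100_000, "sftp"), ("bob", 4, 2_050_000, "sftp"),
    ("bob", 5, 1_950_000, "sftp"), ("bob", 6, 2_000_000, "sftp"),
]


def build_baselines(events, window):
    """Per-user mean/stdev of daily bytes and the set of channels seen in days 1..window."""
    raw = defaultdict(lambda: {"bytes": [], "channels": set()})
    for user, day, nbytes, channel in events:
        if day <= window:
            raw[user]["bytes"].append(nbytes)
            raw[user]["channels"].add(channel)
    return {u: {"mean": mean(d["bytes"]), "stdev": pstdev(d["bytes"]),
                "channels": d["channels"]} for u, d in raw.items() if d["bytes"]}


def find_deviations(events, baselines, window, z_threshold=3.0):
    """Return (user, day, reason) for post-window events that deviate from that user's baseline."""
    alerts = []
    for user, day, nbytes, channel in events:
        if day <= window or user not in baselines:
            continue  # baseline period, or a user with no history (needs separate handling)
        b = baselines[user]
        # Floor the spread so a perfectly flat baseline still yields a finite score.
        spread = b["stdev"] or max(0.1 * b["mean"], 1.0)
        z = (nbytes - b["mean"]) / spread
        if z > z_threshold:
            alerts.append((user, day, f"volume z-score {z:.1f} above personal baseline"))
        if channel not in b["channels"]:
            alerts.append((user, day, f"exit channel not in baseline: {channel}"))
    return alerts


def global_threshold_alerts(events, max_bytes):
    """The naive alternative: one fixed threshold for everyone (shown for contrast)."""
    return [(u, d, "over global threshold") for u, d, n, _ in events if n > max_bytes]


if __name__ == "__main__":
    base = build_baselines(EVENTS, window=5)
    for alert in find_deviations(EVENTS, base, window=5):
        print(alert)
    print(len(global_threshold_alerts(EVENTS, 1_000_000)), "alerts from a fixed 1 MB/day rule")
```

Running it flags only alice on day 6 (both for volume and for the new USB channel), while the fixed rule fires on every one of bob's normal days as well.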
Related Terms: stochastic forensics