Address Insider Threat of Privileged Users White Paper

Insiders Can Ruin Your Company. Take Action.

Did you know that 80 percent of threats to an organization come from the inside? The threat from insiders is often overlooked in organizations worldwide. This white paper discusses key technology solutions that help to prevent and detect insider threats.

Address the Insider Threat of Privileged Users
Co-written by Dr. Eric Cole and NetIQ Corporation

As a general rule, organizations typically grant IT administrators much more access than is required to make simple changes to their production servers and applications. In order to protect sensitive data, comply with regulations, and ensure the integrity of their IT infrastructure, organizations need to maintain tighter control over that access.

This white paper is divided into two sections. First, Dr. Eric Cole discusses the business issues around insiders, especially IT administrators. Second, NetIQ discusses how to reduce or eliminate many of the issues that Dr. Cole describes.
This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time.

Copyright © 2010 NetIQ Corporation. All rights reserved.

ActiveAudit, ActiveView, Aegis, AppManager, Change Administrator, Change Guardian, Compliance Suite, the cube logo design, Directory and Resource Administrator, Directory Security Administrator, Domain Migration Administrator, Exchange Administrator, File Security Administrator, Group Policy Administrator, Group Policy Guardian, Group Policy Suite, IntelliPolicy, Knowledge Scripts, NetConnect, NetIQ, the NetIQ logo, PSAudit, PSDetect, PSPasswordManager, PSSecure, Secure Configuration Manager, Security Administration Suite, Security Manager, Server Consolidator, VigilEnt, and Vivinet are trademarks or registered trademarks of NetIQ Corporation or its subsidiaries in the USA. All other company and product names mentioned are used only for identification purposes and may be trademarks or registered trademarks of their respective companies.

WHITE PAPER: Address the Insider Threat of Privileged Users
Table of Contents

About Dr. Eric Cole
Introduction
The Importance of Understanding the Insider Threat by Dr. Eric Cole
  Key Aspects of Insider Threat
  Insider vs. External Threat
  Why the Insider Threat Has Been Ignored
  Current Solutions Do Not Scale
  The Threat Is Real
  Key Areas of Attention
    Policies and Procedures
    Audits
    Access Controls
NetIQ and the Insider Threat
Conclusion
About NetIQ
About Dr. Eric Cole

Dr. Eric Cole has been working with international banks, Fortune 500 companies, and governmental agencies such as the CIA for more than 15 years to improve their security. In addition to being a hands-on expert, he is also a respected teacher, presenting at security conferences, working to explain security concerns to mass media through outlets like CBS News, 60 Minutes, and CNN, and writing articles and books including Hackers Beware, Hiding in Plain Sight, and the Network Security Bible. Dr. Cole's book, Insider Threat: Protecting the Enterprise from Sabotage, Spying, and Theft, reminds us that insiders (trusted employees and contractors) can do more damage more quickly to an organization than any outside hacker.

Introduction

Worms! Viruses! Spyware! Mass media coverage (hysterics?) about external security threats has caused many of us to temporarily forget the most important rule of thumb about security: that 80 percent of the threat to any organization comes from inside. Trusted employees, IT staff, contractors, and outsourcers all have access to critical systems and are inside the primary lines of organizational defense. Whether the primary security concern is data integrity, financial compliance, or privacy protection, administrators must ensure that the insider threat is understood and contained.

Most organizations deal with insider threats by defining application roles, restricting access to data, and setting strict audit rules. Often forgotten are their computer administrators. IT administrators are granted eminent powers over servers, Active Directory, and applications as part of their jobs. Until recently, no solution existed to limit this power beyond partial measures like logs, and administrators, by definition, have been able to evade those measures.

The Importance of Understanding the Insider Threat, by Dr. Eric Cole [1]

Organizations often think that once they hire an employee or a contractor, that person is now part of a trusted group of people. Although an organization might allow an employee privileged access, why should they trust that person? Many organizations do not perform background checks or reference checks. As long as the hiring manager likes them, they will hire them. Many people might not be who you think they are. It can be an expensive, if not fatal, mistake for a company to fail to validate a person's background. Because many organizations, in essence, hire complete strangers and give them access to sensitive data, the insider threat is something that all organizations must worry about.

If a competitor or similar entity wants to cause damage to your organization, to steal critical secrets or put you out of business, here is a good example of how they could succeed if granted access. They would locate a job opening, prep someone to ace the interview, have that person get hired, and they are inside your organization. The fact that it is that easy should alarm you.

Many companies have jobs open for several weeks, and it could take a couple of weeks to set up an interview. That gives a competitor focused on your company a four-week period to prep someone to ace an interview. This is a current practice of foreign governments. They know that a key requirement for that person is to pass the polygraph. Their candidate is put through intensive training so that he or she can pass the polygraph. This points out a key disadvantage that organizations have: the attacker is aware of your hiring process, and all they have to do is prep someone so they ace that part of the process.

Insider threat is occurring all the time, but since it is happening within an organization, it is a private attack. Public attacks like defacing a Web site are hard for a company to deny. Private attacks are much easier to conceal.

Because these attacks are being perpetrated by trusted insiders, you need to understand the damage they can cause, how to build proper measures to prevent the attack, how to minimize the damage, and, at a minimum, how to detect the attacks in a timely manner. Many of the measures companies deploy today are ineffective against an insider threat. When companies discuss securing their enterprise, they are concerned with the external attack, forgetting about the damage that an insider can cause.

The United States Secret Service is conducting a series of studies on the insider threat. Why? Because billions of dollars are being lost. You will never be able to completely remove the insider threat, because companies need to be able to function. If you fire all your employees, you might have prevented the insider attack, but you will also go out of business. The key is to strike a balance between the access your employees need and the access your employees currently have.

Key Aspects of Insider Threat

The key aspect to remember when dealing with threatening insiders is that in most cases, they will exploit the weakest link that gives them the greatest chance of access, while minimizing the chances that they get caught. Why try to break through a firewall and gain access to a system with a private address, when you can find someone behind the firewall with full access to the system?

[1] This section (pages one through six of the original white paper) consists of excerpts from the book Insider Threat by Dr. Eric Cole.
It has been emphasized many times, but taking advantage of access is a driving force in the insider attack.

Most people, when they think of attackers, think of someone with a huge amount of technical sophistication who can walk through virtual cyber walls and gain access to anything they want. However, insiders take advantage of the fact that they already have access, so many of the attack methods tend to be less technically sophisticated. In some cases, if an insider has partial access, they will use additional techniques to increase their access. However, since they are typically not dealing with any security devices, most of the methods tend to be fairly straightforward.

It is also important to remember that to launch an effective attack, attackers need knowledge of the organization they are trying to attack. External attackers could spend weeks, if not longer, trying to acquire the information they need to launch a successful attack. In some cases, if they cannot gain enough knowledge, they might decide to go after a different target.

In the case of the insider, he has full knowledge of your operations. He knows what is checked and what is not checked, and he can even test the system. For example, when he is trying to access his private share, he could click on someone else's and see if anyone notices. If he does this multiple times and nothing ever happens, he has now gained valuable knowledge: either access is not being logged, or it is not being watched. Because he has access to your operations, he either has detailed knowledge of how things operate or he can gain it quickly by testing the system.
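The probing behaviour described above (a user repeatedly opening shares that are not theirs to see whether anyone notices) is exactly what a review of share-access logs should surface. The following Python is an added example, not part of the white paper or of any NetIQ product: it parses a constructed, simplified share-access log (the line format and the map of which shares each user is entitled to are assumptions for illustration), compares each access against the user's entitled shares, and groups out-of-scope accesses by user and share, counting repeats and separating accesses that succeeded (the permission itself is too broad) from those that were denied (the control held, but the attempt is still a signal).

```python
import re

# Constructed sample log (not real data). One share access per line:
# timestamp, user, UNC share path, and whether the access was allowed.
SAMPLE_LOG = r"""
2010-03-01T09:02:11 user=jsmith share=\\fs01\users\jsmith result=success
2010-03-01T09:05:40 user=jsmith share=\\fs01\users\jsmith result=success
2010-03-01T09:06:02 user=jsmith share=\\fs01\users\ahughes result=success
2010-03-01T10:15:33 user=ahughes share=\\fs01\users\ahughes result=success
2010-03-02T08:44:10 user=jsmith share=\\fs01\users\ahughes result=success
2010-03-02T08:45:55 user=jsmith share=\\fs01\finance\q1 result=success
2010-03-03T13:12:07 user=jsmith share=\\fs01\finance\q1 result=success
2010-03-03T13:14:21 user=jsmith share=\\fs01\hr\salaries result=denied
"""

# Constructed entitlement map (assumption): the shares each user is supposed to use.
AUTHORIZED = {
    "jsmith": {r"\\fs01\users\jsmith"},
    "ahughes": {r"\\fs01\users\ahughes", r"\\fs01\finance\q1"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) share=(?P<share>\S+) result=(?P<result>\w+)$"
)


def parse_log(text):
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_out_of_scope(events, authorized):
    """Group every access outside the user's entitled shares by (user, share).

    Events are assumed to be in chronological order. A user with no entry in
    `authorized` is entitled to nothing, so all of their accesses are reported.
    """
    findings = {}
    for e in events:
        if e["share"] in authorized.get(e["user"], set()):
            continue
        key = (e["user"], e["share"])
        f = findings.setdefault(key, {"count": 0, "succeeded": 0, "denied": 0,
                                      "first": e["ts"], "last": e["ts"]})
        f["count"] += 1
        if e["result"] == "success":
            f["succeeded"] += 1   # the control let it through: permission is too broad
        else:
            f["denied"] += 1      # the control held, but the attempt is still signal
        f["last"] = e["ts"]
    return findings


def report(findings, repeat_threshold=2):
    """Render findings, most frequent first; repeats are the probing pattern."""
    lines = []
    for (user, share), f in sorted(findings.items(), key=lambda kv: -kv[1]["count"]):
        tag = "REPEATED" if f["count"] >= repeat_threshold else "single  "
        lines.append(f"{tag} {user} -> {share}: {f['count']} access(es), "
                     f"{f['succeeded']} succeeded, {f['denied']} denied, "
                     f"{f['first']} .. {f['last']}")
    return lines


if __name__ == "__main__":
    for line in report(find_out_of_scope(parse_log(SAMPLE_LOG), AUTHORIZED)):
        print(line)
```

On the constructed input, jsmith's two successful reads of another user's home share and two of a finance share are reported as repeated out-of-scope access, and the single denied attempt on the HR share is listed separately. Successful out-of-scope access is the more serious finding: it means the permission exists, not just that someone tried.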
Insider vs. External Threat

Instead of arguing over whether an insider threat or an external threat causes the most damage, the short answer is: they both can cause damage, and they both have to be addressed.

The problem to date is that most security efforts have been focused on the external threat. For most organizations, more energy and effort have been placed on the external threat than on the internal threat. The reason is simple: it is easier to stop, easier to control, and more visible. If you have system "x", you can state that it should not be accessible from the Internet and have measures in place to prevent it. Then, if someone accesses it externally, it sets off a flag. The problem with the insider threat is that people are supposed to access server "x", but only for legitimate purposes. Now you have to measure intent when someone accesses data, which is almost impossible to do.

In addition, the outsider threat is better understood. We understand the means and methods that are used to attack systems because we have case studies and history to back it up. With insider threat we know it happens and it is damaging, but we have less factual data on which to base conclusions.

Companies that are going to survive and thrive will need to turn their focus to the insider and take preventative action against these types of threats. Otherwise, by the time the threat occurs, there will not be much of their company left to save.

Why the Insider Threat Has Been Ignored

At this point you might be saying that if the insider threat is so damaging, why has it been ignored, and why haven't people focused on it earlier? There are many reasons for this. First, it is not an easy problem. It is very hard to understand and almost impossible to grasp. Both the Central Intelligence Agency (CIA) and the Federal Bureau of Investigation (FBI) knew of the potential damages of insider threat and took many measures to prevent it.
However, over the past ten years they have still been severely impacted by it.

There are three key reasons that the insider threat has been ignored:
1. Organizations do not know it is happening.
2. It is easy to be in denial.
3. Organizations fear bad publicity.

Current Solutions Do Not Scale

Most security devices that are deployed at organizations are meant to stop the external attack. Firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS) are built around some attack vector that they are trying to prevent. Firewalls block access to certain ports, which stops an attacker but does not stop an insider. If an insider needs access to certain information to do his job, a firewall will allow it. If that person uploads data to an external site or e-mails it to an unauthorized party, it is almost impossible for a firewall to prevent. IDS and IPS largely work off known signatures of attack. Most external attacks have known signatures. Most internal attacks do not. In addition, most security devices are deployed at the perimeter. Once you get past the perimeter, there are minimal internal protection measures.

As we have discussed, limiting access and implementing policies and procedures are key to preventing the insider threat. It should not be surprising that most organizations do a terrible job at controlling access and an even worse job at having clear, consistent policies. While companies claim they are doing this, they are not doing it well. Security measures that are in place are mainly for the perimeter and do not scale to the insider. Measures that will protect against the insider are hard to implement at a large organization and do not scale very well.

The Threat Is Real

Insider threat is no longer a fictitious concept that people write about and that you see in movies. It is real, it is happening consistently, and those who do not take it seriously may be hurt by its results.

Think of the damage that viruses and worms cause to organizations. These are attacks that start on the Internet and manage to get through organizations' firewalls, perimeters, and security devices and cause severe loss. If an external worm can penetrate an organization with ease, what can someone who is behind the firewall and the security perimeter do? The short answer is: almost anything they want. Although people can argue over the validity and strength of firewalls, IDS, and perimeter security, at least there are some measures in place.

When it comes to insiders, there is little stopping them because they are a trusted entity. What is even worse than not preventing them is not trying to detect their actions. This means that not only is nothing stopping an insider, but there is nothing in place that is watching or recording their actions to even detect that something is happening.

As we talked about earlier, many organizations would rather live in denial than fix the problem. Unfortunately, with a real threat, denial will only cause more harm. The insider threat is like a tumor. If you realize there is a problem and address it, you will have short-term suffering but a good chance of recovery.
If you ignore it, it will keep getting worse, and while you might have short-term enjoyment, it will most likely kill you.

You might be saying that you acknowledge that the threat is real but that your company is not vulnerable. The reality is that almost every organization is vulnerable, because almost every organization has minimal, if any, controls in place and does not carefully control access to data.

Some organizations might have some basic access controls in place, but that is not good enough. If even one person has more access than they need to do their job, that is too much access. Giving everyone the least access they need to do their job is critical, plus putting auditing measures in place to track behavior, even if you know that access is strictly controlled. What stops someone who has legitimate access to a file from e-mailing it to someone who should not have access? Not only do you have to strictly control access, you must also monitor it. Too much access is what leads to ultimate compromise, and too little monitoring leads to someone not being caught or controlled. Both play a critical role in your insider threat arsenal.

More and more organizations are starting to recognize that insider threat is important. The problem is that it is after the fact. I know of a multitude of companies that have been victims of insider threat. I do not know of any that have successfully stopped an insider threat at the outset. All of our case studies, histories, and knowledge of insider threat come from after the problem occurs and a company has been compromised. The real problem is that we are not finding out about the problem because the insiders are not being caught. At least if we caught the insider after the fact, we could stop that person from doing it again. Unfortunately, we know it is happening, but we do not know who did it. This creates a double-edged sword. Most executives do not believe what they cannot see, so they initially do not take insider threat seriously. Then, after it happens and there is critical damage, they ask why they weren't warned or told it was a problem so they could have fixed it.

In 2005, it is estimated that more than 10 million identities were stolen, with a loss of more than $50 million resulting from it. What more proof do we want that this is a real threat? You might ask what stolen identities have to do with insider threat. The answer is: there is a direct correlation. How is personal information taken to steal someone's identity? Often it is taken by an insider who has access to that information at the company they work for. Credit card fraud and identity theft are frequently enabled by insiders stealing information they should not have access to.

The Bali nightclub bomber wrote a manifesto from jail in 2004 urging terrorists to take terrorism to cyberspace. Why? Because he knew that was a weak link that could easily be exploited. Organizations and countries have critical infrastructures that are all stored in computers. If that information is compromised, it could have the same impact as an actual bomb.

The book Unrestricted Warfare, by Qiao Liang and Wang Xiangsui (Beijing: PLA Literature and Arts Publishing House, February 1999), which can be downloaded at http://www.terrorism.com/documents/TRC-Analysis/unrestricted.pdf, talks about how cyber weapons will become the weapons of the future. The key fact is that this levels the playing field across all countries. Who can compete with the nuclear arsenal of the U.S.? However, with cyber weapons, all the barriers to entry and monitoring are gone. Just think: if you put two or three cyber weapons together in a coordinated fashion, you would have the cyber version of the perfect storm.

Insider threat needs to be moved up in importance and discussed in boardrooms prior to attacks, not after significant monetary loss.
Proactive measures need to be taken to stop insider attacks from occurring, not reactive measures to clean up the mess.

What is scary is that minimal skill is needed to launch these attacks. You really do not need to know anything if you have access. You just drag and drop information you should not be sending outside the company and e-mail it to a competitor or a Hotmail account. Years of company intellectual property (IP) can be extracted in minutes. Even if you do not have access, there are tools you can download and run to get access. If you can install Microsoft Office, you can install and run these tools. Unfortunately, they are really that easy to use. These tools are publicly available, free for the taking.

The sale of stolen IP makes the stolen car industry look "small time." It is happening constantly and is such a normal occurrence that people do not even realize it. An unprotected computer is an insider threat even if the user of the system is the most ethical employee on the planet. The computer and account have trusted access, not the person, and if someone can compromise the system because the person went to lunch and left his system unlocked, that is a huge source of insider threat and potential loss for a company.

We can predict snowstorms and severe weather with high reliability before they occur. This early warning system enables people to prepare and take action to help minimize the damage. The reason we can predict weather is that we look for indicators using radar and other advanced techniques. We need to develop cyber indicators. Some initial indicators that could show a company is vulnerable are: no or weak policies, weak passwords, and no list of critical assets. If we can better identify and track these cyber indicators, we will have a better chance of reacting to the problem.
Key Areas of Attention

While there is a lot for an organization to focus on with regard to insider threat, there are some critical areas they need to concentrate on. These areas have been alluded to earlier in the paper, but they are critical enough to have their own section.

Policies and Procedures

Many companies, from a cyber perspective, lack clear control and direction in terms of protecting and controlling access to their critical assets. While companies are focusing on long-term strategic plans for their organizations, they need to address the critical IP and put together clear guidelines for what is expected of their insiders. As we move forward, the lack of solid policies is going to manifest itself more and more in companies. Companies that are serious about the insider threat are going to realize that the old style of inefficient policies is no longer going to work. Therefore, instead of trying to rework existing policies, companies are going to realize that they will have to rewrite their policies from scratch.

It is critical in any organization that everyone is on the same page with regard to protection of information. Just because you have a policy does not mean people will follow it; however, without the policy as the starting point, there is no way you can perform consistent enforcement across an organization. While it is difficult, and executives never want to put things in writing, it is critical that a clear, concise policy with appropriate repercussions be put in place. With new and existing regulations, policies will play a key role, since organizations are required to clearly document their stance on security and how they are going to achieve it. Written policies are a perfect way to capture this information.

Audits

If an organization is going to maintain a proper level of security and prevent the insider threat from doing serious harm, they must know what is happening.
The best way to know who is accessing what is through regular and thorough audits. Just because an organization is secure today does not mean it will be secure tomorrow. Only through regular audits can a company keep its arms around the problem and make sure security is properly maintained. By themselves, audits are a good thing, but with all of the new regulations, audits are becoming a necessity. At a fundamental level, how can organizations know they are compliant with a given regulation if they are not validating it on a regular basis? The key problem with audits is that they are very difficult to perform and almost impossible to do manually. Software products and tools are needed to help organizations not only produce detailed reports but also analyze them in a time-efficient manner.

Access Controls

Access is the gateway through which the insider threat is manifested. Typically, in most organizations, access control is poorly implemented and poorly understood. Moving forward, companies are going to have to change this. Those that have been burnt in the past by insider threat, or those that want to make sure they do not get burnt moving forward, will have to take the time to properly control access to critical data. This is a multi-stage process, involving identifying critical IP, determining who should have access to it, and controlling and tracking that access.
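The multi-stage process just described (identify critical assets, decide who should have access, then control and track that access) can be checked mechanically once the first two stages exist as data. The following Python is an added example, not from the white paper or from NetIQ: it takes a constructed role-to-entitlement matrix, a constructed map of directory groups to the entitlements they grant, and a constructed set of accounts with their current group memberships (all three are hypothetical), and reports for each account the entitlements it holds beyond what its role needs, anything its role needs that it lacks, and any separation-of-duties conflict, such as one person being able to both create and approve an invoice.

```python
# Constructed role matrix (assumption): the entitlements a role needs to do its job.
ROLE_NEEDS = {
    "helpdesk":     {"ad:reset-password", "ad:unlock-account"},
    "ap-clerk":     {"erp:create-invoice"},
    "ap-approver":  {"erp:approve-invoice"},
    "server-admin": {"srv:local-admin"},
}

# Constructed map (assumption) of directory groups to the entitlements they grant.
# "scope:*" means every known entitlement in that scope.
GROUP_GRANTS = {
    "Domain Admins":    {"ad:*", "srv:local-admin", "erp:*"},
    "Helpdesk-Tier1":   {"ad:reset-password", "ad:unlock-account"},
    "ERP-AP-Clerks":    {"erp:create-invoice"},
    "ERP-AP-Approvers": {"erp:approve-invoice"},
    "Server-Operators": {"srv:local-admin"},
}

# Toxic combinations: no single account should hold both.
SOD_CONFLICTS = [("erp:create-invoice", "erp:approve-invoice")]

# Constructed accounts: the role each was hired for and the groups it is in today.
ACCOUNTS = {
    "tlee":    {"role": "helpdesk",     "groups": ["Helpdesk-Tier1", "Domain Admins"]},
    "mgarcia": {"role": "ap-clerk",     "groups": ["ERP-AP-Clerks", "ERP-AP-Approvers"]},
    "rchen":   {"role": "server-admin", "groups": ["Server-Operators"]},
}

# Catalogue a wildcard expands against: everything any role needs plus
# everything any group grants explicitly.
CATALOGUE = {e for needs in ROLE_NEEDS.values() for e in needs} | {
    g for grants in GROUP_GRANTS.values() for g in grants if not g.endswith(":*")
}


def expand(grants, catalogue=CATALOGUE):
    """Resolve 'scope:*' wildcards to the concrete entitlements in that scope."""
    out = set()
    for g in grants:
        if g.endswith(":*"):
            out |= {e for e in catalogue if e.startswith(g[:-1])}
        else:
            out.add(g)
    return out


def effective_entitlements(groups, group_grants=GROUP_GRANTS):
    """Union of what every group grants; a group not in the map grants nothing."""
    eff = set()
    for g in groups:
        eff |= expand(group_grants.get(g, set()))
    return eff


def review_account(acct, role_needs=ROLE_NEEDS, sod=SOD_CONFLICTS):
    """Compare held entitlements with the role's needs and check toxic pairs."""
    have = effective_entitlements(acct["groups"])
    need = role_needs[acct["role"]]
    return {
        "excess": have - need,      # least-privilege violations: remove these
        "missing": need - have,     # the job cannot be done: also worth knowing
        "sod_conflicts": [(a, b) for a, b in sod if a in have and b in have],
    }


def review_all(accounts=ACCOUNTS):
    return {name: review_account(a) for name, a in accounts.items()}


if __name__ == "__main__":
    for name, r in review_all().items():
        flags = []
        if r["excess"]:
            flags.append("excess=" + ",".join(sorted(r["excess"])))
        if r["sod_conflicts"]:
            flags.append("SoD=" + ";".join("+".join(p) for p in r["sod_conflicts"]))
        print(f"{name}: {' '.join(flags) or 'OK'}")
```

In the constructed data the helpdesk account that was dropped into Domain Admins shows up twice: it holds server and ERP rights its role never needed, and through the ERP wildcard it can both create and approve invoices. The clerk who was also added to the approvers group trips only the separation-of-duties rule. In a real directory the group-to-entitlement map is the hard part to build and keep accurate; the comparison itself is cheap, which is why it should run on every audit cycle rather than once.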
NetIQ and the Insider Threat

NetIQ security products provide the ability to monitor and control privileged activity, and to remove the need to grant IT operators the powerful, general-purpose accounts traditionally required for them to do their jobs. In delivering these capabilities, NetIQ helps enterprise and mid-market customers address the following issues and needs:

• Monitoring privileged users: Administrators and users with extensive privileged access to critical resources represent a significant vulnerability. Their activities must be managed and monitored in such a way as to protect the systems they are accessing without reducing their ability to do their job.
• Excessive native and escalated account privileges: Administrators are faced with granting escalated privileges so that operators or contractors can perform tasks, many of which are relatively minor compared with the level of access they are granted. The potential then exists for these accounts to be abused or compromised and for their activity to be concealed.
• Meeting audit requirements: Today the process of auditing changes and other activities can result in a time-intensive manual effort that still proves inadequate to meet current regulatory requirements for demonstrating separation of duties.
• Managing an increasing number of servers and applications with fewer administrators: For large IT organizations, there is an ever-increasing tendency to add servers and applications while seeking to maintain or reduce the amount of administrative overhead.

NetIQ delivers two product families in its security portfolio to address these needs: NetIQ® Directory and Resource Administrator™ and NetIQ® Change Guardian™.

NetIQ Directory and Resource Administrator mediates access to Microsoft Active Directory, limiting the user to particular actions for specific views of the overall directory.
As part of NetIQ's identity and access management offering, it supports user provisioning and other automated tasks and processes. It also eases directory consolidation efforts and helps enforce security policies and segregation of duties.

Moreover, NetIQ® Identity Integration Suite integrates your Unix, Linux, Macintosh, VMware ESX and other platforms with Active Directory so that you can manage and secure access to these critical systems using the same authentication, authorization, and Microsoft Group Policy services currently deployed for your Microsoft Windows systems.

NetIQ Change Guardian products provide real-time monitoring and notification of changes across your distributed environment, providing detailed insight into files, directories, file shares, registry keys (on Windows), system processes, database activity (on Oracle, Microsoft, Sybase and other databases) and more. They also deliver enhanced audit information in order to provide greater fidelity and clarity than native log events can, recording pre- and post-change information for improved incident analysis.

NetIQ provides other products to address data protection and regulatory compliance needs. To learn more, visit NetIQ.com.
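The pre- and post-change information mentioned above is what turns a change alert into something an incident responder can act on: knowing that a configuration file changed is much less useful than knowing what it said before and after, and whether its permissions were loosened at the same time. The following Python is an added example, not NetIQ code and not a description of how Change Guardian works internally: it baselines a directory tree (hash, size and permission bits per regular file), takes a second snapshot after a simulated administrator change, and emits one record per change carrying both the old and the new values. The sample tree is constructed in a temporary directory so the block runs offline.

```python
import hashlib
import os
import stat
import tempfile


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map 'relative/path' -> (sha256, size, permission bits) for every regular file under root.

    Symlinks and special files are skipped (lstat, not stat, so a symlink is never
    followed); paths use '/' on every platform so two snapshots compare cleanly.
    """
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = (_sha256(full), st.st_size, stat.S_IMODE(st.st_mode))
    return snap


def diff(before, after):
    """One record per changed path, always carrying the pre and post values.

    kind is 'added', 'removed', 'content' (hash changed) or 'metadata'
    (hash unchanged but size or permission bits changed, e.g. a chmod).
    """
    changes = []
    for rel in sorted(set(before) | set(after)):
        if rel not in before:
            changes.append({"path": rel, "kind": "added", "pre": None, "post": after[rel]})
        elif rel not in after:
            changes.append({"path": rel, "kind": "removed", "pre": before[rel], "post": None})
        elif before[rel] != after[rel]:
            kind = "content" if before[rel][0] != after[rel][0] else "metadata"
            changes.append({"path": rel, "kind": kind, "pre": before[rel], "post": after[rel]})
    return changes


def demo():
    """Constructed scenario: baseline a small tree, make an 'admin' change, diff it."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        cfg = os.path.join(etc, "app.conf")
        with open(cfg, "wb") as f:
            f.write(b"debug=false\n")
        with open(os.path.join(etc, "hosts"), "wb") as f:   # stays untouched
            f.write(b"127.0.0.1 localhost\n")
        before = snapshot(root)

        # Simulated unauthorized change: flip a setting, loosen permissions,
        # and drop a new script next to it.
        with open(cfg, "wb") as f:
            f.write(b"debug=true\n")
        os.chmod(cfg, 0o666)
        with open(os.path.join(etc, "cleanup.sh"), "wb") as f:
            f.write(b"#!/bin/sh\necho added\n")
        after = snapshot(root)
        return diff(before, after)


if __name__ == "__main__":
    for c in demo():
        print(f"{c['kind']:8} {c['path']}: pre={c['pre']} post={c['post']}")
```

The untouched file produces no record; the edited configuration file is reported as a content change with both hashes, sizes and permission bits, and the new script as an addition with no "pre" value. A product in this space captures the same pre/post pair at the moment of change (from a driver or audit hook) rather than by polling, and ties it to the account that made it; the polling baseline shown here is the minimum that lets an auditor prove what changed rather than merely that something did.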
Conclusion

Addressing the potential for insider threats is a vital, yet often overlooked, security imperative for virtually all organizations worldwide. With the increased dependence on technology to support key business processes and activities, companies are vulnerable to a "trusted" insider causing irreparable harm to their business.

While the majority of security resources are spent preventing the anonymous hacker from causing harm, organizations need to be aware of the even greater threat of the trusted insider. Studies have shown that insiders can do far more harm than external hackers as a result of their unfettered access to critical systems and the general lack of oversight and accountability. An intrusion detection system may immediately notify IT security of a hacker infiltration, but the tools to notify and address unauthorized changes made by insiders are relatively new to the market. Most worrying of all, organizations typically do not realize that damage has been done by an insider until it's too late.

NetIQ offers a set of products designed to control, manage and audit changes within your IT infrastructure. These products help ensure that changes made to your IT environment are managed to prevent disruption of services or introduction of security vulnerabilities.

These solutions address the insider threat by tightly controlling and provisioning access to servers and applications, and by monitoring for unplanned and unauthorized changes, increasing compliance and assuring operational integrity across your critical assets.

About NetIQ

NetIQ is an enterprise software company with a relentless focus on customer success. Customers and partners choose NetIQ to cost-effectively tackle information protection challenges and IT operations complexities.
Our portfolio of scalable, automated management solutions for Security & Compliance, Identity & Access, and Performance & Availability, and our practical, focused approach to solving IT challenges, help customers realize greater strategic value, demonstrable business improvement and cost savings over alternative approaches.

For more information, visit NetIQ.com.
