ISSA, The Global Voice of Information Security | ISSA Journal | December 2008
My first publication with ISSA. Received a lot of good comments; felt so happy.

Securing the Enterprise from the Malicious Insider
By Vinoth Sivasubramanian – ISSA member, United Arab Emirates chapter

Insider attacks can be foiled by following a layered defense mechanism consisting of policies and procedures, technical controls, and employee awareness and training.

The threat of attack from insiders is real and substantial.

Insiders are generally people who work within or have a relationship with an organization, including employees, contractors, business partners, subcontractors, and consultants. Insiders have a significant advantage over others who might want to harm the organization: they can bypass the physical and technical security measures designed to prevent unauthorized access. Mechanisms such as firewalls, intrusion detection/prevention systems, and electronic building access systems are implemented primarily to defend against external threats. Insiders, however, are not only aware of the security policies within the organization but may also be aware of security flaws in its systems.

A survey conducted by RSA in 2008 found that over 50 percent of polled employees circumvent IT security policies to get their jobs done.[1] Respondents reported the following:

• 94% were familiar with their organization's security policies, yet 53% felt the need to work around them
• 64% emailed work documents to their homes
• 5% held a door open for someone they did not recognize
• 43% had switched jobs internally and still had accounts they no longer needed
• 79% reported that their company employs temporary workers who have access to critical areas
• 37% had stumbled into an area they were not authorized to access

Insider attacks can be foiled by following a layered defense mechanism consisting of policies and procedures, technical controls, and employee awareness and training. To do this, management should look beyond information technology and study the corporate culture – its people and geographical domains – to combat the malicious insider and keep data safe.

Research shows that insiders who commit crimes are mostly disgruntled employees who act, to some extent, out of revenge. Triggers include termination, disputes with the employer, new supervisors, transfers or demotions, economic conditions, dissatisfaction, and a history of personal frustration with salaries and bonuses. Detection of these attacks has generally been manual and reactive, not proactive. In most cases system logs were used to identify the instances of attack: remote access logs, database logs, application logs, system logs, network logs, and email logs. Some privileged and technical users, knowing that logs could be used to identify them, tampered with the logs.

Strategies for managing insider threats

Technical solutions alone cannot always detect or discover insider threats or address them appropriately. Insider threats are personnel threats first and foremost, not technical threats. Human beings require human resource security solutions.

[1] http://www.rsa.com/press_release.aspx?id=9703
Insider threats and external threats should be managed cooperatively, as part of a comprehensive security program. However, a special focus on insiders may help organizations close the gap between external and internal security preparedness. Let us now focus on the various approaches required to combat internal threats.

Enterprise-wide risk assessment

Risk is a combination of threat, vulnerability, and mission impact; therefore, introduce periodic risk assessments in the workplace. Refine and maintain the plans periodically to reduce the risks from both internal and external sources. Perform penetration testing to check whether the risk assessment plan is really working and to identify other potential areas of weakness.

Strong security policies and procedures

This is the first step in combating insider and external threats: develop strong security policies in line with the business of the organization and enforce them strictly. They are the benchmark against which a violation is judged.

Separation of duties and privileges

If all employees are adequately trained in security awareness, and responsibility for critical functions is divided among employees, the possibility that one individual could commit fraud or sabotage without the cooperation of others is very limited. Effective separation of duties requires the implementation of least privilege: authorize people to access only the resources they need to do their jobs.

Strict account management policies

No matter how vigilant employees are in trying to protect their computers, a compromised computer can wreak havoc, since privileged data can then be viewed by non-privileged or unauthorized personnel. Therefore, have strict account management policies such as automatic screen lock when a system is idle, password complexity, and enforced password changes.

Periodic security awareness sessions

A comprehensive written security policy is great but ineffective if not properly communicated. Involve all employees and design engaging training programs with mock sessions such as dumpster diving, do-me-a-favor, desktop snooping, coffee break analysis (friendly encounters with employees or contractors during breaks or lunch; people generally let down their guard in situations outside of the work environment), shoulder surfing, keyboard logging, USB, CD and DVD dropping, and confidential documents left at the printer. Make employees fully aware of the impact an accidental security threat could have on the organization. They should also be properly notified that their systems are being monitored, especially network, system, and security administrators, as should any privileged user activity. Users must also be trained on the protection of their system passwords and on the acceptable computer usage policy.

Written code of ethics

Have a written code of ethics. It should be prominent and duly signed by each user of privileged accounts, if not by all employees. Having a proper code of ethics and having it signed will help employees understand what they are to do and what they are not to do. This should make them more ethically aware and responsible and ensure they understand that violations would lead to legal or disciplinary action.

Monitor data at rest and in motion

Few organizations know where all their data resides: multiple servers, personal computers, laptops, USB devices, etc. Organizational data is both at rest and in motion. There are simply too many methods of data storage and too many methods of data transmission; you need to keep track and know where your data is. Conforming to regulations like SOX and HIPAA will help, as they require strong data controls.

Manage end devices

End devices like USB drives, PDAs, smartphones, MP3 players, and DVD/CD drives are generally ignored, but they constitute an easy means of data loss: the insider can simply plug in a USB device, transfer the data, and calmly walk out. Proper mechanisms should be in place to monitor which end devices are being connected to systems or to critical assets, disabling them wherever necessary.

CCTV

Implement closed-circuit cameras so that insider intervention in sensitive areas can be monitored and corrected. Store the monitored data and destroy it once corrective actions have been taken or after an audit has been performed. Alternatively, the data can be archived and stored at some other location for further use.

Log, monitor, and audit

Log all activities on all computers and on all systems. Let users be aware that logs will be analyzed periodically for insider threat analysis. This should be an effective deterrent, especially for the highly privileged user who knows that his activities are being logged and audited on a regular basis.
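The article notes that detection has relied on system logs and that privileged users, knowing this, tamper with them, and the "Log, monitor, and audit" section asks that all activity be logged and reviewed periodically. The following Python is an added example and not code from the article or its author: it keeps a hash-chained audit log so that editing, deleting, reordering or truncating records is detectable, and runs a simple off-hours check for privileged users over constructed sample records. The collector key, user names, addresses and events are assumptions for illustration; the key must be held by a collector the audited administrators cannot read, otherwise they could simply re-tag the log.

```python
"""Tamper-evident audit log with a periodic privileged-activity check.

Added example (not from the ISSA article). Assumes a secret key held by the log
collector, which the administrators being audited cannot read. Sample events are
constructed for illustration.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # tag used as the "previous" value for the very first record


def _canonical(record):
    # Stable serialization so the same record always yields the same tag.
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def append_record(chain, key, record):
    """Append `record` to `chain`; its tag is an HMAC over the previous tag and
    the record, so every entry commits to everything before it."""
    prev = chain[-1]["tag"] if chain else GENESIS
    tag = hmac.new(key, (prev + "\n" + _canonical(record)).encode(),
                   hashlib.sha256).hexdigest()
    chain.append({"record": record, "tag": tag})
    return tag


def verify_chain(chain, key, head=None):
    """Return (ok, index). Editing, deleting or reordering an entry breaks the
    chain at that index. Deleting entries from the *end* is only detectable if
    the collector also stored the expected final tag (`head`) out of band."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = hmac.new(key, (prev + "\n" + _canonical(entry["record"])).encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["tag"]):
            return False, i
        prev = entry["tag"]
    if head is not None and not hmac.compare_digest(prev, head):
        return False, len(chain)  # internally consistent but truncated
    return True, None


def flag_privileged_off_hours(chain, privileged_users, business_hours=(8, 19)):
    """Periodic review: records where a privileged user acted outside business
    hours (hour of the ISO timestamp not in [start, end))."""
    start, end = business_hours
    hits = []
    for entry in chain:
        rec = entry["record"]
        hour = int(rec["ts"][11:13])
        if rec["user"] in privileged_users and not (start <= hour < end):
            hits.append(rec)
    return hits


def build_sample_log(key):
    """Constructed sample: a DBA drops a table late at night from an outside address."""
    events = [
        {"ts": "2008-12-01T09:02:11", "user": "jdoe", "src": "10.0.5.21", "action": "login"},
        {"ts": "2008-12-01T09:40:03", "user": "dba01", "src": "10.0.5.40", "action": "sql",
         "stmt": "SELECT count(*) FROM orders"},
        {"ts": "2008-12-01T23:15:48", "user": "dba01", "src": "203.0.113.7", "action": "sql",
         "stmt": "DROP TABLE orders"},
        {"ts": "2008-12-02T00:01:00", "user": "dba01", "src": "203.0.113.7", "action": "logout"},
    ]
    chain = []
    for event in events:
        append_record(chain, key, event)
    return chain


def tampered_copy(chain):
    """Simulate the insider removing the incriminating third record."""
    return chain[:2] + chain[3:]


if __name__ == "__main__":
    key = b"example-collector-key"  # assumption: provisioned to the collector only
    chain = build_sample_log(key)
    head = chain[-1]["tag"]
    print("intact:", verify_chain(chain, key, head))
    print("record deleted:", verify_chain(tampered_copy(chain), key, head))
    print("truncated:", verify_chain(chain[:3], key, head))
    for rec in flag_privileged_off_hours(chain, {"dba01"}):
        print("review:", rec)
```

The chain alone does not stop an administrator from deleting the newest records, which is why `verify_chain` also accepts the last tag the collector recorded; shipping each tag to a separate host as it is written closes that gap.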
Defend against malicious code

Many organizations defend against malicious code using antivirus, IDS/IPS, and firewalls. While these defense mechanisms are useful against external infections, the internal threat is often overlooked. Organizations must build and maintain hardware and software on a standard corporate benchmark. An organization can have several combinations of hardware and software, depending upon the nature of the job performed; identify these and benchmark them. Once this is done, configurations can be compared with the benchmark and discrepancies checked for malicious behavior. Deviations from the benchmark can be logged and investigated if necessary. Computer configurations do not remain unchanged for extended periods of time, so this should be done regularly. Most importantly, the person identifying changes on systems must not be the one performing changes on the system (separation of duties).

Remote attacks

Insiders most often attack organizations remotely, using legitimate access provided by the organization that was not revoked upon their termination. While remote access can greatly enhance employee productivity, special care should be given to critical data. Insiders have admitted that it is easy for them to conduct attacks remotely from home or to copy data to their personal computers.[2] It is, therefore, good practice for organizations not to give remote access to critical data. If access is necessary, proper authentication, authorization, and accounting controls must be in place. When a privileged user leaves, it is good practice to change the credentials for all remote connections and shared accounts.

Monitor and respond to employee behaviors

Probably one of the best methods of dealing with malicious insiders is to proactively address employee behaviors, beginning with the hiring process. A consistent practice of performing background checks and evaluating individuals based on the information received is vital. A background investigation must include uncovering criminal convictions or activities, verifying credentials and past employment references, and discussing the prospective employee's competence and approach to dealing with problems in the workplace with former employers. Organizations must commit time and resources to training supervisors so they are able to identify changes in an employee's behavior. Given that financial gain is the primary motive for stealing, employees must be monitored for sudden changes in their financial positions. A formal grievance mechanism should be implemented by the human resources department so that an employee's grievances are resolved as soon as possible.

Deactivate all accounts following exit

When an employee's employment is terminated, whether under favorable circumstances or not, all shared accounts and privileged access should be deleted or disabled. This must then be verified by the system owner so that the employer can be assured that nothing has been compromised.

Effective backup and testing

Despite all precautions implemented by the organization, it is still possible that insiders will attack. Organizations should therefore prepare for the worst-case scenario – e.g., destruction of vital data by a privileged user such as a database or system administrator who deletes an entire table in the database, impacting confidentiality, integrity, and availability – and have a proper backup and recovery mechanism in place. Research has shown that effective backup and recovery mechanisms make the difference between several hours of downtime to restore systems, weeks of manual data entry when no backup is available, or months or years to reconstruct the data to its original form. If possible, multiple backup copies should be stored in offsite locations with different custodians. In the event of a compromise, having multiple individuals involved lessens the risk of all of them being party to the sabotage. The system administrator and data custodian(s) must ensure that the tapes or devices on which backups are performed are protected from destruction and tampering.

[2] www.cert.org/archive/pdf/CommonSenseInsiderThreatsV2.--0708.pdf

Table 1 – Sample insider threat plan

Threat source: Database Administrator
Risk factor: 1
Impact: High; loss of credibility
Controls and measures: Online replication at an offsite location with a proper backup administrator; system monitoring and database monitoring
Action: Investigation followed by termination and/or other necessary legal procedures as per the country

Threat source: Help Desk Executive
Risk factor: 1
Impact: High; loss of business-sensitive data to competitors, which leads to many other impacts
Controls and measures: Log and monitor all the activities of the help desk personnel under the supervision of multiple supervisors
Action: Terminate or initiate necessary actions as per organizational policy
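The "Defend against malicious code" section above describes comparing each system's configuration against an approved benchmark and logging deviations, and the exit section (together with the survey finding that 43% of internal movers kept accounts they no longer needed) calls for checking who still holds what. Both are the same operation: diff the observed state against an approved baseline and queue every deviation for investigation. The Python below is an added example, not the article's code. The file fingerprints, HR roster and directory export are constructed, and the function names, paths and account names are assumptions; in practice the observed side would come from a file-hash inventory, package manager or directory export, and the baseline would be kept read-only by someone other than the people who make changes, as the article's separation-of-duties point requires.

```python
"""Baseline drift check for system configurations and account entitlements.

Added example, not from the ISSA article. The approved baselines and observed
states below are constructed; the same diff works for any mapping of
identifier -> approved value (file hash, package version, account record).
"""
import hashlib


def diff_against_baseline(baseline, observed):
    """Compare two mappings identifier -> approved value and return every
    deviation: items not on the baseline, items missing from the host, and
    items whose value differs (reported as (expected, actual))."""
    added = {k: v for k, v in observed.items() if k not in baseline}
    removed = {k: v for k, v in baseline.items() if k not in observed}
    changed = {k: (baseline[k], observed[k])
               for k in baseline if k in observed and baseline[k] != observed[k]}
    return {"added": added, "removed": removed, "changed": changed}


def file_fingerprints(files):
    """SHA-256 of each file's content; `files` maps path -> bytes."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


def report_lines(label, diff):
    """Flatten a diff into log lines for the investigation queue."""
    lines = []
    for key in sorted(diff["added"]):
        lines.append(f"{label}: {key} present but not on baseline")
    for key in sorted(diff["removed"]):
        lines.append(f"{label}: {key} on baseline but missing")
    for key, (expected, actual) in sorted(diff["changed"].items()):
        lines.append(f"{label}: {key} differs (expected {expected!r}, found {actual!r})")
    return lines


def config_drift_example():
    """Workstation benchmark with three approved items; the observed host has a
    replaced sshd binary and an extra tool nobody approved. Contents are stand-ins."""
    approved = file_fingerprints({
        "/usr/sbin/sshd": b"sshd build 5.1p1",
        "/usr/bin/sudo": b"sudo build 1.6.9",
        "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
    })
    observed = file_fingerprints({
        "/usr/sbin/sshd": b"sshd build 5.1p1 (modified)",  # binary replaced
        "/usr/bin/sudo": b"sudo build 1.6.9",
        "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
        "/usr/local/bin/nc": b"netcat",                      # not on the benchmark
    })
    return diff_against_baseline(approved, observed)


def account_drift_example():
    """Access review: HR roster (who should exist, with which roles) against the
    directory export. Finds a leaver still enabled, an internal mover who kept
    an old role, and an account HR does not know about."""
    roster = {
        "jdoe": {"status": "active", "roles": {"helpdesk"}},
        "dba01": {"status": "active", "roles": {"dba"}},
        "mlee": {"status": "terminated", "roles": set()},
    }
    directory = {
        "jdoe": {"status": "active", "roles": {"helpdesk", "dba"}},  # moved teams, kept dba
        "dba01": {"status": "active", "roles": {"dba"}},
        "mlee": {"status": "active", "roles": {"finance"}},          # never disabled on exit
        "svc_backup": {"status": "active", "roles": {"backup"}},     # unknown to HR
    }
    return diff_against_baseline(roster, directory)


if __name__ == "__main__":
    for line in report_lines("config", config_drift_example()):
        print(line)
    for line in report_lines("accounts", account_drift_example()):
        print(line)
```

Run on a schedule, the "added" and "changed" buckets are the article's "deviations from the benchmark" and the exit-review findings; the "removed" bucket catches an approved control (a monitoring agent, a required account) that has quietly disappeared.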
Document insider threats and controls

Clearly and effectively document, communicate, and maintain an updated insider threat plan and the procedures to follow. Ensure everyone in the organization is cognizant of the plan, eliminating any accusations of discrimination. Table 1 is a sample insider threat plan.

Conclusion

There are no quick fixes for managing the malicious insider. It is complex, time-consuming, and requires significant senior management buy-in. The process begins with accepting that internal threats exist and must be addressed. Next, senior management must understand and agree that the organization needs protection from insider threats and must treat it as a matter of utmost concern. Security requires time and money, and any security program will fail without senior management support. Once the support is in place, all the above mitigation mechanisms should begin and be continually updated.

Let us all remember that insider threats have a direct impact on stakeholders and customers who have entrusted the security team with their most valuable data. Addressing the insider threat is, therefore, an obligation which can no longer be ignored.

References
—www.cert.org
—www.rsa.com
—www.nebraskacert.org

About the Author

Vinoth Sivasubramanian, CEH, ISO 27001 LA, is an information standards manager at UAE Exchange Centre LLC and is responsible for the IT policies of the enterprise. Vinoth has six years of information security experience in telecommunications, finance, and consulting. He is a founding member of ISSA UAE and can be reached at vinoth.sivasubramanian@gmail.com.
