BreachExchange mailing list archives

Insider threats and how they can be mitigated


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 17 Oct 2013 00:18:57 -0600

http://www.pcadvisor.co.uk/news/security/3473798/insider-threats-and-how-they-can-be-mitigated/

Any employee with access to sensitive data is a potential threat, whether
they know it or not. Even if they don't have malicious intentions, the
inherent nature of their privilege is what makes them so dangerous.

Vormetric recently published its 2013 Insider Threat Report exploring the
very nature of these dangers while also tallying the results of a survey it
conducted over two weeks in August of this year. The numbers, which were
tabulated in September, indicated the responses from 707 IT professionals
to questions regarding insider threats and how they choose to combat them.
Needless to say, the pervasive theme of the survey results was that insider
threats are a very serious concern to just about everyone.

The respondents were likely fearful, at least in part, due to what they had
been hearing about in headline news about data breaches and insider
threats, said Vormetric CEO Alan Kessler. He pointed to recent examples in
Bradley Manning and Edward Snowden, adding that many businesses are
beginning to see these problems themselves.

Vormetric CSO Sol Cates, meanwhile, said that enterprises are concerned
about insider threats because they are realizing that beyond an employee
going rogue -- as was the case with Manning and Snowden -- there is the
idea of privileged users whose identities are being compromised.

"That's becoming another concern," said Cates, "this idea of unchecked
privilege that these companies don't have enough controls around."

The report also indicated what specific types of insiders the respondents
perceived to be the biggest threats, with non-technical employees with
legitimate access to sensitive data accounting for 51 percent of the vote.
Though it may not necessarily seem obvious at first, there are scores of
employees that fit the description in question, including employees in HR,
who often find themselves needing to interact with personally identifiable
information (PII).

"The question is, do you have proper control over how they interact with
this information?" asked Kessler. "But the technical aspect of controlling
this kind of access is very hard, especially if you're trying to retrofit
older systems."

Cates added that executives also fit the bill here, as their jobs are not
technical in nature, but they often need access to sensitive information in
order to do their job.

"That's the whole point of data and information, to make it usable," said
Cates. He did, however, have one suggestion for mitigating such a threat.

"Education and empowerment of the business user is a good way to counteract
this problem," he said.

With insider threats posing such a significant problem, another obvious
solution would be to conduct thorough background checks on potential
employees before they are hired to determine whether or not they can be
trusted (or whether or not they are a liability). While Cates maintains
that this is a common procedure these days, the tricky part is limiting
those employees' exposure to sensitive data while still allowing them to do
their jobs and administrative functions.

"There are tools that blind operators to sensitive information," said
Cates. "Businesses have ways to never expose certain employees to the
information in their systems."

Surprisingly, however, the very employees who should be trusted to manage
these systems and protect the data within them are the ones that present
the most risk. The report indicated that 34 percent of security
professionals said that IT administrators were one of the biggest threats
to their organizations. That said, it's not always an individual or an
actual person that presents the risk, said Cates. The inherent risk is
their privilege.

"You can watch what [IT administrators] are doing, but they get to make
these decisions," said Cates. "They authenticate, oversee data flow, and
determine what apps your company is interacting with."

So from a control perspective, businesses need to determine whether their
administrators can, or even need to, look at sensitive information in order to do their jobs. One
possible solution here, said Cates, is to audit what your IT administrators
are trying to do.

"It's important to understand what they're doing with your info, because
they're the ones protecting it," said Cates. "You need to manage the
privilege, not the user."

It would appear that that's what many businesses are trying to do. The
survey results indicated that 31 percent of respondents rated "network
security tools" as the most important protection against insider attacks.
Kessler explained that this could include anything from firewalls to
intrusion detection/prevention systems (IDS/IPS) to network-based malware
detection solutions. This is, of course, because a lot of the time malware
is targeting specific users based on their privileges.

Kessler agreed that the gatekeepers and their privileges need to be
monitored, using the postal service as a metaphor. They manage and deliver
your mail, but they have no right or need to see what's inside. "Here, it's
the same thing," he said. "We're limiting their ability to see data but
still allowing them to do their job."

Employees aren't always in the office though, so what about insiders who
find themselves frequently working on the road? The use of mobile devices
and connecting to company networks from remote locations pose inherent
risks, both of which were addressed in the report. To put the concern into
perspective, 49 percent and 41 percent of respondents said that their
organizations' data was most vulnerable on a desktop/laptop or mobile
device, respectively.

Cates went beyond the statistic, however, and clarified what the numbers
meant by reading between the lines. Unless companies have enabled special
privileges on these devices, he said, they are nothing more than vectors to
information. So the real risk isn't localized, but there is still concern
about where they could lead.

"The actual amount of data or records being stolen from these devices is
fairly minimal," he said. "They're just a way to get into data centers. But
there is a lot of risk on those endpoints."

Employees accessing their company's network or files remotely, said the
Vormetric report, is a situation in which businesses need to take user
context into consideration. A CEO, for example, should have complete access
to all data when he or she is connected via the corporate LAN, but not when
accessing the files remotely from an internet café. Current, typical
measures for remote access are often not sufficient in this sense, said
Cates.

"As it stands now, VPN is not strong enough. Things can be spoofed," said
Cates. "You need better monitoring of database access and activity. In the
future, there's going to be some innovation where you can get more info
about whether where you're coming from is safe."

The report also suggested that a viable approach to fighting insider
threats is pervasive coverage. While this may raise concerns about whether
or not this creates more work for security teams, Cates argues that this
isn't the case.

Cates suggested implementing controls so that access is on a "need to know
only" basis. Organizations can take privileged access away and use methods
like keystroke tracking and heavy auditing to protect their data. By taking
a policy approach to data access and reducing total ownership, he said,
Vormetric's idea of pervasive coverage doesn't actually take more time or
work since it reduces what teams need to focus on.

"You want to make it so the only way to your information is through the
front doors," said Cates. "Now I only have to watch the front doors. My
time is more focused."
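The three controls described above (user context for remote access, blinding operators to fields they do not need, and forcing every read through one audited "front door") fit together naturally in a single data access layer. The following is an added example written for this page; it is not code from the article, from Vormetric or from any product it mentions. The roles, network ranges, field lists and the sample employee record are all constructed for the illustration.

```python
"""Context-aware field-level access with an audit trail (added example).

Demonstrates: (1) the same user gets less when connecting from outside the
corporate LAN, (2) a DBA can fetch a record without ever seeing its PII in
the clear, (3) every read goes through one function that logs what was
released. All roles, networks and data below are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed: address space the company treats as its corporate LAN.
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.168.0.0/16")]

# Constructed: fields each role may see in the clear while on the LAN.
# Anything not listed is masked. The "dba" role administers the store
# but is blinded to its contents, so it gets no clear fields at all.
CLEAR_FIELDS_ON_LAN = {
    "executive": {"name", "salary", "ssn"},
    "hr":        {"name", "ssn"},
    "dba":       set(),
}
# Remote sessions are capped to this subset regardless of role.
CLEAR_FIELDS_REMOTE = {"name"}


@dataclass(frozen=True)
class Session:
    user: str
    role: str
    source_ip: str


def on_corporate_lan(ip: str) -> bool:
    """True if the source address falls inside a corporate network range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def permitted_fields(session: Session) -> set:
    """Fields this session may see in the clear, given role and location.
    Unknown roles get nothing; remote sessions are intersected with the
    remote cap, so an executive in an internet cafe sees only 'name'."""
    base = CLEAR_FIELDS_ON_LAN.get(session.role, set())
    if on_corporate_lan(session.source_ip):
        return base
    return base & CLEAR_FIELDS_REMOTE


def mask(value: str) -> str:
    """Replace all but the last four characters with '*', so a blinded
    operator can still tell records apart without seeing the value."""
    if len(value) <= 4:
        return "*" * len(value)
    return "*" * (len(value) - 4) + value[-4:]


def fetch_record(session: Session, record: dict, audit: list) -> dict:
    """The single 'front door' for reads: returns a copy of `record` with
    every field the session may not see masked, and appends one audit
    entry describing who read what, from where, and which fields were
    released in the clear."""
    allowed = permitted_fields(session)
    released = {k: (v if k in allowed else mask(str(v)))
                for k, v in record.items()}
    audit.append({
        "user": session.user,
        "role": session.role,
        "src": session.source_ip,
        "lan": on_corporate_lan(session.source_ip),
        "clear_fields": sorted(allowed),
    })
    return released


# Constructed sample record; the SSN and salary are made up.
EMPLOYEE = {"name": "J. Doe", "salary": "98000", "ssn": "123-45-6789"}

if __name__ == "__main__":
    log = []
    sessions = [
        Session("ceo", "executive", "10.1.2.3"),      # executive on the LAN
        Session("ceo", "executive", "203.0.113.7"),   # same person, remote
        Session("ops1", "dba", "10.9.9.9"),           # administrator, blinded
    ]
    for s in sessions:
        print(s.user, s.source_ip, fetch_record(s, EMPLOYEE, log))
    for entry in log:
        print(entry)
```

The decision is made per field rather than per record, which is what lets the administrator run the query at all while learning nothing about its contents, and the audit entry records the decision inputs (role, source, LAN or not) alongside the outcome, which is what a later investigation of a compromised privileged account actually needs.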

Kessler also talked about de-perimeterization and, more specifically,
situational awareness when approaching security. While there are some
solutions that are focused and tactical, he said, they are often expensive
and require training. Rather, teams should focus on the prevention and
reaction aspect of security and try to reduce reaction times when dealing
with a threat.

"Yes, there are expensive options, but you can always start off by just
collecting information [about threats] for faster response times," said
Kessler. "Boil up your data to discoverable problems and actions, and that
way folks can get to the bottom of issues quicker.

"Reduce your attack surface with preventative measures, and then solve
problems quicker with your reaction."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

# OWASP http://www.appsecusa.org
# Builders, Breakers and Defenders
# Time Square, NYC 20-21 Nov
o()xxxx[{::::::::::::::::::::::::::::::::::::::::>

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The 
YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk 
mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.
