In response to this perception, companies have implemented layers of physical and IT security around the perimeter of their organisations—and yet we are still vulnerable as evidenced by the number of IT incursions we see every day.
The truth is, the reality of IT sabotage is more complex. Forrester Research highlighted in a 2007 report that approximately 70 percent of all data theft is from internal sources – a staggering figure. The trading scandal at Societe Generale in France in early 2008 cost the company an estimated US$7.5 billion, and is the latest headline-grabbing example of how lax security and poor password management can be exploited from within.
In recent years, advances in perimeter security technology—such as packet filters and intrusion prevention and detection tools—have enabled organisations to reduce the risk of external network attacks. However, most companies have done little to counter internal threats—threats that can be even more damaging to a company’s business and reputation, exposing lax policies and inadequate management. To add insult to injury, insider threats are perpetrated by people who at some point were either employed and/or considered trusted by the organisation.
As companies continue to shift to greater use of PDAs, remote workers, shared workstations and more readily accessed data, protecting companies from the inside out is increasingly important. Fortunately, there are ways to combat the insider threat effectively and affordably.
Identity Management and the Insider Threat
Following a recent insider threat study prepared by the U.S. Secret Service and Carnegie Mellon University’s Software Engineering Institute, the University’s CyLab organisation published a report, entitled Common Sense Guide to Prevention and Detection of Insider Threats, outlining 13 best practices to help organisations avoid insider threats. (This report is available for download in PDF format at http://www.cert.org/insider_threat.)
Of those best practices promoted by Carnegie Mellon, many are related to the role that identity management technologies can play in fortifying a company’s defenses from the insider threat. In particular, there are three crucial initiatives to help achieve optimal protection from the insider threat:
Institute Periodic Enterprise-wide Risk Assessments Across Physical and Logical Systems
Before a company can defend itself against insider attacks, it needs to understand its vulnerabilities. Taking an honest enterprise-wide view requires a company to examine both its physical and logical security environments. This shows where the holes are, how existing physical and logical security policies and practices reinforce each other, and where they leave the company vulnerable.
For example, insider attacks commonly occur after an employee has been terminated from work following a performance or behaviour issue. While that employee’s physical access to the facility is usually suspended immediately by the physical security department, with all badges and access cards surrendered, it can often be days or weeks before the IT department removes the user’s information access privileges for each and every application to which they were previously granted access.
That lag time between an employee’s termination and de-provisioning of all access systems is often the biggest hole in the security fabric, and presents a disgruntled employee the opportunity to easily execute a malicious attack via remote access.
Consolidating identities between physical access systems and IT directories, to enable a converged policy for allowing or denying network access based on a user’s physical location, role and/or employee status, can ensure appropriate access and use of company resources. In addition, this integrated policy allows user privileges to be revoked immediately upon termination, which helps eradicate the post-employment insider attack.
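The following is an added example (not code from the article or from Imprivata) that models the converged policy described above in Python: one employee record drives both the badge system and the application accounts, an access decision considers employment status, role and physical location together, and a single termination event revokes every access at once. It also includes the reconciliation check a practitioner would run to find the de-provisioning lag described above. The directory, roles, application names and the "on-site only" rule are constructed for the example.

```python
"""Converged identity and access model (added example, not Imprivata's code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Employee:
    user_id: str
    role: str
    status: str                       # "active" or "terminated"
    badge_active: bool = True
    on_site: bool = False             # latest badge reader state
    terminated_at: Optional[datetime] = None
    app_accounts: Dict[str, bool] = field(default_factory=dict)  # app -> enabled


# Constructed directory: two staff, one terminated by HR three days ago but
# whose application accounts were never disabled (the lag described above).
NOW = datetime(2008, 5, 1, 9, 0)
DIRECTORY = {
    "alice": Employee("alice", "finance", "active", on_site=True,
                      app_accounts={"erp": True, "email": True, "vpn": True}),
    "bob": Employee("bob", "engineering", "terminated", badge_active=False,
                    terminated_at=NOW - timedelta(days=3),
                    app_accounts={"erp": True, "email": True, "vpn": True}),
}

# Assumed role entitlements and an assumed rule that ERP is on-site only.
ROLE_ENTITLEMENTS = {
    "finance": {"erp", "email", "vpn"},
    "engineering": {"email", "vpn", "source"},
}
ON_SITE_ONLY = {"erp"}


def access_decision(emp: Employee, app: str, remote: bool) -> Tuple[bool, str]:
    """Allow or deny using employee status, role and physical location together."""
    if emp.status != "active":
        return False, "employee not active"
    if app not in ROLE_ENTITLEMENTS.get(emp.role, set()):
        return False, "role not entitled"
    if remote and app in ON_SITE_ONLY:
        return False, "on-site only resource accessed remotely"
    if not remote and not (emp.badge_active and emp.on_site):
        return False, "no badge-in record for an on-site session"
    return True, "allowed"


def terminate(emp: Employee, when: datetime) -> None:
    """One HR event revokes the badge and every application account at once."""
    emp.status = "terminated"
    emp.terminated_at = when
    emp.badge_active = False
    emp.on_site = False
    for app in emp.app_accounts:
        emp.app_accounts[app] = False


def orphaned_accounts(directory: Dict[str, Employee],
                      now: datetime = NOW) -> List[Tuple[str, str, int]]:
    """Reconciliation: accounts still enabled for terminated staff, with the
    lag in days since termination."""
    findings = []
    for emp in directory.values():
        if emp.status != "terminated":
            continue
        for app, enabled in emp.app_accounts.items():
            if enabled:
                findings.append((emp.user_id, app, (now - emp.terminated_at).days))
    return sorted(findings)


if __name__ == "__main__":
    for finding in orphaned_accounts(DIRECTORY):
        print("orphaned account (user, app, days since termination):", finding)
    terminate(DIRECTORY["bob"], NOW)
    print("after converged revocation:", orphaned_accounts(DIRECTORY))
```

Run as a script, it first lists bob's three still-enabled accounts with a three-day lag, then shows the list empty once the termination is processed through the converged record. The reconciliation query is the useful part operationally: scheduled against a real HR feed and directory, it measures the gap the article warns about.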
Implement Strict Password and Account Management Policies and Practices
Strict password policies are a highly effective way to minimise unauthorised access to networks and applications, but only if users can comply with the policies without changing their behaviour. Password policies that increase complexity and change frequency can backfire: users get fed up with remembering their passwords for various applications and simply write them down on sticky notes, leaving them on their desk, under their keyboard or even stuck to their monitor.
Implementing single sign-on (SSO) technology creates a multifold benefit for organisations. First, it ensures that each employee need remember only one password to access all the systems they use daily to do their jobs, easing the “burden of security” on the employee while actually strengthening security and increasing user productivity.
Second, SSO enables companies to better control which employees are accessing which resources and when. With a single password to remember, the potential for shared user IDs and passwords, written-down passwords and workstation sessions left open for colleagues shrinks. This tightening of employee-centric security and greater company control helps to close the openings for an insider attack.
Finally, SSO can also be used to keep the user from knowing the passwords to individual applications. When the SSO system changes an application password to a random value that only the SSO system stores, the user is effectively unable to log on to the application without first being authenticated by the SSO system.
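As an added illustration of that last mechanism (example code, not Imprivata's product or the article's own), the Python below models a target application with its own salted password store and an SSO broker that rotates the user's application password to a random value held only in the broker's vault. After rotation the user's original, known password no longer works against the application directly, and the only path in is to authenticate to the broker first. The application, user names and passwords are constructed for the example.

```python
"""SSO credential isolation (added example, not Imprivata's product code)."""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


class Application:
    """Toy target application with its own salted, PBKDF2-hashed password store."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}

    def set_password(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._hash(salt, password))

    def login(self, user: str, password: str) -> bool:
        if user not in self._users:
            return False
        salt, digest = self._users[user]
        return hmac.compare_digest(digest, self._hash(salt, password))

    @staticmethod
    def _hash(salt: bytes, password: str) -> bytes:
        # Iteration count kept modest so the example runs quickly.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


class SSOBroker:
    """Holds one SSO password per user and a vault of random per-application passwords
    that the user never sees."""

    def __init__(self) -> None:
        self._sso_creds = Application()          # same store type, used for SSO passwords
        self._vault: Dict[Tuple[str, str], str] = {}   # (user, app) -> app password
        self._apps: Dict[str, Application] = {}

    def register_app(self, name: str, app: Application) -> None:
        self._apps[name] = app

    def enrol(self, user: str, sso_password: str) -> None:
        self._sso_creds.set_password(user, sso_password)

    def rotate(self, user: str, app_name: str) -> None:
        """Set the application password to a random value known only to the vault."""
        new_pw = secrets.token_urlsafe(32)
        self._apps[app_name].set_password(user, new_pw)
        self._vault[(user, app_name)] = new_pw

    def open_session(self, user: str, sso_password: str, app_name: str) -> bool:
        """The user proves identity to SSO once; SSO logs in to the application for them."""
        if not self._sso_creds.login(user, sso_password):
            return False
        app_pw = self._vault.get((user, app_name))
        return app_pw is not None and self._apps[app_name].login(user, app_pw)


def demo() -> Tuple[bool, bool, bool, bool]:
    """Returns (direct login before rotation, direct login after rotation,
    login via SSO, login via SSO with wrong SSO password)."""
    erp = Application()
    erp.set_password("carol", "Summer2008")       # constructed: password the user chose
    sso = SSOBroker()
    sso.register_app("erp", erp)
    sso.enrol("carol", "one-strong-passphrase")
    before = erp.login("carol", "Summer2008")      # user can still go straight to the app
    sso.rotate("carol", "erp")                     # SSO replaces it with a random secret
    after_direct = erp.login("carol", "Summer2008")  # known password no longer valid
    via_sso = sso.open_session("carol", "one-strong-passphrase", "erp")
    bad_sso = sso.open_session("carol", "wrong", "erp")
    return before, after_direct, via_sso, bad_sso


if __name__ == "__main__":
    print(demo())  # (True, False, True, False)
```

The point the demo makes is the isolation property: once rotated, the application credential exists only inside the broker, so a written-down or shared application password is worthless and every application logon is necessarily preceded by an SSO authentication that can be logged against a named user.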
Log, Monitor and Audit Employee Online Actions
The business world is increasingly under government and industry compliance scrutiny. With countless data breaches revealing patient data, customer credit card data and personally identifiable information (PII) worldwide, corporations face fines, penalties, negative publicity, public embarrassment and a strain on customer loyalty and satisfaction. Many of the threats making the headlines today are the result of an insider – often either a disgruntled former employee with still-live access, or a consultant or contractor who had temporary access to networks and applications.
Although mandatory disclosure of security breaches is not yet enforced in the Australian marketplace, it is very likely that in due course Australia will follow the U.S. and the European Union towards a more transparent disclosure environment. After all, public disclosure forces responsibility to be taken by guilty parties and allows a path of recourse for those directly affected.
Fraudulent activity in the Payment Card Industry (PCI) has already led Visa and MasterCard to attempt to enforce the PCI Data Security Standard (PCI DSS) in the Australian marketplace, although with some objection from the local Australian retail industry on grounds of cost and perhaps complexity.
Other international regulations relevant to Australian business are gradually being implemented. Sarbanes-Oxley (SOX) is relevant to organisations linked to companies traded on U.S. stock exchanges, and Basel II capital adequacy requirements are being adhered to. Basel II includes an operational risk component that is guiding banks and financial services firms to implement more stringent security controls as they advance towards compliance.
Beyond these regulations, best practices and frameworks have also gained a foothold, with many organisations taking notice of the BS7799/ISO27001 security frameworks to implement a more robust lifecycle of continual security improvement. More information is available at the Australian Government ‘Privacy’ website: http://www.privacy.gov.au/news/media/2008_01.html
The only reliable way to associate online actions with the employee who performed them is to enforce account and password policies or use strong authentication such as tokens, biometrics or facility access badges.
Otherwise, potential inside attackers can hijack other users’ accounts, assume their coworkers’ identities, and leave no telltale traces behind after they’ve inflicted their damage.
Implementing and enforcing security policy is a great step forward in thwarting insider threats. To do so effectively, organisations need to consider common security best practices, which all centre on the need to know your users, how and when they access data, and the ability to control, track and report on access events.
A single converged user policy for each employee streamlines the overall security process, enables a company to better control access to data and to monitor access events for compliance reporting and general security purposes while preventing users from sharing IDs and from hiding behind the anonymity of an electronic log-on.
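To show what "track and report on access events" looks like once each logon is tied to a named employee, here is an added Python example (not from the article or Imprivata) that parses a constructed syslog-style authentication log and checks each successful logon against HR status and badge reader events. It flags logons by terminated staff, remote (VPN) logons by someone the badge system says is inside the building (a sign of a shared or stolen credential), and workstation logons with no badge entry. The log lines, badge events, directory and field names are all constructed for the example.

```python
"""Correlating authentication logs with HR status and badge events
(added example, not from the article or Imprivata)."""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed HR directory: employment status and termination date.
HR: Dict[str, Dict[str, Optional[object]]] = {
    "alice": {"status": "active", "terminated": None},
    "dave": {"status": "terminated", "terminated": datetime(2008, 4, 28)},
}

# Constructed badge reader events: (user, time, direction).
BADGE_EVENTS = [
    ("alice", datetime(2008, 5, 1, 8, 55), "in"),
    ("alice", datetime(2008, 5, 1, 17, 30), "out"),
]

# Constructed authentication log in an assumed syslog-like format.
AUTH_LOG = """\
2008-05-01T09:02:11 auth: user=alice src=10.1.4.22 method=workstation result=success
2008-05-01T10:15:40 auth: user=alice src=203.0.113.9 method=vpn result=success
2008-05-01T22:47:03 auth: user=dave src=198.51.100.7 method=vpn result=success
2008-05-01T22:48:10 auth: user=dave src=198.51.100.7 method=vpn result=failure
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) auth: user=(?P<user>\S+) src=(?P<src>\S+) "
    r"method=(?P<method>\S+) result=(?P<result>\S+)"
)


def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse each log line into a dict; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            events.append(rec)
    return events


def on_site(user: str, at: datetime) -> bool:
    """True if the most recent badge event for the user before `at` was an entry."""
    state = None
    for u, t, direction in sorted(BADGE_EVENTS, key=lambda e: e[1]):
        if u == user and t <= at:
            state = direction
    return state == "in"


def audit(events: List[Dict[str, object]]) -> List[Tuple[datetime, str, str]]:
    """Return (time, user, reason) for every successful logon that conflicts
    with HR status or physical presence."""
    findings = []
    for e in events:
        if e["result"] != "success":
            continue
        user, ts, method = e["user"], e["ts"], e["method"]
        rec = HR.get(user)
        if rec is None:
            findings.append((ts, user, "user not in HR directory"))
        elif rec["status"] == "terminated":
            findings.append((ts, user, "login after termination"))
        elif method == "vpn" and on_site(user, ts):
            findings.append((ts, user, "remote login while badged on site"))
        elif method == "workstation" and not on_site(user, ts):
            findings.append((ts, user, "workstation logon without badge entry"))
    return findings


if __name__ == "__main__":
    for ts, user, reason in audit(parse_log(AUTH_LOG)):
        print(f"{ts.isoformat()} {user}: {reason}")
```

On the constructed data the audit reports alice's VPN logon at 10:15 (she badged in at 08:55 and had not badged out) and dave's VPN logon after his termination; the failed attempt is ignored because only successful access is in scope. The same correlation is only possible because each event names an individual, which is the article's argument for enforced account policies or strong authentication.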
Facing the reality of internal risk: Thwarting insider threats
By David Ting, CTO, Imprivata on May 1, 2008 7:30AM