In an environment of infinite risk and limited resources, the recent trend has been to implement risk management approaches that pragmatically weigh the cost of security controls against the potential cost of the damage to critical information assets. While this simple approach has helped to elevate some basic defenses against external risks, it has left organizations woefully unprotected against the much greater risks posed by "insiders." Organizations need a new paradigm and a new solution to adequately deal with the increasingly challenging insider problem.
Insiders aren't what they used to be
The term "insider" now includes more than simply users who are truly "inside". Within the context of information security, an Insider should be defined as someone using your internal or external network legitimately. These include users who misuse privileges, or who attempt to get higher rights, or uses another user's privileges. Unfortunately, we tend to confuse the concept of "insider" with the user of an internal/ private network. This is not correct – once a "bad guy" has privilege (any level), he or she should be considered an insider.
Semantics? Not really. The term is critical to understanding whether the technology solutions you have implemented adequately protected from the ravages of barbarians inside your building. Based on the statistics, you probably are not.
Why do we continue to focus more heavily of preventing external attacks than on damage by the insider? Is it because the frequency of insider perpetrated "loss" is statistically less significant? No – can't be. The 2003 CSI/FBI Survey concluded that most security breaches (80%) are done by insiders. By 2005, sixty (60) percent of security breach incident costs incurred by businesses will be financially or politically motivated and will be the work of insiders working alone or in conspiracy with outsiders. (Gartner May 2003 press release and Gartner IT Security Summit, June 2003).
Simply stated, insiders represent the greatest threat to your information assets.
Insiders do bad things. According to the 2003 Global Security Study carried out by Deloitte and Touche, 59% of network attacks could be reasonably attributed to "insiders".
Insiders frequently do dumb – and destructive – things. Here are two very common occurrences:
- Developers disable Anti-Virus protection in order to increase efficiency of compiling tasks. Result: viruses run rampant unchecked through the network.
- IT administrators provide high-maintenance remote users "power user" permission over laptops in order to promote "efficiency" – Result: with these keys to the kingdom, the user inadvertently deletes critical data and installs insecure, unapproved software.
On occasion, insiders act out of boredom or curiosity. For instance, I once witnessed a network administrator use his nifty new Palm Pilot to run nmap within the internal network of a large organization. Unfortunately, the network infrastructure was built on a combination of Bay and Motorola equipment, which do not like UDP scans and immediately crashed, leaving users and customers stranded for hours.
As a theory, the pragmatic approach started gaining momentum in the late 1990s as security officers in open source environments recognized that achieving "perfect security" is neither practical nor economically feasible. In keeping with the axiom, never spend $100 dollars on a fence to protect a $10 horse, information security managers turned to risk management strategies whose approach was to find the optimum balance between effective security and cost. This basic approach helps to ensure the presence of fundamental external defenses and ongoing security maintenance processes, but as we will see, it falls far short of providing adequate defense against threats from insiders.
The Pragmatic Approach: balance security risk and security controls
The pragmatic approach starts with a traditional risk management paradigm which includes three basic steps: analyze and quantify risk, mitigate risk, and monitor and manage the risk management infrastructure on an ongoing basis. The primary distinction between this approach and more traditional risk management approaches is the preventative application of the "risk formula" to control "protective" costs:
Risk = Threat * Vulnerability * Cost
In this model, terms are expressed as follows:
- Threat is the rate of potential security events (per hour, day, month, etc.) and the frequency that a security event occurs in a certain time frame.
- Vulnerability is the likelihood of success of a threat against your organization.
- Cost is the sum of "hard" and "soft" dollars per security event.
According to this formula, if any of the variables equals 0, there is no risk. For example, if there is a hole in your software, but no way to exploit that hole, there is no risk. Or, if there is a hole in your software, code to exercise it, but no cost to you or organization, there is no risk.
In working to reduce overall security risks, organizations then have two avenues to pursue: reduce the prevalence of vulnerabilities and mitigate the rate of threat. In the real world, all security controls have costs, and achieving a zero-threat rate or vulnerability prevalence is not possible. So the goal of this approach is to achieve a cost-effective balance of security risk and security controls.
A useful expansion of this basic risk formula begins to quantify the effects of these risk mitigations. Preventative vulnerability management is widely practiced, using technology (i.e. patches, firewalls) as the easiest and most quantifiable way to reduce risk.
While more difficult than vulnerability management, threat management still has a useful place in the infosecurity arsenal – particularly when it comes to controlling insider risk. When it comes to dealing with insider risk, most organizations focus on traditional process and policy measures to manage threats and vulnerabilities such as vulnerability mitigation (i.e., access control policies, user profiles, password policies, separation of tasks) and threat mitigation (i.e., hiring policies, background checks, termination policies, security awareness programs)
Unfortunately, these approaches are insufficient and largely un-quantifiable... because when it comes to "insider" risk here is no way for most companies to determine the cost/benefit value of threat rate reduction techniques – therefore it becomes hard to justify personnel security programs within the security budget. Additionally, vulnerability rate management requires implementation of additional technical controls that may hinder operating efficiency, and face resistance from business managers.
The effectiveness of the risk reduction mechanisms are reduced over time, gradually reducing the economic payback of the investment in the security control.
Case study: Pragmatic security gives free rein to malicious insider
Smart Investments – an international financial services provider with headquarters in New York – strives to secure its market leadership position by delivering new products and services through innovative technology.
Initially known as a mutual fund company, Smart Investments meets its customers changing needs by now also offering discount brokerage services, retirement services, estate planning, wealth management, life insurance and banking. These services are available to customers through the organization's brick-and-mortar outlets across the U.S., an online brokerage and banking platform and other distribution channels worldwide.
To enter new markets, Smart Investments recently acquired a boutique wealth management services provider in Asia that caters to exclusive clientele. With certain functions centralized at their US headquarters, the company had to reorganize the Asian office and in the process lay off some of the employees. The IS organization now faces the challenge of quickly incorporating another technical infrastructure into their environment and ensuring that all systems are secure from potential attacks – including from trusted users since they have easy access to a wealth of information.
- Key employees were re-interviewed
- Job Descriptions were posted
- Boot-camp with security awareness programs held
- Background checks carried out
- Employees required to sign a "receipt of employee policy" statement
- Employees integrated within the corporate directory structure and assigned roles consistent with their job function
- User profiles enabled
- New employees granted access to the corporate Intranet infrastructure
The result? An IT worker, fearing for his job, staged two short outages that "stumped" his peers. In each case he demonstrated he was the only one to fix the problem. When his job status continued to appear doubtful, he sabotaged two critical accounting servers, essentially bringing down the Accounting Department for two full days.
Using the pragmatic security model, Smart Investments appears to have done everything right: it did the appropriate background checks on the employees, and diligently secured and patched its devices. So the risk and the threat should have been significantly reduced to manageable levels. And yet the company suffered serious damage from an insider during business hours.
Let's look again at this scenario using the basic risk equation: The employee, who had passed the threat mitigating background check, accesses a critical asset, that had been diligently patched and secured through the vulnerability management program, during business hours. However, the threat did not trigger risk management controls. Smart Investments, like other organizations, are still trying to solve the insider risk by applying preventative controls. The insider problem is at its core a "people problem," and the problem with people is that they are not predictable; people risks cannot therefore be sufficiently mitigated with preventative measures alone.
The CIA's psychological profile of the typical IT worker further illustrates the problem: more comfortable in the world of ideas and concepts than emotions and relationships; prefers to work independently; tends to resist authority; more subject to environmental stress. (SOURCE: CIA's Center for Analysis of Personality and Behavior). It's clear that we need stronger reinforcements to predict and protect our critical assets against the malicious or unintended threats from insiders
A new technical paradigm with Security Event Management
There is a new approach to the insider problem that does not rely on accurately predicting behavior, but rather leverages technology to track user and system behavior in real time, identifies potentially dangerous anomalies and prevents or reduces the impact of insider threats. This approach is powered by Security Event Management (SEM) technology, which is now entering its adolescence and is commercially available. In general, an SEM Server collects security logs from event sources and archives them. This data is then mapped against a policy model which helps tell the end user who, did what, on what (file, folder), when they did it, where they did it, where they were coming from, and where they were going to. Once archived, this data can be re-played against any number of policy settings, allowing the end user a number of views into their data store for current or future forensic purposes.
What the Smart Investments case illustrates are the limits of the pragmatic security model to protect against the insider threat. Here, we can go beyond having the threat as a human being exhibiting significantly anomalous behavioral and expand the sensitivity of the risk management controls.
To bring it together, SEM output would have identified the following for Smart Investments:
- Systems administrator (WHO)
- Was making system changes (WHAT)
- To production devices (ON WHAT)
- From his desk (WHERE FROM)
- During business hours (WHEN)
In an organization with active policies, the string of events (behavior pattern) would have generated a policy exception. In an organization without active policies, events can be re-run to identify the source and effect of an outage.
With the ever-increasing reliance on the Internet and connected companies, the lines have disappeared between insiders, outsiders and traditional internal and external boundaries. And a wave of studies has concluded that internal threats continue to cause the most damage. Despite the prevalence of the insider risk, organizations are still relying on solutions that address the external threats. Organizations can look at this challenge from a cost point of view and balance that effect with that of threats and vulnerabilities to come up with the right solution. An SEM solution provides the aggregated auditing and reporting for not only perimeter events, but more importantly user behavior --the trusted user.
Kristin Gallina Lovejoy is vice president of technology and services for Consul risk management