Showing posts with label insider threat.

Wednesday, 12 December 2012

Catching Insiders

I have discussed the insider threat a number of times and recently came across an article on the Dark Reading website, "Five Habits Of Companies That Catch Insiders", which discusses the controls or habits that help in catching insiders.

The report the article was based on, Insider Threat Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector, made a number of recommendations, which I have listed here:


Behavioral and/or Business Process

  • Clearly document and consistently enforce policies and controls.
  • Institute periodic security awareness training for all employees.

Monitoring and Technical

  • Include unexplained financial gain in any periodic reinvestigations of employees.
  • Log, monitor, and audit employee online actions.
  • Pay special attention to those in special positions of trust and authority with relatively easy ability to perpetrate high value crimes (e.g., accountants and managers).
  • Restrict access to PII.
  • Develop an insider incident response plan to control the damage from malicious insider activity, assist in the investigative process, and incorporate lessons learned to continually improve the plan.

I do recommend reading the article and the report to gain a better understanding of the controls that reduce the insider threat.

Wednesday, 5 December 2012

Insider Threat hits Swiss Spy Agency

In the news today, "Swiss spy agency warns CIA, MI6 over 'massive' secret data theft": a disgruntled employee stole terabytes of data. The employee became disaffected after his warnings to his employers about the operation of systems were ignored. With admin rights giving him access to a lot of data, he downloaded it onto portable hard drives and walked out of the building.

One needs to ask whether he had a "need to know" for all of the data and systems, why it was possible to download vast quantities of data to portable drives, whether security checked employees leaving the building, and whether there was adequate supervision of those with elevated privileges.

There are a number of controls that should have been in place; I suspect some will now be put in place.

Friday, 21 September 2012

one down

A short follow-up to the blog post about Jessica Harper (http://geraintw.blogspot.co.uk/2012/08/insider-threat.html), who was convicted of a £2.4m fraud against Lloyds Bank, where she worked as head of anti-fraud.

She has now been sentenced to five years in jail for committing the fraud and has so far repaid £709,000. Harper had told investigating officers she deserved the money because she was rising at 5.30am and returning home at 8pm. In mitigation, Carol Hawley, defending Harper, said her client had a long history of charity fundraising.

It is one corrupt banker down, but how many other insiders are there siphoning off data and funds from their employers? Combating the insider threat can be done by the use of controls.

Technical controls focus on data and computer activities, while nontechnical controls focus on human motivations and behaviour. Nontechnical controls are critical because many insider attacks do not depend on technology.

Nontechnical controls

  • Job rotation
  • Segregation of duties
  • Mandatory vacations
  • Regular audits/reviews
  • Periodic employee background checks

Technical solutions

  • Data loss protection (DLP) systems
  • Fraud detection tools 
  • Security information and event management (SIEM) solutions


Wednesday, 12 September 2012

The IT insider

Continuing the theme of some of my recent posts on the insider threat, I came across an article on the Help Net Security website on how IT staff access unauthorised material: http://bit.ly/PhmqFf

A survey of more than 450 IT professionals by Lieberman Software found that 39% of IT staff can get unauthorised access to their organisation's most sensitive information, and one in five has already accessed data they shouldn't. 68% of respondents believe that, as IT professionals, they have more access to sensitive information than colleagues in other departments such as HR, finance and the executive team.

The survey seems to show that IT staff are aware of the additional privileges they have, but a proportion are abusing those privileges. There is also a problem in that a large percentage of organisations are not preventing this access, and management may not be aware of the problem or know how to prevent it.
 
There are a number of controls that can be used. "Need to know" can be enforced with user access controls and authorisation procedures; its objective is to ensure that only authorised individuals gain access to the information or systems necessary to undertake their duties. Most IT duties don't require access to another user's work files. An important part of preventing abuse is having the means to detect it: logging access to sensitive information and auditing that access provides a detective control that helps contain the problem.
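The detective control described above, and the two questions raised in the Swiss spy agency post (did the administrator have a "need to know" for the data, and why could terabytes be copied to portable drives) come down to the same thing: an audit trail of who touched what, reviewed against a statement of what each role is supposed to touch. The script below is an added example written for this page, not code from the original post or from any product named here. The log lines, the role-to-path scope table and the 1 GiB/day removable-media threshold are all constructed for the demonstration; a real deployment would feed it from the file-server or endpoint audit log and tune the scope and threshold to the organisation.

```python
"""Audit-log review for two insider-threat signals: access outside a role's
need-to-know scope, and bulk copies to removable media.  Added example for
this page; every line of log, the scope table and the threshold are constructed."""
import re
from collections import defaultdict

# Constructed key=value audit lines, in the style of a file-access audit trail.
SAMPLE_LOG = """\
2012-09-12T08:01:12 user=alice role=helpdesk action=read path=/srv/helpdesk/tickets/1042.txt bytes=2048 dest=local
2012-09-12T08:05:40 user=alice role=helpdesk action=read path=/home/bob/payroll_2012.xlsx bytes=512000 dest=local
2012-09-12T09:10:03 user=bob role=finance action=read path=/home/bob/payroll_2012.xlsx bytes=512000 dest=local
2012-09-12T09:12:51 user=dave role=sysadmin action=read path=/var/log/auth.log bytes=90000 dest=local
2012-09-12T09:15:22 user=dave role=sysadmin action=read path=/home/carol/board_minutes.docx bytes=70000 dest=local
2012-09-12T18:40:00 user=dave role=sysadmin action=copy path=/srv/backups/db-2012-09-11.tar bytes=734003200 dest=removable:/media/usb0
2012-09-12T18:52:13 user=dave role=sysadmin action=copy path=/srv/backups/db-2012-09-10.tar bytes=734003200 dest=removable:/media/usb0
2012-09-12T19:05:45 user=dave role=sysadmin action=copy path=/srv/backups/fileshare.tar bytes=734003200 dest=removable:/media/usb0
2012-09-12T10:02:00 user=carol role=exec action=copy path=/home/carol/slides.pptx bytes=4000000 dest=removable:/media/usb1
"""

# Constructed "need to know" scope: the path prefixes each role has a duty to
# touch.  A user's own home directory is always in scope; other users' homes
# never are, whatever the technical privilege of the account.
ROLE_SCOPE = {
    "helpdesk": ["/srv/helpdesk/"],
    "finance": ["/srv/finance/"],
    "exec": ["/srv/board/"],
    # Admins keep systems running; that does not require reading user files.
    "sysadmin": ["/etc/", "/var/log/", "/srv/backups/"],
}

REMOVABLE_LIMIT_BYTES = 1 * 1024 ** 3   # constructed: 1 GiB per user per day

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Turn one key=value audit line into a dict; 'bytes' becomes an int."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    event = {"ts": m.group("ts")}
    for token in m.group("kv").split():
        key, _, value = token.partition("=")
        event[key] = value
    event["bytes"] = int(event.get("bytes", 0))
    return event


def parse_log(text):
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def in_scope(event):
    """Need-to-know test: own home, or a prefix the role is responsible for."""
    path = event["path"]
    if path.startswith(f"/home/{event['user']}/"):
        return True
    if path.startswith("/home/"):
        return False            # someone else's files, regardless of privilege
    return any(path.startswith(p) for p in ROLE_SCOPE.get(event["role"], []))


def need_to_know_violations(events):
    """Events where a user touched data outside their duty scope."""
    return [e for e in events if not in_scope(e)]


def bulk_removable_copies(events, limit=REMOVABLE_LIMIT_BYTES):
    """(user, day) pairs whose copies to removable media exceed `limit` bytes."""
    totals = defaultdict(int)
    for e in events:
        if e.get("dest", "").startswith("removable:"):
            totals[(e["user"], e["ts"][:10])] += e["bytes"]
    return {k: v for k, v in totals.items() if v > limit}


def review(text):
    """Run both checks over a log and return the findings for a reviewer."""
    events = parse_log(text)
    return {
        "need_to_know": [(e["user"], e["path"]) for e in need_to_know_violations(events)],
        "bulk_removable": bulk_removable_copies(events),
    }


if __name__ == "__main__":
    findings = review(SAMPLE_LOG)
    for user, path in findings["need_to_know"]:
        print(f"need-to-know: {user} read {path}")
    for (user, day), total in findings["bulk_removable"].items():
        print(f"bulk egress: {user} copied {total} bytes to removable media on {day}")
```

On the constructed log this flags the helpdesk user reading a finance colleague's payroll file, the administrator reading an executive's board minutes, and the administrator's 2.1 GB of backups copied to a USB drive in one evening; the administrator's reads of /var/log and /srv/backups, and the executive copying her own slides, pass. The point of the scope table is that an administrator's technical ability to read /home/carol is not the same as a need to know, which is exactly the distinction the survey respondents were describing.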

I have come across some organisations that are using additional Acceptable Use Policies (AUPs) for IT staff and administrators, which outline in more detail the organisation's expectation that those with enhanced privileges should be more responsible in the way they use them. Additionally, an ethics programme may help administrators and IT staff understand their responsibilities and the organisation's expectations of their professionalism.

Previous posts on the insider threat.


Sunday, 2 September 2012

Insider threat

Another example of the insider threat to companies' confidential data: "Lewis Hamilton's tweet angers McLaren team" (http://www.bbc.co.uk/sport/0/formula1/19456707), a case of accidental data leakage. Does your company have the means to control this type of data loss, i.e. accidental leakage by an employee?

Previous blog entries on this: http://geraintw.blogspot.co.uk/2012/08/insider-threat_29.html and http://geraintw.blogspot.co.uk/2012/08/insider-threat.html

Wednesday, 29 August 2012

Insider threat

A follow-up to my previous blog post on the insider threat (http://geraintw.blogspot.co.uk/2012/08/insider-threat.html), which gave the example of Jessica Harper, 50, a former Lloyds Bank worker who, while working as head of fraud and security for digital banking, carried out a fraud worth more than £2.4m, for which she has been convicted and is awaiting sentencing.

Today I came across the story (http://www.theregister.co.uk/2012/08/29/toyota_disgruntled_contractor_hack/) of a former IT contractor for Toyota's US manufacturing operation who has been ordered not to leave the USA. On the night he was released from his contract he logged back into Toyota's systems and spent roughly six hours trashing the place. Toyota hasn't said what data it believes he may have stolen; it could include pricing, parts specifications, quality testing, or design information.

The insider threat is often thought about in terms of malicious actions, as in the two cases listed above; however, accidental actions can also lead to data leakage. In the UK an often-quoted case is the missing child benefit data from HM Revenue and Customs: http://www.computerweekly.com/blogs/public-sector/2008/06/hmrc-loss-of-child-benefit-cds.html

A 2009 report commissioned by RSA shows that accidental security incidents caused by company insiders are more frequent, and could potentially have a greater impact on information security, than malicious insider attacks. There are many examples of both malicious and accidental data loss, leakage and alteration caused by insiders; many accidental losses are not reported unless there are unique circumstances surrounding the situation, as in the case of HMRC.

The white paper, Insider Risk Management: A Framework Approach to Internal Security, shows that the majority of senior management give higher priority to protection against malicious insider attacks than to investing to prevent the more frequent, and potentially more harmful, accidental insider security incidents.

Information security is about Confidentiality, Integrity and Availability and all three sides of the CIA triad are involved in the insider problem. An information security professional needs to understand all the threat agents, vulnerabilities and exploits when conducting a risk assessment as part of implementing controls to reduce the insider threat and must consider both the malicious and accidental scenarios.




Tuesday, 7 August 2012

Insider Threat

An ironic example of the insider threat is the case of Jessica Harper, 50, a former Lloyds Bank worker who, while working as head of fraud and security for digital banking, carried out a fraud worth more than £2.4m. She has been convicted and will be sentenced on 21 September 2012.

The insider threat is a disgruntled insider with knowledge of the victim's system; see also abuse of privilege, insider attack, internal vulnerability, insider.

Combating the insider threat can be done by the use of controls.

Technical controls focus on data and computer activities, while nontechnical controls focus on human motivations and behaviour. Nontechnical controls are critical because many insider attacks do not depend on technology.

Nontechnical controls

  • Job rotation
  • Segregation of duties
  • Mandatory vacations
  • Regular audits/reviews
  • Periodic employee background checks

Technical solutions

  • Data loss protection (DLP) systems
  • Fraud detection tools
  • Security information and event management (SIEM) solutions
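Segregation of duties and regular audits/reviews appear in the control list above and in the 21 September post, and the Harper case shows why they matter: the person best placed to defeat the fraud controls was the person running them. The example below is added for this page and is not the blog's own code or any bank's system. It models a payment workflow in which no single person can initiate, approve and release a payment, larger payments need two approvers, and every attempt (allowed or denied) lands in an audit trail that a periodic review can read. The staff directory, roles, threshold and scenario are all constructed.

```python
"""Segregation of duties and dual control enforced in a payment workflow,
with an audit trail for periodic review.  Added example for this page; the
staff list, roles, threshold and payments are constructed."""
from dataclasses import dataclass, field

APPROVER_ROLES = {"payments_supervisor", "finance_controller"}
DUAL_CONTROL_THRESHOLD = 10_000   # constructed: at or above this, two approvers

# Constructed staff directory: user -> role.  Anyone may initiate a payment;
# only APPROVER_ROLES may approve; nobody may approve their own work or pay
# themselves, however senior their role.
STAFF = {
    "harper": "fraud_head",
    "jones": "payments_clerk",
    "patel": "payments_supervisor",
    "okoro": "finance_controller",
}


class SoDViolation(Exception):
    """Raised when an action would let one person control a payment end to end."""


@dataclass
class Payment:
    pid: str
    amount: int
    payee: str
    initiator: str
    approvers: list = field(default_factory=list)
    released: bool = False


class PaymentLedger:
    def __init__(self):
        self.payments = {}
        self.audit = []      # append-only (actor, action, pid, outcome) trail

    def _log(self, actor, action, pid, outcome):
        self.audit.append((actor, action, pid, outcome))

    def initiate(self, actor, pid, amount, payee):
        if actor not in STAFF:
            raise SoDViolation(f"unknown user {actor}")
        if payee == actor:
            self._log(actor, "initiate", pid, "denied: self-payment")
            raise SoDViolation(f"{actor} cannot initiate a payment to themselves")
        self.payments[pid] = Payment(pid, amount, payee, actor)
        self._log(actor, "initiate", pid, "ok")
        return self.payments[pid]

    def approve(self, actor, pid):
        """Record an approval; returns the approval count so far."""
        p = self.payments[pid]
        reason = None
        if STAFF.get(actor) not in APPROVER_ROLES:
            reason = "role may not approve"
        elif actor == p.initiator:
            reason = "initiator may not approve own payment"
        elif actor == p.payee:
            reason = "payee may not approve"
        elif actor in p.approvers:
            reason = "duplicate approval"
        if reason:
            self._log(actor, "approve", pid, f"denied: {reason}")
            raise SoDViolation(f"{actor} on {pid}: {reason}")
        p.approvers.append(actor)
        self._log(actor, "approve", pid, "ok")
        return len(p.approvers)

    def required_approvals(self, pid):
        return 2 if self.payments[pid].amount >= DUAL_CONTROL_THRESHOLD else 1

    def release(self, actor, pid):
        """Release funds only once the required distinct approvals exist."""
        p = self.payments[pid]
        need = self.required_approvals(pid)
        if len(p.approvers) < need:
            self._log(actor, "release", pid, f"denied: {len(p.approvers)}/{need} approvals")
            raise SoDViolation(f"{pid} needs {need} approvals, has {len(p.approvers)}")
        p.released = True
        self._log(actor, "release", pid, "ok")
        return True


def denied_attempts(ledger):
    """Periodic review: count denied actions per user from the audit trail."""
    counts = {}
    for actor, _action, _pid, outcome in ledger.audit:
        if outcome.startswith("denied"):
            counts[actor] = counts.get(actor, 0) + 1
    return counts


if __name__ == "__main__":
    led = PaymentLedger()
    led.initiate("jones", "P1", 500, "acme")
    led.approve("patel", "P1")
    led.release("jones", "P1")                  # small payment, one approver suffices
    led.initiate("patel", "P2", 25_000, "megacorp")
    for actor, action in (("patel", "approve"), ("harper", "initiate")):
        try:
            if action == "approve":
                led.approve(actor, "P2")            # initiator approving own payment
            else:
                led.initiate(actor, "P3", 50_000, actor)  # paying oneself
        except SoDViolation as exc:
            print("blocked:", exc)
    print("denied attempts per user:", denied_attempts(led))
```

The review function is the part that connects to "regular audits/reviews": a user who keeps bumping into the segregation rules is a pattern worth a human look, and the denials are only visible because every attempt is logged, not just the successes.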