Insiders in the Real World
The world of security in general, InfoSec in particular, is a funny one. For example, in the real world (as opposed to cyberspace) we spend a lot of time worried about all sorts of stranger danger when the reality is that ¾ of child kidnappings are committed by family members and 79% of murders are committed by friends, family, or acquaintances. It seems pretty clear that if something bad is going to happen to you, it is likely that you know the person who is going to do it.
Insiders in Cyberspace
On the cybersecurity front, the insider has always been a significant source of risk, with 62% of respondents indicating that they believe the risk to be growing, a number which goes hand in hand with less than 50% believing they have the appropriate safeguards in place. When we drill down, regular employees and contractors are a risk but far from the biggest risk. The biggest risks (and the biggest, most tempting phishing and spear phishing targets) are privileged users – network and system administrators and others with root or other powerful accounts.
We have seen many examples in the past – 40% of South Koreans found their personal information, including credit card details, exposed by a team of criminal insiders; one of the 10 largest banks in the world had 27,000 records sold by insiders; a DuPont contractor sold trade secrets to a rival for $28 million; and EverVest was taken down for about a month by a rogue employee who, upon learning he was to be fired, provided some hard-hitting justification by wiping all servers, disconnecting the network, and turning off data center cooling. We could certainly go on, but you get the point. Sure, Anons, APTs, and the like are certainly out there, but a pragmatic approach to security would probably have most focusing, first, on the home front.
Concrete Steps and Actions
With this information in mind, there are a number of things that an organization can do. One is to make sure that everyone on your executive staff, IT team, and your security team is aware of the fact that the biggest single threat facing the organization is the insider. Taken to heart, this will impact a number of areas from the assignment of rights to hiring. Sure, you are not going to be able to prevent the hiring of people who eventually go rogue, but you can at least stack the cards further in your favor with more careful hiring practices. The same thing goes for contractors, both internal and external. It is always tempting to save money, but long term the lowest bidder is not always going to be the best choice.
One thing to keep in mind is that the APTs of the world have gotten smarter. While they used to employ rather ham-fisted and easily detected methodologies they are now, in many cases, doing a better job of “flying low and slow” – working in methodical ways to be harder to detect. They are also moving from a “spray and pray” approach to more finely targeted spear phishing attacks going after individual executives and privileged IT accounts. Once one of these privileged accounts is compromised, the network once again begins to resemble the fabled crunchy outer shell with a soft chewy middle.
RBAC, 2FA, and Other Fun Acronyms
On the technical front, SIEMs used to be more helpful, but the ability of a SIEM to protect an organization from an insider, whether via compromised account or actual rogue, is limited at best. One thing that can certainly help with compromised accounts is Two Factor Authentication (2FA) solutions such as RSA SecurID. Even if someone is able to get the password to an admin account, that person will still need to have a physical token, which in the case of an attacker located in a PLA bunker is going to be hard to do. 2FA is not bulletproof, but it does at least add another layer of security.
Another approach would be to roll out solutions like HyTrust CloudControl, which provides not only Role Based Monitoring but also Role Based Access Control. This way you can contain administrator accounts to their appropriate “swim lanes,” and also monitor and alert on adherence to those swim lanes. The HyTrust solution also allows policy control, including the Two Person Rule. It is important to note that the Two Person Rule can protect not only against intentional bad acts but also against accidental ones. In many environments, there is nothing standing between a rogue actor, or a well-intended but fat-fingered systems administrator, and a production outage. CloudControl fixes that problem, while also providing strong access control and support for third-party Two Factor Authentication as well as built-in forensic-quality logging.
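To make the swim-lane and Two Person Rule ideas concrete, here is a small policy engine written for this post as an added illustration. It is not HyTrust CloudControl's code or API; the roles, resource tags, account names and the `evaluate`/`denials` functions are all constructed for the example. Each role is confined to a set of actions and a resource scope, destructive actions need a second, differently-named approver who is independently authorized for that action, and every decision is written to an audit list so that denials can feed an alert.

```python
"""Toy role-based access control with a Two Person Rule and denial alerting.

Added example, not vendor code. Roles, scopes, actions and account names
below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Swim lanes: which actions each role may perform, and on which resource scope.
# Resources are tagged "scope:name", e.g. "compute:prod-db-01".
ROLE_POLICY = {
    "network_admin": {"actions": {"view", "configure"}, "scopes": {"network"}},
    "storage_admin": {"actions": {"view", "configure"}, "scopes": {"storage"}},
    "vm_admin": {"actions": {"view", "configure", "power_off", "delete"},
                 "scopes": {"compute"}},
}

# Actions destructive enough that the Two Person Rule applies.
TWO_PERSON_ACTIONS = {"delete", "power_off"}


@dataclass
class Request:
    actor: str
    role: str
    action: str
    resource: str
    approver: Optional[str] = None        # second person for destructive actions
    approver_role: Optional[str] = None


@dataclass
class Decision:
    allowed: bool
    reason: str


# Forensic-style record of every decision, allowed or denied.
audit_log = []


def _check_two_person(req: Request) -> Decision:
    """The approver must exist, differ from the actor, and hold a role that
    could itself perform the action (so a helpdesk account cannot approve a
    delete)."""
    if req.approver is None:
        return Decision(False, "two-person rule: no approver supplied")
    if req.approver == req.actor:
        return Decision(False, "two-person rule: actor may not approve own action")
    approver_policy = ROLE_POLICY.get(req.approver_role or "")
    if approver_policy is None or req.action not in approver_policy["actions"]:
        return Decision(False, "two-person rule: approver not authorized for action")
    return Decision(True, "two-person rule satisfied")


def evaluate(req: Request) -> Decision:
    """Decide a request against the role's swim lane, then the Two Person Rule."""
    scope = req.resource.split(":", 1)[0]
    policy = ROLE_POLICY.get(req.role)
    if policy is None:
        decision = Decision(False, f"unknown role {req.role}")
    elif req.action not in policy["actions"]:
        decision = Decision(False, f"action {req.action} not permitted for {req.role}")
    elif scope not in policy["scopes"]:
        decision = Decision(False, f"scope {scope} outside swim lane of {req.role}")
    elif req.action in TWO_PERSON_ACTIONS:
        decision = _check_two_person(req)
    else:
        decision = Decision(True, "within swim lane")
    audit_log.append({"actor": req.actor, "role": req.role, "action": req.action,
                      "resource": req.resource, "approver": req.approver,
                      "allowed": decision.allowed, "reason": decision.reason})
    return decision


def denials():
    """Entries a monitoring system would alert on: any out-of-lane attempt."""
    return [entry for entry in audit_log if not entry["allowed"]]


if __name__ == "__main__":
    evaluate(Request("alice", "network_admin", "configure", "storage:san-01"))
    evaluate(Request("bob", "vm_admin", "delete", "compute:prod-db-01"))
    evaluate(Request("bob", "vm_admin", "delete", "compute:prod-db-01",
                     approver="carol", approver_role="vm_admin"))
    for entry in denials():
        print("ALERT:", entry)
```

Run as a script it prints one alert for the storage change attempted by a network admin and one for the unapproved delete; the delete approved by a second VM admin is allowed and logged without an alert. The point of the structure is that the swim-lane check and the Two Person Rule are evaluated on every request, so both a compromised account acting outside its role and an honest slip on a production resource hit the same control and the same log.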
Realistically, the majority of organizations are going to experience a breach at some point and the odds are good that there will either be a true insider or a compromised account involved. You can both hope and pray that it doesn’t happen during your tenure with that organization or you can take the appropriate steps to cope and contain the damage when it happens.