Dripping Data: Understanding and Reducing Insider Threat

This is an area I've been focusing on for the past month or so. I've been doing a lot of reading, fact-finding, research, etc. around the topic of data leakage that occurs when users are essentially stealing data from within your business. This ties into economic espionage, which is another major concern for businesses today.

So what's there to say about Insider Threat? It's out there. It's actually more of a risk to your business than "external attack." Why is that? Well, insiders already have access to the data. This normally isn't any "super secret access" they've managed to secure for themselves through diabolical means. Instead, it's normally access that you've given them based on their role within the organization. "Bob in Accounting? Why, he'll need access to SERVER1, SERVER3, and SERVER44... but we should probably go ahead and grant him access to the CUSTOMER database and the BILLING database too, just in case he needs them. No need to make this guy's life difficult. We certainly don't want to get a nasty email from the VP of Finance later!"

Over the next few posts, I'm going to be taking a look at what Insider Threat is, how it happens, and ways we can help mitigate its impact on our business.

Before we get started, I want to give credit to one of the biggest resources I've found. The book "Insider Threat: Protecting the Enterprise from Sabotage, Spying and Theft" by Eric Cole and Sandra Ring really had some great points in it. It is one of only a few books out on the topic. There are, of course, many surveys, third-party research findings, reports, etc. that I used in putting together the presentation on this topic, but Eric and Sandra's book is very well written. I highly recommend investing in a copy.


Why Do Companies Ignore Insider Threat?

  1. "Who, us?" - Most companies are actually unaware that Insider Threat is even happening. As sad as that sounds, it's very true. As I mention in my presentation, a typical story goes like this: "Bob has worked for us for 10 years, therefore we trust Bob. Bob would never do us harm. We love Bob." And that is a very good thing. You should recognize and reward loyalty. However, the real question of the day is "Does Bob love you?" Simply ignoring an issue doesn't solve it. Turning up the car stereo while driving doesn't fix that kl-kl-kl-klunk sound coming from under the hood.
  2. "We don't have risk here." - Maybe, maybe not. Are you willing to ignore a potential risk? Denying the issue ("We don't really have a problem.") and refusing to admit it because then you'd have to take action ("If we have an issue, then we'll have to address it.") are two very typical responses to Insider Threat. They also happen to be the same excuses that addicts use: "I don't have an issue, and if I admit to it, you'll want me to stop." (Honey, this does not apply to World of Warcraft.)
  3. "What if the press finds out?" - Finally, a legitimate excuse for ignoring the threat: bad press. The person who came up with the idea that "There is no such thing as bad publicity" probably wasn't a Chief Security Officer. Bad press does happen to good people, right Britney? Unfortunately, it's very true. Given two financial institutions, Bank A, which admits it had a breach, fixed it, and is taking security seriously going forward, vs. Bank B, which never admits to having had a security issue... which would you trust? The Security Pro in me says, "Bank A. They've fixed an issue and will be more aware of such attempts in the future." The consumer in me simply says, "Bank B."

So Why is Insider Threat a Greater Risk Than External Attack?

It all comes back to risk management and risk assessment. Is it easier for someone to break into your house to steal the money out of your change dish, or for a guest to swipe a few dollars once you've invited him in?

  1. Easier to Implement - The attacker already has all or most access required. What "31337 skillz" do I need when all I need to do is take a document out of the building once I'm already inside?
  2. Current Mitigations Don't Address Insider Threat - Which way is your firewall facing? What about your IPS/IDS? Yep... all facing the external side. "Well Kai, we've got some great company policies that limit this risk." Really? When was the last time any of those were actually enforced? I hear all the time how they "should have" been enforced, or how we "could have" fired that employee... but we didn't. All bark. No bite.
  3. High Probability of Success - You've already given them access, haven't you? It's like saying to me, "Kai, how do you plan on getting into the Packers game?" Ummm... with these tickets I have in my hand. The fact that more attacks don't happen is what is astonishing. Looking for examples of successful attacks? Good luck... not many CEOs are going to be announcing during the Annual Shareholders Meeting, "...and in Q4 we actually had 15,000 pieces of intellectual property leave through the hands of one of our most trusted employees."
  4. Less Chance of Getting Caught - If you give them access, it really isn't "breaking in" is it?

Okay, if you have any amusing anecdotes about Insider Threats, please feel free to comment. I love reading them and do try to reply to each.

NEXT TIME: Insider Threat continues with "Prove it! Show us the Statistics!"