The topic of dealing with insider threats has entered the spotlight in a big way recently thanks to Edward Snowden. A former contractor who worked as an IT administrator for the National Security Agency via Booz Allen Hamilton,
Snowden rocked the public with his controversial (and unauthorized) disclosure of top secret documents describing the NSA’s telecommunications and Internet surveillance programs to
The Guardian. But could Snowden’s case really have an impact on the IT security of your business? For some people it will; for others, his case might serve as a more abstract example of the dangers awaiting those without solid internal security. Achieving a layer of solid protection from insiders is a complex issue; when it comes to protecting a business’s data, organizations more often focus on threats from the outside. As an information security program is developed, insiders are considered potential threats, but ultimately don’t get much attention. This is because the types of breaches that executives seem to worry about—the ones that make the news—rarely focus on the threat from within. This mindset is rather common in the business world. But when a trusted employee or contractor uses privileged access to take company data, the aftermath can be as catastrophic to the business or organization as an outside attack. Eric Chiu, the president and founder of HyTrust, suggested in a recent interview that, when an administrator successfully steals data, it’s the result of several factors coming together. The first factor: the administrative accounts used to manage information systems typically feature godlike access. The second: most organizations do an appalling job of locking down against insider threats. “Historically, they’ve really focused on what I would call traditionally an outside-in model to security,” Chiu said. Outside-in security includes perimeter defenses such as firewalls and IDS / IPS systems, the things designed to keep bad guys out of the network. But those do nothing to protect the organization from those already on the inside. It isn’t about trusting employees (or not trusting them, as the case may be): the threat a business faces from an insider attack is much larger and comes in a variety of different flavors. This means privileged accounts are at risk from attackers outside of the network; attackers on the inside who have hijacked a legit account for their own needs; staffers who abuse access for one reason or another; or—and most likely—a user with too much access who makes a mistake that results in a security incident.
Inside Job
Sometimes, the malicious insider isn’t so malicious. This is the argument many are making in Snowden’s situation these days, but this point-of-view isn’t new. A similar one was also made for Terry Childs,
whom InfoWorld's Paul Venezia once called San Francisco’s admin gone rogue. Childs was the administrator for San Francisco’s Department of Telecommunications and Information Services. According to
the news at the time, in addition to court documents, the problem started after the new security manager ran an unannounced audit on the city’s network. Childs disagreed with the auditing methods, and was eventually asked to turn over all his access passwords. He refused and was suspended for insubordination. While this saga was unfolding, the city’s IT continued to function properly—but with Childs refusing to give up the passwords, there was no way for other workers to access those systems. He ended up going to jail. A similar case is that of Jason Cornish, an IT administrator of Shionogi, Inc., a U.S. subsidiary of a Japanese pharmaceutical company. In 2010, shortly after he resigned, the company announced layoffs that impacted Cornish’s friend and former supervisor. In February of 2011, Cornish felt it was time for some payback. Using a privileged account (his own), and software that he had secretly installed before his resignation, Cornish deleted 15 virtual servers, which impacted the company’s ability to function. “The deleted servers housed most of Shionogi’s American computer infrastructure, including the company’s e-mail and Blackberry servers, its order tracking system, and its financial management software. The attack effectively froze Shionogi’s operations for a number of days, leaving company employees unable to ship product, cut checks, or communicate by e-mail,” read an
FBI press release drafted from the criminal complaint. What makes Cornish’s case interesting and important is that it hinges on the other problem with insider threats—visibility. Cornish was allowed to install software due to his access permissions. And his credentials were never revoked after he left. Regulating access is the first step into addressing the insider threat. This means limiting accounts to functions that are essential for the job, and only the job. In this scenario, an account used by a staffer in sales would never have access to the development side of the network. And if access to the development side were ever needed, it would be restricted to select assets—and only those assets. But that isn’t how things often work in the real world: the larger the organization, the harder it is to enforce role-based accounts and privilege. Time is money, and often administrators don’t have time to sit and create a unique role for each staffer—so groups are defined and broad access is implemented. But those sorts of procedures create big gaps with precious little visibility. If someone changes roles within the company, there’s a good chance they will retain their old access in addition to their new access. This may seem strange, but it happens—and it does lead to security incidents.
Hopeless Case?
But is insider risk really such a hopeless case? The problem is that organizations are suffering from data overload. With organizations forced to store and manage untold amounts of raw data on a daily basis, it’s easier than ever for malicious insiders to take their sweet time planning and implementing an attack, and cover their tracks afterwards. The security industry has several products and services that attempt to cover risk from all sides. As you’d expect, the “insider threat” is one of the many attack surfaces that constantly comes up in conversations with experts. Despite that widespread recognition, however, most products don’t offer much in terms of security against malicious insiders—often just a note indicating that a particular user has logged into an application or service. The chain of events after a login, if it exists, is a perfect example of the signal lost in the noise. Unless they are tuned properly, SIEM systems and many IDM products may not raise a red flag in time. Examples of this can be seen in the
Verizon Data Breach Investigations Report; evidence of a breach exists in network logs, but is only discovered long after the fact. “Trying to find the users, whose behavior is anomalous in that pile of noise, is where I think we are going to see a lot of the challenge of network monitoring and adjustment going,” said Jay Roxe, the senior director of products for Rapid7. Many of the insider defenses on the market only addresses insiders who rely on their own access. They don’t deal with hijacked accounts or mistakes. They don’t cover role movement within the company or dormant accounts. (Some do, but you have to know where to look—see below.) The fact is, so-called “regular behavior” varies from company to company, with no true general baseline. The intern will behave differently on the network than the CEO or lead development team. The trick is to spot the differences in what’s normal, and when that “normal” behavior deviates toward something more sinister. “Once you start addressing the baseline of somebody’s behavior across themselves, across their organization and then across the company, you at least start to gain the ability to identify the outliers,” Roxe added. For example, if an employee on the network who’s never used a cloud-based storage service suddenly becomes a heavy Dropbox user, they might have just switched jobs within the company—but they also might be trying to exfiltrate data. If a remote worker who lives (and logs on) in Michigan suddenly begins connecting from California or Tokyo, they might be on vacation—or the account might be compromised. Not only are over-privileged accounts are often left unchecked, but employees are often using services without IT’s oversight. “What we see is that a lot of enterprises, particularly larger ones, their lines of business are adopting SaaS without involving the central IT department. So there’s no central registry to know what a given user has been given access to,” explained Darren Platt, the founder and CTO of Symplified, a cloud-based identity management firm in Boulder, CO. Knowing where the data lives on the network is one of the key rules for a security admin. Once it’s determined what data is most important, it needs to be tracked as it moves in and out of the network, and while it is at rest. If IT is left out of the process when a business unit launches a new SaaS initiative, for example, risk management just went right out the proverbial window. “SaaS is enabling the line of business to buy software under their own purchasing power, and kind of go around the IT department. That’s created a situation where the IT department is not aware of what users even had access to begin with. And so when the user leaves the company, they have no way to go out to all those systems [and revoke access], because they don’t know of all the systems their users are going to,” Platt added.
Physical Security
Physical security should be taken into consideration, as well. There have been countless examples of sensitive data stored on removable media, such as USB devices, and either lost or taken by an insider (Snowden apparently lifted sensitive NSA data via this method). The common fix for this is to disable USB slots or control access to them via profile. Another solution is DLP,
which has issues of its own if not used properly. “USB is just one mechanism, and typically admins have the ability to still use USB drives and they have legitimate purposes for doing that,” Eric Chiu said. “So trying to lockout the transport mechanism vs. prevent access to that data, prevent sensitive operations that could be used to copy that data, and also monitor for that, that’s really the point where you just have to stop it from happening in the first place.” For those who are interested in USB monitoring and protection, The Software Engineering Institute at Carnegie Mellon has
published a great whitepaper on the topic [PDF], which addresses GPO implementation and the use of OpenDLP in your environment. In the end, managing the risk posed by a privileged insider centers on control. After that, it’s down to splitting the signal from the noise when examining the mountains of security-related logging data that various products create on a daily basis. There’s no silver bullet product, but several vendors are making interesting advances in the space. It’s expected that by the end of the year, the number of options when it comes to access management and protection will greatly increase. Slashdot has done some of the legwork for you. Below are some of the vendors that can help when it comes to dealing with insiders. While this isn’t a conclusive list, each vendor offers more than simple login checks and can adapt to your existing infrastructure:
Fischer International: They have a rather unique approach to managing access to on- and off-premise resources via role-based controls.
Centrify: They’ve got a rounded access management product, which is easy to use and has a decent amount of easily followed reporting. They also have affordability, which makes them a fit for small to medium businesses.
HyTrust: The company was one of the first to offer policy management and access controls for cloud environments.
Symplified: Like HyTrust, Symplified is also good at what they do, and they cover access control for all levels of infrastructure from mobile to cloud, in addition to layers that cover staffers as well as customers.
McAfee: McAfee has rolled their Identity and Access Management tools into their Web protection software. If you’re an existing McAfee shop, then it’s likely you either already have the tools, or they can be quickly implemented.
NetIQ: This is another fully functional identity management suite; and like the others, it works across all platforms.
Image: scyther5/Shutterstock.com