Insider threats are alive and very (un)well

Corporations continue to beef up and adapt their defenses against attackers. They put up firewalls, implement restrictive ACLs, deploy IDS to alert them to attacks and use two-factor authentication to keep users’ credentials from being exploited. They restrict access to resources and manage mobile devices with MDM solutions. Encrypting everything helps ensure that if drives go missing, the data on them cannot be read. All of these measures help to keep the bad guys out. But what if they are already in? Insider threats have always been a problem and examples abound. Edward Snowden didn’t hack anything. Simply put, he just took what he had access to.

Already this year, Morgan Stanley experienced a security incident when an employee with authorized access to customer data used that access for inappropriate purposes. The unnamed employee accessed customer records, extracted some data from them, and posted the text to a website designed for sharing large amounts of text with others. The intent of this now ex-employee has not been publicly disclosed, and Morgan Stanley quickly detected the incident and took action to remove the data. There has been no indication that any customer’s personal data has been used for fraud or identity theft. But things could have been so much worse.

What should a company do when users, whose roles require access to sensitive data, misuse that access? What precautions can companies take to reduce both the risk of this happening, and the damage that can result from insider activity?

There is no single answer to these questions, and there is no silver bullet that can solve the problem. A layered approach that includes policy, procedure and technical solutions is the right approach to take.

Background checks

Background checks should be carried out on every employee joining the company, even more so if those employees will have access to privileged data. While not foolproof (Edward Snowden had security clearance), they can help to identify potential employees who have a criminal record or have had financial problems in the past. They may also uncover details of an employment history that bear closer inspection and further checks.

Bonding

For users with significant access to critical data and/or administrative access, bonding can help insure against the costs that could be incurred should a security incident occur. Like any insurance, you hope you never need it, but with the average cost of a security incident reported by various studies as between $647K and $12.7M, no company can afford to be without some extra protection.

Acceptable Use Policies

Acceptable Use Policies do more than simply define what users should and should not do on the Internet. They also define what is acceptable and unacceptable when using customer and company proprietary data. While a policy will not stop those with clear intent, it warns employees that there are consequences if they are caught, including disciplinary action and possibly dismissal.

Least Privilege

The principle of least privilege states that users should only be granted the minimum amount of access necessary to complete their jobs. This should include both administrative privileges and access to data. By limiting access, the amount of damage an insider can cause is limited.

Review of Privileges

Users’ access to systems and data should be reviewed regularly to ensure that such access is appropriate and is also still required. As users change roles and responsibilities, any access they no longer need should be revoked.

Separation of Duties

When possible, administrative duties should be divided up so that at least two users are required for key access or administrative functions. When two users must be involved, any malicious or inappropriate access requires collusion, reducing the likelihood of inappropriate actions and increasing the likelihood of detection.

Job Rotation

Many insider threats develop over time and may go undetected for months or years. Often boredom is a cause. One way to counter both problems, and at the same time improve the skills and value of key employees, is to rotate users through different roles. Job rotation also increases the likelihood that inappropriate activities will be detected, as the new role holder must by definition examine what the previous role holder was doing.

Mandatory time away

All users need a vacation, a break and time away to recharge. This is not only good for users, it’s good for the company. Just like job rotation, when a privileged user is on leave, another admin must cover their duties and has the opportunity to review what has been done.

Auditing and log review

Auditing is imperative. All actions and access must be audited, both for successes and failures. You will want to investigate failures as they may indicate attempts to access data, but you will also want to review successes and ensure that they are in support of appropriate actions rather than inappropriate ones. While log review only detects things “after the fact”, it can detect repetitive or chronic actions early, and hopefully before too much damage is done.
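As an added illustration of reviewing both successes and failures (example code written for this article, not a GFI product feature), the script below runs over a constructed audit trail and flags a user who pulls an unusual number of distinct customer records in a short window, the pattern behind the incident described above, as well as a user who repeatedly hits access denials. The log line format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample audit trail (not from any real system). Assumed line format:
#   <ISO timestamp> user=<id> action=<verb> object=<resource> result=<ok|denied>
SAMPLE_LOG = """\
2015-01-05T09:00:05 user=alice action=read object=customer/1001 result=ok
2015-01-05T09:00:09 user=alice action=read object=customer/1002 result=ok
2015-01-05T09:00:14 user=alice action=read object=customer/1003 result=ok
2015-01-05T09:00:20 user=alice action=read object=customer/1004 result=ok
2015-01-05T09:00:27 user=alice action=read object=customer/1005 result=ok
2015-01-05T09:15:00 user=bob action=read object=customer/2001 result=ok
2015-01-05T13:02:01 user=carol action=read object=payroll/q4 result=denied
2015-01-05T13:02:05 user=carol action=read object=payroll/q4 result=denied
2015-01-05T13:02:11 user=carol action=read object=payroll/q3 result=denied
"""
LINE_RE = re.compile(r"^(\S+) user=(\S+) action=(\S+) object=(\S+) result=(\S+)$")

def parse_log(text):
    """Parse audit lines into dicts, oldest first; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, action, obj, result = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "user": user,
                           "action": action, "object": obj, "result": result})
    return sorted(events, key=lambda e: e["ts"])

def bulk_access(events, max_records=4, window=timedelta(minutes=10)):
    """Review of successes: flag users who read more than max_records distinct
    records within any sliding window. Returns {user: peak distinct records}."""
    per_user = defaultdict(list)
    for e in events:
        if e["result"] == "ok" and e["action"] == "read":
            per_user[e["user"]].append(e)
    flagged = {}
    for user, evs in per_user.items():
        for i, start in enumerate(evs):
            seen = {x["object"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(seen) > max_records:
                flagged[user] = max(flagged.get(user, 0), len(seen))
    return flagged

def repeated_denials(events, threshold=3):
    """Review of failures: flag users whose denied attempts reach the threshold."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "denied":
            counts[e["user"]] += 1
    return {u: n for u, n in counts.items() if n >= threshold}
```

Thresholds like these are a starting point for review, not a verdict: a flagged user such as alice may simply be doing a legitimate batch job, which is exactly what the reviewer confirms or refutes.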

Data loss protection

Data loss protection technologies cannot prevent a determined attacker from taking data, but they can prevent many of the accidental data leakages that can occur.

Endpoint protection

Endpoint protection technologies can greatly reduce the risk of data loss and also detect inappropriate activities by privileged users. Endpoint protection can help you secure BYOD devices and search files for key data like NPI and account numbers. The technology also helps to enforce policies that restrict users from transferring data to unapproved USB devices and encrypt those devices that are approved.

Insider threats can be prevented if a detailed and layered strategy is adopted. Every company needs HR, legal and IT to work together to cast a protective net that will proactively identify threats, or at least minimize the impact of an insider threat. No company is safe, but every company can lower the risk.
