
The Insidious Insider Threat!

on June 30, 2011

In security we often preach that insider threats are generally the worst. When the attacker is one of your own, keeping your systems safe becomes a lot harder: you have effectively told your staff what checks and balances are in place, and even where you have not, they can still work out how to get hold of that information. Nothing can be done about this; it is simply part of the dynamics that the security policy has to handle.

Insiders do strike, and sometimes they do get caught. In some cases the breaches are so well thought out and executed that it is truly a wonder security can prevail at all. Let us consider the case of Matthew Kluger as reported by law.com. Matthew allegedly used his position at various law firms to gather inside information on various companies, and shared it with alleged accomplices who traded on it. Reports said that Matthew allegedly made a total profit of $32 million from his scheme, and that he managed to get away with it for 17 years. The obvious question is ‘how does one do that?’. The answer is that Matthew was very clever. He knew that opening the confidential documents themselves would leave an audit trail that exposed his activity, so instead he simply looked at the document titles. These alone told him which companies were about to merge and gave him other advance knowledge of events that would affect a company’s stock.

Let us focus on the specifics of Matthew’s alleged actions, because they are probably a prime example of why insider attacks are so insidious: how can we ever protect against an employee who attacks us simply by looking at the titles of documents he has access to? Most of the time, the answer is that you really cannot. The usual security recommendations do not cover this type of activity: normal security controls will not prevent it, and any control strict enough to detect it would be far too restrictive and excessive.

So how do we handle such a threat?

The first important aspect we need to consider is employee trust. We inevitably have to trust employees not to take advantage of their position. We can put deterrents in place, we can put controls in place, but these will never be 100% effective. Most of the time, a company’s main goal should be building and maintaining employee loyalty. Implementing too many security controls can have the opposite effect, alienating employees instead of bringing them on your side. It is therefore very important to strike a balance between maintaining security levels and keeping employee morale up.

Segregation of duties can also help reduce the risk. If employees depend on each other to get tasks done, a malicious employee will find it harder to hide their tracks.

Finally, a security policy can also help. If you are dealing with highly sensitive confidential data, have your security team periodically review the systems to ensure there have been no breaches or attempted breaches. To stop prying eyes from gathering information from document titles, the policy can establish document-naming guidelines: a title should contain enough information for those with legitimate permission to find what they need, while being useless to anyone else unless they open the document (which then creates an audit trail).
There will always be an element of risk; it is impossible to be 100% safe from insider attacks, but proper procedures and planning can reduce the risk significantly.
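As an added illustration (example code written for this edit, not part of the original post or of any product it describes), the following Python sketch contrasts a document index that hands out descriptive titles and audits only opens with one that follows the naming guideline above: listings show only an opaque matter code, and both listing and opening are written to the audit trail, so the periodic review has something to look at without blocking anyone’s work. The sample documents, the log format, the review heuristic (flagging a user whose listing count is far out of proportion to what they actually open) and its threshold are all assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample documents (an assumption for the demo). The descriptive
# title is exactly the kind of information the post says leaked on its own.
DOCUMENTS = {
    "M-2041": ("Acme Corp / Globex merger agreement", "draft terms..."),
    "M-2042": ("Initech Q3 restatement memo", "restated figures..."),
    "M-2043": ("Routine office lease renewal", "standard clauses..."),
}


class LeakyStore:
    """Before: listings expose descriptive titles and only opens are audited,
    so a user can read every title daily and never appear in the log."""

    def __init__(self, docs):
        self.docs = docs
        self.audit_log = []

    def list_titles(self, user):
        return [(code, title) for code, (title, _body) in self.docs.items()]

    def open(self, user, code):
        self.audit_log.append(f"user={user} action=open doc={code}")
        return self.docs[code]


class OpaqueStore:
    """After: listings show only the opaque matter code (the naming guideline),
    and both listing and opening are written to the audit trail."""

    def __init__(self, docs):
        self.docs = docs
        self.audit_log = []

    def list_titles(self, user):
        self.audit_log.append(f"user={user} action=list")
        return sorted(self.docs)

    def open(self, user, code):
        self.audit_log.append(f"user={user} action=open doc={code}")
        return self.docs[code]  # the title is revealed only once the open is logged


# Assumed log line format: "user=<name> action=<list|open> [doc=<code>]"
LOG_RE = re.compile(r"user=(?P<user>\S+) action=(?P<action>list|open)")


def review(audit_log, max_lists_per_open=5):
    """Periodic review: flag users whose listing activity is out of proportion
    to what they actually open. The ratio and threshold are assumptions."""
    lists, opens = Counter(), Counter()
    for line in audit_log:
        match = LOG_RE.search(line)
        if match is None:
            continue
        counter = lists if match["action"] == "list" else opens
        counter[match["user"]] += 1
    return sorted(user for user, n in lists.items()
                  if n > max_lists_per_open * max(opens[user], 1))


def demo():
    """Same behaviour against both stores: one insider browses titles 30 times
    and never opens anything; a paralegal lists once and opens one document."""
    leaky, opaque = LeakyStore(DOCUMENTS), OpaqueStore(DOCUMENTS)
    for store in (leaky, opaque):
        for _ in range(30):
            store.list_titles("insider")
        store.list_titles("paralegal")
        store.open("paralegal", "M-2043")
    # The leaky store's log holds only the paralegal's open, so review sees nothing.
    # The opaque store's log shows 30 listings and no opens for "insider".
    return review(leaky.audit_log), review(opaque.audit_log)


if __name__ == "__main__":
    print(demo())  # ([], ['insider'])
```

Note that the opaque store does not restrict anyone: it only changes what a listing reveals and what gets logged. A legitimate user who lists a few times and then opens what they need never trips the review, which is the balance the post argues for.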

 
Comments
Anthony Lanzano, July 1, 2011, 2:41 am

It is certainly true that happy employees will probably not engage in such outside activities, mostly out of fear of losing their job. Of course, if you hire somebody who from the outset is trying to run such an operation, there isn’t much you can do. Definitely a tricky situation, but by keeping your security tight and maintaining open dialogue between IT, management, and employees, things like this can hopefully be spotted early.

Emmanuel Carabott, July 1, 2011, 10:32 am

You’re right, Anthony, in that it is impossible to completely eliminate the problem. All you can do is try to mitigate it, reduce the risk as much as possible, and have controls in place to detect breaches as early as possible.

Uninymous, July 5, 2011, 9:08 am

For me, trust is useless in this kind of situation. When it comes to insider threats, both the HR and IT departments should be vigorous and proactive enough in their strategies.

For instance, when an employee is about to leave or resign from the company, the said departments should limit the worker’s access to business documents (both online and offline). In the employee’s last days, the company should not give him or her integral assignments. HR should make sure the employee is cleared.

Emmanuel Carabott, July 5, 2011, 11:42 am

I follow what you’re saying, Uninymous, and yes, at some stages you can be proactive. It should be standard practice to limit employees’ internet access when they are fired, access to systems should be revoked immediately, and HR should be clear with employees when hiring.

But in other instances you have nothing more than trust to go on, really. You cannot fully prevent an employee from misusing what he/she learns while at work. Furthermore, how can you be 100% successful in preventing an employee from learning what he/she shouldn’t during work hours? This can happen in various ways; in this post the employee simply looked at the titles in the CMS system.

Employees might learn information by overhearing a conversation in the cafeteria, catching a glimpse of a printed report on a coworker’s desk, or having a conversation with a coworker who isn’t careful with what he/she says; there are even stories of people talking about what I would consider confidential information on social sites! And all this has to do with accidental disclosure; imagine how much worse the situation is when someone gets a job with your organization specifically because s/he believes they can use that job to get insider information!

There are steps you can take to limit the risk, of course, but at some point you just have to trust your employees. The only other option is to assign a person to watch their every move and another person to watch the watcher – an option which is quite impractical and which would probably still not guarantee 100% safety!

This brings us back to what Anthony was saying: if you focus too much on actual control, employees will be unhappy, and that makes it more likely that they act against the company’s best interest, as opposed to happy employees. It’s a case where too much security actually makes you less secure.

Carter Rubens, July 11, 2011, 7:56 pm

@Uninymous – the brute force approach you are suggesting won’t work, unless the employee is really stupid. If the employee is smart enough, he can take adequate measures. For instance, if you fire an admin, I can bet my life that a smart one will have left numerous backdoors that allow him access.
Trust isn’t useless – it just depends whom you trust. Well, even the best psychologist might be fooled, but when you hire crap and hope to control it with brute force, expect lots of damage.

Emmanuel Carabott, July 14, 2011, 12:56 pm

I have to agree with Carter: hoping to keep employees in line by controlling every aspect of their daily activities is likely to make you more insecure than secure, because either:

A. People will leave the job, forcing the organization to hire frequently and to relax its standards in order to quickly fill the vacant places, or

B. Angry employees will get an opportunity to pay the company back!

As with everything else, there should be a balance when dealing with security.