This article can also be found in the Premium Editorial Download "Information Security magazine: How to implement a change management that works and reduces security risks."
Download it now to read this article plus other related content.
If your enterprise is drawing a figurative line down the middle of its network and divvying up security differently between insiders and outsiders, then honestly, you're so six years ago.
Get with it.
Outsiders are on the inside today. Customers, business partners, suppliers, contractors, and anyone else who tunnels in through your network or walks through your company's front door and has authorized access to systems or data is an insider -- or is it an outsider? Either way, it doesn't really matter, the old paradigm is gone.
Get over it.
"Where the attack comes from is irrelevant," says blogger and senior vice president of strategy at eIQ Networks, Mike Rothman. "This idea of segmenting security defenses seems to be a marketing scheme and a very 2003 way to look at security. I always recommend to people that there is no insider. Everybody needs to be treated as an outsider. The old truism of trust-but-verify is absolutely critical."
The firewall used to be the great divide between insiders and outsiders, but third-party access over the Web has not only de-perimeterized the enterprise but forced businesses to dispense with separate defenses for each.
Problem is, not everyone has gotten the message.
IT'S ALL IN THE RISK ASSESSMENT
CISOs are probably leery of moving off the insider/outsider paradigm. Horror stories such as the fraud perpetrated by rogue trader Jerome Kerviel that cost French banking giants Societe
The results come from evidence collected during data breach investigations by the Verizon Business Investigative Response team. The 2009 report revealed that 74 percent of breaches were caused by outsiders, while 20 percent by insiders (32 percent by business partners crossing the insider/outsider threshold). Only 22 percent of those breaches were directly related privilege misuse, while 64 percent involved hacking.
Organizations must understand that while insiders have the potential to do severe damage, those instances are few and far between. Regular and formalized risk assessments can help organizations visualize critical assets and where threats are mostly likely to cause costly damage, and prioritize security investments accordingly.
"Defining an insider is an important question," says Paul Kocher, president of Cryptography Research. "If you have a company with 10,000 employees, you know some of them are dishonest. But we've also dealt with a number of situations where there were compromises because of a failure to trust insiders; not giving the senior system administrators the privileges they need to monitor properly or not bringing in the proper people to do security reviews because there was a fear that by bringing somebody in to look at systems, that person would then know how to break them."
Privileged insiders, those who set up and maintain critical databases, network segments and web portals, hold a lot of power -- no matter whether they're fulltime employees or contracted third parties. They configure systems, manage encryption keys and are often smart enough to quietly move sensitive data off a network. But there is a layer of trust with these people, some of whom are longtime employees who are invested in the well being of an organization. Dramatizing the risk associated with privileged insiders can be an en vogue marketing tactic.
"I've never seen an intrusion as a result of a highly paid senior staff doing something wrong," Kocher says. "A lot of times you've got a situation where an ordinary user either through malice or ignorance compromises a system or enables somebody to compromise a system. In my mind, I differentiate between people trying to protect systems -- they don't pose a threat despite having a lot of power."
WHO'S WATCHING THE WATCHERS?
That doesn't mean you ignore privileged insiders. It's just that your warm and fuzzy and cozy firewall, intrusion prevention system and antimalware aren't the best tools to combat the risks posed by those with privilege.
Enterprises that manage customer or financial data, or deal with intellectual property, have to rely on a mix of identity and access management (IAM) frameworks and processes such as provisioning, role-based access control, as well as database activity monitoring and a converged IAM and security information and event management system. It's about watching the watchers.
"Overall, I would say companies have done a very poor job monitoring privileged insiders," says Slavik Markovich, CTO of database security vendor Sentrigo. "A lot of times you have DBAs watching DBAs. Most companies don't have the correct tools to monitor privileged insiders. Companies are still focused on keeping outsiders out, rather than looking inside. It's a matter of time before we see companies create boundaries for insiders."
Segregation of duties, and on occasion, even segmentation of systems, is critical to keeping privileged insiders within reach. The problem is that, especially in a recession, companies are resource-strapped and sometimes it's easier to dole out access rather than manage it properly.
"The joke is that if a person works for an organization long enough, they will eventually gain access to everything," says Ben Goodman, director of technology, Novell. "That concept that people are gaining rights and access as they go is a huge threat. Gaining too much access can break down checks and balances. If you keep accumulating access rights over time, we believe excess rights equal excess risk. If you have rights to things you don't need, it's just bringing unnecessary risk to your organization."
De-provisioning is the area where most companies fall down with trusted insiders. Not only is important to assign roles and access as needed throughout a person's tenure with an organization and log and audit their activities, but once their responsibilities change or employment terminates, access must be shut off as well.
"It's one of the things organizations get banged on consistently in external audits having legacy accounts still sitting around," Goodman says. "It's also one of the things that pose the greatest risk; intellectual property leakage, access to systems, it all comes down to not properly handling de-provisioning."
Companies at a minimum, if they haven't invested in identity management, need to look at permissions in Active Directory, for example, to look for orphaned accounts. Someone in finance who may have left the company could still have an ERP application account open, and if that account had, say, check-approval status, that open account would be enough to fail a Sarbanes-Oxley audit.
"They can't access it any more, OK, but someone may know that account is open and could use those credentials to commit fraud," says Brian Cleary VP of marketing for enterprise access governance vendor, Aveska. Companies are stunned when a SOX audit finds that. Different classifications of users: super users; system admins; root-level access DBAs; all have the keys to the kingdom and need different controls because auditors are looking for shared accounts and shared passwords."
Role-based access controls, traditionally a difficult task for IT because of the diversity of roles within any organization, is becoming more critical. Experts urge organizations to grant access based on function and job role and port those roles into some kind of on-boarding framework so that regardless if an employee is a third-party temporary contractor or a fulltime employee, appropriate access is defined and doled out.
The irony is that a privileged insider -- a super user -- is someone you trusted enough to hire or promote to give them the keys to the kingdom. Even if there is monitoring in place, chances are they set it up, or could manage a workaround.
"It comes down to how much inefficiency you want to put in place," Kocher says. "For really large organizations, there are different problems. When you've got an administrator responsible for a particular system, a person with experience who is well compensated, all of those attributes are low risk. They're unlikely to be malicious or rogue; but you can never say never. It's inevitable you trust that individual and even put monitoring in place, but they often have the power to disable and work around those protections."
More companies, especially large enterprises, are getting better at screening potential employees before they're brought on board. That means background checks.
"Bigger companies, almost all, do background checks, especially companies that deal with sensitive data," Kocher says. "There are a number of things motivating that from liability concerns to the realization that people who lie on their resumes tend not to make particularly good employees. I've got friends who do background checks and they've been finding business is pretty good and business has not been letting up during the downturn."
Kent Anderson, managing director of consultancy Encurve and former director with PricewaterhouseCoopers, says smaller companies are terrible at background checks.
"In general, I don't see background checks done to a proper level of due diligence," Anderson says.
ONE SECURITY STACK TO SAVE THEM ALL
Outsourcing has done more to blur the lines between insiders and outsiders than anything else. Insiders, Anderson says, had certain attributes aside from fulltime employment, including authorized access to assets, knowledge of processes (and security controls) and opportunity. Classic outsiders, meanwhile, were removed from organizations, had not authorized access and limited opportunity and knowledge of processes.
The efficiencies introduced by outsourcing, coupled with the explosion of Web-based commerce and Web-based applications exchanging connections and data between disparate systems, have made traditional IT controls -- set up to defend against outsiders -- obsolete.
"The concept of the outsider, if it hasn't vanished, it's on its way," Anderson says.
Anderson says risk assessments lay the baseline for any development and implementation of security controls. It also helps to understand the classic triangle of criminal theory: mean, motive and opportunity. He adds a fourth, disenfranchisement, which he says is particularly important in a down economy.
"In this culture of layoffs, employees are no longer tied to a company through pensions and long-term employment," Anderson says. "Most employees under 30, if they stay on a job two years or more, it's unusual. There is no loyalty, and they possess a look-out-for-myself mentality. This is causing increases in insider risks."
Aveksa's Cleary cautions that in such an economic environment, if employees have access to information they don't need, they may misuse it.
"Think about the workforce reductions we've had; if you have no automation or visibility into access, you don't know what to de-provision. We've had reductions on a scale we've never seen before -- 10 percent to 15 percent reductions in two days sometimes. That leaves companies open to the potential for access-related risks."
Disgruntled or disenfranchised risks lead to incidents. So do unintentional actions. In fact, the majority of insider-related incidents are not meant to be harmful. They're instead, policy violations or workarounds to technology barriers, such as using Web-based personal email to send sensitive documents to a home account to work on them after hours.
"There is no policy that protects against user stupidity," eIQ Networks' Rothman says. "A lot of the insider issues we have are accidental; they're not malicious. That's kinda why I stay to this concept of not thinking about an insider. If you don't' have that delineation, what you're trying to do is protect the fundamental of data and the systems that have access to that data against who may be accessing it at a given time. Part of what security has to do is protect us from ourselves, and we're trying to do the right thing. It's not like all employees are malicious. But, if you go back to the thinking that there really are no insiders, you never get confused about how to think about your protection stack. You have different layers of access, but you're always trying to verify what folks are doing."
HOW TO BUILD AN INSIDER THREAT MODEL
Humans are frail and subject to temptation. You don't have to be Jerome Kerviel and steal $7B in fraudulent trades from a giant financial institution. You can be a DBA or a Web admin with too many privileges who is tempted to peek at the CEO's salary that's tucked away in an HR database. Or you could work at a hospital and be a mark for someone at the National Enquirer who is willing to pay handsomely for a look at a celebrity's health records.
"IT security organizations are under an incredible amount of pressure to supply access where and when it's needed," Cleary says. "If you delay, the business gets frustrated and escalates the issue. Eventually, you compromise and give the business more access than they need and hope the business does the right thing."
Sometimes there are more sinister elements at work.
The CERT Coordination Center, based at the Software Engineering Institute at Carnegie Mellon University, studies the motivations behind insider attacks. Their researchers model insider behaviors to understand why incidents happen and how to mitigate the risk.
Dawn Capelli, senior member of the technical staff, explains that CERT/CC has build two new models of insiders to go along with previous work on IT insiders stealing intellectual property and IT saboteurs. One they're calling the entitled independent, where one person working alone on a project for a significant amount of time feels entitled to it. "They feel ownership and then something happens, either they don't get a raise or a promotion, and decide they're going to leave," Capelli explains. "They don't want revenge; they just leave. And because they feel ownership, they decide to take it with them (often to a competitor). The original employer loses a competitive edge to the new organization."
The other patter is what Capelli calls an ambitious leader. This usually involves an outside agent, a foreign government for example. The insider steals information on a project, not out of dissatisfaction with their employment, but a government or criminal organization making contact and negotiating for the information. "Typically, they have plans. They want to start a business or give the information to a foreign government," Capelli says. "Often, they need more than just what they were working on and start to recruit other insiders, making promises to take these people with them."
CERT/CC's research is based on actual case data culled from court records, media reports and interviews with organizations hit by insiders, prosecutors and investigators, Capelli says. She adds there are 318 cases in their database.
Capelli says organizations are hamstrung putting policies and practices in place to protect their sensitive data. Most insiders steal within a month of leaving an organization; problem is, for the most part, they're good at concealing their intentions and often do put up flares that would make management suspicious of their activities.
"If HR tells information security that a person is going to leave and has turned in their resignation, can security look at what the person has been doing? There are bigger legal and privacy issues at play here," Capelli says. "If there person has not been doing anything wrong, you have no right to look at what they've been doing. That's really a big concern out there."
Tools such as DLP are incredibly useful for forensics and investigations, but aren't very proactive.
"By then it's too late," Capelli says. "You need to catch it as its leaving. Their hands are tied, and it's very frustrating for them. They come to one of our workshops, we do assessments, and it opens their eyes. It's very scary and frustrating to go back to do something and find out it's going to be hard to do."
TRUST-BUT-VERIFY ALWAYS APPLIES
Interestingly enough, when Information Security spoke to CERT/CC a year ago about its insider research, its definition of an insider did not include trusted business partners and third parties. That has since changed.
"We never did, but we're seeing more cases where third parties are involved," Capelli says.
Organizations still resting on this crutch of differentiating between insiders and outsiders are making a dangerous delineation, experts say.
"It doesn't really make sense to differentiate the two any longer," Novell's Goodman says. "It used to be when you would talk about IT security you were talking almost exclusively about firewalls and the hard shell, gooey center concept. There really is very little differentiation between what is an insider and outsider any longer."
Pharmaceuticals, for example, look at their ability to bring in outsiders rapidly for clinical trials as a competitive advantage. In other instances, enterprises connect systems with vendors and suppliers and exchange data in order to keep business moving.
"If you're a manufacturer, you're exchanging a lot of data between suppliers," Kocher says. "Are their employees insiders? What are they? The usual mentality of putting strong walls all around doesn't apply well in modern business."
What does well is to escape the crutch of segmenting insiders and outsiders, assess where critical risks and vulnerabilities lie in your organization and minimize losses in those areas.
"I think we still have folks drawing that distinction," Rothman says. "We never have enough time, money or resources. It's about trying to, in an intelligent way, determine which three things you're going to do today that would have the biggest impact in reducing risk. It's hard, if it was easy, everybody would be doing it.
"We're in a new time. The way things are built today, it's really hard to understand who works for you now. If we can get out of this early-2000 timeframe of us versus them and adopt a trust-but-verify approach on anyone with access to your data, we'll be a lot better off."
Michael S. Mimoso is Editor of Information Security. Send feedback on this article to firstname.lastname@example.org.
This was first published in November 2009