Wikileaks and a number of less-publicized breaches have put the spotlight on insider threats to government cybersecurity. To help blunt the potential threat posed
“A lot of the tools that exist in most [organizational] networks are focused on the advanced persistent threat, hackers penetrating through firewalls and those kinds of things,” said a former Defense Department security specialist who requested anonymity. “So most of the sensors are sitting at the network level. We need to focus a lot more on the user and the user's behavior, and we should be doing that where the user sits rather than at the network level.”
That’s where end-user monitoring software comes in. “You have to instrument yourself well enough to be able to effectively monitor what people do,” the DOD government cybersecurity specialist said. “Given the idea that everything of value is already in cyberspace, it makes sense that we should have some tools that can monitor cyberspace in a way to let us know that somebody's misusing access to [secure sensitive information], our crown jewels.”
As for the privacy aspects of user-level security, agencies have a legal right to monitor what users do on government-owned and -operated computers and networks.
Beyond monitoring: role-based access controls
The Homeland Security Department’s insider strategy begins with role-based access control (RBAC), which limits a user’s network access to what a defined job function needs: permissions to perform particular operations are assigned to roles, and a user receives only the roles that match his or her job. This approach is aimed largely at privileged users, for example database administrators, who, without RBAC, would have the ability to roam around the agency’s information systems, according to a DHS security expert who asked not to be identified.
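The RBAC idea above, reduced to a small working policy check, as an added example that is not code from the article or from any vendor named in it. It assumes constructed role, user and resource names, attaches permissions to roles rather than to individuals, denies anything not explicitly granted, and logs every decision so an auditor can review what privileged users tried to do. A flat pre-RBAC "admin" flag is included beside it to show the roam-anywhere problem the text describes.

```python
"""Role-based access control with deny-by-default and an audit trail of decisions.

Added example, not code from the article or from any product it mentions.
Role, user and resource names are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Set, Tuple

Permission = Tuple[str, str]  # (resource pattern, action)

# Permissions belong to job functions, never to individual people.
# A trailing '*' in a resource pattern matches any suffix.
ROLE_PERMISSIONS: dict = {
    "dba":      {("db:payroll", "query"), ("db:payroll", "backup"), ("db:casefiles", "query")},
    "helpdesk": {("workstation:*", "reset_password")},
    "auditor":  {("audit:decisions", "read")},
}

# Users are granted roles; a user with no role has no access at all.
USER_ROLES: dict = {
    "alice": {"dba"},
    "bob":   {"helpdesk"},
    "carol": {"auditor"},
}

# Pre-RBAC comparison (hypothetical): one flat flag that grants everything.
LEGACY_ADMINS: Set[str] = {"alice"}


@dataclass
class Decision:
    when: str
    user: str
    resource: str
    action: str
    allowed: bool
    role: Optional[str]  # role that granted access, None when denied


AUDIT_LOG: List[Decision] = []


def _matches(pattern: str, resource: str) -> bool:
    """Exact match, or prefix match when the pattern ends in '*'."""
    if pattern.endswith("*"):
        return resource.startswith(pattern[:-1])
    return pattern == resource


def _granting_role(user: str, resource: str, action: str) -> Optional[str]:
    """Return the first of the user's roles that permits (resource, action), else None."""
    for role in sorted(USER_ROLES.get(user, set())):
        for res_pattern, act in ROLE_PERMISSIONS.get(role, set()):
            if act == action and _matches(res_pattern, resource):
                return role
    return None


def authorize(user: str, resource: str, action: str) -> bool:
    """Deny-by-default check; every decision, allowed or denied, is recorded."""
    role = _granting_role(user, resource, action)
    AUDIT_LOG.append(Decision(datetime.now(timezone.utc).isoformat(),
                              user, resource, action, role is not None, role))
    return role is not None


def legacy_authorize(user: str, resource: str, action: str) -> bool:
    """The situation the article warns about: an administrator can reach anything."""
    return user in LEGACY_ADMINS


def denied_attempts(user: str) -> List[Tuple[str, str]]:
    """Auditor view: what a user tried and was refused, in order."""
    return [(d.resource, d.action) for d in AUDIT_LOG if d.user == user and not d.allowed]


if __name__ == "__main__":
    requests = [
        ("alice", "db:payroll", "query"),           # DBA doing DBA work
        ("alice", "fileshare:hr", "read"),          # DBA straying outside the role
        ("bob", "workstation:ws-0421", "reset_password"),
        ("bob", "db:payroll", "query"),
    ]
    for req in requests:
        print(req, "ALLOW" if authorize(*req) else "DENY",
              "| legacy:", "ALLOW" if legacy_authorize(*req) else "DENY")
    print("denied for alice:", denied_attempts("alice"))
```

The denied attempts are as valuable to an auditor as the allowed ones: a database administrator repeatedly refused access to an HR file share is the kind of signal the user-level monitoring in the article is meant to surface.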
DHS auditors use Xceedium Inc.'s GateKeeper, an appliance that lets agency auditors enforce and control role-based access to critical systems, monitor the actions of privileged users and view comprehensive reports on user activity inside the network.
“It actually monitors and manages what the administrator has access to while they’re doing it,” the DHS security expert said. “It takes a snapshot of what they’re doing.”
Full disk encryption is crucial
Another security technology that can help mitigate insider risk is full disk encryption, which protects data at rest on laptops, desktops and removable media. “To protect against insiders, you have to protect your data first,” said Gary McCracken, vice president for technology partnerships at WinMagic Inc., whose SecureDoc full disk encryption software is used by DHS, the Energy Department and the Treasury Department, among other federal agencies.
“If the [Wikileaks] data was encrypted while at rest on the perpetrator’s workstation, it would have been very improbable that [Bradley Manning] could have successfully exfiltrated that data,” said the former DOD security specialist.
Document tracking: search and destroy leaked docs
End-to-end document tracking and control is another user-level security technology that can keep insiders from getting at critical information, according to security experts. It secures sensitive documents by embedding the security into each document itself, so that wherever the document goes it can be controlled, tracked and even wiped out at any point in time.
“It’s a very persistent form of security,” said Adi Ruppin, vice president of business development and marketing for Watchdox, which provides secure document sharing as Software as a Service to government agencies. “It never stops protecting the document until the document is destroyed.”
Watchdox furnishes a detailed audit trail that allows every interaction with a document to be logged, along with its time, user identity and geographic location.
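The audit trail described above, and the user-behavior monitoring the former DOD specialist argues for earlier in the article, can be put to work with a few review rules. The following is an added example, not code from the article or from Watchdox; the log format, the user and document names and the event timestamps are all constructed for the illustration. It parses per-document events carrying time, user identity and location, rebuilds a single document's history, and flags two patterns a reviewer would want to see: one user opening an unusual number of distinct documents in a short window, and the same user appearing from two locations too close together in time.

```python
"""Review rules over a document-tracking audit trail.

Added example, not code from the article or any product it mentions.
SAMPLE_LOG is a constructed audit trail; one event per line with the fields
the article lists: time, user identity, document, action and location.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
2011-05-03T09:02:10Z user=jsmith doc=budget-fy11 action=open loc=Washington-DC
2011-05-03T09:40:55Z user=jsmith doc=budget-fy11 action=print loc=Washington-DC
2011-05-03T10:15:00Z user=rlee doc=rpt-0001 action=open loc=Washington-DC
2011-05-03T10:16:30Z user=rlee doc=rpt-0002 action=open loc=Washington-DC
2011-05-03T10:17:05Z user=rlee doc=rpt-0003 action=open loc=Washington-DC
2011-05-03T10:18:40Z user=rlee doc=rpt-0004 action=open loc=Washington-DC
2011-05-03T10:19:12Z user=rlee doc=rpt-0005 action=open loc=Washington-DC
2011-05-03T10:21:00Z user=rlee doc=rpt-0006 action=open loc=Washington-DC
2011-05-03T11:00:00Z user=kwong doc=memo-0417 action=open loc=Washington-DC
2011-05-03T11:25:00Z user=kwong doc=memo-0417 action=open loc=Frankfurt-DE
2011-05-03T12:00:00Z user=jsmith doc=memo-0099 action=open loc=Washington-DC
"""


@dataclass
class Event:
    when: datetime
    user: str
    doc: str
    action: str
    loc: str


def parse_log(text: str) -> List[Event]:
    """Parse 'timestamp key=value ...' lines into Events, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(when, fields["user"], fields["doc"], fields["action"], fields["loc"]))
    return sorted(events, key=lambda e: e.when)


def document_history(events: List[Event], doc: str) -> List[Tuple[str, str, str, str]]:
    """Per-document trail: (time, user, action, location) for every interaction."""
    return [(e.when.isoformat(), e.user, e.action, e.loc) for e in events if e.doc == doc]


def bulk_access_alerts(events: List[Event], window: timedelta = timedelta(minutes=10),
                       threshold: int = 5) -> List[Tuple[str, datetime, int]]:
    """Flag a user who opens more than `threshold` distinct documents within `window`.

    Returns (user, time of the event that crossed the threshold, distinct count),
    at most one alert per user. The threshold here is a constructed value.
    """
    opens: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        if e.action == "open":
            opens[e.user].append(e)
    alerts = []
    for user, evs in opens.items():
        for i, e in enumerate(evs):
            recent = {x.doc for x in evs[: i + 1] if e.when - x.when <= window}
            if len(recent) > threshold:
                alerts.append((user, e.when, len(recent)))
                break
    return alerts


def impossible_travel_alerts(events: List[Event], min_gap: timedelta = timedelta(hours=2)
                             ) -> List[Tuple[str, str, str, datetime]]:
    """Flag consecutive accesses by one user from different locations closer than `min_gap`."""
    last: Dict[str, Event] = {}
    alerts = []
    for e in events:
        prev = last.get(e.user)
        if prev is not None and prev.loc != e.loc and e.when - prev.when < min_gap:
            alerts.append((e.user, prev.loc, e.loc, e.when))
        last[e.user] = e
    return alerts


EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    for row in document_history(EVENTS, "memo-0417"):
        print("memo-0417:", row)
    print("bulk access:", bulk_access_alerts(EVENTS))
    print("impossible travel:", impossible_travel_alerts(EVENTS))
```

Neither rule proves misuse on its own; what they provide is the user-level signal the article says network sensors miss, tied to a specific document, person, time and place so that an investigator can follow up.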
Underlying the deployment of user-level security tools such as user monitoring, full disk encryption and document tracking is the notion of “zero trust”: no one is assumed trustworthy, not even your most senior or long-standing staff members.
Insider risk requires “a new look at how you’re securing your information and access,” said Ken Ammon, chief strategy officer at Xceedium. “We’re moving down this path of supporting a model called zero trust, where you don’t really trust anyone — a partner, a provider or an employee — to do what’s said in a [security] policy. You have to have an infrastructure that can enforce that policy, report on alerts and support response and investigation, if necessary.”
About the author:
Richard W. Walker is a freelance writer based in the Washington, D.C., area who has been covering issues and trends in government technology for more than 10 years.
This was first published in May 2011