What you will learn from this tip: Five simple measures you can take to protect your organization from insider attacks.
The greatest information security threat facing your organization is in your office right now. It has the ability to bypass the physical and logical controls you've put in place to protect the perimeter of your network and has already obtained credentials to access a significant portion of your infrastructure. What is this threat? It's the often underestimated insider threat -- the risk that your users will violate the trust you've placed in them to conduct malicious activity on your network.
What can you do to protect yourself? First, you must understand the nature of the threat. The National Threat Assessment Center of the U.S. Secret Service recently completed an Insider Threat Study in conjunction with the renowned Software Engineering Institute at Carnegie Mellon University. Here are a few interesting facts discovered by the study:
- Most insider events were triggered by a negative event in the workplace
- Most perpetrators had prior disciplinary issues
- Most insider events were planned in advance
- Only 17% of the insider events studied involved individuals with
- administrator access
- 87% of the attacks used very simple user commands that didn't require any advanced knowledge
- 30% of the incidents took place at the home of the insider using remote access to the organization's network
- Conduct background checks on all new users. In these days of post-9/11 security, many organizations conduct background checks on new hires. However, there are quite a few that don't. Coordinating with your HR department to conduct background verification, reference checks and other pre-employment screening can go a long way toward ensuring that you don't hire the wrong people. It's important to remember that these types of checks should be conducted for all individuals granted a user account, even if they're not directly employed by your organization.
- Monitor employee behavior. Remember that the Secret Service study showed that most perpetrators of insider attacks had prior disciplinary problems. Here's another item to discuss with HR -- ensure that procedures are in place to refer troubled employees to appropriate counseling resources and to take additional corrective action when necessary.
- Restrict accounts that access resources remotely. The majority of attacks in the study used some type of remote access mechanism. If you offer VPN or dial-up access to your employees, consider limiting remote access accounts for those with a legitimate business need.
- Restrict the scope of remote access. Don't automatically grant remote access users the same level of privilege that they would have in the office. Limit access to critical resources through remote connections. You'll not only be protecting yourself against the insider threat, but also against the increased risk of malware propagation through a remote access link.
- Enforce the principle of least privilege throughout your infrastructure. Every security professional knows the least privilege mantra. Each user should have the minimum necessary set of permissions required to fulfill his job responsibilities. However, this is a principle that often gets quite a bit of lip service, but very little action. Take the time to conduct an account audit and ensure that changing roles and responsibilities within your organization haven't led to privilege creep.
- Why you should stop using the 'Wagon Wheel' approach to protect your network.
- Find out who may be stealing your data.
About the author
Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles including the CISSP Prep Guide and Information Security Illuminated.
This was first published in June 2005