What you will learn from this tip: Five simple measures you can take to protect your organization from insider attacks.
The greatest information security threat facing your organization is in your office right now. It has the ability to bypass the physical and logical controls you've put in place to protect the perimeter of your network and has already obtained credentials to access a significant portion of your infrastructure. What is this threat? It's the often underestimated insider threat -- the risk that your users will violate the trust you've placed in them to conduct malicious activity on your network.

What can you do to protect yourself? First, you must understand the nature of the threat. The National Threat Assessment Center of the U.S. Secret Service recently completed an Insider Threat Study in conjunction with the renowned Software Engineering Institute at Carnegie Mellon University. Here are a few interesting facts discovered by the study:

  • Most insider events were triggered by a negative event in the workplace
  • Most perpetrators had prior disciplinary issues
  • Most insider events were planned in advance
  • Only 17% of the insider events studied involved individuals with

    Requires Free Membership to View

  • administrator access
  • 87% of the attacks used very simple user commands that didn't require any advanced knowledge
  • 30% of the incidents took place at the home of the insider using remote access to the organization's network
These facts are sobering and help put the problem in perspective. Protecting your organization against insider threats requires careful planning and foresight to develop a layered defense that reduces the scope of the risk and mitigates the effects that an incident might have on your network. Here are five simple measures you can take to protect your organization against insider attacks:
  1. Conduct background checks on all new users. In these days of post-9/11 security, many organizations conduct background checks on new hires. However, there are quite a few that don't. Coordinating with your HR department to conduct background verification, reference checks and other pre-employment screening can go a long way toward ensuring that you don't hire the wrong people. It's important to remember that these types of checks should be conducted for all individuals granted a user account, even if they're not directly employed by your organization.

  2. Monitor employee behavior. Remember that the Secret Service study showed that most perpetrators of insider attacks had prior disciplinary problems. Here's another item to discuss with HR -- ensure that procedures are in place to refer troubled employees to appropriate counseling resources and to take additional corrective action when necessary.

  3. Restrict accounts that access resources remotely. The majority of attacks in the study used some type of remote access mechanism. If you offer VPN or dial-up access to your employees, consider limiting remote access accounts for those with a legitimate business need.

  4. Restrict the scope of remote access. Don't automatically grant remote access users the same level of privilege that they would have in the office. Limit access to critical resources through remote connections. You'll not only be protecting yourself against the insider threat, but also against the increased risk of malware propagation through a remote access link.

  5. Enforce the principle of least privilege throughout your infrastructure. Every security professional knows the least privilege mantra. Each user should have the minimum necessary set of permissions required to fulfill his job responsibilities. However, this is a principle that often gets quite a bit of lip service, but very little action. Take the time to conduct an account audit and ensure that changing roles and responsibilities within your organization haven't led to privilege creep.
These simple measures can go a long way toward helping you protect your organization against the insider risk. Remember, however, that there is no single cure and the most important component of any security program is vigilance!
MORE INFORMATION:
About the author
Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles including the CISSP Prep Guide and Information Security Illuminated.

This was first published in June 2005

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.