“There is no patch for people.” That one-liner, made at a recent symposium in Washington on the Wikileaks insider threat, is no joke. It succinctly captures the hurdles facing federal managers when it comes to information security risks posed by their own users. And those hurdles are getting higher, as the Wikileaks case illustrates. Nor is Wikileaks just an isolated case: public data breaches by insiders in both the private and public sectors are on the rise.
While system breaches caused by the unwitting insider -- the employee who opens up an email message and falls for a phishing scam, for example -- are still a concern, it’s the malicious insider who represents the greatest risk. That risk means government cybersecurity managers will have to shift more of their efforts toward actively combating that threat.
Particularly worrisome these days is the trusted insider “gone wrong”—the system administrator or IT executive whose actions turn malicious, for instance.
“You have a lot of folks that…pretty much have the keys to the castle,” said a security expert at the Homeland Security Department who asked to remain anonymous. “The enterprise admins have the ability to scour the entire network. That’s a hurdle that everyone has, especially with the move to managed services. You don’t know who the people who are managing your systems are anymore.”
Ken Ammon, chief strategy officer at Xceedium Inc., agreed that the ever-growing size, sophistication and complexity of systems have amplified the insider threat. “If you flash back 15 years ago, people who were considered privileged users -- those who had the ability to get to any platform or to any information within the infrastructure -- were a smaller group,” he said. “They tended to be the higher-assured employee or to be more fixtures than transients. Now you flash forward 15 years and the number of people and resources it takes to keep the systems running and number of people you give elevated rights or privileges to have dramatically increased.”
The advent of cloud computing also has expanded the insider threat, and even blurred the distinction between insiders and outsiders, Ammon added. “It has spread to vendors and contractors you have no control over,” he said. “You have a security boundary that has evolved and eroded from this inside-outside issue.”
The increasing visibility of the insider threat is shifting the focus from security policies and user training -- which likely have negligible impact on the determined malicious insider -- to technologies and tools designed to mitigate the threat. Testifying recently at a Senate Homeland Security and Governmental Affairs Committee hearing on “Information Sharing in the Era of Wikileaks,” Corin Stone, the information sharing executive for the Office of the Director of National Intelligence, said the government must develop a comprehensive insider threat capability, of which technology is a vital part.
The Intelligence Community’s strategy involves three interlocking elements, Stone said:
- Ensuring the right people have access to the networks and information they need to perform their duties, but not to information they don’t need.
- Technically limiting the ability to misappropriate, manipulate or transfer data, especially in large quantities, such as by disabling or prohibiting the use of removable media on classified networks.
- Auditing and monitoring user activity on classified computer systems to identify anomalous activity and follow up accordingly.
“In general, the idea that you can depend on written policy or that you have policy as a control for security is something that has to be retired,” Ammon said. “You have to modify that and put some technology in place. The days of … trusting someone to follow policy are gone, so you have to build in technical controls.”