For companies, threats come from two sources—outside the organization and inside (reads: disgruntled, unethical employees). Insider threats can be very difficult to handle and the number of annual incidents is on the rise.
The insider threat can come in several forms:
- Employees who steal intellectual property
- Unhappy IT professionals who damage data and systems
- Professionals who use confidential information for financial or political gain
What can a company do when its best assets become its biggest enemies?
A part of the answer lies in the question itself: engage employees more. In other words, make your best assets, your employees, responsible for identifying and reporting evidence, both technical and behavioral, that points towards a possible defection of an employee from compliance and policy. The second part of the puzzle is to employ technical controls to monitor potential risks and the network to detect and nullify criminal intention and behavior.
Together, these two constitute a security system that can tackle internal threat as soon as it hints to raise its ugly head. The system’s effectiveness, however, lies in how well it is implemented.
Certain employee characteristics often are a prelude to defection from organizational policy and norms.
- A history of disregarding rules and regulations
- Participating in questionable activities; enticing others to participate in them
- A history of deception or lying to supervisors or co-workers
- Argumentative behavior towards peers and supervisors
- Previous attempts to avoid or defeat security audits and/or security systems
- Coming to office under the influence of drugs/alcohol
- Threatening to use violence
These behaviors can help detect potential problem-makers. In general, any negative behavioral change is a cause of concern and must be dealt promptly and appropriately.
Dealing with Potential Defectors
Here is a step by step approach for improving behavioral monitoring, preventing defection, and appropriately handling defectors.
- Ensure employees know all that they must know. A company must ensure that its employees know and completely understand the company’s policy in respect to use of information resources and employee behavior.
- Additional monitoring for potential defectors. An unsatisfied employee may be tempted in destroying, stealing, or sharing confidential data if he or she feels sidelined or unappreciated. Organizations can prevent such incidences by identifying potential defectors and monitoring them.
- Train employees to detect suspicious behavior. All employees must be adequately trained to detect suspicious behavior. Equally importantly, they must be made to understand the need of promptly bringing such behavior to the notice of authorities.
- Safeguard the interests of the whistleblowers. Employees often don’t want to become personally involved, so a mechanism should be in place that protects their anonymity. This can be achieved in different ways, for instance, by installing a toll-free number for registering tips to suspect behavior.
- Take prompt and adequate action. Organizations should respond quickly to any breach of faith and the response should be in line with the level of the offense. Remediating the problem should be the first preference, rather than termination, which can lead to litigations if used without much deliberation.
Behavioral monitoring alone cannot provide protection from every internal threat. To be precise, it usually fails in two scenarios: when IT professionals, like network administrators, go rogue and when an employee does not give any behavior signals. In such situations, technical monitoring comes to the rescue and does the all important job of alerting us. Both the listed scenarios are separately discussed below in length.
To technically monitor non-administrators, organizations must control the information employees can access and how they use accessed information. This can be done by enforcing the following:
- Least privilege
- Separation of duties
Properly-managed authorization processes and policies allow companies to enforce them.
While need-to-know ensures that an employee cannot access information beyond what he or she needs to complete daily tasks, the least privilege keeps a check on what the employee can do with the accessed information. For instance, an employee may access top-secret information but he or she cannot copy, edit, or delete it unless his or her role requires those privileges. The first two are closely related and together limit damage that can be inflicted by internal threat.
The third in the chain, separation of duties, ensures that no single person performs all tasks of a critical process. This, too, seriously limits insider threat damage. For instance, by disallowing developers from placing their programs into production systems, a disgruntled software developer can be prevented from placing a rogue program into a production environment.
Organizations must also keep the movement of sensitive information in check using data rights management or other direct means or indirect means. NetFlow analysis, which provide near real-time identification of anomalous flow of traffic at different points across the network, is an effective, perhaps the most effective, method of monitoring traffic flow indirectly. It works by checking traffic flow information at different points across the network and raises a red flag if it finds anything unusual going on. Timely notification, in turn, gives a chance to stop or control the anomalous behavior or mitigate its effects.
Apart from NetFlow, SIEM (security information and event management) also gives information of unusual network or server behavior. It aggregates logs from various systems and devices into a correlation server. The aggregated information, then, is checked by an event application and anomalous patterns are identified. Lastly, security is told of unusual patterns via SMS, a web portal, or email.
Companies must follow the right procedure in case of job change or employee termination. In both all privileges and rights to information previously accessed must be immediately revoked. In case of job change, this step must be completed before granting new accesses required for the new role.
The controls discussed above work to mitigate suspicious activities by IT administrators, but they alone are not sufficient. This is because administrators enjoy privileges that other employees don’t. For instance, administrators, if they want to, can create backdoor accounts or tweak logs. Both vulnerabilities can be effectively eliminated with aid of monitoring duties and separation of duties.
It is necessary to include changes done to special-purpose files, like log files, in administrator monitoring. For instance, changes done to log files can be effectively monitored by 3rd party solutions or operating systems and information such as who doctored the changes and when can be quickly learned. This kind of tracking will allow security teams to promptly and adequately respond to unauthorized changes.
Unauthorized creation of privileged accounts, like unapproved changes to files, should be carefully looked into. One way of monitoring the former is by running daily audit of newly-created accounts to check if any rogue account was created the previous day. Any discrepancy should be reported immediately to the right authority. Auditing privilege accounts periodically is also an effective way of identifying and keeping in check the menace of unauthorized IDs.
Another thing that must be done to nullify insider threats from administrators is proper handling of shared admin accounts, which includes:
- Log the use of a shared admin account every time
- Change passwords of all shared accounts every time an administrator leaves the organization
- If budget allows, use a password-management solution
Threat from inside is closer and more dangerous. It can be effectively thwarted and its effects mitigated through the security measures discussed.