The enemy within - beware the insider threat

Being alert to the danger of outside attacks is one thing, but like charity, security begins at home. Expect the unexpected, warns Geoff Sweeney, CTO of Tier-3.

Hackers, viruses and worms may grab all the headlines, but the biggest security threat to your information systems is just as likely to come from an unexpected source, like the accounts clerk with money worries or the disaffected middle-level manager seeking to misappropriate customer details before resigning to move across to the opposition. 

If these thoughts have been keeping you awake at night then you are in good company. Figures from the Department of Trade and Industry show that 52 percent of the most serious threats affecting large organisations originate from inside, and two-thirds of large organisations have suffered from staff misusing their systems.

Yet despite this, most organisations still focus their security spending on protecting themselves from outside attacks, installing anti-virus software and other systems to prevent spam and unwanted intruders from penetrating their networks.

While these systems perform a worthwhile and necessary job, they can only do so much. Signature-based anti-virus software, for instance, reacts only to the threats it already recognises: unless a virus has been seen and catalogued before, it will pass into the enterprise unnoticed. It's a bit like having a bouncer on a nightclub door who will let in anyone so long as they aren't on his list of banned characters.

And, of course, anti-virus software and intrusion detection systems will do nothing to stop the wrongdoer on the inside who decides, for instance, he would like to sell private information from your customers' files, or snoop sensitive intellectual property.

So, it is time to re-examine the security landscape and to apply some basic risk management principles so that security investment is targeted more tightly at the real dangers. What are the potential threats facing the enterprise, how likely are they, what would their impact be and, most importantly, what is the management process for combating them? Even brief reflection shows how broad those threats are: they need not come from beyond the perimeter, and they may be specifically designed to circumvent the rules that existing controls enforce.

Instead of constantly fire-fighting, we need to build our defences with a view to preventing attacks, and in the worst case, detecting them in real time so we can take immediate action against them and their consequences.

Let's go back to the bouncer on the nightclub door. If he's any good, he not only looks out for known offenders, but he'll spot the people who are behaving badly or look as if they might cause trouble. He will learn to spot situations where trouble is starting and step in before any real damage occurs. And, if there are any arrests and prosecutions, he'll have CCTV footage to record his actions.

It is time we started to take a similar approach with information security. We need to be able to monitor behaviour patterns on our networks and spot inconsistencies before they cause any real problem. Remember that it is always things you don't expect and are unprepared for that will bite you the hardest.

So how do we do it? Well, for a start, we can use the IT equivalent of CCTV footage to record everything that happens on our networks. By logging everything that occurs – from files accessed on a workstation to incoming mail to website activity – we can pull it all together and build a complete history of who did what on all our systems. And like CCTV, it can be filed away for future reference on some storage medium.

With the basic recording in place, we can begin to build models of what is – and what is not – normal or accepted behaviour. So when unusual behaviour occurs, the system can immediately send out an automatic alert and, if necessary, take remedial action.

By monitoring every piece of communication on the network, this approach lets an organisation establish a baseline for every aspect of normal operational behaviour. And it can learn from experience, fine-tuning the baseline as time goes by.
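The three steps just described (record everything, build a per-user model of normal behaviour, refine it as benign activity accumulates) can be sketched in a few dozen lines. The following is an added example, not code from the original article or from any Tier-3 product; the log format, the user names and the thresholds are all constructed for illustration. Each user gets a profile of the resources, working hours and transfer volumes seen in their history; a new event is flagged when it touches a resource the user has never accessed, falls outside their usual hours, or moves far more data than their baseline, and unflagged events are folded back into the profile so the baseline keeps up with legitimate change.

```python
"""Toy behavioural baseline for insider-threat detection (added example).

Constructed scenario: per-user baselines are learnt from historical access
logs, new events are scored against them, and events that raise no alert are
folded back into the baseline. Log lines, users and thresholds are made up.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines: "ISO-timestamp user action resource bytes".
HISTORY = """
2024-03-04T09:12:00 aclerk read /finance/invoices 2048
2024-03-04T10:40:00 aclerk read /finance/ledger 4096
2024-03-05T09:05:00 aclerk read /finance/invoices 3000
2024-03-05T15:30:00 aclerk read /finance/ledger 1024
2024-03-06T11:00:00 aclerk read /finance/invoices 2500
2024-03-04T08:50:00 mmanager read /crm/accounts 8192
2024-03-05T14:10:00 mmanager read /crm/accounts 9000
2024-03-06T16:45:00 mmanager read /crm/pipeline 5000
""".strip().splitlines()

# Constructed new events: one routine clerk read, one late-night bulk pull of
# customer records by the same clerk, one routine manager read.
NEW_EVENTS = """
2024-03-07T10:15:00 aclerk read /finance/invoices 2200
2024-03-07T23:40:00 aclerk read /crm/accounts 250000
2024-03-07T14:00:00 mmanager read /crm/accounts 8500
""".strip().splitlines()


def parse(line):
    """Split one log line into a dict with a real datetime and an int size."""
    ts, user, action, resource, size = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "action": action,
            "resource": resource, "bytes": int(size)}


def build_baseline(events):
    """Per-user profile: resources touched, hours active, transfer sizes."""
    base = defaultdict(lambda: {"resources": set(), "hours": set(), "sizes": []})
    for e in events:
        p = base[e["user"]]
        p["resources"].add(e["resource"])
        p["hours"].add(e["ts"].hour)
        p["sizes"].append(e["bytes"])
    return base


def score(event, baseline, k=3.0):
    """Return the reasons an event deviates from its user's baseline ([] if none).

    Volume is judged against mean + k standard deviations of past sizes; with a
    single historical sample the deviation is zero, so any larger transfer
    would be flagged, which is the conservative choice for a new joiner.
    """
    p = baseline.get(event["user"])
    if p is None:
        return ["unknown user"]
    reasons = []
    if event["resource"] not in p["resources"]:
        reasons.append(f"first access to {event['resource']}")
    if event["ts"].hour not in p["hours"]:
        reasons.append(f"unusual hour {event['ts'].hour:02d}:00")
    mu, sigma = mean(p["sizes"]), pstdev(p["sizes"])
    if event["bytes"] > mu + k * sigma:
        reasons.append(f"volume {event['bytes']} exceeds baseline")
    return reasons


def update_baseline(baseline, event):
    """Fold an event that raised no alert into the profile (the learning step)."""
    p = baseline[event["user"]]
    p["resources"].add(event["resource"])
    p["hours"].add(event["ts"].hour)
    p["sizes"].append(event["bytes"])


def run(history_lines, new_lines):
    """Score new events in order; return {log line: reasons} for those flagged.

    Flagged events are left out of the baseline so an attacker cannot
    normalise their own behaviour simply by repeating it; an analyst would
    decide whether to admit them later.
    """
    baseline = build_baseline(parse(line) for line in history_lines)
    alerts = {}
    for line in new_lines:
        e = parse(line)
        reasons = score(e, baseline)
        if reasons:
            alerts[line] = reasons
        else:
            update_baseline(baseline, e)
    return alerts


if __name__ == "__main__":
    for line, reasons in run(HISTORY, NEW_EVENTS).items():
        print(line, "->", "; ".join(reasons))
```

Run on the constructed data, only the clerk's 23:40 pull of /crm/accounts is reported, for all three reasons at once; the two routine reads pass and are absorbed into their users' baselines. The point of the toy is the shape of the pipeline rather than the thresholds: real deployments need far more history, per-role rather than per-user models for new staff, and a review step before anything flagged is allowed to reshape the baseline.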

Such a system can apply intelligence in detecting anomalous behaviour at an early stage and respond quickly. It does not replace anti-virus software or intrusion detection systems, but it adds a vital new dimension to risk management by co-ordinating the various defensive measures to contextualise events as they occur and provide a proper strategic view of information and communications technology (ICT) activity.

And there is another benefit too. The stored record provides a complete audit trail of events, a factor of increasing importance in our ever more regulated commercial world.

In this way organisations can comply not only with the letter of the regulations but also with their spirit: they can start to tackle unknown and previously unseen dangers as they occur, rather than reacting only to the easy targets.

One final point: Organised crime has moved in on the internet and information systems. Identity theft, phishing attacks and denial-of-service attacks have become lucrative new forms of criminal activity, with the chances of detection and prosecution virtually nil.

And the criminals have also worked out that it is far easier to attack an information system from the inside than trying to penetrate from the outside. And that disaffected accounts clerk with money worries could be their perfect accomplice.

Threat management tools are available which can detect anomalies, abnormalities and threats, acting like an army of detectives safeguarding your organisation from any attack – whether external, internal or from a known or unknown vector. You can get on with the day-to-day challenges of your job and trust your threat management detectives to alert you automatically to the few incidents that require your attention.