Every business faces the possibility of external attacks, but the real threat could be buried within, in the form of the disgruntled employee, says Dan Raywood.
The biggest difference between insider and external threats is that while businesses are often equipped to deal with the latter, they tend to be left wanting when it comes to monitoring and detecting unusual or suspicious employee behaviour.
In a recent poll of 300 IT decision-makers, Clearswift found that 83 per cent had experienced a data security incident in the past year. Interestingly, 58 per cent of these respondents believed an insider was the culprit, while seven per cent laid the blame at the door of former employees.
“Look at the statistics on data loss – only seven per cent of it comes from misuse, which could be someone doing something they shouldn't, or theft,” says Chris Cheyne, senior consultant on cyber security at the merchant bank and operational risk business Salamanca Group. He adds: “It is not always about volume. The reality is that, while an opportunist might hack into your network and pull data, which he or she will analyse later and try and sell [if they deem it valuable], the insider has access to what they already know is high-value information.”
The modern age
In truth, the insider threat should be as big a concern for businesses as the threat posed by external hackers, if not bigger, because it is so hard to spot and stop.
In early June, the whole insider threat concept was blown open with Edward Snowden's revelations about the US government's monitoring campaign and its Prism programme. Aside from raising questions about the morality of such state surveillance, what Snowden did was show how powerful one individual could be in the face of the world's biggest superpower, arguably bringing the reputation of his employer – the National Security Agency (and, by extension, the US government) – crashing down in the process.
The US did seem to be aware of such a threat. Last November, Barack Obama issued a Presidential Memorandum on ‘minimum standards for executive branch insider threat programs’, where he permitted “the development of effective insider threat programs within departments and agencies to deter, detect and mitigate actions by employees who may represent a threat to national security”.
Obama said the insider threats could include “unauthorised disclosure of classified information”, which might damage US networks and systems, and this was a potential challenge to be addressed as defences needed to be reinforced “against both adversaries and insiders who misuse their access and endanger our national security”.
Little did the president know what was to come; his Memorandum was obviously ineffective against Snowden's whistleblowing.
Threat to society
Looking at the Clearswift research and the Snowden affair together, it would appear that while insiders pose an enormous threat to organisations, awareness of the task at hand has perhaps never been higher.
James Gosnold, a CSO in Fujitsu's central government business area, believes that businesses have always been paranoid about the insider threat, and says Fujitsu has always put lots of stock in managing privileged user activity. “In getting people to look at what is coming out of systems, you can see what the trusted users are doing. If anything, episodes like Snowden and WikiLeaks have given me ammunition to reinforce those key messages,” he says.
Gosnold has worked with the UK government, which is now likely on high alert, and claims it is prepared for whistleblower-type scenarios within its secure policy framework and recognises the importance of trusted users.
In terms of the ‘security triad’ of confidentiality, privacy and integrity, Gosnold reckons the first is the most important, and that it is therefore vital to have an audit trail of who has accessed what and when. “Security clearances are a key control in government and remain so,” he says.
For Gosnold, minimising the insider threat is a case of going back to basics by remembering the security principle of separation and segregation of duty. “Snowden has not made a huge amount of difference to what we are doing in that space, but he has given us that extra ammunition,” he adds. “I have given talks before on having an active security monitoring programme, and it is easy to make a case. It is not about exceptions and users who fail to access files or logon, or suspicious activity. Sometimes you need real people sitting down to look at the ports and pick out unusual activity you might want to question.”
The impact of the insider threat is not something new, but follows a trend of the employee being the weak link in a company's security, according to the former CISO of the UK's civilian airspace control, Paul Swarbrick.
There are a number of reasons a member of staff might turn against their employer (being passed over for promotion, etc) and leak company secrets. Swarbrick says the best solution is a “boring answer”, explaining: “There are 99 per cent [of employees] who are fine – it's the other one per cent you need to control. Without controls, you cannot know what is going on.”
Swarbrick agrees with Gosnold's point on the importance of segregation, pointing out that while CISOs will never mitigate the risk, they can manage it through segregation and by questioning how much risk is acceptable. “If someone argues to have access to everything, how much risk are you prepared to carry?” he asks.
For Gosnold, it is possible to control privileged users by regularly questioning them about activity and changes, but he says it is important to make them understand why you are monitoring them – that it is for everyone's benefit.
A solution in tools
So, could controls have prevented what Snowden did, and can tools protect companies in the event of such a threat? Firewalls, anti-virus, intrusion detection and sandboxing technologies exist to stop the bad stuff coming in, but what can really stop an employee downloading multiple records to a USB, or placing them in the cloud for a large fee to the highest bidder?
Often, as was the case with Snowden, that disillusioned employee has legitimate access to sensitive data. Snowden was one in 1.2 million in the US with that high level of clearance, says Malcolm Marshall, head of information protection and business resilience at KPMG.
Marshall believes that the tools to track employees are not too far off. “It is difficult to monitor behaviour,” he says. “What I do see are good examples with banks that monitor high-profile accounts that they have flagged and monitored. They sometimes create honeypots to see who is looking around; behavioural technologies only apply to the external threat. As Big Data analytics mature, the ability for monitoring should become easier.”
One problem with monitoring is the noise created, but if the solution of Big Data analysis is some way off, could a more ready solution exist within IT policies?
Steve Wright, global privacy officer at Unilever, argues that the only way to mitigate an insider threat is awareness and using technology that does not inhibit the business's day-to-day activity. While accidental loss can be down to basic errors, the insider threat can be the Achilles' heel of a business that can bring down an entire organisation's reputation, he says.
In agreement is Heyrick Bond Gunning, managing director of Salamanca Group. For him, an incident such as Snowden is probably the biggest fear for businesses – that they have an employee who will say ‘I don't care what I've signed, I fundamentally disagree with the way this organisation is being run’.
“It is a pretty difficult thing to prevent from happening, and you can go back to the basics of who is seeing what information, and making sure the business has engagement with employees,” Gunning says. “Yet the bigger the organisation, the more difficult that is going to be, and it doesn't take much for someone to get upset for a particular reason, no matter whether they are right or wrong.”
Who is to blame?
An active monitoring programme can be achieved by using security incident and event management (SIEM) solutions to see what people do. Gosnold points out that it is not just about watching people who don't have access to restricted areas, but more about monitoring those who do.
“You get a baseline of normal activity, and if someone in accounts looks at, for example, ten files in a usual week, and then starts copying gigabytes of data, that should flag an alert. If you are lucky enough to have an SIEM solution that is well optimised, it will do that automatically,” Gosnold explains.
Output from SIEM and log events from different technologies across a company can be analysed to look for the biggest offenders or most questionable activities. Gosnold says this enables businesses to contact employees, whether administrators or end-users, to check that everything is as it should be and that no accounts have been compromised.
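The baseline-and-deviation check Gosnold describes, written out as an added example (not code from the article or from Fujitsu): it builds each user's weekly file count and byte volume from constructed audit lines, then flags any user whose current week exceeds ten times the median of their earlier weeks. The log format, the user names and week 23 as the "current" week are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed sample audit lines (not from any real system); assumed format:
# "<date> user=<id> action=<read|copy> file=<name> bytes=<n>"
SAMPLE_LOG = """\
2013-05-06 user=accounts-jo action=read file=ledger-q1.xlsx bytes=420000
2013-05-08 user=accounts-jo action=read file=payroll-may.csv bytes=130000
2013-05-15 user=accounts-jo action=read file=invoices.pdf bytes=900000
2013-05-20 user=accounts-jo action=read file=ledger-q1.xlsx bytes=420000
2013-05-27 user=accounts-jo action=read file=payroll-may.csv bytes=130000
2013-06-03 user=accounts-jo action=copy file=customer-db.bak bytes=3200000000
2013-06-04 user=accounts-jo action=copy file=hr-archive.zip bytes=1800000000
2013-05-07 user=admin-sam action=read file=syslog.1 bytes=5000000
2013-05-14 user=admin-sam action=read file=syslog.2 bytes=5200000
2013-06-04 user=admin-sam action=read file=syslog.5 bytes=5300000
"""

def parse(log_text):
    """Yield (iso_week, user, bytes) per line; malformed lines are skipped."""
    for line in log_text.strip().splitlines():
        try:
            day, *pairs = line.split()
            fields = dict(p.split("=", 1) for p in pairs)
            yield date.fromisoformat(day).isocalendar()[1], fields["user"], int(fields["bytes"])
        except (ValueError, KeyError):
            continue  # count bad lines elsewhere; never let one of them kill the job

def weekly_totals(events):
    """Return {user: {week: [file_count, total_bytes]}}."""
    totals = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for week, user, nbytes in events:
        totals[user][week][0] += 1
        totals[user][week][1] += nbytes
    return totals

def flag_anomalies(log_text, current_week, factor=10):
    """Per user, flag metrics whose current week exceeds factor x the median of earlier weeks."""
    flagged = {}
    for user, weeks in weekly_totals(parse(log_text)).items():
        history = [v for w, v in weeks.items() if w < current_week]
        if not history:
            continue  # no baseline yet (new account): route to a separate review queue
        current = weeks.get(current_week, [0, 0])
        for i, metric in enumerate(("files", "bytes")):
            baseline = median(h[i] for h in history)
            if current[i] > factor * baseline:
                flagged.setdefault(user, {})[metric] = (baseline, current[i])
    return flagged
```

Note that accounts-jo's file count in the current week looks ordinary; it is the byte volume that trips the check, which is why both metrics are tracked.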
However, telling colleagues you have spotted numerous failed logins, or questioning why they moved files, can present its own problems, claims Gosnold. “You can understand why people might be taken aback, until they realise why you are doing it, but in the mid-term it can have a positive effect on security awareness,” he adds.
In 2011, a number of CIOs at government departments declared their support for employee monitoring software, particularly with the aim of growing awareness and understanding of why closer monitoring of employees' use of sensitive data was critical to reducing the spiralling insider threat.
Gosnold says most systems he is working with will have a pop-up statement that tells users they could be monitored for audited processes. He has not gone to the level of active monitoring or recording people's sessions, but says there are technologies that will do that.
Steve Durbin, vice president of sales and marketing at the Information Security Forum, says feedback from CISOs confirms they are in a difficult position when it comes to monitoring their own colleagues, and it is an issue that goes beyond security to involve HR and legal departments.
“CISOs are shaking off the role of the traffic cop who says ‘no’ and ‘you can't do that’, and the role of Big Brother who is always watching you, and are instead building relationships within the business,” Durbin comments. “But senior management [often] don't want to know [about these security and monitoring problems] – they are [more] concerned with brand perception as they don't want a big noise.”
In the future
The Snowden incident has had a major impact on privacy awareness, but will this drive businesses to invest in technology, training and policy revision to ensure they are not the next to be in the headlines?
Durbin is doubtful. While some businesses will have battened down the hatches, he says the general enterprise will see the affair as a one-off. “They will realise that it is a challenge to their intellectual property and research and development, but also that this is so difficult to guard against,” he says.
Wright disagrees, arguing that Snowden's actions have raised questions about data storage and protection. He says: “From our perspective, we use cloud-based solutions for the campaigns we run, so it has highlighted challenges on data protection laws, and raised questions around what we are hosting, where the data warehouses are and whether we have adequate safeguards in place to protect it.”
Gosnold concurs. “Every time something like this happens, it must raise the bar for the industry as a whole, just as APT became the buzz phrase,” he says. “When it comes to well-publicised insider breaches, there must be organisations for which this is a consideration.”
He adds that when it comes to using contractors, the situation becomes an issue of “security vetting standards, and in the wider industry that could be a potential weakness”.
WikiLeaks' publication of secret government data in 2010 still hangs heavily over many businesses, fearful of what could be publicly released about them. Marshall says Snowden's action is of equal concern for organisations, as the concept of the insider posing the biggest threat gains traction.