Control the Insider Threat

There is a sea of products and services on the market offering the same thing under different names. Essentially, what you want is to detect intrusions shortly after they occur (an intrusion is inevitable), no matter whether they are external or internal.

Please remember the statistics: the majority of incidents happen with the help of insiders, not from external sources. It only makes sense to focus on the most likely risk first and move on from there once you have a good grip on it.

It would be overkill to try to beat the best paper written on the matter by CMU staff – “Common Sense Guide to Mitigating Insider Threats” –

Controlling what people copy to their personal devices via any medium (Bluetooth, USB, WiFi) or to personal mailboxes, and what and how much they can upload to external sources, is essential. Blocking HTTP(S) POST requests larger than X KB unless specifically whitelisted is a very good idea I have seen at one of the places I worked.

Even then, there is a way to establish an encrypted session with the outside world and push (stream) data slowly over time, which is what many advanced intruders do. Whitelisting is essential in this case.
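The two controls above can be expressed as detection rules over web-proxy logs. The following is an added example, not code from the original text: it assumes a simplified, constructed log format (timestamp, user, method, host, bytes sent) and assumed policy values (a per-request limit, an hourly cumulative limit and a whitelist of approved upload destinations). Rule 1 catches the single large upload; rule 2 keeps a sliding window of bytes per user and destination so that the slow trickle described above is caught as well.

```python
"""Egress checks over proxy log lines (added example, constructed log format)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values; real ones come from your own data-handling policy.
MAX_POST_KB = 512                  # single POST/PUT larger than this is alerted
SLOW_WINDOW = timedelta(hours=1)   # sliding window for the low-and-slow rule
SLOW_LIMIT_KB = 2048               # cumulative bytes per user/host inside the window
WHITELIST = {"crm.example.com", "files.example.com"}   # assumed approved destinations


def parse_line(line):
    """Constructed format: '<ISO timestamp> <user> <METHOD> <host> <bytes_sent>'."""
    ts, user, method, host, sent = line.split()
    return datetime.fromisoformat(ts), user, method.upper(), host.lower(), int(sent)


def check_egress(lines, whitelist=WHITELIST):
    """Return a list of (rule, user, host, kb) alerts for the given log lines."""
    alerts = []
    history = defaultdict(deque)   # (user, host) -> deque of (timestamp, bytes)
    for line in lines:
        ts, user, method, host, sent = parse_line(line)
        # Only uploads to non-whitelisted destinations are of interest.
        if method not in ("POST", "PUT") or host in whitelist:
            continue
        kb = sent / 1024
        # Rule 1: one request above the per-request limit.
        if kb > MAX_POST_KB:
            alerts.append(("large_upload", user, host, round(kb)))
        # Rule 2: cumulative bytes to the same destination inside the window.
        window = history[(user, host)]
        window.append((ts, sent))
        while window and ts - window[0][0] > SLOW_WINDOW:
            window.popleft()          # drop entries older than the window
        total_kb = sum(b for _, b in window) / 1024
        if total_kb > SLOW_LIMIT_KB:
            alerts.append(("slow_exfil", user, host, round(total_kb)))
            window.clear()            # one alert per trickle, then start over
    return alerts


# Constructed sample log: a whitelisted upload, one big upload, a GET, and
# nine small uploads (244 KB each) by the same user within 45 minutes.
SAMPLE_LOG = [
    "2024-03-01T09:00:00 alice POST crm.example.com 900000",
    "2024-03-01T09:05:00 bob POST paste.example.net 1048576",
    "2024-03-01T09:10:00 carol GET news.example.org 0",
] + [
    f"2024-03-01T09:{15 + 5 * i:02d}:00 carol POST drop.example.net 250000"
    for i in range(9)
]

if __name__ == "__main__":
    for alert in check_egress(SAMPLE_LOG):
        print(alert)
```

Only the per-request rule would have missed carol: none of her uploads exceeds 512 KB, but their sum inside the hour does. The whitelist is what keeps alice's legitimate large upload quiet, which is why the whitelist itself has to be kept short and reviewed.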

People associate the insider threat with an individual with malicious intentions – which is not always the case.

Most of the time, when an incident is caused by an insider, it is because someone with privileges decided to bend the rules slightly to make their own life easier.

Think of a user with admin privileges on a machine who decides to install a non-approved application because they “know” it is “clean”.

Or someone bringing in a portable app to make their life easier, bypassing installation policies in the process.

Or someone staying logged in with their admin account the whole day, “just because it’s easier to do my job this way”.

You might be surprised at the LOW level of information security awareness among people with an extensive IT background. The ones who are the pillars of your IT environment are often either oblivious or not aware at all of cyber security risks – or, worst of all, don’t care.

So you have two ways to deal with that.

One is total control of admin accounts and their allowed use. For example, you could completely restrict interactive logons for admin accounts, only allowing them to be used through the “Run As” or “sudo” functionality but never to log in directly. You could also completely restrict Internet access for admin users, further reducing the motivation to work all day logged in as an admin.

You could define such misuse as a violation of policy and impose penalties for it, with strong monitoring and detection rules in place that alert you when someone is abusing their admin rights.
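The monitoring side of this control is straightforward to express as rules over a Linux auth log. The block below is an added example, not code from the original text, and it assumes three things: a set of privileged accounts that must only be used via sudo, a set of accounts allowed to run sudo, and constructed auth-log lines in the usual sshd, login and sudo syslog shape. It raises an alert for a direct logon with a privileged account, for sudo by an account that is not entitled to it, and for sudo to an interactive shell (the “logged in as admin all day” pattern in a different disguise). The pam `sudo:session` line, which also says “session opened for user root”, is deliberately skipped so that it does not produce a false alert.

```python
"""Admin-account usage rules over auth-log lines (added example, constructed input)."""
import re

# Assumed policy: privileged accounts may only be reached via sudo, never by direct logon.
ADMIN_ACCOUNTS = {"root", "adm-jdoe", "adm-root2"}
# Assumed: accounts that are entitled to run sudo at all.
SUDOERS = {"jdoe", "adm-jdoe"}
# Commands that give an interactive shell rather than a single administrative action.
SHELLS = ("/bin/bash", "/bin/sh", "/usr/bin/bash", "/bin/zsh")

LOGON_RE = re.compile(r"(?:Accepted \w+ for|session opened for user) (\S+)")
SUDO_RE = re.compile(
    r"sudo:\s+(\S+) : TTY=(\S+) ; PWD=\S+ ; USER=(\S+) ; COMMAND=(.+)$")


def check_admin_usage(lines, admins=ADMIN_ACCOUNTS, sudoers=SUDOERS):
    """Return a list of (rule, user, detail) alerts for the given auth-log lines."""
    alerts = []
    for line in lines:
        if "sudo:" in line:
            m = SUDO_RE.search(line)
            if m:
                user, _tty, _target, command = m.groups()
                if user not in sudoers:
                    alerts.append(("unauthorized_sudo", user, command))
                elif command.split()[0] in SHELLS or command.endswith(" -i"):
                    alerts.append(("sudo_shell", user, command))
            # pam 'sudo:session' lines mention the target user; they are not logons.
            continue
        m = LOGON_RE.search(line)
        if m and m.group(1) in admins:
            alerts.append(("interactive_admin_logon", m.group(1), m.group(0)))
    return alerts


# Constructed sample: a normal user's ssh logon and sudo, the matching pam line,
# a direct ssh logon with a privileged account, sudo by an unentitled user,
# sudo to a shell, and a console logon with a privileged account.
SAMPLE_AUTH_LOG = [
    "Mar  1 09:12:01 srv1 sshd[1234]: Accepted publickey for jdoe from 10.0.0.5 port 50022 ssh2",
    "Mar  1 09:13:10 srv1 sudo:     jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx",
    "Mar  1 09:13:10 srv1 sudo: pam_unix(sudo:session): session opened for user root by jdoe(uid=0)",
    "Mar  1 09:20:00 srv1 sshd[1300]: Accepted password for adm-jdoe from 10.0.0.5 port 50100 ssh2",
    "Mar  1 09:30:00 srv1 sudo:     bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt update",
    "Mar  1 09:45:00 srv1 sudo:     jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/bash",
    "Mar  1 10:00:00 srv1 login[2222]: pam_unix(login:session): session opened for user adm-root2 by LOGIN(uid=0)",
]

if __name__ == "__main__":
    for alert in check_admin_usage(SAMPLE_AUTH_LOG):
        print(alert)
```

The rules only work if the technical control behind them exists (the privileged accounts really are blocked from direct logon, and sudo is granted to a known list), so the alerts signal either a gap in that control or someone working around it; both are what you want to hear about.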

The other way is education. You could provide your system admins with proper training so that they understand the risks of not following the official policies and guidelines; people need to understand the rules before they will agree to follow them (this is true of IT people in particular, but not only of them).

In the Information Security Awareness chapter I referenced some materials which might be helpful in that task.

There is also another aspect of controlling the insider threat, which is rarely mentioned in professional literature (at least not in infosec literature) – and that is the emotional and psychological environment people work in.

If people are stressed and pressured, if they live in a bitter environment of gossip and dirty games, they will naturally be less motivated to follow the rules and maintain the security of your data.

If people are happy with their job and their colleagues, they will naturally try to protect this environment from internal and external threats – as this essentially protects their well-being.