"Financial Service Technology America, today's latest financial news now..."

Don’t look behind you: Insider threats increase internal risks

By Juniper Networks | www.juniper.net

The increased velocity of business has forced organizations to face challenges that years ago were not even considered. One of the biggest involves a security issue that has taken center stage and threatens the very existence of the enterprise. In 2008, attacks from the outside were eclipsed by threats from within, both in the sheer number of incidents and in the dollar figure of the damage that can result from this type of breach. The average dollar figure for damage due to an insider attack has grown by over 108 percent in just 12 months. Even as these attacks increased, firms were actively deploying various security solutions across the network and onto the desktop. This leads to the question: if we continue to deploy security, why are organizations at greater risk than ever before?

The Challenge
The traditional approach to security has been based on the assumption that the threats which enterprises needed to protect against came from somewhere outside their network. As a result, network security deployments focused largely on providing perimeter-based protection – devices at the edge of the network designed to draw a clear demarcation between “inside and trusted” and “outside and untrusted.”

The insider threat opens up an entirely new attack vector that bypasses the traditional perimeter security strategy. Employees are the most often cited insiders who compromise the organization’s security, but they are certainly not the only insider threats. Insiders should be considered as anyone who has access permissions above and beyond those of the general public. This often includes partners, contractors, and guests, to name a few. For purposes of discussion, we will examine two of the more common insider threats involving the organization’s employees.

Good employees unknowingly doing bad things: In this case, an employee commits an act that unknowingly and unintentionally exposes the network to risk. This includes internal errors, abuses, sloppy use, and ignoring security safeguards. A common occurrence involves Trojan Horses that are unknowingly downloaded from legitimate sites. Users visiting such a site have their PCs quickly compromised. When the user logs into the corporate network, the implanted script begins harvesting passwords and user credentials and ships them off to the attacker without the user’s knowledge. An innocent visit to a legitimate Web site thus exposes the organization to substantial risk with no knowledge or malicious intent on the employee’s part. A similar example occurs when users take their computers home and use them for personal activities. The user, or even a family member, downloads what appears to be a harmless application or image, only to infect the machine. When the worker returns to work and logs into the network, the network becomes open to exploitation. Such unknowing attacks can be initiated by anyone at any level of the organization.

Bad employees exhibiting bad behavior: A disconcerting trend is the increased incidence of trusted employees who knowingly expose their organization to risk. Disgruntled employees and those looking to inflict harm to the organization are among the biggest security threats because they know the network, know what security is in place, and know how to best “fly under the radar” to avoid deployed security and detection.

The Motivation
Some insider threats are launched to exact revenge for what the attacker takes to be offenses made by the organization. A recent case that made the news describes an IT manager who had left an organization, but also left a “logic bomb” behind that was configured to erase critical data two weeks after his departure from the organization.

In other cases, the insider will knowingly expose the organization for his/her private financial gain. This was the case with a New York-based hospital where a billing clerk sold patient insurance information to a third party who then resold it to patients who required a procedure but did not have health insurance. The damage was twofold because not only was an identity stolen, but the legitimate patient’s health records were no longer accurate, as procedures were being performed on a person who claimed to be the legitimate patient but was not.

The Exposure
Regardless of the motivation behind an employee committing the “insider threat,” the results can be devastating to the organization, to the shareholders, and to an individual if their credentials are involved in the breach. Attacks occur quickly and are usually over within hours to days. Unfortunately, the detection of an attack has historically not been as fast, often taking weeks or even months to detect. This is particularly concerning because the breach has been committed and the breached data is long gone before the breach is ever discovered and acted upon by the organization.

In the case of an insider threat, the breach can affect the organization’s bottom line and irreparably damage the company’s reputation – the kiss of death in the world of finance where trust is the true capital. This was the case with CardSystems. At one time, CardSystems was among the world’s largest dealers of credit card transactions. With a breach that exposed tens of millions of credit cards and CVV2 security code information, CardSystems’ business and reputation were irreparably damaged and the company was ultimately forced out of business.

The Access Control Solution
A comprehensive security solution combining a number of disciplines can help organizations avoid, remedy and document internal threats. Such a solution would include access control, enforcement points throughout the network, endpoint security, centralized network management and visibility, tight integration among solution components, and interoperability with existing network infrastructure.

Several key tenets must be employed to architect such a solution:

  • Ensuring that the “right” people have access to the right information and applications. The sheer volume of personnel accessing critical network resources expands almost daily. A heterogeneous audience demands a granular access control that ensures that only authorized personnel get access to the resources they require and nothing more. Locking down everything else helps to limit exposure and is a good start at securing the network.
  • Organizations are fluid. New employees are hired, roles within organizations change, and people leave organizations. It is essential that permissions and access rights are fluid and change as employee roles within organizations change. Furthermore, it is important to verify the identity and role of the individual before allowing access. Challenging the employee helps ensure that the user is, in fact, the stated individual.
  • Sometimes employees with the appropriate access will take advantage and commit a breach with the data to which they rightfully have access. For security forensics as well as compliance, it is essential to log who is accessing what, and when. Moreover, reporting information must be complete, easily accessible, and simple to understand. This provides the virtual paper trail necessary to quickly react to any potential breach—both from a security and a compliance perspective.
  • As indicated earlier, some of the biggest insider breaches are the result of an infected endpoint contaminating the network. Starting clean helps to ensure that your network stays clean, and this is done by ensuring that endpoint devices are clear of infection from viruses, key loggers, Trojans, worms, and other malware. If a device (whether a corporate device or a third-party/unmanaged device) is infected, it is important to limit access (for example, quarantine the infected device) until remediation is complete. To ensure minimal disruption, self-remediation may be indicated, where employees are able to take action on their own to cleanse their infected endpoint and attain or regain network access as quickly as possible.
  • Visibility and control must be complete and centralized. It is impossible to find or report on security without a single and comprehensive view of the network from both a real-time and historical perspective. Aside from saving on OPEX costs, it is the only way of getting an accurate picture on the security posture of the organization.
  • Gone are the days of “rear view mirror” security. It is no longer acceptable to wait weeks to months in order to ascertain that a breach has occurred. The ability to detect, mitigate, and report on exploits and breaches must be in real time. This means that the various deployed security elements must work together and collaborate in rooting out those attacks that are stealthy, sophisticated, and built to evade traditional security point products. It also means automating the tedious process of log correlation, which is still largely done on an ad hoc and/or manual basis. This, however, can only be relied upon with a comprehensive, standards-based solution that is able to take multiple feeds from multiple vendors into account and deliver a prioritized list of violations that are actionable at a moment’s notice.
  • Not every violation requires a complete shutdown. Blocking traffic every time a suspicious incident occurs simply does not address the requirements of today’s high-performance businesses. Rather, it is important to be able to flexibly and dynamically provision access by selecting the “appropriate response” based on the violation that has occurred. This may include actions such as rate limiting, reporting, quarantine, or update.
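The tenets above map naturally onto a policy decision point. The following is an added example, not Juniper's code or any product's API: a small network-access policy engine that verifies the identity and the directory role before trusting a claimed role, grants only what the role needs, checks endpoint posture and quarantines until remediation, records who accessed what and when, and chooses a graduated response (quarantine, rate limit, deny) rather than blocking everything. The `PolicyEngine`, `AccessRequest` and `Endpoint` types and every user, role, resource and device in it are constructed for the example.

```python
"""Added example, not Juniper's code: a small network-access policy engine that
puts the access control tenets into code -- verify the identity and the directory
role before trusting a claimed role, grant only what the role needs, check endpoint
posture and quarantine until remediated, keep an audit trail of who accessed what
and when, and pick a graduated response instead of blocking everything.
Every user, role, resource and device below is constructed for the example."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Action(Enum):
    ALLOW = "allow"
    QUARANTINE = "quarantine"    # remediation network only, until the endpoint is clean
    RATE_LIMIT = "rate-limit"    # access granted, but throttled and flagged for review
    DENY = "deny"


# Least privilege: each role gets the resources it needs and nothing more.
ROLE_PERMISSIONS = {
    "billing-clerk": {"billing-app"},
    "it-admin": {"billing-app", "hr-db", "core-switch-mgmt"},
    "contractor": {"ticketing"},
}


@dataclass
class Endpoint:
    device_id: str
    av_signatures_current: bool   # posture: anti-malware signatures up to date
    malware_found: bool           # posture: result of the last endpoint scan
    managed: bool                 # corporate device vs. third-party/unmanaged


@dataclass
class AccessRequest:
    user: str
    claimed_role: str
    mfa_verified: bool            # the identity challenge was passed
    endpoint: Endpoint
    resource: str


@dataclass
class PolicyEngine:
    directory: dict                                  # user -> current role; absent = left the org
    audit_log: list = field(default_factory=list)
    violations: dict = field(default_factory=dict)   # user -> number of policy violations

    def _log(self, req, action, reason):
        """Record who asked for what, when, from which device, and what was decided."""
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": req.user, "device": req.endpoint.device_id,
            "resource": req.resource, "action": action.value, "reason": reason,
        })
        return action

    def _violation(self, req, reason):
        """A denied attempt that also counts toward the user's violation tally."""
        self.violations[req.user] = self.violations.get(req.user, 0) + 1
        return self._log(req, Action.DENY, reason)

    def decide(self, req):
        # 1. Identity: the account must still exist and the user must pass the challenge.
        role = self.directory.get(req.user)
        if role is None:
            return self._violation(req, "no active account in directory")
        if not req.mfa_verified:
            return self._log(req, Action.DENY, "identity challenge not satisfied")
        # 2. Posture: an infected or stale endpoint is quarantined until remediated.
        if req.endpoint.malware_found:
            return self._log(req, Action.QUARANTINE, "malware found on endpoint")
        if not req.endpoint.av_signatures_current:
            return self._log(req, Action.QUARANTINE, "endpoint needs signature update")
        # 3. Authorization: the directory role, not the claimed one, decides.
        if req.claimed_role != role:
            return self._violation(req, f"claimed role {req.claimed_role!r} != directory role {role!r}")
        if req.resource not in ROLE_PERMISSIONS.get(role, set()):
            return self._violation(req, f"role {role!r} does not need {req.resource!r}")
        # 4. Graduated response: a legitimate user on an unmanaged device is throttled, not blocked.
        if not req.endpoint.managed:
            return self._log(req, Action.RATE_LIMIT, "unmanaged device")
        return self._log(req, Action.ALLOW, "role permits resource")

    def accesses_to(self, resource):
        """Forensics/compliance view: every decision recorded for one resource."""
        return [e for e in self.audit_log if e["resource"] == resource]

    def prioritized_violations(self):
        """Users ranked by violation count, most suspicious first."""
        return sorted(self.violations.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    engine = PolicyEngine(directory={"alice": "billing-clerk", "bob": "it-admin"})
    pc = Endpoint("PC-001", av_signatures_current=True, malware_found=False, managed=True)
    print(engine.decide(AccessRequest("alice", "billing-clerk", True, pc, "billing-app")))
    print(engine.decide(AccessRequest("alice", "it-admin", True, pc, "hr-db")))
    print(engine.prioritized_violations())
```

The order of checks matters: identity and posture are settled before authorization, so a compromised or stale endpoint never reaches a resource even when the user is entitled to it, and the audit log captures quarantines and denials as well as successful access, which is what the forensics and compliance reporting in the third tenet needs. The violation tally is the seed of the "prioritized list of violations" the sixth tenet asks for; in a real deployment it would be fed by multiple sensors rather than this one decision point.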

Solution Components
No single network device can provide all of the functionality required to effectively address the risks posed by insider threats. The tenets above indicate that a comprehensive solution requires a collection of products that work together, interoperate, and extend functionalities enterprise-wide. These products include:

  • Access control appliance – A centralized policy management server that determines what access should be provided to individual users when they access the network.
  • SSL VPN – A virtual private network solution based on SSL technology, which provides granular access control to remote and distributed users while reducing operational expenditures.
  • Firewalls – Devices deployed both at the network edge and between network zones to provide traditional firewalling and to act as enforcement points for the access control appliance. Often, firewalls can provide additional functionality on-board, including intrusion detection and prevention, anti-virus, and more.
  • 802.1X compliant switches – A comprehensive solution can leverage existing 802.1X compliant switches for enforcement. A cost-effective solution supports both 802.1X and firewalls for enforcement, leveraging existing switches or providing a cost-effective entry point until such switches become ubiquitous in the network.
  • Intrusion Prevention System appliances – Network optimized devices that look deeper into packets for a broad range of threats and anomalies, and can block and/or report suspicious traffic.
  • Network and Security Management – Centralized network and security management to control and monitor the broad solution, monitor threats, and maintain logs as well as managers to centrally control individual devices.

Summary—Mitigating the Insider Threat
To maintain a strong security posture, ensure regulatory compliance, and protect the company’s reputation, organizations must expand their security horizon by looking inwards. Serious risks exist inside organizations in the form of insider threats posed by both malicious and innocent users. Organizations today are mitigating this threat through the implementation of a comprehensive access control solution that provides flexible, secure and differentiated network and application access to ensure continued business productivity.

Contact details:
Doron Abrahami, Senior Manager
T: 201-913-9975, E: dabrahami@juniper.net, W: www.juniper.net