"Financial Service Technology America, today's latest financial news now..."
The truth about the insider threat

NetVision Inc | www.netvision.com


Your biggest threat is your most trusted employees. But that news is not as sinister as it may sound. It may conjure visions of evil villains hunched over lab tables working on the next great attack on your organization. Reality, however, is far less dramatic.
Most employees in your organization are probably good people with honorable intentions. And there’s no reason to assume that your employees are out to cause harm to your organization. But the evil villain scenario is rooted in some truth. A number of highly publicized security breaches have recently highlighted the worst-case scenarios; each story with its own evil villain(s).

At Société Générale, one employee’s devious behavior resulted in a company loss of over $7.2 Billion. Former LendingTree employees pilfered data from the company’s systems exposing names, addresses, email addresses, telephone numbers, social security numbers, and income and employment information. A DuPont employee, while transitioning to work for a competitor, attempted to steal trade secrets worth over $400 million. An employee at Progressive Casualty Insurance Co. wrongfully accessed information on foreclosure properties for personal use. And just this past March, U.S. State Department employees were caught snooping through the passport files of three U.S. presidential candidates.

Are your employees prone to such reckless and malicious behavior? Maybe. But that’s not what should keep you up at night. The examples cited above represent the extreme in regard to both publicity and financial damage. They’re not representative, though, of the breaches of your security policy which are far more likely to be occurring every day.

What should worry you more than the outrageous stories that make news headlines is that, according to recent research, a third of your employees may believe that they need to breach security in order to perform their daily job activities.

These types of breaches don’t often cause direct financial harm and they don’t make headlines in major media outlets. In fact, they generally aren’t reported at all and often aren’t even known about by your organization’s security team. But these seemingly innocuous security breaches could result in failed security audits, non-compliance penalties, and an increased (and unnecessary) level of risk for your organization.

Manage Perceptions
The fact that employees believe that they need to subvert policy doesn’t mean that their perception is true. It could mean that employees don’t have the right tools in place to perform their job functions efficiently without breaking policy. It may also mean that employees have misconceptions about security policies or that security just isn’t a part of the culture in your organization.

Employee education about security policies and best practices is an important component in reducing risk. Although the general systems user population is slow to adopt new behaviors, it’s vital that employees know what policies are in place. Total automation of security controls is generally not achievable, so some level of education is necessary to ensure policy enforcement. Business risk cannot be mitigated with technology alone.

System administrators, for example, have been given full access rights over the systems they manage. Many systems store sensitive corporate information or even personal employee information that should remain confidential. Since the administrators have been officially granted access rights on a system, they might believe that they are permitted to view the confidential information contained within it.

That is often not the case. Administrators are granted full permissions so that they can manage the access rights of other system users. They are the people who need to understand how to grant and deny privileges within the system. But they do not have a business need to view confidential or sensitive information such as employee salary information, health records, or social security numbers. That information should be safeguarded against unauthorized access – even from the people who have been explicitly given rights to that information.

The same is true for employees of the Human Resources department. They may have a business need to access sensitive employee information for payroll processing, processing life change events, or managing other important HR processes. Typically, though, policy prohibits these employees from accessing the same sensitive information simply out of curiosity or amusement. And when that policy is backed by law, the very action that is standard business practice in one scenario may result in fines or other penalties in another.

Across your organization, it needs to be made clear what information is considered sensitive or confidential. And your employees need to understand the information usage policies that relate to them as individuals. This is particularly important for information to which an employee has been explicitly granted rights. If you can put a failsafe security control in place to protect an asset (like a locked safe with armed guards), then publicizing the access policies becomes less critical.

Monitor and Evaluate
In addition to clearly articulating security policies, additional measures should be taken to protect your sensitive assets and prove that policies are being enforced. A thorough system of access audit and monitoring will cover three key areas:

  • Controls – Ensure that security controls are in place and functioning as expected.
  • Behavior – Monitor user behavior to ensure that policies are being upheld.
  • Power – Perform regular audits of user rights and permissions to verify that appropriate levels of access have been granted.

Controls
Routinely verify that the security mechanisms in place are effective at performing their expected functionality. Check that controls are enabled and adequate to meet your security needs.

Behavior
Monitor user behavior to ensure that activity doesn’t extend past the boundaries of acceptable behavior. Especially in scenarios where people have explicitly been granted rights to access systems or information, monitoring is an important tool to ensure that policies are being upheld and to alert or report on policy breaches in real time. Watch for authentication attempts, information access attempts, changes to data, data creation, and data deletion.

In addition to providing an invaluable tool for responding to auditors and regulators, monitoring becomes an effective deterrent against casual policy breaches. Once administrators know that you’re monitoring their access to files, for example, they will be far less likely to open a file at which they should not be looking.

Power
Perform periodic review of what rights have been granted within the environment. Look at what potential breaches could occur and attempt to align rights and permissions with current business needs. People move in and out of organizations and often switch roles within a company. At the same time, business needs and goals change over time. Periodic reviews of user power minimize the potential threat that may exist within your environment.
In addition to periodic reviews, enable real-time monitoring of new account creations, account removals, status changes, and alterations to user account rights and permissions. This gives you a continuous view of user power from what rights were in effect on a particular date three months ago to what permissions have been changed over the past three hours on what servers and by whom.
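As an added illustration of the Behavior and Power checks described above (example code written for this page, not NetVision’s product), the script below runs over a handful of constructed file-server audit events: it flags data access by an account that holds rights but whose role has no business need, replays grant/revoke events onto a rights snapshot to produce an attributed change list (when, by whom, what, on which server), and lists entitlements that no longer match business need. The roles, paths, event format and the "manage" versus "read" distinction are assumptions.

```python
# Constructed sample data, not real audit logs. Roles are assumed to be fed from the HR system.
ROLES = {"jdoe": "hr", "admin1": "sysadmin", "contractor7": "contractor"}
# Sensitive path prefix -> roles with a business need to read it. A sysadmin holds
# full rights on fs01 to manage access, but has no business need for HR content.
SENSITIVE = {"hr/": {"hr"}}
# File-server audit events: (timestamp, actor, action, resource, host, detail)
EVENTS = [
    ("2010-07-29T09:01", "jdoe",        "read",   "hr/payroll.xlsx", "fs01", ""),
    ("2010-07-29T09:05", "admin1",      "read",   "hr/payroll.xlsx", "fs01", ""),
    ("2010-07-29T09:07", "admin1",      "grant",  "hr/",             "fs01", "contractor7:read"),
    ("2010-07-29T09:09", "contractor7", "read",   "hr/salaries.csv", "fs01", ""),
    ("2010-07-29T09:12", "admin1",      "revoke", "hr/",             "fs01", "jdoe:read"),
]
# Rights snapshot taken at the last periodic review: resource -> {"user:permission"}
BASELINE = {"hr/": {"jdoe:read", "admin1:manage"}}

def business_need(user, resource):
    """True if policy says the user's role may use this resource."""
    for prefix, roles in SENSITIVE.items():
        if resource.startswith(prefix):
            return ROLES.get(user) in roles
    return True  # not classified as sensitive

def behavior_alerts(events):
    """Behavior: data access by someone who may hold rights but has no business need."""
    return [(ts, who, act, res, host) for ts, who, act, res, host, _ in events
            if act in ("read", "write", "create", "delete") and not business_need(who, res)]

def power_review(baseline, events):
    """Power: replay grant/revoke events onto the snapshot. Returns the current rights
    and an attributed change list (when, by whom, what, where)."""
    rights = {res: set(ents) for res, ents in baseline.items()}
    changes = []
    for ts, who, act, res, host, detail in events:
        if act == "grant":
            rights.setdefault(res, set()).add(detail)
        elif act == "revoke":
            rights.get(res, set()).discard(detail)
        else:
            continue
        changes.append((ts, who, act, res, detail, host))
    return rights, changes

def stale_rights(rights):
    """Data entitlements on sensitive paths held by roles without a business need.
    ("manage" is how administrators grant and deny access; it is not data access.)"""
    return sorted((res, ent) for res, ents in rights.items() for ent in ents
                  if not ent.endswith(":manage") and not business_need(ent.split(":")[0], res))
```

Running the three functions over EVENTS yields two behavior alerts (admin1 and contractor7 reading HR files), two attributed permission changes by admin1 on fs01, and one stale entitlement (contractor7’s read on hr/) for the next review.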

Conclusion
The insider threat is real. Even in an ideal environment where every employee has the best intentions and all employees work harmoniously together toward common goals, humans are prone to error. And we’re conditioned to look for efficiencies that save time or effort (also known as shortcuts). These errors and efficiencies are at the root of the numerous security policy breaches that likely occur in your environment every day.

Information security auditors and government regulators make no exceptions based on good intentions. So the risk needs to be mitigated even in environments where employees are not malicious. And security holes obviously increase the risk of the occasional catastrophic breach that would cause significant damage to your organization’s reputation, business opportunity, or bottom line.

Clear articulation of security policies and effective audit and monitoring solutions can provide tremendous value in mitigating the insider threat while killing the proverbial two birds with one stone:

  • Reduced Risk / Improved Security
  • Simplified Audit and Compliance

Audit and monitoring solutions provide real-time alerts of policy breaches, serve as a deterrent for would-be bad actors, and eliminate the effort associated with providing reports on security controls, user behavior, and user empowerment. Security auditors, IT managers, and business line executives are given a clear view into insider activity and the administrative behavior that empowers those insiders. Threat mitigated.

About NetVision
NetVision provides periodic assessment and real-time monitoring of all three components that comprise the power of digital identity: Controls, Behavior, and Power. NetVision is focused on providing relevant answers to critical identity and access related questions across platforms on core network directories and file systems.

Matt Flynn is Director of Marketing and Strategy at NetVision Inc., responsible for communication and strategic direction. Prior to NetVision, Matt spent the past decade consulting on identity and access management strategies for many of the world’s leading companies.
