The Insider Threat Will Eat Your Babies
I was reading this post by Richard Bejtlich and it reminded me of a little pet peeve.
It seems some people out there criticize Richard for focusing more on external threats than the big bad “internal threat”. I’ll admit I used to use the term frequently when I was a little naive, but I finally realized it had become code for “scary stuff you’ll never be able to protect yourself from without spending a lot of money on our products.”
Yes, there is an insider threat, but we abuse the heck out of the term.
There are a few principles I like to keep in mind when discussing the insider threat. Some are a little redundant to make a point from a slightly different perspective:
- Once an external attacker penetrates perimeter security and/or compromises a trusted user account, they become the insider threat.
- Thus, from a security controls perspective it often makes little sense to distinguish between the insider threat and external attackers: there are those with access to your network, and those without. Some are authorized, some aren’t.
- The best defenses against malicious employees are often business process controls, not security technologies.
- The technology cost to reduce the risks of the insider threat to levels comparable to the external threat is materially greater without business process controls.
- The number of potential external attackers is the population of the Earth with access to a computer. The number of potential malicious employees is no greater than the total number of employees.
- If you allow contractors and partners the same access to your network and resources as your employees, but fail to apply security controls to their systems, you must assume they are compromised.
- Detective controls with real-time alerting and an efficient incident response process are usually more effective for protecting internal systems than preventative technology controls, which raise the overall business cost more by interfering with business processes.
- Preventative controls built into the business process are more efficient than external technological preventative controls.
Thus, the best strategy includes a mix of technology and business controls, a focus on preventing and detecting external attacks, and reliance on a mix of preventative controls and detective controls with efficient response for the insider threat. I really don’t care if an attacker is internal or external once they get onto a single trusted system or portion of my network.
The “insider threat” isn’t a threat. It’s become a blanket term for FUD. Understand the differences between malicious employees, careless employees, external attackers with access inside the perimeter, and trusted partners without effective controls on their systems and activities.
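To make the “insider or outsider, I don’t care” point concrete, here is an added example (my own illustration, not code from the original post or from Securosis) of a detective control that never asks who holds an account. It parses a constructed application audit log of customer-record reads, builds a per-account hourly baseline, and raises an alert when any account, trusted or not, reads far more records in an hour than it normally does. The log format, the account names, the business-hours window and the thresholds are all assumptions chosen for the example; the same rule fires whether the account belongs to a DBA who has turned bad or to an attacker using that DBA’s stolen password.

```python
"""
Account-agnostic bulk-access detection over an application audit log.

The detection watches what an account does, not who is assumed to hold it,
so a malicious employee and an external attacker on a compromised account
trip the same alert. (Added example; thresholds and log format are assumed.)
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

BUSINESS_HOURS = range(7, 19)   # assumed working window, 07:00-18:59 local time
RATE_MULTIPLIER = 4             # alert when an hour exceeds 4x the account's median hourly reads
ABSOLUTE_FLOOR = 5              # never alert below this many reads per hour (avoids noise on tiny baselines)

# Constructed sample audit log (illustrative, not real data).
# Each line: ISO-8601 timestamp, account name, customer record id that was read.
SAMPLE_LOG = """\
2008-10-30T09:12:04 jsmith CUST-1001
2008-10-30T10:05:13 dba_pat CUST-2001
2008-10-30T10:06:02 dba_pat CUST-2002
2008-10-30T14:22:09 jsmith CUST-1019
2008-10-30T15:03:30 dba_pat CUST-2041
2008-10-31T08:55:17 jsmith CUST-1003
2008-10-31T11:10:40 jsmith CUST-1050
2008-10-31T11:30:42 dba_pat CUST-2100
2008-10-31T22:01:05 dba_pat CUST-3001
2008-10-31T22:01:06 dba_pat CUST-3002
2008-10-31T22:01:07 dba_pat CUST-3003
2008-10-31T22:01:08 dba_pat CUST-3004
2008-10-31T22:01:09 dba_pat CUST-3005
2008-10-31T22:01:10 dba_pat CUST-3006
2008-10-31T22:01:11 dba_pat CUST-3007
2008-10-31T22:01:12 dba_pat CUST-3008
"""


def parse_log(text):
    """Parse 'timestamp account record' lines into (datetime, account, record) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, account, record = line.split()
        events.append((datetime.fromisoformat(ts), account, record))
    return events


def hourly_counts(events):
    """Count distinct records read per (account, hour bucket)."""
    seen = defaultdict(set)
    for ts, account, record in events:
        bucket = ts.replace(minute=0, second=0, microsecond=0)
        seen[(account, bucket)].add(record)
    return {key: len(records) for key, records in seen.items()}


def detect_bulk_access(events):
    """Return one alert per (account, hour) whose read count exceeds that
    account's own baseline. The baseline is the median of the account's
    hourly counts, which a single burst hour does not drag upward."""
    per_account = defaultdict(list)
    for (account, hour), n in hourly_counts(events).items():
        per_account[account].append((hour, n))

    alerts = []
    for account, buckets in per_account.items():
        baseline = median(n for _, n in buckets)
        threshold = max(ABSOLUTE_FLOOR, RATE_MULTIPLIER * baseline)
        for hour, n in sorted(buckets):
            if n > threshold:
                alerts.append({
                    "account": account,
                    "hour": hour.isoformat(),
                    "records": n,
                    "baseline": baseline,
                    "after_hours": hour.hour not in BUSINESS_HOURS,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_access(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed log, `jsmith` reads one record per active hour and never alerts, while `dba_pat` averages one or two reads per hour and then pulls eight records in a single late-evening hour; that one bucket is the only alert, tagged as after-hours. Nothing in the rule distinguishes an employee from an outsider on a stolen credential, which is the point: the response process, not the detection, decides what to do with the person behind the account.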
Rani Osnat Oct 31
Hi Rich,
Everything you say is correct, and yet… it’s true that there are a lot more outsiders “out to get you” than insiders, and among them some pretty nasty characters with hacking skills to match their lovely personalities.
OTOH, the chances of a malicious insider succeeding in doing what they want to do are higher, and the potential damage they can do (per incident) is higher. The technical solutions to this are mentioned in your post under 7 and 8, but the best solution is probably to treat your employees well so they feel “gruntled” :) as opposed to disgruntled.
One last point, which is often missed - most of the intentional, malicious insider stuff is small potatoes. Much of it goes under the radar, but it happens. I’m talking about something like a DBA in a telco selling customer call records to private investigators at $200 a pop, which could go on undetected for years, and if it is discovered it is usually dealt with quietly. Or perhaps something even less sinister, like a privileged user accessing salary data towards renegotiating his contract. There is a LOT of that going on, and it’s a liability though not a huge one - but then again so is what DLP is trying to prevent, and DLP vendors are being acquired left, right and center.
Adrian Lane Oct 31
There is a lot of FUD around the insider threat, and abuse is rampant. You did not even have to go into the blatantly misleading uses of CSI data theft statistics. But I tend to think of the FUD as a reaction to a market that has seen increased spending on facilities that are blind to the problem, and the vendor community as one of the major sources of FUD as a frustrated outcry. The meaningless blanket term has raised awareness and invited a dialog about what should be done and where best to spend resources. I am not ready to throw the term onto the scrap pile of misleading slogans (like ‘war on terror’) as consumer awareness of helpful products like Data Leakage Prevention is just now reaching the mainstream.
Gary Nov 3
I beg to differ.
The “Insiders” of insider threats are materially different from “Outsiders” such as hackers, competitors and the NSA. They are employees with privileged internal access to information (not just IT systems), numerous opportunities to probe controls without much fear of retribution, and all sorts of motivations to defraud or steal their employer’s information assets. Generally speaking, Insiders are “trusted” which means the organization settles for weak or missing controls that they would not tolerate for Outsiders.
Many technical and non-tech controls apply to Insiders but not all of them apply to Outsiders - some controls (e.g. employee anti-fraud controls, security awareness and ‘divisions of responsibility’) are intended and designed specifically to prevent or detect insider abuse.
Outsiders who breach the network or physical perimeters are still at a disadvantage relative to Insiders with legitimate access to the network, application systems, data and a raft of corporate information. If the infosec people are focused on Outsiders, they leave the door open to abuse from Insiders. A balanced approach is entirely appropriate, reflecting the risks from Insiders AND Outsiders.
Kind regards,
Gary
Rob Lewis Nov 4
@Rani,
“One last point, which is often missed - most of the intentional, malicious insider stuff is small potatoes.”
Unfortunately those small potatoes add up to more than $300+ billion a year according to the Attorney General of the US. Small businesses are also less likely to be able to survive a major hit, as opposed to a larger enterprise.
@ Gary,
Your overall post is sound, but I agree with you that the overall degree of internal controls for insider abuse generally remain lacking, or absent altogether. New organizations routinely hand over the keys to the kingdom to new hires that they barely know. Depending on the sensitivity of the data to be protected, systems should be able to protect data even if VERY TRUSTED personnel have been compromised.
Fine-grain access control at the datafile level on a per user basis can prevent both insider and outsider breaches.
Rani Nov 4
Gary,
If you read my entire comment, then you know we’re in agreement. What I meant to point out is that most of what’s going on in terms of insider threat is unreported, often undetected. It’s easy to focus on the big, publicized breaches (a la Fidelity) but this is not representative of the nature of what we’re dealing with here.
Gary Nov 4
OK. I thought the original piece argued that the Insider Threat is overrated, which I don’t agree with at all. There’s more to it than FUD. You’re dead right about it being unreported and often undetected. Internal fraudsters and hackers, for example, typically exploit control weaknesses and loopholes to conceal or disguise their activities. If insider abuse is discovered, it’s often brushed under the carpet. Managers hate to admit that their staff may have been abusing privileges because this implies inadequate supervision and misplaced trust. Wayward managers are a particular problem because they mostly self-supervise apart from fleeting audits, and they often have the widest access to systems, data and information in general.
Sorry, I’ll stop preaching to the choir now! I wrote a security awareness module on this topic a few months ago and found it fascinating to research. We followed up with another module on outsider threats such as industrial espionage and competitive intelligence - another interesting area.
G.
rmogull Nov 5
I think we’re all in agreement: what I was trying to address is the marketing FUD around some nebulous “Insider Threat”, as opposed to good security practices to effectively apply controls on insiders without interfering with business.
“Insider Threat” is probably one of the most abused terms in infosec today, and I didn’t mean to imply that there isn’t any risk from insiders; just take a look at the recommendations. I think we need to focus on business process, not new security tools, to reduce insider risk.