The Insider Threat: 16 Tips to Protect Critical Data
Last August's arrest of a Countrywide employee in California illustrates the potential impact of a single insider with access to sensitive information. The FBI charged the former employee with taking 2 million names and personal information from the mortgage bank and selling them for a profit.
Another example: last month's indictment in federal court of an ex-consultant at Fannie Mae for allegedly planting a logic bomb on the mortgage giant's computer systems last October. Had it not been discovered, the code would have wiped out all 4,000 of the company's servers.
These cases illustrate the need to have monitoring and controls in place, along with an education program that teaches employees about the insider threat as part of an information security awareness program.
The growing number of employers handing out pink slips doesn't help quell the threat, with a record number of people on the unemployment lines and others still at work worried about their own positions. "We're going to see some insider events where insiders are tempted enough by money to enable these compromises to take place from outsiders, allowing access to payment data and account information," predicts Mike Urban, Senior Director of Fraud Solutions at Fair Isaac.
Urban, who has more than 14 years of experience in electronic funds transfer and fraud resolution in the industry, says all institutions should review their strength against an insider threat. "When should institutions be concerned about insider threat?" he says. "During times before, during and after a merger takes place, or during uncertain times such as the times we're in now."
The areas once thought separate -- financial fraud and information security -- are converging, he notes. "People are laid off, you've got fewer people doing work -- a lot of things that would be normally picked up, or watched or noticed will not be because the person that used to do that isn't there anymore," Urban says. "Even employees who are still at the institution and think they may be laid off begin thinking about what they could take to protect their own future financial wellbeing," he says.
Senior management needs to consider the risks when system mergers take place. "There's a lot of chances for information to be in places it shouldn't be," Urban says, so a high level of awareness needs to be encouraged.
Tips for Fighting the Threat
Organizations also should take a close look at the "Insider Threat Study" by Carnegie Mellon's CERT Program. Randy Trzeciak of CERT's insider threat research program was recently interviewed by Information Security Media Group about the 100 insider cases the study has compiled since 2001 and the highlights of its findings.
The study presents a "big picture" analysis of insider IT sabotage and draws seven general observations from the cases. Another excellent source that Trzeciak recommends institutions follow is the CERT "Common Sense Guide to the Prevention and Detection of the Insider Threat."
Here are 16 practices that CERT says will help provide an institution with defensive measures that could help prevent or detect insider incidents:
1. Consider threats from insiders and business partners in your enterprise-wide risk assessments. This is especially difficult for institutions, as the scope of the "insider" stretches out to service providers and vendors.
2. Clearly document and consistently enforce policies and controls. CERT finds that clear documentation and communication of technical and organizational policies and controls "could have mitigated some of the insider incidents, theft, modification and IT sabotage" in its case library.
3. Institute periodic security awareness training for all employees. Developing a culture of security awareness is only the first step; CERT says employees "also need to be aware that individuals, either inside or outside may try to co-opt them into activities counter to the organization's mission."
4. Monitor and respond to suspicious or disruptive behavior, beginning with the hiring process. This should begin even before an employee is hired, CERT says. Things to look out for include repeated policy violations "that may indicate or escalate into more serious criminal activity."
5. Anticipate and manage negative workplace issues. Institutions should carefully review their processes across pre-employment, employment and termination. Of special note, CERT says, "Contentious employee terminations must be handled with utmost care, as most insider IT sabotage attacks occur following termination."
6. Track and secure the physical environment. Most institutions are already on top of this issue, though CERT's reminder about access attempts is clear. "Access attempts should be logged and regularly audited to identify violations or attempted violations of the physical space and equipment access policies."
7. Implement strict password and account management policies and practices. This is important, CERT says, and "password and account management policies and practices should apply to employees, contractors and business partners."
8. Enforce separation of duties and least privilege. By giving employees only the resources they need to do their jobs, "the possibility that one individual could commit fraud or sabotage without cooperation of another individual within the organization is limited."
9. Consider insider threats in the software development life cycle. While this one won't apply to many institutions that operate systems but don't develop them, they should still scrutinize the development practices of their vendors and core service providers.
10. Use extra caution with system administrators and technical or privileged users. Many institutions already follow CERT's recommendation here through separation of duties or a two-person rule for critical system administrator functions. CERT's insight on this: "Technically adept individuals are more likely to resort to technical means to exact revenge for perceived wrongs."
11. Implement system change controls. In CERT's study of 100 insider incidents, a wide variety relied on unauthorized modifications to the organization's systems -- a strong argument for change controls as a mitigation strategy.
12. Log, monitor and audit employee online actions. CERT's study shows new findings in this area that can help institutions to refine data leakage prevention strategy. One example CERT gives is to monitor an employee's online actions around the time the employee is terminated.
13. Use layered defense against remote attacks. CERT's recommendation rests on the premise that a disgruntled insider who knows on-site activity is monitored will instead try to use remote access. Disabling remote access for terminated employees and retrieving company equipment from them are especially important.
14. Deactivate computer access following termination. This should happen quickly, including all physical locations, networks, systems, applications and data.
15. Implement secure backup and recovery processes. CERT admits that no institution can completely eliminate the risk of insider attack. Preparation and implementation of a secure backup and recovery process is critical.
16. Develop an insider incident response plan. CERT says this could prove challenging, "because the same people assigned to a response team may be among the most likely to think about using their technical skills against the organization." CERT recommends that only those responsible for carrying out the plan need to understand and be trained on its execution.
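Items 12 and 14 above (monitor an employee's online actions around termination; deactivate access promptly afterwards) are both checks that can be run mechanically. The script below is an added example written for this article, not CERT's or the interviewees' code: it reconciles a constructed HR termination feed against a constructed directory export and syslog-style authentication lines, and flags accounts still enabled after termination, successful logins after the termination time, and off-hours logins in the week before termination. The log format, usernames, timestamps and the "business hours" window are all assumptions chosen for illustration.

```python
"""Reconcile an HR termination feed with account state and auth logs.

Constructed sample data; no real systems or people. Three checks:
  * orphaned_accounts             - still enabled after HR says the person left
  * post_termination_logins       - successful logins after the termination time
  * after_hours_before_termination - off-hours logins in the days before leaving
"""
import re
from datetime import datetime, timedelta

# Constructed HR feed: username -> termination time (treated as UTC).
TERMINATIONS = {
    "jdoe": datetime(2009, 2, 13, 17, 0, 0),
    "asmith": datetime(2009, 2, 10, 12, 0, 0),
}

# Constructed directory export: username -> account currently enabled?
ACCOUNTS = {
    "jdoe": True,     # never disabled after termination
    "asmith": False,  # disabled as expected
    "bwong": True,    # current employee
}

# Constructed syslog-style authentication lines (assumed format).
AUTH_LOG = """\
2009-02-12 22:41:07 sshd[4121]: Accepted password for jdoe from 10.1.5.23
2009-02-13 09:12:50 sshd[4199]: Accepted password for bwong from 10.1.5.40
2009-02-11 08:00:00 sshd[4001]: Failed password for asmith from 10.1.5.50
2009-02-14 03:05:11 vpnd[77]: Accepted publickey for jdoe from 203.0.113.9
2009-02-15 10:00:00 sshd[4300]: Accepted password for asmith from 10.1.5.51
2009-02-15 10:00:01 cron[12]: (root) CMD (/usr/sbin/logrotate)
"""

# Date the reconciliation is run (constructed).
AS_OF = datetime(2009, 2, 16, 0, 0, 0)

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+: "
    r"(?P<outcome>Accepted|Failed) \S+ for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_auth_log(text):
    """Turn matching log lines into dicts; lines in other formats are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "outcome": m.group("outcome"),
            "user": m.group("user"),
            "src": m.group("src"),
        })
    return events


def orphaned_accounts(terminations, accounts, now):
    """Usernames still enabled although their termination date has passed."""
    return sorted(u for u, enabled in accounts.items()
                  if enabled and u in terminations and terminations[u] <= now)


def post_termination_logins(events, terminations):
    """Successful logins by a user after that user's termination time."""
    hits = [(e["user"], e["ts"], e["src"]) for e in events
            if e["outcome"] == "Accepted"
            and e["user"] in terminations
            and e["ts"] > terminations[e["user"]]]
    return sorted(hits, key=lambda h: h[1])


def after_hours_before_termination(events, terminations, window_days=7,
                                   day_start=7, day_end=19):
    """Successful logins outside [day_start, day_end) in the window before termination."""
    hits = []
    for e in events:
        term = terminations.get(e["user"])
        if term is None or e["outcome"] != "Accepted":
            continue
        in_window = term - timedelta(days=window_days) <= e["ts"] <= term
        off_hours = not (day_start <= e["ts"].hour < day_end)
        if in_window and off_hours:
            hits.append((e["user"], e["ts"], e["src"]))
    return sorted(hits, key=lambda h: h[1])


if __name__ == "__main__":
    events = parse_auth_log(AUTH_LOG)
    print("enabled after termination:", orphaned_accounts(TERMINATIONS, ACCOUNTS, AS_OF))
    print("logins after termination:", post_termination_logins(events, TERMINATIONS))
    print("off-hours logins before termination:",
          after_hours_before_termination(events, TERMINATIONS))
```

Note the asmith case in the constructed data: the directory says the account is disabled, yet a login succeeded five days after termination, so the directory export alone would have given a clean bill of health. That is why the check reads the authentication logs of the actual systems rather than trusting one central account list, and why a login after the termination time is worth an immediate look even when the account appears disabled.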
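Items 8 and 10 above (separation of duties, and a two-person rule for critical administrator functions) come down to one enforceable property: no single person can carry out a critical change alone. The class below is an added example written for this article, not CERT's or any institution's code. It models a privileged change request that runs only after approval from two distinct holders of an approver role, neither of whom is the requester, and records every accepted and rejected step in an append-only audit trail. The role names, usernames and the sample change are constructed for illustration.

```python
"""Dual control (two-person rule) for a privileged operation.

Constructed example: a change request that cannot execute until two distinct
approvers, neither of them the requester, have signed off.
"""


class DualControlError(Exception):
    """Raised when a step would violate the two-person rule."""


class PrivilegedRequest:
    """A critical change gated behind N distinct, authorized approvals."""

    APPROVER_ROLE = "change-approver"   # assumed role name

    def __init__(self, requester, description, roles, required=2):
        self.requester = requester
        self.description = description
        self.roles = roles               # username -> set of roles (constructed directory)
        self.required = required
        self.approvals = []
        self.audit = []                  # append-only: (who, what)
        self._log(requester, "requested: " + description)

    def _log(self, who, what):
        self.audit.append((who, what))

    def approve(self, approver):
        """Record an approval, refusing self-approval, unauthorized or duplicate approvers."""
        if approver == self.requester:
            self._log(approver, "rejected: self-approval")
            raise DualControlError("requester may not approve their own request")
        if self.APPROVER_ROLE not in self.roles.get(approver, set()):
            self._log(approver, "rejected: lacks role")
            raise DualControlError(approver + " does not hold the approver role")
        if approver in self.approvals:
            self._log(approver, "rejected: duplicate approval")
            raise DualControlError(approver + " has already approved")
        self.approvals.append(approver)
        self._log(approver, "approved")

    def ready(self):
        return len(self.approvals) >= self.required

    def execute(self, action):
        """Run the change only once enough distinct approvals exist."""
        if not self.ready():
            self._log(self.requester, "execution denied: %d of %d approvals"
                      % (len(self.approvals), self.required))
            raise DualControlError("insufficient approvals")
        self._log(self.requester, "executed")
        return action()


def scenario():
    """Walk a constructed request through a sequence of steps; return (request, outcomes)."""
    roles = {
        "carol": {"sysadmin"},                      # requester, no approver role
        "alice": {"change-approver"},
        "bob": {"change-approver", "sysadmin"},
    }
    req = PrivilegedRequest("carol", "disable auditd on prod-db-01", roles)
    steps = [("approve", "carol"),   # self-approval: denied
             ("approve", "alice"),   # first approval: ok
             ("execute", None),      # only one approval: denied
             ("approve", "alice"),   # same person twice: denied
             ("approve", "bob"),     # second distinct approver: ok
             ("execute", None)]      # now permitted
    outcomes = []
    for kind, who in steps:
        try:
            if kind == "approve":
                req.approve(who)
                outcomes.append("ok")
            else:
                outcomes.append(req.execute(lambda: "done"))
        except DualControlError:
            outcomes.append("denied")
    return req, outcomes


if __name__ == "__main__":
    request, results = scenario()
    print(results)
    for who, what in request.audit:
        print(who, "-", what)
```

The audit trail is the part an investigator will want: it captures not only who approved, but who tried to approve themselves or to execute early. In a real deployment the trail would be written to a log store the requester cannot alter, since item 10 warns that the most capable insiders are exactly the administrators who could otherwise edit it.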