One of the most comprehensive guides on the topic is the Common Sense Guide to Mitigating Insider Threats, 4th Edition, published by the CERT program at Carnegie Mellon University. The guide focuses on 19 best practices for mitigating IP theft, IT sabotage, and fraud:
1. Consider threats from insiders and business partners in enterprise-wide risk assessments.
2. Clearly document and consistently enforce policies and controls.
3. Incorporate insider threat awareness into periodic security training for all employees.
4. Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior.
5. Anticipate and manage negative issues in the work environment.
6. Know your assets.
7. Implement strict password and account management policies and practices.
8. Enforce separation of duties and least privilege.
9. Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities.
10. Institute stringent access controls and monitoring policies on privileged users.
11. Institutionalize system change controls.
12. Use a log correlation engine or security information and event management (SIEM) system to log, monitor, and audit employee actions.
13. Monitor and control remote access from all endpoints, including mobile devices.
14. Develop a comprehensive employee termination procedure.
15. Implement secure backup and recovery processes.
16. Develop a formalized insider threat program.
17. Establish a baseline of normal network device behavior.
18. Be especially vigilant regarding social media.
19. Close the doors to unauthorized data exfiltration.
Each of these practices are addressed in the context of six groups within the organization: Human Resources, Legal, Physical Security, Data Owners, Information Technology, and Software Engineering.
CERT’s model places Information Assurance (IA) within the Information Technology function, and assumes that Physical Security is a separate entity. While this does not represent the best arrangement for corporate security governance, it does effectively drive home the point that addressing the insider threat requires a coordinated, multidisciplinary approach.
While organizations with an existing cybersecurity program may have many, or all, of these controls in place, others may find the list overwhelming. Small companies without dedicated security personnel often have too few IT staff to achieve meaningful separation of duties. They may have to place more emphasis on detective controls and monitoring the behaviour of employees with access to sensitive assets.
From a technical controls perspective, the practices highlight the need for an enterprise log analysis capability. A correlation engine or full-blown SIEM can help to to detect unusual behaviour patterns, but despite what some vendors imply in their advertising, the detection capabilities of these systems are highly dependent on correlation rules that customers must create. The absence of industry-wide standards for event log content makes this challenging; even the major security product vendors have yet to agree on a standard. This drives up the cost of SIEM implementations and makes it more likely that important events will not be correlated. The fact that some log analysis and SIEM vendors price their products based on collected log volumes also discourages businesses from centrally collecting all logs.
Fortunately, open-source log management products such Graylog have matured to the point that they are a viable alternative. While it provides only basic alerting capabilities, Graylog simplifies searching and provides a platform on which security correlation tools can be built. Most importantly, from an insider threat perspective, this provides even small business the ability to aggregate logs outside the reach of contractactors and system administrators, and hold them accountable for their actions.
While the practice areas call for the involvement of physical security personnel, they fail to stress the importance of physical security controls in addressing insider threats. Limiting access to server rooms, networking closets, and sensitive paper records is essential. In addition, alarm system and proximity card access system logs should be preserved and reviewed. Events such as employees accessing the office on weekends should be noted, especially when this is unusual behaviour.
Administrative controls, including background checks and, as the practices suggest, addressing suspicious and disruptive behaviour are critical. Many factors can motivate employees to steal from or sabotage their employer.
One or two generations ago, it was common for employees to work with pride for the same company most of their career. While there were obviously exceptions, it was considered normal to join a company and expect to retire there. Today, many large corporations consider employees disposable. Layoffs are initiated not only in response to changing business requirements, but also sometimes as a short-term solution to boost quarterly financial results.
Employers demand loyalty from employees, but many fail to reciprocate. Managers who believe that employees can be motivated by positive performance appraisals without a corresponding pay increase that at least keeps pace with the rate of inflation need to carefully consider their underlying assumptions. While there is never an excuse for employees breaching obligations to employers, it makes little sense to focus on identifying external factors such as gambling, drug, and alcohol abuse while ignoring internal factors that are within the company’s control. Employees who feel valued and respected are less likely to engage in illegal activity against their employer.
It is not possible to completely eliminate internal IP theft, IT sabotage, and fraud. However, with careful planning and a multidisciplinary layered approach, it is possible to effectively address insider threats.
Have a security question you’d like answered in a future column? Email firstname.lastname@example.org
SAMSUNG GALAXY S8 PLUS
The Samsung Galaxy S8 Plus is a beautifully crafted smartphone with nearly no bezel, curvaceous in design and reflects a…
How to: Connect to Exchange Online Using Multi-Factor Authentication
Using PowerShell to manage your Microsoft cloud services like Exchange Online and using multi-factor authentication (MFA) separately is awesome. Using…