Any employee with access to sensitive data is a potential threat, whether they know it or not. Even if they don't have malicious intentions, the inherent nature of their privilege is what makes them so dangerous.
Vormetric recently published its 2013 Insider Threat Report exploring the very nature of these dangers while also tallying the results of a survey it conducted over two weeks in August of this year. The numbers, which were tabulated in September, indicated the responses from 707 IT professionals to questions regarding insider threats and they choose to combat them. Needless to say, the pervasive theme of the survey results was that insider threats are a very serious concern to just about everyone.
The respondents were likely fearful, at least in part, due to what they had been hearing about in headline news about data breaches and insider threats, said Vormetric CEO Alan Kessler. He pointed to recent examples in Bradley Manning and Edward Snowden, adding that many businesses are beginning to see these problems themselves.
Vormetric CSO, Sol Cates, meanwhile, said that enterprises are concerned about insider threats because they are realizing that beyond an employee going rogue — as was the case with Manning and Snowden — there is the idea of privileged users whose identities are being compromised.
"That's becoming another concern," said Cates, "this idea of unchecked privilege that these companies don't have enough controls around."
The report also indicated what specific types of insiders the respondents perceived to be the biggest threats, with non-technical employees with legitimate access to sensitive data accounting for 51 percent of the vote. Though it may not necessarily seem obvious at first, there are scores of employees that fit the description in question, including employees in HR, who often find themselves needing to interact with personally identifiable information (PII).
"The question is, do you have proper control over how they interact with this information?" asked Kessler. "But the technical aspect of controlling this kind of access is very hard, especially if you're trying to retrofit older systems."
Cates added that executives also fit the bill here, as their jobs are not technical in nature, but they often need access to sensitive information in order to do their job.
"That's the whole point of data and information, to make it usable." said Cates. He did, however, have one suggestion for mitigating such a threat.
"Education and empowerment of the business user is a good way to counteract this problem," he said.
With insider threats posing such a significant problem, another obvious solution would be to conduct thorough background checks on potential employees before they are hired to determine whether or not they can be trusted (or whether or not they are a liability). While Cates maintains that this is a common procedure these days, the tricky part is limiting those employees' exposure to sensitive data while still allowing them to do their jobs and administrative functions.
"There are tools that blind operators to sensitive information," said Cates. "Businesses have ways to never expose certain employees to the information in their systems."
Surprisingly, however, the very employees who should be trusted to manage these systems and protect the data within them are the ones that present the most risk. The report indicated that 34 percent of security professionals said that IT administrators were one of the biggest threats to their organizations. That said, it's not always an individual or an actual person that presents the risk, said Cates. The inherent risk is their privilege.
"You can watch what [IT administrators] are doing, but they get to make these decisions," said Cates. "They authenticate, oversee data flow, and determine what apps your company is interacting with."
So from a control perspective, businesses need to determine, can they or do they need to look at sensitive information in order to do their jobs? One possible solution here, said Cates, is to audit what your IT administrators are trying to do.
"It's important to understand what they're doing with your info, because they're the ones protecting it," said Cates. "You need to manage the privilege, not the user."
It would appear that that's what many businesses are trying to do. The survey results indicated that 31 percent of respondents rated "network security tools" as the most important protection against insider attacks. Kessler explained that this could include anything from firewalls to intrusion detection/protection services (IDS/IPS) to network-based malware detection solutions. This is, of course, because a lot of the time malware is targeting specific users based on their privileges.
Kessler agreed that the gatekeepers and their privileges need to be monitored, using the postal service as a metaphor. They manage and deliver your mail, but they have no right or need to see what's inside. "Here, it's the same thing," he said. "We're limiting their ability to see data but still allowing them to do their job."
Employees aren't always in the office though, so what about insiders who find themselves frequently working on the road? The use of mobile devices and connecting to company networks from remote locations pose inherent risks, both of which were addressed in the report. To put the concern into perspective, 49 percent and 41 percent of respondents said that their organizations' data was most vulnerable on a desktop/laptop or mobile device, respectively.
Cates went beyond the statistic, however, and clarified what the numbers meant by reading between the lines. Unless companies have enabled special privileges on these devices, he said, they are nothing more than vectors to information. So the real risk isn't localized, but there is still concern about where they could lead.
"The actual amount of data or records being stolen from these devices is fairly minimal," he said. "They're just a way to get into data centers. But there is a lot of risk on those endpoints."
Employees accessing their company's network or files remotely, said the Vormetric report, is a situation in which businesses need to take user context into consideration. A CEO, for example, should have complete access to all data when he or she is connected via the corporate LAN, but not when accessing the files remotely from an internet café. Current, typical measures for remote access are often not sufficient in this sense, said Cates.
"As it stands now, VPN is not strong enough. Things can be spoofed," said Cates. "You need better monitoring of database access and activity. In the future, there's going to be some innovation where you can get more info about whether where you're coming from is safe."
The report also suggested that a viable approach to fighting insider threats is pervasive coverage. While this may raise concerns about whether or not this creates more work for security teams, Cates argues that this isn't the case.
Cates suggested implementing controls so that access is on a "need to know only" basis. Organizations can take privileged access away and use methods like keystroke tracking and heavy auditing to protect their data. By taking a policy approach to data access and reducing total ownership, he said, Vormetric's idea of pervasive coverage doesn't actually take more time or work since it reduces what teams need to focus on.
"You want to make it so the only way to your information is through the front doors," said Cates. "Now I only have to watch the front doors. My time is more focused."
Kessler also talked about de-perimeterization and, more specifically, situational awareness when approaching security. While there are some solutions that are focused and tactical, he said, they are often expensive and require training. Rather, teams should focus on the prevention and reaction aspect of security and try to reduce reaction times when dealing with a threat.
"Yes, there are expensive options, but you can always start off by just collecting information [about threats] for faster response times," said Kessler. "Boil up your data to discoverable problems and actions, and that way folks can get to the bottom of issues quicker.
"Reduce your attack surface with preventative measures, and then solve problems quicker with your reaction."