The Enemy Inside

A realistic approach to prioritizing actions to prevent privileged user or insider security threats.

For many years external security threats received more attention than internal security threats, but the focus has changed. While viruses, worms, Trojans and DoS are serious, attacks perpetrated by people with trusted insider status—employees, ex-employees, contractors and business partners—pose a far greater threat to organizations in terms of potential cost per occurrence and total potential cost than attacks mounted from outside.

The reason insider attacks "hurt" disproportionately is that insiders can and will take advantage of two important rights: trust and physical access.

In general, users and computers accessing resources on the company's local area network (LAN) are deemed trusted. In practice, we do not severely restrict their activities, that is, revoke that trust, because controlling trusted users too closely impedes the free flow of business.

And, obviously, once an attacker has physical control of an asset, that asset can no longer be protected from the attacker.

What Motivates the Internal Attacker?

Internal attackers "perpetrate harm" for a number of reasons.

  • Challenge/Curiosity: Many internal attackers don't think of their acts as "attacks" at all. They see the act instead as a challenge that combines patience, skill and a mix of tactical and strategic thinking. Common examples include breaking into e-mail or IM accounts, accessing sensitive data assets (e.g., salary or financial data) or conducting ad hoc penetration tests.
  • Revenge: Internal attackers motivated by revenge have negative feelings directed not simply toward the company, but also toward a particular individual within it. These attackers can be particularly dangerous because they are patient and targeted. In this category, the attacker is commonly a former employee who feels he or she has been wrongfully terminated.
  • Revenge: Internal attackers motivated by revenge have negative feelings directed not simply to the company, but also toward a particular individual within that company. These attackers can be particularly dangerous because they are patient and targeted. In this category, it is common for the attackers to be a former employee who feels he/she has been wrongfully terminated.
  • Financial gain: Internal attackers motivated by financial gain steal confidential information for a third party.

What's the Inside Attacker Profile?

The United States Secret Service and the Carnegie Mellon University Software Engineering Institute's CERT Coordination Center published an insider threats study report in 2005 which offered critical insights into the mind and motivation of the "inside attacker." According to the statistics gathered, the inside attacker is usually:

  • Male
  • 17-60 years old
  • Holds a technical position (86 percent chance)
  • May or may not be married (50/50 chance)
  • Racially and ethnically diverse

Sufficiently broad pool? Absolutely. Here are some additional statistics, again from the same CERT study:

  • In 92 percent of the incidents investigated, revenge was the primary motivator.
  • Sixty-two percent of the attacks were planned in advance.
  • Fifty-seven percent of the attackers surveyed would consider themselves "disgruntled."
  • Eighty percent exhibited suspicious or disruptive behavior to their colleagues or supervisors before the attack.
  • Only 43 percent had authorized access (by policy, not necessarily via system control).
  • Sixty-four percent used remote access to carry out the attack.
  • Most incidents required little technical sophistication.

What Are Some Common Attacks?

  • Sabotage of information or systems: This category includes physical destruction of network cabling or computing devices, or disabling of electrical or other environmental control.
  • Theft of information or computing assets: This category covers theft of anything from digitally stored information (customer credit card data, company-critical financial data, internal product engineering plans) to physical devices.
  • Introduction of bad code: "Bad code" may include time bombs (software programmed to damage a system on a certain date) or logic bombs (software programmed to damage a system under certain conditions).
  • Viruses: The most significant internal threat here is the "ignorant" employee who double-clicks an e-mail attachment and activates a virus, but results from a number of insider-attack surveys show that viruses may also be deliberately exploited by hostile employees.
  • Installation of unauthorized software or hardware: Common attacks include the installation of Trojans by privileged users.
  • Manipulation of protocol design flaws: Protocol weaknesses in TCP/IP can result in a virtual treasure trove of problems, for example DNS spoofing, TCP sequence-number attacks, hijacked sessions, authentication session or transaction replay, denial of service and TCP SYN flooding.
  • Manipulation of operating system design flaws: We all know the drill. Operating systems such as Windows and Linux were not designed to be highly secure. Privileged users in particular have easy access to information about which vulnerabilities exist and which have been patched. With read and administrative access, privileged users can manipulate these design flaws and exercise native vulnerabilities.
  • Social engineering: Attackers may use e-mail, IM or the telephone to impersonate employees and administrators in order to obtain usernames, passwords or escalated privileges to information or systems, as well as to get Trojan horse programs executed.

Where Should You Begin to Address the Problem?

As a pragmatist, my recommendation is to start addressing the problem whose mitigation offers me the most "bang for the buck." That problem is that of the "privileged user."

Users who have been delegated absolute control are called privileged. In the real world, we generally refer to privileged users as "administrators," "super users" or "special." Here are some simple facts about privileged users, referred to below as administrators:

  1. Human beings do dumb things, inadvertent things and sometimes even deliberately bad things.
  2. Administrators are human beings.
  3. Administrators, as human beings, will likewise do dumb, inadvertent or potentially bad things as well.

Why do these simple realities matter? Your administrators have the "keys to the kingdom," literally. Dumb, inadvertent or deliberately bad acts can have potentially dreadful impacts within the business environment powered by the IT infrastructure. If you have doubts, just look at the statistics: Internal attacks cost U.S. business $400 billion per year, according to a national fraud survey conducted by The Association of Certified Fraud Examiners, and of that, $348 billion can be tied directly to privileged users. Put another way, the same survey shows U.S. businesses lose 6 percent of their gross annual revenue to internal attacks, again with the vast bulk of that at the hands of privileged users.

Staggering, indeed: A small group of individuals perpetrate the maximum damage. Unfortunately, the problem with managing this threat effectively is that traditional and foundational security concepts—particularly that of the "principle of least privilege"—are ineffective. In computing, the principle of least privilege holds that a user is given the minimum possible privileges necessary to permit an action, thereby reducing the risk that excessive actions will negatively affect the system. In the real world, "operationalizing" this principle would mean that you are reducing the ability for IT administrators to do their jobs quickly and effectively.

Below, I have taken a nontraditional (a.k.a. realistic) approach to prioritizing the "things you should do" to address the privileged user/insider threat:

1. Log and Audit. Cyber-security is akin to playing the "whack-a-mole" game. Every time you identify a potential issue, another one pops up. Privileged user monitoring and audit (PUMA) solutions make it possible for an organization to continuously log and monitor how and why this class of user is using or abusing that privilege. With appropriate policies in place, it is then possible to identify and investigate inappropriate activities and process failures. As part of this process, it is critical that the organization collect and retain log data for use in investigations. It's not a question of if, but when.

2. Manage Accounts. Insiders have an opportunity to circumvent traditional security controls because they have trust and physical access. It is therefore critical that those users with the most unfettered access to systems and data be made "accountable." Properly instituted account management policies and technologies make it possible to audit the individual, and not just the network noise. It is critical, as part of this program, that computer access is deactivated following termination. While this may appear to be a simplistic recommendation, it is often overlooked.

3. Defend against Remote Attacks. Most attacks by insiders are perpetrated remotely. Layered defenses, which include monitoring and logging of all remote activities, are essential to reducing the risk of insider attack.

4. Defend against Malicious Code. A common type of insider attack that can be executed by privileged users is the installation of malicious code or the use of logic bombs on the system or network.

5. Monitor for and Respond to Disruptive Behavior. Having exhibited disruptive behavior is one of the key traits of an inside attacker. Therefore, in addition to continuous monitoring of network-based actions, organizations should institute formal procedures to respond to suspicious or disruptive behavior by employees in the workplace. Effective procedures make it more likely that employees will report disruptive or suspicious behavior when they observe it in coworkers, and that management will respond effectively.
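As an added illustration of controls 1 through 3 (logging and auditing privileged actions, deactivating access after termination, and monitoring remote activity), not code from the original article: a small reconciliation of a constructed privileged-action audit log against a constructed HR roster. The log format, account names, addresses and business hours are all assumptions.

```python
# Added example (not from the article): reconcile a constructed privileged-user
# audit log against a constructed HR roster. Names, IPs and hours are assumptions.
from datetime import datetime, time

# Constructed HR roster: account -> termination date, or None if still employed.
HR_ROSTER = {
    "alice": None,
    "bob": datetime(2006, 3, 1),   # terminated; account should have been disabled
    "carol": None,
}

# Constructed audit lines: ISO timestamp | account | origin | privileged action
AUDIT_LOG = """\
2006-03-02T09:15:00|alice|local|sudo /usr/sbin/useradd tempsvc
2006-03-02T23:40:00|bob|remote:203.0.113.7|sudo /bin/cp /etc/shadow /tmp/s
2006-03-03T02:05:00|carol|remote:198.51.100.9|sudo /sbin/iptables -F
2006-03-03T10:30:00|carol|local|sudo /usr/bin/apt-get upgrade
2006-03-03T11:00:00|mallory|local|sudo /usr/bin/passwd root
"""

BUSINESS_HOURS = (time(8, 0), time(18, 0))   # assumed local business hours

def parse_line(line):
    ts, user, origin, action = line.split("|", 3)
    return datetime.fromisoformat(ts), user, origin, action

def review(log_text, roster, hours=BUSINESS_HOURS):
    """Return (timestamp, user, reason, action) tuples for two conditions:
    a privileged action by an account HR lists as terminated (or does not list
    at all), and a remote privileged action outside business hours."""
    findings = []
    for line in log_text.splitlines():
        ts, user, origin, action = parse_line(line)
        term = roster.get(user)
        if user not in roster or (term is not None and ts >= term):
            findings.append((ts, user, "terminated-or-unknown-account", action))
        if origin.startswith("remote:") and not (hours[0] <= ts.time() < hours[1]):
            findings.append((ts, user, "remote-after-hours", action))
    return findings

if __name__ == "__main__":
    for ts, user, reason, action in review(AUDIT_LOG, HR_ROSTER):
        print(f"{ts:%Y-%m-%d %H:%M}  {user:8}  {reason:30}  {action}")
```

Each finding is a record to investigate, not a verdict: the terminated-account hit shows an account-management failure (control 2), while the after-hours remote hits are the raw material a PUMA process reviews against policy (controls 1 and 3).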

Bonus Control: Implement Security Awareness ("Neighborhood Watch") Training Programs. The first line of defense from insider threats is other insiders. In fact, according to a recent CERT study, most insider attacks were identified by other insiders. As a general rule, security awareness and training programs should cover all employees and contractors, define why security policies and procedures exist, define how they are enforced and outline what the consequences will be for infractions.

There are three "gotchas" associated with this control. First, the value of awareness programs degrades over time, so effective programs must be REPEATED. Second, it is hard to justify the ROI for training, so these programs are traditionally underfunded. Third, they are often conducted by personnel who lack teaching skills or who have no security knowledge.

In Summary

Theodore Roosevelt once said, "The best executive is one who has sense enough to pick good people to do what he wants done, and self-restraint enough to keep from meddling with them while they do it." While we all know this to be true, we also need to recognize that without control and accountability, our privileged insiders can cause us the greatest harm.

With the ever-increasing reliance on the Internet and connected companies, the lines have disappeared between insiders, outsiders and traditional internal and external boundaries.

The root of internal compliance policies is to protect the rights and interests of the employees, including privileged users, and shareholders. The good news is that reducing the risk of insider attack by privileged users without inhibiting our business operations is possible. It just takes some common sense, a crash course in human psychology and a good dose of technical savvy. Or, in other words, "Speak softly and carry a big stick; you will go far." (Theodore Roosevelt)

Copyright © 2006 IDG Communications, Inc.