Why we can’t stop malicious insiders

Security experts have been saying for years that insiders — malicious, careless or simply unaware — are a greater threat to organizations, both public and private, than hackers.

And the world got another illustration in support of that argument last week when the most famous whistleblower of the moment, Edward Snowden, admitted he had leaked top-secret documents about the National Security Agency’s (NSA) surveillance —both telephone and online —of American citizens to The Guardian and The Washington Post.

Snowden was technically not an NSA insider. The former CIA technical assistant was working for Booz Allen Hamilton as an infrastructure analyst for the NSA (Since admitting he was the source of the leaks, he has been fired). But, he had insider privileges, which is essentially all that matters.

[Related: NSA can access data without court approval, claims Snowden]

And that raises again the question of whether organizations should put more effort into securing themselves internally than in fighting to keep out malicious attackers. But it also raises the question of whether extra effort is even worth it, since neither training nor technology can stop every insider threat.

Snowden said in a video interview with The Guardianthat his level of privileges meant that, “I, sitting at my desk, certainly had the authorities to wiretap anyone, from you or your accountant, to a federal judge or even the president, if I had a personal e-mail.”

And even if he is extradited from Hong Kong and prosecuted, whatever damage has been done by exposing government secrets isn’t going to be undone.

There is no universal agreement on the level of the insider threat, even though the Snowden case has received international attention. According to Verizon’s 2013 Data Breach Investigations Report, insiders were responsible for only 14 percent of confirmed data breaches. “Our findings consistently show that external actors rule,” the report said.

But other experts say the key word there is “confirmed.” Gary McGraw, CTO of Cigital, said he suspects a majority of data breaches are never announced.

“I wouldnt be surprised if they (insider breaches) are understated.”

Mike DuBose, a former Justice Department official who led the agency’s efforts on trade-secret theft and who is now the head of the cyber investigations unit at the risk-management firm Kroll Advisory Solutions, told Brian Fung of National Journal that, “Amidst all the concern and discussion over foreign hacking, what gets lost is the fact that the vast majority of serious breaches involving trade secrets or other proprietary or classified information are still being committed by insiders.”

[NSA surveillance controversy: Much ado about nothing new?]

McGraw noted that the power of insiders is demonstrated by the fact that the goal of hackers is to become insiders.

And the impact of insider breaches is more significant than frequency, said Carson Sweet, CEO of CloudPassage.

“While there may be a lower frequency of inside jobs, the impact that an authorized insider can wreak is typically far greater, and can happen over a longer period, than that of an outsider,” he said. “Having an employee go rogue —especially one in a privileged position —can turn catastrophic very quickly.”

But it is simply not possible to stop all insider attacks or breaches, experts say.

“Nothing is perfect,” said Bruce Schneier, chief security technology officer at BT and author/security guru. “Because something bad happened doesn’t mean something went wrong.”

Schneier noted that there are thousands of other people like Snowden — government contractors who have top-secret security clearances. Indeed, The Daily Beast’s Laura Colarusso reported that a required report from the president to Congress showed that as of October 2012, about 1.4 million people had top-secret security clearances, and more than 480,000 of them were government contractors.

“It’s amazing that it works as well as it does,” Schneier said.”If it wasn’t working, there would be a leak like this once a month. The reality is that most people are trustworthy most of the time.”

Still, there is a role for technology in combating insider threats, malicious and otherwise. McGraw, Sweet and Schneier all say every organization should “compartmentalize,” so nobody has privileges everywhere.

“You don’t give anyone a key to every room in the office,” Schneier said. “You limit the trust you put in people.”

“How would it feel to walk in the front door of your bank — the firewall — and see all the money, documents, etc. piled in the middle of the room?'” asked Sweet. “Assets need to be compartmentalized, like a bank has tellers behind high counters, safe deposit boxes and vaults.”

“In accounting, you have double-entry bookkeeping,” McGraw said. “You have debits and credits in different books, and you have to balance the books. You have processes set up in banks so one person doesn’t have all the power, so you limit the damage that any one person can do.”

McGraw, who has been an outspoken evangelist for “building security in” to cyber infrastructure, rather than trying to “bolt it on after the fact,” said those designing systems for security should ask themselves what would happen, “if any part of a system was controlled by a bad guy.”

Sweet said cloud and virtualization technologies, especially dynamically automated control systems, “make dynamic compartmentalization of internal resources a hands-off process. Companies and agencies need to start using these technologies. They can ‘see’ when something bad is going on, even if it’s for an authorized user.”

The Snowden case is also a reminder that security, on any level, can be improved by rigorous background checks and personality profiling. McGraw said heavier screening of developers and architects is worthwhile, since, “the worst kind of insider would be a rogue developer, who have the ability to create systems that will do anything they want.”

Technology and training can also help protect the organization from workers who are not malicious, but who fall victim to scams like phishing.

“You can do things like virtualizing browsers or mail accounts, so if they click on something, you can see that its not kosher,” McGraw said. “But you need to understand that they are going to get phished.”

Sweet said companies should, “hit their employees constantly with company-managed phishing attacks. This is a service you can pay trustworthy outside providers to do. It keeps the awareness level exceptionally high.”

Schneier added that things like one-time passwords can help protect against employee vulnerabilities.

But nothing is foolproof.

“These are all tricks around the edges,” Schneier said. There is no panacea. There will always be exceptions. You are never going to catch everything.”