Car wrecks and “The Insider Threat”

Ok – so the title of this entry seems a bit counterintuitive… but stay with me on this.

I was involved in a car accident about two weeks ago.  Someone sailed through a stop sign and hit me as I was making a left turn — and I have the almost totaled car, a police report, and about a gazillion solicitation letters from various lawyers to prove it.

So (you ask yourself), what in the world does this have to do with security?  Well, nothing really.  But I think that it can serve as a ‘life lesson’ in which a few things can be abstracted and applied.  A company can be seen as a microcosm of a city.  Everyone is bustling around just trying to get through the day.  They have tasks on their lists that they seek to check off.  They utilize computer systems as a means to an end; the same way we use transportation systems as a means to an end.

In both scenarios, there is the inherent possibility of good people making simple mistakes.  These mistakes have consequences.  With the transportation system, it can lead to accidents.  With corporate computer systems, it can lead to a compromise of data.  Whereas, in the physical world, someone may be negligent and run a stop sign, in the corporate world, someone may forget to lock their workstation or may ‘innocently’ email sensitive documents to their home email address so that they can catch up on work — a car wreck on the Information Superhighway

In the end, we must realize that people, humans, are destined to make mistakes.  Thus, when we consider the “insider threat,” we must realize that the insider threat is not limited to intentional malicious activity – most people just want to do their job and go home.  The insider threat must also include simple human nature – the stupid little mistakes that people make each and every day.  Most of the time these little mistakes are innocuous; but sometimes cars get wrecked, data gets lost, or systems get compromised.

So, how do we address the ‘negligent insider?’  As with most security initiatives, you should take a layered approach.  In this case, I suggest that you start by examining your corporate culture.  Can you raise the cultural awareness around security issues?  Probably so; that’s what training and awareness is all about.  The other thing you should include is technical controls.  This like password protected screensavers that activate after 10 minutes of inactivity.  Role Based Access Control methodologies can also help by ensuring that people cannot access data that is outside their scope of duty.  In addition, I suggest looking at data loss prevention (a.k.a. content filtering) technologies from vendors like Vontu, Vericept, Oakley Networks, Tablus, and Reconnex.

In the end, we are all flawed creatures who are bound to make mistakes.  Our job, as security professionals, is to help curtail these mistakes.  Training & awareness plus a liberal dose of technical controls are the 1st place to start.