Incorrect Insider Threat Perceptions

Search my blog for "insider threat" and you'll find plenty of previous posts. I wanted to include this post in my earlier holiday reading article, but I figured it was important enough to stand alone. I'm donning my flameproof suit for this one.

The cover story for the December 2006 Information Security magazine, Protect What's Precious by Marcia Savage, clued me into what's wrong with security management and their perceptions. This is how the article starts:

As IT director at a small manufacturer of specialized yacht equipment, Michael Bartlett worries about protecting the firm's intellectual property from outsiders. But increasingly, he's anxious about the threat posed by trusted insiders.

His agenda for 2007 is straightforward: beef up internal security.

"So far, we've been concentrating on the perimeter and the firewall, and protecting ourselves from the outside world," says Bartlett of Quantum Marine Engineering of Florida. "As the company is growing, we need to take better steps to protect our data inside."

Bartlett voices a common concern for many readers who participated in Information Security's 2007 Priorities Survey. For years, organizations' security efforts focused on shoring up network perimeters. These days, the focus has expanded to protecting sensitive corporate data from insiders--trusted employees and business partners--who might either maliciously steal or inadvertently leak information.

That sounds reasonable. As I see it, however, this shift to focus on the "inside threat" risks missing threats that are far more abundant.

First things first. The inside threat is not new. Check out the lead line from a security story:

You've heard it time and time again: Insiders constitute the greatest threat to your organization's security. But what can you do about it?

That's the lead from a July 2000 Information Security article called "Managing the Threat from Within".

Let's think about this for a moment. InfoSecMag in Dec 2006 mentioned that "organizations' security efforts focused on shoring up network perimeters," so turning inwards seems like a good idea. Wasn't looking inwards a good idea already in 2000? I'm probably not communicating my point very well, so here is another excerpt from the same Dec 2006 article:

Glen Carson, information security officer for California's Victim Compensation and Government Claims Board, says the problem stems more from a lack of user education than poor authentication.

His priority is education: explaining to the 350 users in his agency why data security is important and how it will help them in the long run.

"We recently completed a third-party security assessment and got a good test of our exterior shell, but internally our controls were lacking," he says.

I wonder if that "good test of our exterior shell" included client-side exploitation? I doubt it. Do you see where I am going?

Here's one other excerpt.

Mass-mailing worms may have gone the way of the boot-sector virus, but that does mean security managers don't have malware on their radar...

Yet there hasn't been a major outbreak since the Sasser worm in 2004, so what's all the fuss? Security managers will tell you that the lack of activity says a lot about the maturation of prevention technologies, advances in automated patch management tools, effectiveness of user awareness campaigns, and overall layered defense strategies.

Ok, are you laughing now? The reason why we're not seeing massive worms is that there's no money to be made in it. Everything is targeted these days. Even InfoSecMag admits it:

It's no secret that hacker motivations have changed from notoriety to money. Many of today's worms carry key-logging trojans that make off with your company's most precious assets. Attacks are targeted, often facilitated by insiders. Rather than relying on social engineering to move infected email attachments from network to network, hackers are exploiting holes in browsers, using Javascript attacks to hijack Web sessions and steal data.

Exactly (minus the "facilitated by insiders" part -- says who, and why bother when remote client-side attacks are so easy?)

Here's my point: why are security managers so worried about Eva the Engineer or Stan the Secretary when Renfro the Romanian is stealing data right now? I read somewhere (I can't cite it now) that something like 70 million hosts on the Internet may be under illegitimate control. It may make sense to speak more of the number of hosts not compromised instead of those that are compromised. In 2004 the authors of the great book Rootkit claimed all of the Fortune 500 was 0wned. Why do we think it's any different now?

It's possible that taking steps to control trusted insiders will also slow down outsiders who have gained a foothold inside the enterprise. However, I don't see too many people clamping down on privileged users, and guess who powerful outsiders will be acting as when they compromise a site?

Of course we should care about insiders, and the insider threat is the only threat you can control. Outsiders are far more likely to cause an incident because, especially with the rise of client-side attacks, they are constantly interacting with your users. The larger the number of users you support, the greater the number of targets an outsider can exploit. Sure, more employees means more insider threats, but let's put this in perspective!

The fact that you offer a minimal external Internet profile does not mean you're "safe" from outsiders and that you can now shift to inside threats. The outsiders are deadlier now than they've ever been. They are in your networks and acting quietly to preserve their positions. Give Eva and Stan a break and don't forget Renfro. He's already in your company.


Anonymous said…
The reason that there is not too much clamping down on privileged users is probably that it is much harder to do, and leads to the same problems as network security does in terms of interoperability, due to a band-aid fix mentality. Why else would only a handful of about a thousand security vendors address the insider threat?

A solution that impedes business data flow, such as disallowing USB thumb drives, trades one problem for another, and is the reason for user resistance. A proper solution would allow USB keys usage for unclassified data, but not sensitive data. Same for other devices.

Dan Verton wrote in his book "The Insider":

“…from the insider threat perspective the age-old security equation of:


may need to be adjusted, placing a heavier weighting on technology. The insider threat is one area of security where people, process and policy have rarely, if ever, proven to be an effective deterrent.”

The author goes on to say that “technology will necessarily become a corporation’s “insurance” against the inevitable: the failure of the people, policy and process security equation”.
Anonymous said…
Hey, why does Renfro get a pass?

But seriously, what do you think about looking at it from the potential damage of insiders versus outsiders?

I mean an insider, if they're planning to remain inside, often has a long-term "bleed" attack style, while the outsider is far less likely to know how to manage this properly. There is the threat of catastrophe or cut and run, but I think the likelihood is lower if basic precautions are taken and warning signs observed. From that perspective, those who worry about insiders are often the same people who worry about operational efficiency and accuracy. Those who worry about outsiders are often those who are most concerned with reputation or profile.

So the in/out dichotomy doesn't need to be answered as though it is mutually exclusive, but rather from within a system of risk management tailored to the business.
Unknown said…
Nice post, Richard. I'm glad you left this to be on its own.

We *should* be angry about the lack of attention to the insider threat, and the warped view of it when people do look at it. Insider threats are older than technology. Technology just lets them be more efficient, just like technology makes business more efficient.

Technology is not a cure for the insider threat. Too often technology is a crutch that poor mgmt leans on to somehow enforce ethics and prevent insider threats. We can help limit the attack footprint of the insider, but we can't really prevent threats. We can track and audit the insider threat, but it is difficult to actually stop his/her attack.

Sadly, as much as IT can get away with protecting against external threats and those subsequent attacks, turning an eye inwards makes people uneasy, like they're automatically distrusting their own people. Also, security measures tend to be intrusive to privacy and impeding to the business. This is still unsettling to mgmt and makes them feel like IT/security impedes business instead of protecting it.

Of course, you could just focus on making all of your employees so terribly happy that you don't have to worry as much about the insider threat. You can give them all the allowances that technology can give (like instead of removing local admin rights, give it to them and let them be happy on the box...which, curiously, can improve productivity...happy=productive). Definitely organization-specific in how you deal with the threat.
Anonymous said…

Your happy camper theory is nice, in theory.

Even happy employees can be compromised though, by blackmail, money for gambling or addiction. What if your sysadmin's family is kidnapped and he is coerced into handing over mission critical secrets? Also, everyone has a price where they can be bought it seems.

Read the quote in my comment above by Dan Verton, about people, policy and process rarely acting as a deterrent against desperate or vengeful employees. How do you protect against an employee whose goal is to bring the company down? Auditing after the fact will be too late if he dumps the data.

I come at this from a different position than you. I am with a vendor whose product converts commercial discretionary access control systems into multilevel/trusted security systems that can protect down to a single file.

It can be transparent to users and does not interfere with data flow. Users only need to have access to data to do their work, and no more. They can play at home. You should see how productivity goes up if you take away access to distractions.

Ignoring the threats can actually be threatening the very existence of the business entity. Stats show that a major breach often leads to the demise of small or even medium businesses, and it does not matter whether it is insider or external source.

If you can not be 100% sure that you can trust all employees, then you must be able to trust the system or data.
Gary said…
Hi Richard.

I think you're providing a false dichotomy. Organizations need to secure not against either the inside or outside threats, but both. Focusing all their efforts on the corporate firewall neglects a substantial part of the total risk, just as concentrating solely on wayward employees would do.

In my experience, the insider threat has been underappreciated for a long time and continues to be widely ignored, partly because "we trust our people" (as if that answers anything!) and partly because doing anything about it is hard, especially for out-and-out technologists. Effective security awareness programs require communications and motivational skills beyond the average Info Sec Pro's capabilities.

Have you read the stuff coming out of the Jericho Forum? They are taking the line that these days the corporate firewall is so much like Swiss cheese anyway that we might as well forget about it as a defensive structure and concentrate on securing the applications and servers sitting on the LAN.

Nice piece anyway. Thanks for the stimulation and best wishes for 2007.

Unknown said…
@rob: You're right, I hadn't meant to imply you can out-nice your employees and be safe. I think I exaggerated to make my point. :) Of note, I'm the opposite. Take away my distractions (I am an adult, or so it looks anyway, and can behave on my own) and I'll be less happy and less productive. At any rate, this is why security is such a varied industry. Every org and everyone is different, and few solve similar problems in the same ways.

Also, I'd rather just write off workstations as indefensible anymore. :)