2011 SC Magazine Insider Threat Keynote

Managing Data Against Insider Threats

Dr. John D. Johnson, CISSP

Insider Threat

§  The insider is anyone who has been authorized to access internal systems. They originate on internal systems or are permitted special access across the perimeter (i.e. remote access)

§  The insider threat is not new; however, technology can allow greater access, at a distance, to sensitive data, with potentially less effort and less accountability

§  The threat exists for insiders to exploit their authorized access, attack or misuse information systems

Defining The Problem

§  Intentional: Economic or Malicious motivations

§  Hacking and Malware

§  Security Avoidance: Rules not aligned with business objectives

§  Mistakes: Insiders try to follow rules

§  Ignorance: Insiders don’t know rules

Economic Factors

§  Economic factors may motivate individuals to do things they otherwise wouldn’t do

§  The economy is just one example of external factors that may drive up incidents

§  The economy may reduce security budgets, which may lead to weakened security controls and measures

§  Companies that empower their employees and keep them informed may have fewer data breaches

Global, Legal & Cultural Factors

§  Many gaps in security practices are exposed when a company expands into new markets/countries

§  Data must be managed according to laws in the country in which it resides

§  Not all cultures have the same standards when dealing with intellectual property

§  The reality of how data is treated in different countries and by different cultures may necessitate new controls and measures

Data Breaches

§  According to the Verizon 2009 Data Breach Investigations Report, 285 million records were compromised in 2008.

§  All industries suffer from data breaches, although threat vectors may vary significantly

§  The growth of financial services companies, and advances in technology put larger sets of personal data at risk

§  Historical data shows external hacking, malware or theft (i.e. data tape or laptop) accounts for approximately 80% of data breaches, while the insider threat remains around 20%

§  In 2008, nearly all records were compromised from online sources

§  Approximately 30% of data breaches implicated business partners

Source: Verizon 2009 Data Breach Investigations Report, http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf

Protecting The Data

§  Proactive vs. Reactive Responses

§  Learn from Past Incidents

§  Encryption

§  Access Controls & Monitoring

§  Segmentation

§  Education

Process Improvements

§  People
    §  Pay attention to employee morale, work closely with HR
    §  Provide security awareness & education that is targeted and measured

§  Processes
    §  Implement processes for managing employee privileges as their role changes
    §  Review rights quarterly or annually
    §  Keep concise security policies updated and published for easy access

Technology

§  You can’t eliminate all risk, so you need to identify tools that will best address the insider threat based on past incidents at your company

§  Risk management helps identify where security dollars are best spent

§  Protecting data at rest and in motion is important, and this works best if you can identify the data you want to protect up front

§  Most tools exist to keep honest people honest

Survey of Tools

§  Data Loss Prevention

§  Identity Management

§  Centralized Security Logging/Reporting

§  Security Event Management

§  Web Authentication

§  Intrusion Detection/Prevention Systems

§  Network Access Controls

§  Encryption

The Security Budget

§  As the economy and other factors drive up the threat, the security budget needs to be maintained

§  Security dollars should be spent where they can have the greatest impact

§  Significant results can be had by starting with simple, low cost solutions that target “low-hanging fruit”

§  Remember the principle of security in-depth

Measuring Success

§  Develop consistent and meaningful metrics for measuring the efficacy of your security controls

§  Develop executive dashboards and favor tools that provide real-time access to data and reporting

§  Review security processes periodically to ensure they are achieving stated goals, as legal, cultural and corporate requirements may change

Conclusion

§  While the insider threat has always existed, technology magnifies the problem

§  It is too late to react when a data breach makes your company front-page news; be proactive

§  Detecting insider attacks requires layered solutions that leverage people, processes and tools

§  Don’t undervalue the impact of user education

§  The most expensive solution is not always the best solution!