Attacks/Breaches
3/12/2012
03:55 PM

10 Best Ways To Stop Insider Attacks

Consider the smartest ways that companies can detect, block, and investigate insiders with malicious motives. The advice comes from CERT and the Secret Service, after a review of hundreds of attacks.


What's the best way to spot and block insider attacks? Start by putting an insider attack prevention program in place.

So said Dawn Cappelli, technical manager at Carnegie Mellon University's CERT Insider Threat Center, speaking last month at the RSA conference in San Francisco. Cappelli is the co-author, with Andrew Moore and Randall Trzeciak, of the just-released The CERT Guide to Insider Threats.

Working with the Secret Service, Cappelli and her colleagues have reviewed hundreds of hacking cases to work out how businesses can block more malicious insiders. Here are her top 10 recommendations for spotting and stopping insider attacks before they get out of hand:

[ Do you employ a hacker? See How To Spot Malicious Insiders Before Data Theft. ]

1. Protect crown jewels first. To put an effective insider-threat program in place, first ask: What's the single most important piece of information in your company? Think the equivalent of the secret recipe for Coke or Gore-Tex. "We've worked with a number of organizations, and they tell us everything is important," said Cappelli. "So we say, what's the one thing that if someone took it to a competitor, or out of the United States, would be worth millions--or billions--of dollars?" Then secure it, preferably not just with encryption, but also by restricting access, as well as logging and monitoring who touches that data.

2. Learn from past attacks. Don't let insider attacks--successful or otherwise--go to waste. "If you experience an attack, you're not alone, but learn from it," said Cappelli. For example, she cited a case of a financial firm that happened to catch an employee who was trying to steal its secret trading algorithms. Seeing a weak point, the security team put new controls in place to explicitly watch for similar types of attacks. Thanks to the improved security, they later caught another employee who was trying to copy the algorithms to his personal email account and an external hard drive.

3. Mitigate trusted business partner threats. Who has access to your business' sensitive information? Although that list will include employees, other "insiders" will be trusted business partners, who might enjoy equal levels of access with less accountability, and opt to take sensitive information with them when they switch to a new employer. "The good news is, if they take it to a competitor in the U.S., there's a good chance that they may report them to law enforcement and they'll get it back," Cappelli said, since most will want nothing to do with trade secrets. The bad news is that one-third of all intellectual property theft cases result in the information being taken outside of the United States, at which point recovering the data becomes unlikely, if not impossible.

4. Make suspect behavior cause for concern. Watch for human-behavior warning signs. Indeed, in reviewing numerous cases of insider theft, Cappelli said that concerning behaviors were the fourth most likely sign that there was an inside-theft issue. "We usually call these people as being 'on the HR radar,'" she said. Accordingly, watch for warning signs, and have a response plan in place for when such signs get spotted.

5. Train employees to resist recruiters. "Many employees who commit fraud are recruited from outside," said Cappelli, and insiders often say that they're not committing a crime, but rather just giving data to someone else, who then commits a crime. Alter such thinking by creating clear, related security policies, and broadcasting the fact that all data access is audited. Via Cappelli, here's sample boilerplate: "If you get caught, we log everything that everyone does here, and the evidence is going to point to you."

6. Beware resignations, terminations. Most insider attacks occur within a narrow window. "The good news about [insider] crime, theft of intellectual property, is that most people who steal it do [so] within 30 days of resignation," said Cappelli. (The exception is fraud, which--as long as the attacker is making money--can continue indefinitely.) In other words, malicious insiders are most likely to strike 30 days before or after they leave. Accordingly, keep a close eye on departing or departed employees, and what they viewed. "Know what your crown jewels are," she said. "If someone resigns who had access to your crown jewels, you need to go back and proactively investigate that."

7. Apply current technology. How can businesses take the technology they already own and use it to spot suspected insider theft? "A lot of people spend a lot of money on tools, on technologies, and most of those tools are focused on keeping people outside of your network," said Cappelli. "What we've found is that you can use those same tools, but differently," to watch for information that may be leaving your network. For example, centralized logging tools can flag signs of data exfiltration, such as a departing insider who in the past 30 days has sent an email larger than a specified size to an address outside the corporate domain.
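The detection that items 6 and 7 describe, as an added example that is not from the article or from CERT: join an HR roster of resignation dates against mail-gateway records and flag messages a departing insider sent to an external address, within 30 days either side of the resignation date, at or above a size threshold. The corporate domain "example.com", the 10 MB threshold, the roster and the log records are all constructed for the example.

```python
"""Flag outbound mail from departing insiders (added example, not from the article).

Assumptions (constructed, not from the article): a mail-gateway log and an
HR roster are available as plain dicts, the corporate domain is
"example.com", the window is 30 days either side of the resignation date
(item 6) and the size threshold is 10 MB (item 7).
"""
from datetime import date, datetime, timedelta

CORP_DOMAIN = "example.com"           # constructed corporate mail domain
WINDOW = timedelta(days=30)           # 30 days before or after resignation
SIZE_THRESHOLD = 10 * 1024 * 1024     # constructed 10 MB threshold

# Constructed HR roster: sender address -> resignation date.
RESIGNATIONS = {
    "alice@example.com": date(2012, 3, 1),
}

# Constructed mail-gateway records: timestamp, sender, recipient, message size.
MAIL_LOG = [
    {"ts": "2012-02-20T09:12:00", "from": "alice@example.com", "to": "alice.home@mail.invalid", "bytes": 52_428_800},
    {"ts": "2012-02-25T17:40:00", "from": "alice@example.com", "to": "bob@example.com",         "bytes": 60_000_000},
    {"ts": "2011-12-01T10:00:00", "from": "alice@example.com", "to": "x@partner.invalid",       "bytes": 90_000_000},
    {"ts": "2012-03-10T08:05:00", "from": "alice@example.com", "to": "recruiter@rival.invalid", "bytes": 12_000_000},
    {"ts": "2012-03-10T08:05:00", "from": "carol@example.com", "to": "friend@mail.invalid",     "bytes": 200_000_000},
    {"ts": "2012-02-22T12:00:00", "from": "alice@example.com", "to": "team@example.com",        "bytes": 1_000},
]


def is_external(address, corp_domain=CORP_DOMAIN):
    """Recipient domain is neither the corporate domain nor one of its subdomains."""
    domain = address.rsplit("@", 1)[-1].lower()
    return not (domain == corp_domain or domain.endswith("." + corp_domain))


def days_from_resignation(sent, resigned):
    """Negative before the resignation date, positive after it."""
    return (sent - resigned).days


def find_exfil_candidates(mail_log, resignations, window=WINDOW, threshold=SIZE_THRESHOLD):
    """Return mail from a departing insider, inside the window, to an external
    address and at or above the size threshold, ordered by distance from
    the resignation date (earliest first)."""
    hits = []
    for rec in mail_log:
        resigned = resignations.get(rec["from"].lower())
        if resigned is None:                      # sender is not on the HR roster
            continue
        sent = datetime.fromisoformat(rec["ts"]).date()
        if abs(sent - resigned) > window:         # outside the 30-day window
            continue
        if not is_external(rec["to"]) or rec["bytes"] < threshold:
            continue
        hits.append({
            "sender": rec["from"],
            "recipient": rec["to"],
            "bytes": rec["bytes"],
            "days_from_resignation": days_from_resignation(sent, resigned),
        })
    return sorted(hits, key=lambda h: h["days_from_resignation"])


if __name__ == "__main__":
    for hit in find_exfil_candidates(MAIL_LOG, RESIGNATIONS):
        print(hit)
```

On the constructed log this flags two of alice's six messages: the 50 MB message to a personal address ten days before she resigned and the 12 MB message to an outside address nine days after. Internal recipients, small messages, mail sent months earlier and senders not on the roster are left alone, which is the point of combining the HR signal with the gateway log rather than alerting on either by itself.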

8. Beware employee privacy issues. When creating an insider-theft-prevention program, always work with your company's general counsel, because privacy laws vary by state and country. "There are a number of issues regarding employee privacy, I know they can be overcome, but it has to be done very carefully," said Cappelli.

9. Marshal forces. As with many aspects of security--including data breaches--businesses that prepare for attacks in advance tend to better manage the aftermath. When it comes to combating cases of suspected insider threat, include "HR, management, upper management, security, legal, software engineering--you need to involve all of those organizations--and of course IT and information security," Cappelli said.

10. Get started. Perhaps the most important insider-threat tip is simply to get a program in place, as soon as possible. "I'm not saying the sky is falling," said Cappelli. But creating such a program takes time. Perhaps the best place to start, she said, is to get buy-in from all senior managers. For example, she recently worked with a business that gathered all 23 of its C-level managers in a room for two days, during which time they created--and agreed on--an insider-threat program from the ground up.

One of the biggest insider-theft-prevention lessons to learn, said Cappelli, is that technology alone often won't block such attacks. A corollary to that, meanwhile, is that by combining proper policies and procedures with awareness and having an insider-theft reaction plan already in place, businesses can more quickly combat suspected attacks. Because whether it's a question of preventing intellectual property from leaving the building or spotting fraudulent activity, "our goal is to stop an insider as soon as possible," she said.


Comments
Mathew
User Rank: Apprentice
3/15/2012 | 9:20:01 PM
re: 10 Best Ways To Stop Insider Attacks
Data masking or obfuscation is an excellent idea, especially for keeping "real" data out of test environments. That's another great technique for helping to prevent data from going missing, or keeping it out of the hands of malicious insiders.
A number of developers I've spoken to said they're much happier to work with "real enough but fake" data when they're coding, testing, or conducting QA, as it keeps them from being suspected if said data should go missing and turn up on Pastebin or BitTorrent.
jsantangelo101
User Rank: Apprentice
3/15/2012 | 8:30:26 PM
re: 10 Best Ways To Stop Insider Attacks
Matthew,
Insider attacks are often overlooked as a potential source of breaches. As you do additional research for Insider Attacks, you may want to consider the use of Data Masking (aka de-identification) as a part of the overall solution. Once data is masked or de-identified, it is no longer a threat. Case in point is that HIPAA 164.502(d)(2) provides for the uses and disclosures of de-identified information (aka Masked, Obfuscated, Redacted). Health information that meets the requirements for de-identification is considered not to be individually identifiable health information.
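The masking both commenters describe, as an added example that is neither the commenters' nor the article's: direct identifiers are replaced by keyed HMAC-SHA256 tokens so that one real value maps to the same token in every table (foreign keys still join) while nothing in the test copy can be turned back into the original without the key; dates are coarsened to the year and non-identifying fields pass through. The key, column lists and sample tables are constructed for the example, and the choice of which columns count as identifiers is illustrative, not a statement of what any regulation requires.

```python
"""Deterministic data masking for non-production copies (added example; not from
the article or the commenters).

Assumptions, all constructed: records are plain dicts, direct identifiers are
replaced by HMAC-SHA256 tokens under a key that never reaches the test
environment, so one real identifier maps to the same token in every table
(joins and foreign keys still line up) while the token cannot be reversed
without the key; dates are coarsened to the year; other fields pass through.
"""
import hashlib
import hmac

MASK_KEY = b"constructed-demo-key"   # constructed; in practice loaded from a secret store

# Column -> namespace. Columns sharing a namespace (patient_id and the visits
# table's patient foreign key) receive identical tokens for identical values.
IDENTIFIER_COLUMNS = {
    "patient_id": "patient_id",
    "patient": "patient_id",
    "name": "name",
    "email": "email",
}
DATE_COLUMNS = {"dob", "visit_date"}


def pseudonym(namespace, value, key=MASK_KEY, length=16):
    """Keyed one-way token; equal (namespace, value) pairs give equal tokens,
    and tokens for different namespaces or keys are unrelated."""
    msg = f"{namespace}:{value}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:length]


def mask_record(rec, key=MASK_KEY):
    """Mask one row: tokenise identifiers, coarsen dates, keep the rest."""
    out = {}
    for col, val in rec.items():
        if col in IDENTIFIER_COLUMNS:
            token = pseudonym(IDENTIFIER_COLUMNS[col], str(val), key)
            # keep the shape developers expect: an email stays an address
            out[col] = f"{token}@masked.invalid" if col == "email" else token
        elif col in DATE_COLUMNS:
            out[col] = str(val)[:4]            # year only
        else:
            out[col] = val                     # non-identifying fields pass through
    return out


def mask_tables(tables, key=MASK_KEY):
    """Mask every record in every table with the same key so joins survive."""
    return {name: [mask_record(r, key) for r in rows] for name, rows in tables.items()}


# Constructed sample tables standing in for a production extract.
TABLES = {
    "patients": [
        {"patient_id": "P-1001", "name": "Jane Roe", "email": "jane@mail.invalid",
         "dob": "1975-06-14", "diagnosis_code": "E11.9"},
    ],
    "visits": [
        {"visit_id": 1, "patient": "P-1001", "visit_date": "2012-03-01", "dept": "Cardiology"},
    ],
}


if __name__ == "__main__":
    for name, rows in mask_tables(TABLES).items():
        print(name, rows)
```

The masking key is the one thing that must stay in production: with it, anyone can recompute the token for a guessed identifier and confirm a match, so the key is handled like any other production secret, and the masked extract is what developers, testers and QA actually receive.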