Attacks/Breaches
3/12/2012 03:55 PM

10 Best Ways To Stop Insider Attacks

Consider the smartest ways that companies can detect, block, and investigate insiders with malicious motives. The advice comes from CERT and the Secret Service, after a review of hundreds of attacks.


What's the best way to spot and block insider attacks? Start by putting an insider attack prevention program in place.

So said Dawn Cappelli, technical manager at Carnegie Mellon University's CERT Insider Threat Center, speaking last month at the RSA conference in San Francisco. Cappelli is the co-author, with Andrew Moore and Randall Trzeciak, of the just-released The CERT Guide to Insider Threats.

Working with the Secret Service, Cappelli and her colleagues have reviewed hundreds of insider-attack cases to work out how businesses can detect and block more malicious insiders. Here are her top 10 recommendations for spotting and stopping insider attacks before they get out of hand:


1. Protect crown jewels first. To put an effective insider-threat program in place, first ask: What's the single most important piece of information in your company? Think the equivalent of the secret recipe for Coke or Gore-Tex. "We've worked with a number of organizations, and they tell us everything is important," said Cappelli. "So we say, what's the one thing that if someone took it to a competitor, or out of the United States, would be worth millions--or billions--of dollars?" Then secure it, preferably not just with encryption, but also by restricting access, as well as logging and monitoring who touches that data.

2. Learn from past attacks. Don't let insider attacks--successful or otherwise--go to waste. "If you experience an attack, you're not alone, but learn from it," said Cappelli. For example, she cited a case of a financial firm that happened to catch an employee who was trying to steal its secret trading algorithms. Seeing a weak point, the security team put new controls in place to explicitly watch for similar types of attacks. Thanks to the improved security, they later caught another employee who was trying to copy the algorithms to his personal email account and an external hard drive.

3. Mitigate trusted business partner threats. Who has access to your business' sensitive information? Although that list will include employees, other "insiders" will be trusted business partners, who might enjoy equal levels of access with less accountability, and opt to take sensitive information with them when they switch to a new employer. "The good news is, if they take it to a competitor in the U.S., there's a good chance that they may report them to law enforcement and they'll get it back," Cappelli said, since most will want nothing to do with trade secrets. The bad news is that one-third of all intellectual property theft cases result in the information being taken outside of the United States, at which point recovering the data becomes unlikely, if not impossible.

4. Make suspect behavior cause for concern. Watch for human-behavior warning signs. Indeed, in reviewing numerous cases of insider theft, Cappelli said that concerning behaviors were the fourth most likely sign that there was an inside-theft issue. "We usually call these people as being 'on the HR radar,'" she said. Accordingly, watch for warning signs, and have a response plan in place for when such signs get spotted.

5. Train employees to resist recruiters. "Many employees who commit fraud are recruited from outside," said Cappelli, and insiders often say that they're not committing a crime, but rather just giving data to someone else, who then commits a crime. Alter such thinking by creating clear, related security policies, and broadcasting the fact that all data access is audited. Via Cappelli, here's sample boilerplate: "If you get caught, we log everything that everyone does here, and the evidence is going to point to you."

6. Beware resignations, terminations. Most insider attacks occur within a narrow window. "The good news about [insider] crime, theft of intellectual property, is that most people who steal it do [so] within 30 days of resignation," said Cappelli. (The exception is fraud, which--as long as the attacker is making money--can continue indefinitely.) In other words, malicious insiders are most likely to strike 30 days before or after they leave. Accordingly, keep a close eye on departing or departed employees, and what they viewed. "Know what your crown jewels are," she said. "If someone resigns who had access to your crown jewels, you need to go back and proactively investigate that."

7. Apply current technology. How can businesses take their current technology and use it to spot suspected insider theft? "A lot of people spend a lot of money on tools, on technologies, and most of those tools are focused on keeping people outside of your network," said Cappelli. "What we've found is that you can use those same tools, but differently," to watch for information that may be leaving your network. For example, centralized logging tools can be used to spot signs of data exfiltration: flag any email that a "departing insider" has sent in the past 30 days to an address outside the corporate domain and that exceeds a specified size.
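The rule sketched in tips 6 and 7 (departing user, outbound to a non-corporate domain, oversized, inside the 30-day window) is small enough to run over an existing mail-gateway log. The block below is an added example, not code from the article or from CERT; the corporate domain, the 5 MB size threshold, the HR resignation feed and the log lines are all constructed for illustration, and it assumes the local part of the sender address is the username that appears in the HR feed.

```python
"""Added example: flag the departing-insider exfiltration pattern in a mail log."""
from datetime import date

CORPORATE_DOMAIN = "example.com"          # assumed
WINDOW_DAYS = 30                          # the 30-day window Cappelli cites
SIZE_THRESHOLD_BYTES = 5 * 1024 * 1024    # assumed policy threshold (5 MB)

# Constructed HR feed: username -> resignation date
RESIGNATIONS = {"jdoe": date(2012, 3, 1)}

# Constructed gateway log: "<date> <sender> <recipient> <attachment bytes>"
MAIL_LOG = [
    "2012-02-10 jdoe@example.com alice@example.com 120000",
    "2012-02-20 jdoe@example.com jdoe.home@webmail.example 8400000",
    "2012-03-05 jdoe@example.com bids@competitor.example 9100000",
    "2012-03-05 jdoe@example.com bob@example.com 9100000",
    "2011-12-01 jdoe@example.com jdoe.home@webmail.example 50000000",
    "2012-03-05 asmith@example.com someone@outside.example 20000000",
]


def parse_line(line: str) -> dict:
    """Split one constructed log line into typed fields."""
    day, sender, recipient, size = line.split()
    return {"date": date.fromisoformat(day), "sender": sender.lower(),
            "recipient": recipient.lower(), "bytes": int(size)}


def is_external(addr: str, corporate_domain: str = CORPORATE_DOMAIN) -> bool:
    """True unless the recipient is the corporate domain or one of its subdomains.
    A suffix check alone would let example.com.evil.example pass as internal."""
    domain = addr.rsplit("@", 1)[-1]
    return domain != corporate_domain and not domain.endswith("." + corporate_domain)


def in_window(event_day: date, resign_day: date, days: int = WINDOW_DAYS) -> bool:
    """The window covers both sides of the resignation date (before and after)."""
    return abs((event_day - resign_day).days) <= days


def find_exfil_candidates(log_lines, resignations, threshold=SIZE_THRESHOLD_BYTES):
    """Return the log events matching all four conditions, in log order."""
    hits = []
    for line in log_lines:
        ev = parse_line(line)
        user = ev["sender"].split("@", 1)[0]     # assumption: local part == username
        resign_day = resignations.get(user)
        if resign_day is None:
            continue                             # not a departing employee
        if not in_window(ev["date"], resign_day):
            continue
        if not is_external(ev["recipient"]):
            continue
        if ev["bytes"] < threshold:
            continue
        hits.append(ev)
    return hits


def summarize(hits):
    """Per-user totals, the shape an investigator wants handed over (tip 6)."""
    out = {}
    for h in hits:
        user = h["sender"].split("@", 1)[0]
        entry = out.setdefault(user, {"messages": 0, "bytes": 0, "recipients": set()})
        entry["messages"] += 1
        entry["bytes"] += h["bytes"]
        entry["recipients"].add(h["recipient"])
    return out


if __name__ == "__main__":
    for user, s in summarize(find_exfil_candidates(MAIL_LOG, RESIGNATIONS)).items():
        print(user, s["messages"], "messages,", s["bytes"], "bytes ->", sorted(s["recipients"]))
```

Of the six constructed lines only two match: the webmail message ten days before the resignation and the message to a competitor four days after it. The small internal messages, the message to a colleague, the oversized message from three months earlier and the non-departing user's traffic all drop out. In practice the resignation feed comes from HR, which is why tip 9 lists HR alongside IT.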

8. Beware employee privacy issues. When creating an insider-theft-prevention program, always work with your company's general counsel, because privacy laws vary by state and country. "There are a number of issues regarding employee privacy, I know they can be overcome, but it has to be done very carefully," said Cappelli.

9. Marshal forces. As with many aspects of security--including data breaches--businesses that prepare for attacks in advance tend to better manage the aftermath. When it comes to combating cases of suspected insider threat, include "HR, management, upper management, security, legal, software engineering--you need to involve all of those organizations--and of course IT and information security," Cappelli said.

10. Get started. Perhaps the most important insider-threat tip is simply to get a program in place, as soon as possible. "I'm not saying the sky is falling," said Cappelli. But creating such a program takes time. Perhaps the best place to start, she said, is to get buy-in from all senior managers. For example, she recently worked with a business that gathered all 23 of its c-level managers in a room for two days, during which time they created--and agreed on--an insider-threat program from the ground up.

One of the biggest insider-theft-prevention lessons to learn, said Cappelli, is that technology alone often won't block such attacks. A corollary to that, meanwhile, is that by combining proper policies and procedures with awareness and having an insider-theft reaction plan already in place, businesses can more quickly combat suspected attacks. Because whether it's a question of preventing intellectual property from leaving the building or spotting fraudulent activity, "our goal is to stop an insider as soon as possible," she said.


Comments

Mathew, 3/15/2012 | 9:20:01 PM
re: 10 Best Ways To Stop Insider Attacks
Data masking or obfuscation is an excellent idea, especially for keeping "real" data out of test environments. That's another great technique for helping to prevent data from going missing, or keeping it out of the hands of malicious insiders.
A number of developers I've spoken to said they're much happier to work with "real enough but fake" data when they're coding, testing, or conducting QA, as it keeps them from being suspected if said data should go missing and turn up on Pastebin or BitTorrent.
jsantangelo101, 3/15/2012 | 8:30:26 PM
re: 10 Best Ways To Stop Insider Attacks
Matthew,
Insider attacks are often overlooked as a potential source of breaches. As you do additional research for Insider Attacks, you may want to consider the use of Data Masking (aka de-identification) as a part of the overall solution. Once data is masked or de-identified, it is no longer a threat. Case in point is that HIPAA 164.502(d)(2) provides for the uses and disclosures of de-identified information (aka Masked, Obfuscated, Redacted). Health information that meets the requirements for de-identification is considered not to be individually identifiable health information.
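The two comments above describe data masking for test environments but not how the masked copy stays usable. The block below is an added example, not code from either commenter or from the article: it pseudonymizes a constructed patient extract with a keyed HMAC so that the same identifier maps to the same token across tables (joins still work), redacts what no test needs, and reduces dates of birth to the year (one of the steps of de-identification; it does not implement the full HIPAA method). The records, field names and key are all made up for illustration.

```python
"""Added example: deterministic masking of a production extract bound for test."""
import hashlib
import hmac

# Assumed: the key stays with the masking job in production and is never
# shipped to the test environment. With the key, anyone can recompute the
# token for a guessed name or SSN; without it the tokens are just opaque.
MASKING_KEY = b"rotate-me; production-only"

# Constructed sample records
PATIENTS = [
    {"patient_id": "P-1001", "name": "Jane Roe", "ssn": "123-45-6789",
     "email": "jane.roe@example.org", "dob": "1975-04-12"},
    {"patient_id": "P-1002", "name": "John Doe", "ssn": "987-65-4321",
     "email": "john.doe@example.org", "dob": "1980-11-30"},
]
VISITS = [
    {"visit_id": "V-1", "patient_id": "P-1001", "diagnosis_code": "E11.9"},
    {"visit_id": "V-2", "patient_id": "P-1002", "diagnosis_code": "I10"},
    {"visit_id": "V-3", "patient_id": "P-1001", "diagnosis_code": "J45.909"},
]

DIRECT_IDENTIFIER_FIELDS = ("name", "ssn", "email")


def pseudonym(value: str, key: bytes = MASKING_KEY, length: int = 12) -> str:
    """Keyed, deterministic token: same input and key -> same token."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:length]


def mask_patient(rec: dict, key: bytes = MASKING_KEY) -> dict:
    pid = pseudonym(rec["patient_id"], key)
    return {
        "patient_id": "P-" + pid,
        "name": "Patient-" + pid[:6].upper(),   # token, not a plausible fake name
        "ssn": "XXX-XX-XXXX",                     # redacted: no test needs a real-looking SSN
        "email": pseudonym(rec["email"], key, 10) + "@test.invalid",  # undeliverable TLD
        "dob": rec["dob"][:4],                    # year only
    }


def mask_visit(rec: dict, key: bytes = MASKING_KEY) -> dict:
    out = dict(rec)
    out["patient_id"] = "P-" + pseudonym(rec["patient_id"], key)
    # diagnosis_code is kept: it is the data developers actually test against
    return out


def mask_dataset(patients, visits, key: bytes = MASKING_KEY):
    return [mask_patient(p, key) for p in patients], [mask_visit(v, key) for v in visits]


def leaks_identifiers(original_patients, masked_rows) -> bool:
    """True if any original direct identifier appears anywhere in the masked output."""
    blob = repr(masked_rows)
    return any(p[f] in blob for p in original_patients for f in DIRECT_IDENTIFIER_FIELDS)


def joins_intact(masked_patients, masked_visits) -> bool:
    """Every visit still points at a patient row after masking."""
    ids = {p["patient_id"] for p in masked_patients}
    return all(v["patient_id"] in ids for v in masked_visits)


if __name__ == "__main__":
    mp, mv = mask_dataset(PATIENTS, VISITS)
    print("leaks:", leaks_identifiers(PATIENTS, mp + mv), "joins intact:", joins_intact(mp, mv))
    for row in mp + mv:
        print(row)
```

Because the token is keyed, a second masking run with the same key reproduces the same test dataset, so regression fixtures stay stable; rotating the key produces an unrelated dataset, which is what you want if a masked copy is ever exposed.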