10 Best Ways To Stop Insider Attacks

Consider the smartest ways that companies can detect, block, and investigate insiders with malicious motives. The advice comes from CERT and the Secret Service, after a review of hundreds of attacks.

What's the best way to spot and block insider attacks? Start by putting an insider attack prevention program in place.

So said Dawn Cappelli, technical manager at Carnegie Mellon University's CERT Insider Threat Center, speaking last month at the RSA conference in San Francisco. Cappelli is the co-author, with Andrew Moore and Randall Trzeciak, of the just-released The CERT Guide to Insider Threats.

Working with the Secret Service, Cappelli and her colleagues have reviewed hundreds of insider cases to work out how businesses can better detect and block malicious insiders. Here are her top 10 recommendations for spotting and stopping insider attacks before they get out of hand:


1. Protect crown jewels first. To put an effective insider-threat program in place, first ask: What's the single most important piece of information in your company? Think the equivalent of the secret recipe for Coke or Gore-Tex. "We've worked with a number of organizations, and they tell us everything is important," said Cappelli. "So we say, what's the one thing that if someone took it to a competitor, or out of the United States, would be worth millions--or billions--of dollars?" Then secure it, preferably not just with encryption, but also by restricting access, as well as logging and monitoring who touches that data.

2. Learn from past attacks. Don't let insider attacks--successful or otherwise--go to waste. "If you experience an attack, you're not alone, but learn from it," said Cappelli. For example, she cited a case of a financial firm that happened to catch an employee who was trying to steal its secret trading algorithms. Seeing a weak point, the security team put new controls in place to explicitly watch for similar types of attacks. Thanks to the improved security, they later caught another employee who was trying to copy the algorithms to his personal email account and an external hard drive.

3. Mitigate trusted business partner threats. Who has access to your business' sensitive information? Although that list will include employees, other "insiders" will be trusted business partners, who might enjoy equal levels of access with less accountability, and opt to take sensitive information with them when they switch to a new employer. "The good news is, if they take it to a competitor in the U.S., there's a good chance that they may report them to law enforcement and they'll get it back," Cappelli said, since most companies will want nothing to do with stolen trade secrets. The bad news is that one-third of all intellectual property theft cases result in the information being taken outside of the United States, at which point recovering the data becomes unlikely, if not impossible.

4. Make suspect behavior cause for concern. Watch for human-behavior warning signs. Indeed, in reviewing numerous cases of insider theft, Cappelli said that concerning behaviors were the fourth most likely sign that there was an inside-theft issue. "We usually call these people as being 'on the HR radar,'" she said. Accordingly, watch for warning signs, and have a response plan in place for when such signs get spotted.

5. Train employees to resist recruiters. "Many employees who commit fraud are recruited from outside," said Cappelli, and insiders often say that they're not committing a crime, but rather just giving data to someone else, who then commits a crime. Alter such thinking by creating clear, related security policies, and broadcasting the fact that all data access is audited. Via Cappelli, here's sample boilerplate: "If you get caught, we log everything that everyone does here, and the evidence is going to point to you."

6. Beware resignations, terminations. Most insider attacks occur within a narrow window. "The good news about [insider] crime, theft of intellectual property, is that most people who steal it do [so] within 30 days of resignation," said Cappelli. (The exception is fraud, which--as long as the attacker is making money--can continue indefinitely.) In other words, malicious insiders are most likely to strike 30 days before or after they leave. Accordingly, keep a close eye on departing or departed employees, and what they viewed. "Know what your crown jewels are," she said. "If someone resigns who had access to your crown jewels, you need to go back and proactively investigate that."

7. Apply current technology. How can businesses use the technology they already have to spot suspected insider theft? "A lot of people spend a lot of money on tools, on technologies, and most of those tools are focused on keeping people outside of your network," said Cappelli. "What we've found is that you can use those same tools, but differently," to watch for information that may be leaving your network. For example, centralized logging tools can be used to spot signs of data exfiltration, such as a departing insider who has emailed someone outside the corporate domain in the past 30 days with an attachment above a specified size.

8. Beware employee privacy issues. When creating an insider-theft-prevention program, always work with your company's general counsel, because privacy laws vary by state and country. "There are a number of issues regarding employee privacy, I know they can be overcome, but it has to be done very carefully," said Cappelli.

9. Marshal forces. As with many aspects of security--including data breaches--businesses that prepare for attacks in advance tend to better manage the aftermath. When it comes to combating cases of suspected insider threat, include "HR, management, upper management, security, legal, software engineering--you need to involve all of those organizations--and of course IT and information security," Cappelli said.

10. Get started. Perhaps the most important insider-threat tip is simply to get a program in place, as soon as possible. "I'm not saying the sky is falling," said Cappelli. But creating such a program takes time. Perhaps the best place to start, she said, is to get buy-in from all senior managers. For example, she recently worked with a business that gathered all 23 of its c-level managers in a room for two days, during which time they created--and agreed on--an insider-threat program from the ground up.

One of the biggest insider-theft-prevention lessons, said Cappelli, is that technology alone often won't block such attacks. The corollary is that businesses which combine proper policies and procedures with awareness training and a ready insider-threat response plan can act on suspected attacks much faster. Whether the goal is preventing intellectual property from leaving the building or spotting fraudulent activity, "our goal is to stop an insider as soon as possible," she said.
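Items 1, 6 and 7 above describe the review a security team should run when someone with crown-jewel access resigns: look back 30 days either side of the departure date for large messages to addresses outside the corporate domain and for access to the sensitive data itself. The following Python is an added example of that logic, not code from CERT, Cappelli or the article. The log formats, the 5 MB threshold, the example.com corporate domain, the crown-jewel paths and the departure roster are all assumptions, and the log lines are constructed for the demo.

```python
"""Departing-insider review (added example). Given a departure date, flag
(a) large mail to addresses outside the corporate domain and (b) access to
crown-jewel paths, within 30 days either side of the departure.
Log formats, threshold, domain and paths are assumptions for this demo."""
from datetime import date, datetime, timedelta

CORP_DOMAIN = "example.com"            # assumed corporate mail domain
WINDOW = timedelta(days=30)            # the 30-day window cited in the article
SIZE_THRESHOLD = 5 * 1024 * 1024       # assumed: flag messages over 5 MB
CROWN_JEWELS = ("/srv/trading/algos/", "/srv/rnd/formula/")  # assumed sensitive paths

# Constructed departure roster (username -> last day), as HR would supply it.
DEPARTURES = {"jdoe": date(2012, 3, 1)}

# Constructed mail-gateway log, one message per line: timestamp|sender|recipient|bytes
MAIL_LOG = """\
2012-02-10T09:12:00|jdoe@example.com|bob@example.com|120000
2012-02-20T18:40:00|jdoe@example.com|jdoe.home@gmail.example|9000000
2012-03-05T22:15:00|jdoe@example.com|contact@rival.example|7500000
2011-12-01T10:00:00|jdoe@example.com|contact@rival.example|8000000
2012-02-21T11:00:00|asmith@example.com|friend@gmail.example|9500000
"""

# Constructed file-server audit log: timestamp|user|path|action
ACCESS_LOG = """\
2012-02-15T13:02:00|jdoe|/srv/trading/algos/momentum.py|read
2012-02-28T23:55:00|jdoe|/srv/trading/algos/|copy
2012-02-28T23:56:00|asmith|/srv/trading/algos/|read
2012-01-05T09:00:00|jdoe|/srv/hr/handbook.pdf|read
"""


def in_window(ts: datetime, user: str) -> bool:
    """True if ts falls within WINDOW of the user's departure date."""
    departed = DEPARTURES.get(user)
    if departed is None:
        return False
    return departed - WINDOW <= ts.date() <= departed + WINDOW


def is_external(addr: str) -> bool:
    """Recipient domain is not the corporate domain (case-insensitive)."""
    return addr.rsplit("@", 1)[-1].lower() != CORP_DOMAIN


def flag_external_mail(log: str = MAIL_LOG) -> list:
    """Departing insiders mailing large content outside the corporate domain."""
    hits = []
    for line in log.splitlines():
        ts_s, sender, rcpt, size = line.split("|")
        user = sender.split("@", 1)[0]
        if (in_window(datetime.fromisoformat(ts_s), user)
                and is_external(rcpt) and int(size) > SIZE_THRESHOLD):
            hits.append((user, rcpt, int(size), ts_s))
    return hits


def flag_crown_jewel_access(log: str = ACCESS_LOG) -> list:
    """Departing insiders touching crown-jewel paths inside the window."""
    hits = []
    for line in log.splitlines():
        ts_s, user, path, action = line.split("|")
        if (in_window(datetime.fromisoformat(ts_s), user)
                and path.startswith(CROWN_JEWELS)):
            hits.append((user, path, action, ts_s))
    return hits


if __name__ == "__main__":
    for hit in flag_external_mail():
        print("MAIL  ", hit)
    for hit in flag_crown_jewel_access():
        print("ACCESS", hit)
```

Run as written, the mail check reports jdoe's two large external messages inside the window and ignores the one sent three months earlier and the non-departing colleague; the access check reports both of jdoe's crown-jewel touches, including the late-night copy of the whole directory. In practice the same two queries run against the SIEM rather than a text file, and they are a review heuristic, not proof: webmail, cloud sync and removable media do not pass the mail gateway, and per item 8 the legal review of who may pull an individual's mail records has to happen before, not after, the query.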

3/15/2012 | 9:20:01 PM
re: 10 Best Ways To Stop Insider Attacks
Data masking or obfuscation is an excellent idea, especially for keeping "real" data out of test environments. That's another great technique for helping to prevent data from going missing, or keeping it out of the hands of malicious insiders.
A number of developers I've spoken to said they're much happier to work with "real enough but fake" data when they're coding, testing, or conducting QA, as it keeps them from being suspected if said data should go missing and turn up on Pastebin or BitTorrent.
3/15/2012 | 8:30:26 PM
re: 10 Best Ways To Stop Insider Attacks
Insider attacks are often overlooked as a potential source of breaches. As you do additional research for Insider Attacks, you may want to consider the use of Data Masking (aka de-identification) as a part of the overall solution. Once data is masked or de-identified, it is no longer a threat. Case in point is that HIPAA 164.502(d)(2) provides for the uses and disclosures of de-identified information (aka Masked, Obfuscated, Redacted). Health information that meets the requirements for de-identification is considered not to be individually identifiable health information.
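Both comments above recommend data masking so that test and QA environments never hold real identifiers. The following Python is an added example of that technique, not code from the article or from either commenter. It uses keyed, deterministic pseudonyms (HMAC-SHA256) so that a masked copy stays joinable across tables and rows while no real name, address, SSN or phone number leaves production. The record layout, the field rules, the masking key and the sample records are all assumptions constructed for the demo.

```python
"""Data masking for test environments (added example). Replaces direct
identifiers with keyed, deterministic pseudonyms so copies stay joinable and
realistic while no real name, email, SSN or phone leaves production.
Record layout, key handling and field rules are assumptions for this demo."""
import hashlib
import hmac

# The key stays in production and is rotated per extract, so pseudonyms from
# two different extracts cannot be linked to each other. Constructed here.
MASK_KEY = b"rotate-me-per-extract"

FIRST_NAMES = ["Alex", "Casey", "Jordan", "Morgan", "Riley", "Sam", "Taylor", "Quinn"]
LAST_NAMES = ["Adams", "Baker", "Chen", "Diaz", "Evans", "Foster", "Garcia", "Hale"]


def _digest(field: str, value: str) -> bytes:
    """HMAC-SHA256 over (field, value); the field tag keeps columns from colliding."""
    msg = field.encode() + b"\x00" + value.strip().lower().encode()
    return hmac.new(MASK_KEY, msg, hashlib.sha256).digest()


def _digit_stream(field: str, seed: str):
    """Endless keyed pseudorandom decimal digits (slight mod bias is fine here)."""
    d = _digest(field, seed)
    while True:
        for b in d:
            yield b % 10
        d = hashlib.sha256(d).digest()


def mask_id(value: int) -> int:
    """Surrogate key -> keyed pseudonym; same input always maps to the same output."""
    return int.from_bytes(_digest("id", str(value))[:4], "big") % 10**9


def mask_name(value: str) -> str:
    """Swap a real name for a plausible one chosen by the keyed digest."""
    d = _digest("name", value)
    return f"{FIRST_NAMES[d[0] % len(FIRST_NAMES)]} {LAST_NAMES[d[1] % len(LAST_NAMES)]}"


def mask_email(value: str) -> str:
    """Keep the shape of an address but move it to a reserved test domain."""
    n = int.from_bytes(_digest("email", value)[:4], "big") % 10**7
    return f"user{n:07d}@example.test"


def mask_digits(field: str, value: str) -> str:
    """Replace every digit, keeping length and punctuation (e.g. 123-45-6789)."""
    digits = "".join(c for c in value if c.isdigit())
    stream = _digit_stream(field, digits)
    return "".join(str(next(stream)) if c.isdigit() else c for c in value)


def mask_record(rec: dict) -> dict:
    """Apply the per-field rules to one record; unlisted fields are not copied."""
    return {
        "patient_id": mask_id(rec["patient_id"]),
        "name": mask_name(rec["name"]),
        "email": mask_email(rec["email"]),
        "ssn": mask_digits("ssn", rec["ssn"]),
        "phone": mask_digits("phone", rec["phone"]),
        "diagnosis": rec["diagnosis"],   # not a direct identifier; kept so tests stay realistic
    }


# Constructed sample records (not real people); record 2 repeats record 1's
# identity with different casing to show the mapping is stable across rows.
SAMPLE = [
    {"patient_id": 1001, "name": "Jane Q. Public", "email": "Jane.Public@example.com",
     "ssn": "123-45-6789", "phone": "(555) 010-2233", "diagnosis": "J06.9"},
    {"patient_id": 1001, "name": "jane q. public", "email": "jane.public@example.com",
     "ssn": "123-45-6789", "phone": "(555) 010-2233", "diagnosis": "E11.9"},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(mask_record(rec))
```

Two caveats a practitioner would want. First, keyed pseudonymization is reversible by anyone holding MASK_KEY and the original data, so the key is itself sensitive and must never travel with the masked extract; for a one-way copy, destroy the key after the extract. Second, this demo only shows the mechanism for a few direct identifiers; the HIPAA Safe Harbor de-identification standard the second comment alludes to requires removing or generalizing all of its listed identifier types, including dates and small geographic units, and a masked copy is also still vulnerable to collisions in the short numeric pseudonyms at very large record counts, where a keyed lookup table with uniqueness checks is the better design.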