Stopping Insider Attacks

Separation of duties. Any critical job function or access to critical information should involve two or more people. This prevents a single person from committing an inside attack.

Rotation of duties. All critical jobs should have multiple people who perform the roles, and those people should be rotated through periodically. If a person knows that someone else is going to be performing a given role in two months, then it will be much harder for them to commit fraud or other insider attacks because there is a good chance someone might catch it later.

Least privilege. Any additional access that someone has can be used against the company. Although access is needed for people to perform their jobs, this access should be carefully controlled. People should be given only the access they need to do their jobs -- and nothing else.

Controlled access. Access is what someone is going to use to compromise an organization. The more a company knows what access people have, the better they can control it.

Logging and auditing. Organizations must know what is happening on their networks, and this information must be reviewed on a regular basis. If someone's actions are not logged, then a company will have no idea who did what and will not be able to detect the insider. Even if this information is logged, if it is not reviewed on a regular basis, then an organization will not be able to catch an attacker in a timely manner.

Policies. A policy states what a company's stance is on security and what is expected of anyone with inside access. A policy is a mandatory document that is clear and concise and that everyone must follow. If a policy does not exist, then how do insiders know what is expected of them? I once knew an employee who bragged about making copies of software when he left a company. When I questioned his concern of legality and theft, he replied simply by saying, "I never signed anything." This information must be presented to them in a way they understand, and it must be made clear they have to follow it.

Defense-in-depth. When it comes to network security, there is no silver bullet. No single solution is going to make you sure. Organizations must deploy a layered security model, with checks and balances across each layer.

Look beyond technology. Many inside attacks are not technology-driven. Organizations must realize that nontechnology-based solutions need to be implemented across the company.

Archive critical data. Any critical information must be properly archived and protected. This way all the IP is not in one place should a system gets destroyed or compromised.

Complete solution. Any solution that is implemented must include all aspects of the company: people, data, technology, procedures, and policies.

Dr. Eric Cole, Ph.D., is a security expert with more than 15 years of hands-on experience. Cole has experience in information technology with a focus on perimeter defense, secure network design, vulnerability discovery, penetration testing, and intrusion detection systems. He is the author of several books, including Hackers Beware, Hiding in Plain Site, Network Security Bible, and Insider Threat. He is the inventor of more than 20 patents, and is a researcher, writer, and speaker. Cole is a member of the Commission on Cyber Security for the 44th President and several executive advisory boards, and is CTO of the Americas for McAfee. Cole is involved with the SANS Technology Institute (STI) and SANS working with students, teaching, and maintaining and developing courseware. He is a SANS fellow, instructor, and course author.