10 Best Ways To Stop Insider Attacks

Consider the smartest ways that companies can detect, block, and investigate insiders with malicious motives. The advice comes from CERT and the Secret Service, after a review of hundreds of attacks.

Mathew J. Schwartz, Contributor

March 12, 2012

6 Min Read

10 Massive Security Breaches

10 Massive Security Breaches

(click image for larger view)
Slideshow: 10 Massive Security Breaches

What's the best way to spot and block insider attacks? Start by putting an insider attack prevention program in place.

So said Dawn Cappelli, technical manager at Carnegie Mellon University's CERT Insider Threat Center, speaking last month at the RSA conference in San Francisco. Cappelli is the co-author, with Andrew Moore and Randall Trzeciak, of the just-released The Cert Guide To Insider Threats.

Working with the Secret Service, Cappelli and company have reviewed hundreds of hacking cases to deduce how businesses can better block a greater number of malicious insiders. Here are her top 10 recommendations for spotting and stopping insider attacks before they get out of hand:

[ Do you employ a hacker? See How To Spot Malicious Insiders Before Data Theft. ]

1. Protect crown jewels first. To put an effective insider-threat program in place, first ask: What's the single most important piece of information in your company? Think the equivalent of the secret recipe for Coke or Gore-Tex. "We've worked with a number of organizations, and they tell us everything is important," said Cappelli. "So we say, what's the one thing that if someone took it to a competitor, or out of the United States, would be worth millions--or billions--of dollars?" Then secure it, preferably not just with encryption, but also by restricting access, as well as logging and monitoring who touches that data.

2. Learn from past attacks. Don't let insider attacks--successful or otherwise--go to waste. "If you experience an attack, you're not alone, but learn from it," said Cappelli. For example, she cited a case of a financial firm that happened to catch an employee who was trying to steal its secret trading algorithms. Seeing a weak point, the security team put new controls in place to explicitly watch for similar types of attacks. Thanks to the improved security, they later caught another employee who was trying to copy the algorithms to his personal email account and an external hard drive.

3. Mitigate trusted business partner threats. Who has access to your business' sensitive information? Although that list will include employees, other "insiders" will be trusted business partners, who might enjoy equal levels of access with less accountability, and opt to take sensitive information with them when they switch to a new employer. "The good news is, if they take it to a competitor in the U.S., there's a good chance that they may report them to law enforcement and they'll get it back," Cappelli said, since most will want nothing to do with trade secrets. The bad news is that one-third of all intellectual property theft cases result in the information being taken outside of the United States, at which point recovering the data becomes unlikely, if not impossible.

4. Make suspect behavior cause for concern. Watch for human-behavior warning signs. Indeed, in reviewing numerous cases of insider theft, Cappelli said that concerning behaviors were the fourth most likely sign that there was an inside-theft issue. "We usually call these people as being 'on the HR radar,'" she said. Accordingly, watch for warning signs, and have a response plan in place for when such signs get spotted.

5. Train employees to resist recruiters. "Many employees who commit fraud are recruited from outside," said Cappelli, and insiders often say that they're not committing a crime, but rather just giving data to someone else, who then commits a crime. Alter such thinking by creating clear, related security policies, and broadcasting the fact that all data access is audited. Via Cappelli, here's sample boilerplate: "If you get caught, we log everything that everyone does here, and the evidence is going to point to you."

6. Beware resignations, terminations. Most insider attacks occur within a narrow window. "The good news about [insider] crime, theft of intellectual property, is that most people who steal it do [so] within 30 days of resignation," said Cappelli. (The exception is fraud, which--as long as the attacker is making money--can continue indefinitely.) In other words, malicious insiders are most likely to strike 30 days before or after they leave. Accordingly, keep a close eye on departing or departed employees, and what they viewed. "Know what your crown jewels are," she said. "If someone resigns who had access to your crown jewels, you need to go back and proactively investigate that."

7. Apply current technology How can businesses take their current technology and use it to spot suspected insider theft? "A lot of people spend a lot of money on tools, on technologies, and most of those tools are focused on keeping people outside of your network," said Cappelli. "What we've found is that you can use those same tools, but differently," to watch for information that may be exiting your network. For example, centralized logging tools can be used to spot signs of data exfiltration, for example if a "departing insider" has sent an email in the past 30 days to someone outside the corporate domain, and which exceeds a certain specified file size.

8. Beware employee privacy issues. When creating an insider-theft-prevention program, always work with your company's general counsel, because privacy laws vary by state and country. "There are a number of issues regarding employee privacy, I know they can be overcome, but it has to be done very carefully," said Cappelli.

9. Marshall forces. As with many aspects of security--including data breaches--businesses that prepare for attacks in advance tend to better manage the aftermath. When it comes to combating cases of suspected insider threat, include "HR, management, upper management, security, legal, software engineering--you need to involve all of those organizations--and of course IT and information security," Cappelli said.

10. Get started. Perhaps the most important insider-threat tip is simply to get a program in place, as soon as possible. "I'm not saying the sky is falling," said Cappelli. But creating such a program takes time. Perhaps the best place to start, she said, is to get buy-in from all senior managers. For example, she recently worked with a business that gathered all 23 of its c-level managers in a room for two days, during which time they created--and agreed on--an insider-threat program from the ground up.

One of the biggest insider-theft-prevention lessons to learn, said Cappelli, is that technology alone often won't block such attacks. A corollary to that, meanwhile, is that by combining proper policies and procedures with awareness and having an insider-theft reaction plan already in place, businesses can more quickly combat suspected attacks. Because whether it's a question of preventing intellectual property from leaving the building or spotting fraudulent activity, "our goal is to stop an insider as soon as possible," she said.

InformationWeek is conducting a survey to determine the types of measures and policies IT is taking to ensure the security of the full range of mobile assets on cellular, Wi-Fi, and other wireless technologies. Upon completion of our survey, you will be eligible to enter a drawing to receive an 32-GB Apple iPod Touch. Take our Mobile Security Survey now. Survey ends March 16.

About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights