Security Experts Raise Alarm Over Insider Threats

Security researchers and other experts are turning up the heat on insider threats, warning enterprises that the problem is growing and could prove devastating for many enterprises.

In preparation for its meeting in Japan next month, the Forum of Incident Response and Security Teams (FIRST) issued a press release in which its senior officers urge organizations to step up their efforts to protect themselves from insider attacks, saying that many are "ill-prepared for an onslaught which could prove calamitous."

"One of the greatest security threats of our times is from insiders, as organizations lay off tens of thousands of workers," said Scott McIntyre, a FIRST steering committee member and representative of the Netherlands-based KPN Computer Emergency Response Team (CERT). "People know the axe is coming, and the longer employers prolong the swing of that axe, the more danger they expose themselves to, either from sabotage or data theft. An employee who thinks he or she is [going to be laid off] can start fouling up systems which are critical to the organization, or decide to take an unauthorized pay-off by stealing a mass of data."

Yurie Ito, another FIRST steering committee member and director of Japan's JPCERT/CC, agreed. "Don't think you're safer once the employee is laid off and outside the wall," Ito warned. "A lot of these people know how the systems work -- they have the keys to the castle and they know where the secret doors are. Even when companies think they have taken the necessary steps by removing ID and changing passwords, these people have the knowledge and skill that means they still pose a threat. They are extremely dangerous."

Researchers and vendors outside of FIRST also say they are becoming concerned about the threats posed by those with knowledge of corporate systems, such as IT people and privileged users. "The most common insider threats are posed by everyday workers who might walk out with sensitive data on a USB drive," observes Eric Yoshizuru, evangelist at security vendor Symark. "But it's the privileged users who can do the most serious crimes against the organization."

A few years ago, most organizations "trusted their IT organizations to do the right thing," Yoshizuru says. But following a series of very public attacks involving IT people during the past few years, many organizations are beginning to implement tools and processes to protect themselves against threats posed both by employees and the IT people who support them, he notes.

"A lot of companies have been through the wringer with layoffs, and in many cases, the 'survivors' feel overworked, underpaid, and unappreciated," Yoshizuru says. "In some cases, these are people who understand the technical vulnerabilities of the company, but they are nervous -- if they see another layoff coming, they may be tempted to retaliate."

Tom Mullen, security chief for telco giant BT, says organizations must now regard some precautionary measures as a matter of urgency. Exit procedures should be scrutinized and rescrutinized, especially for employees whose severance was involuntary. "You simply must have thorough exit and monitoring plans in place, and these need to be very specific when you're dealing with employees who had any kind of access to critical systems or data," Mullen says. "You have to make sure that under no circumstances can a departing member of staff take any sensitive information out of the organization." Many organizations are approaching the insider threat in much the same way that they approach the external threat: "How is somebody going to get in, what might they steal, and in the worst circumstances, how to restore from backups if outsiders do break in and crash something," notes Derrick Scholl, chair of the FIRST steering committee.

But these methods don't address the real damage that a determined insider might do, Scholl says. "Sure, an insider is capable of stealing corporate secrets, or customer lists, or destroying computers, but their potential for harm is far worse," he states. "Imagine a software company where an insider has the ability to change code in the product without being detected. What if the insider altered design documents or tampered with customer orders? Or ripped out hard drives and corrupted systems just as a big corporation was about to issue its quarterly bills to hundreds of thousands of customers? It's a totally different order of threat, and it requires a different way of thinking."

Organizations today must begin the process of separating duties and building checks and balances into their IT and administrative access schemes, Yoshizuru says. "That extends to systems like Salesforce.com, where the administrator may be outside the IT organization," he notes.

Yoshizuru says steps to prevent insider attack may also extend beyond the employee base. "With tough economic times, a lot of companies are bringing in contractors and temporary employees, but they aren't extending the tools and training to those employees that they do to their full-time workers," he observes. "That's a set of issues that companies should be looking at as well."

The 21st Annual FIRST conference will take place June 28 to July 3, 2009, at the Hotel Granvia in Kyoto, Japan.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.