Written by Phil Robins, Encode UK Ltd
In our experience 80-90 % of all successful “external” cyber-attacks are initiated through people being tricked or spoofed into opening a company to the attacker. The internal threat is different mainly because external defences are irrelevant and an internal reconnaissance is not required…the insider knows where the Crown Jewels are!
Furthermore, in this new era of the “extended enterprise”, insiders have limitless possibilities of abuse, through the use of cloud services and applications, as well as mobility and remote access.
We need to consider the following:
Who are the Insiders?
They are not necessarily employees! Whoever they are likely to have privileged access to the organisation’s IT infrastructure.
Why would anyone want to attack the organisation? The typical reasons are
- Money or financial reward.. perhaps leaving the organisation to join a competitor
- Compensated / covertly employed by a competitor
- Malicious intent driven by some personal issue with the organisation
- Malicious motivated by an ideological principal ie: environmental, humanitarian, political
- Fear where perhaps a criminal or terrorist organisation is threatening them in some way
Prevention (…or “Raising the Bar”)
There is one common risk which is the Human factor, all of the suggestions require a discipline that ensures the required tasks take place and with the best will in the world when pressure is up routine tasks get left. (ISO27001/2 provides an excellent structure to address all aspects of security).
There are three clear areas to address:
- Does the organisation have the appropriate software tools / sensors in place?
- Are all systems configured and patched to the latest levels?
- Are privileges regularly reviewed?
- Does the organisation have the appropriate software security sensors?
- Are all sensors monitored?
- Does the IT team have specialist IT security skills?
- Do you use an independent specialist to simulate internal and external attacks?
- Do you “vet” staff ahead of joining?
- Is a culture of security awareness cultivated?
- Do you run any activity reports on leavers?
- Are people audited as part of regular activity?
- Are critical areas physically protected?
- Are there different levels of permissions for accessing these critical areas ie: R&D?
What is of importance is that all these controls will take into account the “extended enterprise”.
Detection (…and deterrence)
However, as we all know prevention eventually fails (and nowadays more often than not). This is where detection comes to play, which if implemented correctly can be of great help in deterring insider data theft. This is a blend of technology, physical environment and procedures. Detection shouldn’t be through chance but as much as possible routine. In the words of Liam Neeson ‘I will find you and I will kill you!’… people should have no doubt!
All IT should be monitored by experts (either in-house or outsourced) looking for correlating events that suggest an insider misuse, among other threats. However, as in the case of advanced cyber threats, when it comes to be able to detect a malicious “authorised” access from a benign one, you need a way to model normal activity at the individual user level and be able to detect deviations (aka Security Analytics)
When you have been attacked or think you may have been attacked digital forensics can help identify the method of attack and what was taken; having said that the attackers are becoming really sophisticated and “clean up” when they leave making detection virtually impossible. For this reason the IT environment must be “forensics/monitoring-ready” and incident response plans should be in place and well thought through.
In summary people are the weakest link for an attacker to exploit and conversely people need to be disciplined and relentless in both prevention and detection. However this relaxes over time so regular independent scrutiny should form part of the overall IT security strategy.