The Attack from Within: Stopping Malicious Insiders
While many IT managers obsess about hackers and external attackers purloining sensitive company information, studies point to a worse problem: the insider threat.
While many IT managers obsess about the threat from external attackers, several studies point to a far worse problem: the malicious insider. According to research firm The InfoPro Inc., for example, 72 percent of enterprises report internal security threats are an equal or greater problem than external risks.
Historically, insider attacks have been linked to disgruntled employees intent on damaging corporate resources. Now, however, such perceptions are changing. As a recent report from Boston-based research firm Aberdeen Group notes, “Organizations are beginning to recognize that they are also at risk of having company employees, consultants, partners, or suppliers seek illicit economic gain or commit vengeful acts.”
According to the latest IBM Global Business Security Index report, throughout 2006, the number of insider attacks will likely only increase, especially as a means for attackers to socially engineer their way past security controls. “Criminals will focus their efforts on convincing end users to execute the attack instead of wasting time in lengthy software vulnerability discovery,” notes the report.
One growing target is an individual's personal information, no matter whether it belongs to employees or consumers in general. Social Security numbers, bank account and credit card numbers, and passwords are especially at risk, given their resale value. No wonder then that “insider attack still remains a major source of personal information theft,” notes Forrester analyst Jonathan Penn.
How to Defend Against Inside Attackers
Education helps employees stay aware of current security practices, and thus thwart social engineering attacks designed to capture sensitive information. Yet as the IBM report notes, many organizations face resource shortages, including a lack of educational resources, not to mention the turmoil of employee layoffs, mergers, and acquisitions.
Stopping insider attacks takes more than just education. Overall, Computer Associates (CA) recommends these security practices:
- Automatically enforce security policies and procedures
- Disable and delete old accounts promptly
- Review users’ access privileges quarterly, and perhaps set them to expire (to automatically disable access for contractors)
- Train employees on security policies
- Implement least-privilege access, meaning access to sensitive information is only granted to specific people, and on a need-to-know basis
- Enforce strong passwords and consider use of two-factor authentication
- For IT systems, segregate duties and especially segregate sign-offs from actual operations work
- Audit all sensitive systems and capture rich data to logs
- For better auditing, disallow shared administrator passwords
- Enable a centralized view of how well the security environment is working, to better correlate seemingly unrelated events
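As an added illustration of the account-hygiene items on CA's list (prompt removal of old accounts, expiring contractor access, no shared administrator credentials), here is a small quarterly access-review check. It is example code written for this page, not from CA or the article, and it runs over a constructed directory export rather than real data.

```python
from datetime import date, timedelta

# Constructed sample directory export (not real data): one record per account.
ACCOUNTS = [
    {"user": "alice", "role": "admin", "shared": False, "contractor": False,
     "expires": None, "last_login": date(2006, 3, 1)},
    {"user": "svc-backup", "role": "admin", "shared": True, "contractor": False,
     "expires": None, "last_login": date(2006, 3, 2)},
    {"user": "bob-ctr", "role": "user", "shared": False, "contractor": True,
     "expires": date(2006, 1, 31), "last_login": date(2006, 2, 20)},
    {"user": "carol", "role": "user", "shared": False, "contractor": False,
     "expires": None, "last_login": date(2005, 10, 5)},
    {"user": "dave-ctr", "role": "user", "shared": False, "contractor": True,
     "expires": None, "last_login": date(2006, 2, 28)},
]

REVIEW_DATE = date(2006, 3, 15)    # date of this (constructed) quarterly review
STALE_AFTER = timedelta(days=90)   # one quarter with no login counts as "old"


def review_accounts(accounts, today):
    """Return (user, reason) findings for one quarterly access review."""
    findings = []
    for a in accounts:
        # Old accounts: no login within the review window -> disable, then delete.
        if today - a["last_login"] > STALE_AFTER:
            findings.append((a["user"], "stale: disable and delete"))
        # Contractor access must carry an expiry date and must not be past it.
        if a["contractor"]:
            if a["expires"] is None:
                findings.append((a["user"], "contractor without expiry date"))
            elif a["expires"] < today:
                findings.append((a["user"], "contractor access expired: disable"))
        # Shared admin credentials defeat per-person auditing.
        if a["role"] == "admin" and a["shared"]:
            findings.append((a["user"], "shared admin credential: replace with named accounts"))
    return findings


if __name__ == "__main__":
    for user, reason in review_accounts(ACCOUNTS, REVIEW_DATE):
        print(f"{user}: {reason}")
```

On the constructed data the review flags four accounts and leaves the active, individually owned admin account alone.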
As CA’s list suggests, guarding against malicious insiders requires many specific defenses. Yet at many companies, such defenses lag. For example, in a January 2006 survey of 88 companies’ insider-threat defenses, Aberdeen Group found “the majority of respondents have yet to implement technology to address insider threats—only 41 percent have done so.”
Where should lagging organizations start? Organizations with what Aberdeen Group characterizes as “Best in Class” insider-threat defenses consistently do a number of things: “Best in Class companies are more likely to use strong passwords, access control lists, and single sign-on. Additionally, these leading organizations are more likely to create a business case prior to deployment and roll out a solution incrementally, slowly expanding it to user populations.”
Such defenses are useful beyond simply thwarting malicious insiders. For example, according to the latest IDC Security Survey, the second-highest security challenge for companies is simply getting employees to follow corporate security policies. Still, don’t try selling management on the threat of “clueless insiders.”