Best Practices: Defending Against Insider Attacks

A new report from CERT and the U.S. Secret Service shows how to begin preventing insider attacks.

Want to prevent the majority of insider attacks?

Start by disabling former employees’ access to enterprise systems. Also don’t underestimate “the power of a terminated employee with system administrator access,” notes Dawn Cappelli, a senior member of the technical staff with the Carnegie Mellon Software Engineering Institute’s CERT.

Many organizations “completely neglect disabling access upon termination,” Cappelli notes. “Others go through the steps to disable access, but the insider is able to find that one access-control gap that was overlooked.” That single gap can be enough to attack a company.

Of course, eliminating a former employee’s accounts and access isn’t as easy as it sounds, reveals a recent report on insider threats from the United States Secret Service and CERT. For the report, researchers studied 49 attacks conducted between 1996 and 2002 in critical infrastructure sectors. The study was limited to cases “in which an insider’s primary goal was to sabotage some aspect of the organization or direct specific harm toward an individual.”

One significant finding: “the majority of insiders who committed the attacks were former employees, motivated at least in part by a desire to seek revenge, and who were granted system administrator or privileged access when hired.”

Most often, an insider attack is triggered by a work-related event, and in 62 percent of cases, it’s planned in advance. Sometimes that planning shows: 80 percent of inside attackers reportedly displayed “unusual behavior in the workplace prior to carrying out their activities,” notes the report.

Most attacks are also conducted remotely. Only 43 percent of the insiders studied still had authorized access to IT systems at the time of the attack; the rest had been locked out, at least on paper, and got in anyway, so whatever post-employment lock-outs the attacked companies made were not enough. Sixty percent of attackers compromised other computer accounts, either creating backdoors or using shared accounts to launch their attacks. As that suggests, most attackers had technical acumen, and 39 percent used sophisticated attack tools. Furthermore, in 57 percent of cases, attackers exploited known vulnerabilities in applications or procedures.

Because insider attacks are so targeted, the damage can be severe. In 80 percent of attacks there was a financial loss, and in 75 percent some negative impact to business operations as well. Furthermore, over a quarter of attacks damaged the organization’s reputation.

Best Practices in Prevention

What can organizations do to better protect against insider attacks? After an employee leaves the company, an obvious first step is to disable their account access, especially any at the administrator level or with special privileges. Before that, however, organizations must better document which systems employees have access to, so access can be revoked quickly when needed.
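One way to find the “one access-control gap that was overlooked” is to reconcile the HR roster against an account export from every system, flagging accounts whose owner has left, accounts with no identifiable owner (shared or service accounts, which the study found attackers leaning on), and accounts whose owner HR has no record of. The script below is an added example, not code from the report or the article; the roster and the per-system exports are constructed inline, and the field layout (username, owner id, privileged flag) is an assumption about what system owners would hand over.

```python
"""Reconcile an HR roster against per-system account exports to find
access that should have been revoked.

Added example, not from the CERT/Secret Service report or the article.
All data below is constructed; the field layout is assumed.
"""
from dataclasses import dataclass

# Constructed HR roster: employee id -> (name, status).
HR_ROSTER = {
    "e100": ("alice", "active"),
    "e101": ("bob", "terminated"),
    "e102": ("carol", "terminated"),
}

# Constructed account exports, one list per system.
# Each entry is (username, owner employee id or None, is_privileged).
SYSTEM_ACCOUNTS = {
    "vpn": [
        ("alice", "e100", False),
        ("bob", "e101", False),
        ("dave", "e999", False),      # owner id unknown to HR
    ],
    "prod-db": [
        ("dba_admin", None, True),    # shared admin account, no owner
        ("carol", "e102", True),
    ],
    "ldap": [
        ("alice", "e100", False),
        ("svc_backup", None, True),   # service account, no owner
        ("bob", "e101", True),        # terminated, still privileged
    ],
}


@dataclass
class Finding:
    system: str
    username: str
    reason: str
    privileged: bool


def reconcile(roster, accounts):
    """Return every account that should not exist in its current form,
    privileged ones first so they are revoked first."""
    findings = []
    for system, entries in accounts.items():
        for username, owner, privileged in entries:
            if owner is None:
                reason = "no identifiable owner (shared or service account)"
            elif owner not in roster:
                reason = f"owner {owner} not in HR roster"
            else:
                _name, status = roster[owner]
                if status == "active":
                    continue
                reason = f"owner {owner} is {status}"
            findings.append(Finding(system, username, reason, privileged))
    findings.sort(key=lambda f: (not f.privileged, f.system, f.username))
    return findings


def terminated_with_access(roster, accounts):
    """Employee ids marked non-active by HR that still own an account
    anywhere; each one is a lock-out that did not fully happen."""
    leavers = {eid for eid, (_n, status) in roster.items() if status != "active"}
    still_present = set()
    for entries in accounts.values():
        for _username, owner, _priv in entries:
            if owner in leavers:
                still_present.add(owner)
    return still_present


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, SYSTEM_ACCOUNTS):
        flag = "PRIV" if f.privileged else "    "
        print(f"{flag} {f.system:8} {f.username:12} {f.reason}")
    print("terminated employees with live accounts:",
          sorted(terminated_with_access(HR_ROSTER, SYSTEM_ACCOUNTS)))
```

Ownerless accounts are reported even though nobody has left, because a shared administrator password that a departing administrator knew is exactly the kind of gap the study describes; the fix there is a rotation, not a deletion.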

On the technology front, the report recommends organizations employ configuration-management tools to detect changes to sensitive databases, insertion of malicious code in applications, or when logic bombs are placed. System logging and monitoring tools are also essential, as well as full-fledged backup and recovery procedures to allow a company to keep functioning in the event of an attack.
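The change-detection the report calls for can be as simple as a hashed baseline of the deployed application tree, compared on a schedule, with the baseline stored where the people being monitored cannot rewrite it. The following is an added example, not code from the report or the article: it records a baseline, simulates an insider appending a date-triggered payload to a scheduled script and dropping a new hidden file, and reports what changed. The directory tree, file names and payload line are all constructed in a temporary directory and are never executed.

```python
"""Baseline-and-compare integrity check for a deployed application tree.

Added example, not from the report or the article. The tree it inspects
is constructed in a temporary directory so the example runs anywhere.
"""
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file under root (relative, '/'-separated) to its hash."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = hash_file(full)
    return result


def diff_snapshots(baseline, current):
    """Files that appeared, disappeared, or whose contents changed."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys
                           if baseline[p] != current[p]),
    }


def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)


def demo():
    """Build a constructed app tree, baseline it, tamper with it, diff it."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "app")
        _write(os.path.join(app, "nightly.sh"),
               "#!/bin/sh\n/usr/bin/rotate-logs /var/log/app\n")
        _write(os.path.join(app, "config.ini"), "[db]\nhost=db.internal\n")
        _write(os.path.join(app, "lib", "util.py"), "def ping():\n    return 'ok'\n")

        baseline = snapshot(root)   # recorded at deploy time in real use

        # Simulated tampering (constructed, never executed): a date-gated
        # destructive line appended to a cron-run script is the classic
        # logic-bomb shape, plus a new hidden file alongside real code.
        with open(os.path.join(app, "nightly.sh"), "a") as f:
            f.write('if [ "$(date +%m%d)" = "0401" ]; then rm -rf "$DATA_DIR"; fi\n')
        _write(os.path.join(app, "lib", ".helper.py"), "# dropped by insider\n")

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9} {p}")
```

Hashing catches the change; it does not tell you whether it was authorized, so the comparison is only useful when every legitimate deploy also refreshes the baseline through a separate, reviewed path.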

Many security best practices, if employed, further defend against insider attacks. One in particular is to require regular password changes and the use of complex passwords. Managing remote access also helps.

Don’t neglect the cultural steps needed to help prevent insider attacks. For example, managers often need to stay more attuned to the mood of the workplace and deal more proactively with negative events. Furthermore, the report recommends creating formal procedures for grievances or complaints, to give insiders an outlet. It also advises creating a process so employees can report any suspicious behavior.

Finally, security personnel need to think like attackers, looking for weaknesses a malicious employee or other attacker could exploit. “It is important that technical staff are attentive to the obscure methods used in the insider attacks in this study,” says Cappelli.

Related Articles:

Inside Attackers Often Unremarkable, Warns CERT
http://www.esj.com/security/article.aspx?EditorialsID=1120

Quantifying the Threat from Insiders
http://www.esj.com/security/article.aspx?EditorialsID=983

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.