The challenge for computer security professionals when it comes to insider threats is not just the leaker, like Edward Snowden. Insider threats range from active sabotage to data manipulation, and from theft of data to allowing outsider access. Sadly, despite all efforts, a significant risk remains from laziness and carelessness.
In a recent report, titled Combating Insider Threats, govloop.com looked at the types of threats and what can be done to prepare for them or prevent them. A survey they conducted found national security was the most vulnerable area in their agencies, according to employees. Among agencies who have experienced an insider threat, loss of documentation or information that compromised security occurred for 38 percent of those surveyed.
But the disruptions caused by insider threats aren’t just national security related. Technical disruptions affect work flow and processes. The organization and its personnel suffer a loss of reputation, and that reputation loss hurts agencies trying to recruit new personnel. Those surveyed noted that budget constraints were preventing significant improvements despite the very public losses of data in the recent past.
The report includes an interview with Patricia Larsen of the National Insider Threat Task Force. She notes several steps which are key to protection and prevention:
- Defending against insider threats must be individualized for the organization or agency. This requires the ability to detect behavior outside the norms for a job title or from an individual. Every agency will be a little different and it must know itself as a first step.
- User privileges are a huge issue. The goal is to give each user just the privileges he or she needs to perform their normal duties. It means that there will be times when a user will have to involve someone with a higher level of privileges in order to perform a task. Too many groups over-assign privileges in order to avoid the occasional “inconvenience”.
- Larsen also suggests a two-level approach to privileges. No one admin should ever be able to perform every function. High level or network admin privileges should be granted as little as possible and secured with the two-level approach to authorizing actions that may render data or computer systems insecure.
- It is most important for the agency to review individual privileges regularly. In particular, she notes that any change in job, promotion, demotion, transfer or exit, should result in a review and changes in privileges.
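The three privilege controls above (least privilege per job title, a second approver for sensitive actions, and a review whenever someone changes job) can be checked mechanically. The script below is an added example, not code from the report or the task force; the role baselines, privilege names, accounts and HR events in it are constructed for illustration.

```python
"""Added example: audit account privileges against per-role baselines and
enforce a two-person rule for sensitive actions. All names are constructed."""
from dataclasses import dataclass
from typing import Optional

# Constructed baseline: the privileges each job title normally needs.
ROLE_BASELINE = {
    "analyst": {"read_reports", "write_reports"},
    "helpdesk": {"reset_password", "read_tickets"},
    "netadmin": {"read_reports", "modify_firewall"},
}

# Constructed set of privileges whose misuse can leave systems insecure;
# these need a second, distinct approver (the "two-level approach").
SENSITIVE = {"modify_firewall", "export_database", "disable_logging"}

# HR events that must trigger a privilege review.
REVIEW_TRIGGERS = {"promotion", "demotion", "transfer", "exit"}


@dataclass
class Account:
    user: str
    role: str
    privileges: set
    recent_hr_event: Optional[str] = None


def excess_privileges(acct):
    """Privileges held beyond the role baseline (candidates for removal)."""
    return sorted(acct.privileges - ROLE_BASELINE.get(acct.role, set()))


def audit(accounts):
    """Return (user, finding, detail) tuples for over-assignment and pending reviews."""
    findings = []
    for a in accounts:
        extra = excess_privileges(a)
        if extra:
            findings.append((a.user, "over-assigned", extra))
        if a.recent_hr_event in REVIEW_TRIGGERS:
            findings.append((a.user, "review-required", a.recent_hr_event))
    return findings


def authorize(action, requester, approver=None):
    """Ordinary actions need only the requester's privilege. Sensitive actions
    additionally need a different person whose role baseline includes the
    privilege, so an over-assigned account cannot serve as the second key."""
    if action not in requester.privileges:
        return False
    if action not in SENSITIVE:
        return True
    if approver is None or approver.user == requester.user:
        return False
    return action in ROLE_BASELINE.get(approver.role, set())


# Constructed accounts: bob is over-assigned and was just transferred,
# dave is leaving, the others match their baselines.
ACCOUNTS = [
    Account("alice", "analyst", {"read_reports", "write_reports"}),
    Account("bob", "helpdesk", {"reset_password", "read_tickets", "modify_firewall"}, "transfer"),
    Account("carol", "netadmin", {"read_reports", "modify_firewall"}),
    Account("dave", "analyst", {"read_reports"}, "exit"),
    Account("eve", "netadmin", {"read_reports", "modify_firewall"}),
]

if __name__ == "__main__":
    for finding in audit(ACCOUNTS):
        print(*finding)
```

The approver check deliberately looks at the role baseline rather than the approver's current privilege set: if an account has picked up a sensitive privilege it should not have, it must not also be able to countersign its use.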
The biggest risk to your network: a stupid user
Insider threats, however, include accidents and stupidity. Wired reported in 2011 that a Nevada Air Force base operating drones overseas had become infected with a virus. It took months to remedy. The computers were not connected to the Internet. But – the same removable drives used to carry maps to the drone controllers were being used by personnel at home, where they became infected.
USB flash drives and thumb drives are everywhere. A 512 GB USB drive advertised on Amazon weighs in at 0.3 ounces and is 3.1 x 1 x 0.4 inches. Small, powerful, and without any security protections.
Insider threat detection includes knowing what is connected to the computer network and by whom. It includes knowing what was uploaded and what was downloaded. On top of this threat, PC World noted in March that a USB drive has been designed to “fry” the computer it is connected to. Does every user need a USB port on their desktop? Does every user need a desktop?
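Knowing what removable device was connected, by whom, on which machine, and how much was written to it is the kind of record that makes the drone-base infection above detectable before it spreads. The script below is an added example, not code from the article or any vendor; the log format, device serials, hosts and users are constructed, and the regex would have to be adapted to whatever an endpoint agent actually emits.

```python
"""Added example: audit constructed removable-media events against an
allowlist of issued drives and flag large writes. Format is hypothetical."""
import re
from collections import defaultdict

# Constructed allowlist of agency-issued drives, keyed by serial number.
APPROVED_DEVICES = {
    "4C530001230815": "issued drive, ops team",
}

# Constructed sample log: one event per line, key=value fields.
# The fourth-from-last line is deliberately malformed to show it is skipped.
SAMPLE_LOG = """\
2015-03-10T08:02:11 host=ops-12 user=jsmith event=connect serial=4C530001230815
2015-03-10T08:05:40 host=ops-12 user=jsmith event=write serial=4C530001230815 bytes=20480
2015-03-10T08:07:02 host=ops-12 user=jsmith event=disconnect serial=4C530001230815
2015-03-10T12:31:09 host=ops-07 user=mlee event=connect serial=AA19F7B2
2015-03-10T12:33:15 host=ops-07 agent restarted
2015-03-10T12:33:15 host=ops-07 user=mlee event=write serial=AA19F7B2 bytes=734003200
2015-03-10T12:40:00 host=ops-07 user=mlee event=disconnect serial=AA19F7B2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>connect|disconnect|read|write) serial=(?P<serial>\S+)"
    r"(?: bytes=(?P<bytes>\d+))?$"
)


def parse_log(text):
    """Return a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["bytes"] = int(ev["bytes"]) if ev["bytes"] else 0
        events.append(ev)
    return events


def audit_events(events, approved=APPROVED_DEVICES, write_limit=100 * 2**20):
    """Flag the first sighting of any non-issued device and any single write
    larger than write_limit bytes (default 100 MiB)."""
    findings = []
    seen_unapproved = set()
    for ev in events:
        if ev["serial"] not in approved and ev["serial"] not in seen_unapproved:
            seen_unapproved.add(ev["serial"])
            findings.append({"kind": "unapproved_device", "user": ev["user"],
                             "host": ev["host"], "serial": ev["serial"], "ts": ev["ts"]})
        if ev["event"] == "write" and ev["bytes"] > write_limit:
            findings.append({"kind": "large_write", "user": ev["user"],
                             "host": ev["host"], "serial": ev["serial"],
                             "bytes": ev["bytes"], "ts": ev["ts"]})
    return findings


def inventory(events):
    """Who connected which device to which host: host -> sorted (user, serial) pairs."""
    seen = defaultdict(set)
    for ev in events:
        if ev["event"] == "connect":
            seen[ev["host"]].add((ev["user"], ev["serial"]))
    return {host: sorted(pairs) for host, pairs in seen.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in audit_events(evs):
        print(f)
    print(inventory(evs))
```

On the constructed input this reports one non-issued drive on ops-07 and one write of roughly 700 MB to it, which is exactly the pair of facts (unknown device, bulk transfer) an analyst would want surfaced together; the per-host inventory answers the "what is connected, and by whom" question directly.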
The insider security threat comes from both personnel and from hardware. Money for prevention and protection may be tight but how much will a loss cost, in time, funding and reputation?