Insider Risk Management Guide
By Gideon T. Rasmussen, CISSP, CISA, CISM, IAM

The threat posed by authorized personnel is well documented by research and court cases. According to ACFE, U.S. organizations lose an estimated $652 billion to fraud annually. Unfortunately, insider threat is not limited to fraud. There is also sabotage, negligence, human error and exploitation by outsiders to consider. If you have not taken a hard look at insider threat controls in your organization, now is the time.

I. Classification and Impact Analysis

Start by classifying critical information by confidentiality, integrity and availability with associated impact ratings. NIST SP 800-60 provides sample information categories and impact definitions.

 Data Type  Confidentiality  Integrity  Availability
 Trade Secrets  High  High  Medium
 Human Resources  High  Medium  Low
 Financial  High  High  Medium

Now that your data has been defined and classified by CIA rating, identify system boundaries. Boundaries should include systems, data flow, networks, people and hard copy printouts.

II. Identification of Baseline Controls

Next, establish baseline control standards that map to impact categories. NIST SP 800-53 provides baselines broken into high, medium and low control appendixes. The Australian NSW Baseline Controls and PCI Data Security Standards are also well-written. In some cases, baseline controls will be procedural versus technological (e.g. storing sensitive documents under lock and key and using a cross-cut shredder to dispose of them). Insiders are familiar with internal controls and may find a way around a single or poorly implemented control. Pay particular attention to the control categories that follow.

Human Resources
Human resources personnel should follow well-defined in-processing and out-processing procedures. Conduct criminal background investigations, credit checks and employment verification for all personnel, including contractors, temporary staffing and cleaning crews. Periodically repeat background checks for people in highly-sensitive positions. Require all personnel to sign a document stating they have read and understand the information security policies. Ensure third party contractors and service providers comply with your security requirements (e.g. employment and background checks of new personnel). Establish an anonymous fraud, waste and abuse reporting mechanism. Many crimes committed by insiders were suspected by employees. Alert information security personnel when an employee is identified as troubled or disgruntled.

Security Awareness Program
All personnel must become familiar with security policies and procedures. Establish a comprehensive awareness program to include annual security training with a testing component, e-mail tips, posters, a letter of support from senior management, self-assessment surveys, awareness luncheons, and a security web site. Better yet, supplement training with awareness briefings. Briefings give personnel the opportunity to ask questions and put the information security team in the position of advocating security initiatives.

Access Control
Accesses should be issued based upon a person's need-to-know in routine performance of their duties. When possible, issue accesses based upon role. Take into consideration IT roles such as developers, system and application administrators, etc. Define roles within accounting and payroll. All access requests should be formally documented and approved by a direct supervisor. For access to sensitive systems, require approval of a data owner as well. Two-person integrity controls should be implemented to secure extremely sensitive information (e.g. trade secrets). Configure building access cards to restrict personnel to the areas and time periods required in performance of their duties. Each quarter ask managers to formally sign-off on the privileges of their direct reports. As employees transition to new positions, they may retain accesses from their previous role.

Separation of duties should be used as an additional control. Here are a few examples: Separate roles should be required to create an account and write a check. Developers should not have access to production systems. Code reviews should be performed by someone other than the author of the code. Administrators should not be the only group reviewing logs. For more information, see the ISACA separation of duties matrix.

Establish applications that provide a view into sensitive data versus the ability to download the entire database. Use terminal servers to provide remote access to data and systems while preventing file downloads (e.g. when developing software).

Administrators
Administrators have complete control over systems and applications. Prohibit use of default administrative accounts to facilitate accountability. Ensure Windows domain administrators use unique accounts tied to their name and the default administrator account is deleted from servers during the installation process. Configure UNIX and Linux systems to force administrators to login as themselves, then use the switch users (su) command to access root-level administrative privileges. Application administrators and operations personnel may need access to a few root-level commands in performance of their duties. Use software to delegate specific root privileges to them (e.g. sudo, RBAC, RSBAC or Power Broker). Encrypt databases to prevent system administrators and anyone with access to a backup tape from viewing sensitive information.

Workstations
Laptops can store large amounts of sensitive information and are frequent targets of thieves. Issue laptops based upon business need and with consideration of the type of information typically processed. The U.S. government has recently mandated laptop encryption and two-factor authentication. It makes sense to follow their lead. Configure bios passwords as an additional control.

Restrict workstation administrative access to the desktop team. This privilege can be used to install unlicensed software or circumvent security controls (e.g. disable anti-virus software or reverse system hardening configurations). Exceptions should be limited to personnel with a well-defined need for administrative privileges in performance of their duties, including formal sign-off by their manager.

Finally, restrict who has access to use UBS storage devices. They can be used to download sensitive data and may also act as an avenue to introduce viruses into the network.

Network Security
Configure firewalls by security best practices. Restrict outbound traffic to common services such as HTTP and HTTPS. Use application proxies to limit traffic to designated protocols. Establish separate rules to limit outbound file transfers to an authorized set of users and systems. Restrict accesses between offices to specific systems, ports and protocols. Use network segregation to restrict access to systems hosting sensitive data based (e.g. DMZs, extranets and VLANs). Block peer-to-peer file sharing services, instant messenger and services that allow unauthorized external access to the corporate network (e.g. GoToMyPC, pcAnywhere and Citrix Online). Block external e-mail web sites as well. All e-mail should be conducted using company systems. If an employee needs access to one of the above services, confirm the business requirement and create a specific rule to meet their needs. Finally, scan outgoing e-mail for sensitive information such as project codenames.. An SSL scanner should also be used to scan encrypted traffic streams.

Social Engineering
Con artists may attempt to extract information from authorized personnel or get them to take actions on their behalf. There are three basic methods to address this threat: (1) raise awareness of the techniques used by social engineers, (2) establish well-defined processes to protect sensitive data and valuable assets, and (3) provide an escalation path.

Backups
Conduct restore tests of critical systems at least annually. Disgruntled employees have been known to sabotage or blackmail companies by corrupting critical data and waiting for the change to spread through off-site backup rotation. Take backups of workstations to provide a record of employee activity. Encrypt backup tapes and e-vaulting data to keep sensitive information confidential while off-site.

Audit Trails and Monitoring
So far we have primarily addressed preventive controls. Detective controls are necessary because authorized personnel need privileges to get their jobs done. That brings us to audit trails and monitoring. Configure audit trails for each system component (e.g. network devices, operating systems, commercial software and custom applications). Learn the logging capabilities of each component and configure it to record significant events. Log actions taken by any individual with administrative privileges (e.g. execution of commands and access to audit trails). Audit trails must be protected by file permissions and synchronized in real-time to a central log server to prevent modification. Once centralized, logs should be reviewed by automated processes with notification sent to the appropriate personnel. Database administrators have access to sensitive information, so they must be monitored as well. Use intrusion detection software to identify suspicious activity. Implement file integrity software to monitor configuration files and sensitive data.

III. Implementation

Layer on baseline controls in accordance with CIA information ratings. This step ties the organization's business risks into information security controls. Many organizations are challenged with regulatory compliance and implementation of security best practices. Do not loose track of the big picture, controls are meant to insulate the business from unacceptable risk. The simple process of applying controls based upon data sensitivity and impact ratings will address most compliance concerns. Any deviation from baseline controls should require a formal exception approved by information security management and the business.

IV. Audit

An audit function is required to ensure sensitive data and valuable assets are appropriately safeguarded. Take a hard look at who has access to sensitive data and whether those accesses are appropriate. The audit function should also monitor systems and insiders to detect illicit activity. Review audit trails searching for security events and abuse of privileges. Verify directory permissions, payroll controls and accounting system configurations. Confirm backup software is appropriately configured and backups complete without error. Review network shares for sensitive information stored with wide-open permissions. Conduct office space reviews to determine if security policies and procedures are followed in practice (e.g. sensitive material is not left unattended, workstation screens are locked and laptops are secured).

Ensure accesses are systematically rescinded when personnel leave the organization or their role changes. Obtain a list of current personnel from human resources and compare it to active accounts (e.g. network accounts, remote access and local accounts on servers). Stand-alone applications must be checked as well (e.g. voicemail and company directories).

Review physical security access logs. Pay particular attention to employee visits after-hours and on the weekends. If suspicious activity is detected, cross reference video surveillance feed and system audit trials.

Conduct the assessments identified above at least quarterly. Automate auditing as much as possible to conserve resources and detect security violations as they occur. For more information, see the IIA GTAG Continuous Auditing Guide.

This article scratches the surface of insider threat mitigation. For more information, see the US-CERT Common Sense Guide to Prevention and Detection of Insider Threats. The ACM Occupational Fraud & Abuse Report provides examples of how fraud is committed and guidance for preventing and detecting it. The Yahoo insider-threat group is a good resource to keep up with current events and new developments.

As you can see the threat from within is very real. Trust is necessary but it must be controlled and monitored.

_____________________________________________________________________________________________________________

Gideon T. Rasmussen is a Charlotte-based certified information security professional with a background in fortune 50 and military organizations. His website is http://www.gideonrasmussen.com.

References:

1. ACFE Occupational Fraud & Abuse Report
2. NSA INFOSEC Assessment Methodology (IAM)
3. Dawn Cappelli: Preventing Insider Sabotage
4. Kelly Martin: U.S. Gov't Mandates Laptop Security
5. Sharon Gaudin: Case Study of Insider Sabotage











Copyright © 2006 TechTarget (SearchSecurity.com) All Rights Reserved.
Reprinted with Permission