According to a recent report from MSNBC.com, the 2011 CyberSecurity Watch Survey conducted by CSO Magazine found that more attacks (58%) are caused by outsiders than by insiders (21%); however, 33% of respondents view insider attacks as more costly, compared to 25% in 2010. Perhaps the most interesting tidbit was that insider attacks are becoming more sophisticated, with a growing number of insiders (22%) using rootkits or hacker tools compared to 9% in 2010, as these tools are increasingly automated and readily available. In this article, we'll look at how you can protect your network from these increasingly sophisticated insider attacks.
Why insider attacks are more dangerous
Insider attacks are, by definition, conducted by people who have legitimate access to your network and systems. They may be disgruntled employees with a grudge against the company, money-motivated workers who use the system to steal from the company, contractors doing work for you on a temporary basis who are there to engage in corporate espionage, or anyone else who abuses his/her privileges on your network to use it in an unauthorized way. Some attackers are infiltrators who get a job at the company for the express purpose of penetrating its security. Some insiders may be threatened, coerced or bribed by outsiders to steal company information or plant a virus or malware that will bring down or disrupt the network.
Some scenarios include:
- Deliberately infecting the company computers and network with malware or viruses that disrupt work and result in lost productivity
- Introducing spyware, key loggers and similar software to get information about what co-workers or others within the company are doing
- Stealing passwords to log on to the company network under the guise of someone else, in effect stealing the co-worker's identity
- Copying confidential company information to take or send outside the company without authorization
Why most company security strategies focus on outsiders
If insider attacks are costing companies more, why is it that most security policies and strategies seem to focus on protecting the network from outside threats? There are a number of reasons. Traditionally, network security has been "all about the edge." The foundation of network security has been the network firewall - a "guard at the gate" positioned between the computers (and users) on the internal network and the potentially malicious "unknowns" outside. The problem with this model is that it makes a big and sometimes invalid assumption: that all of the users inside can be trusted. It's not surprising that companies have made that assumption. It's human nature not to want to consider the possibility that "your" people might betray you. However, this can be a fatal mistake.
Perhaps the primary reason is that it's simply more difficult to defend against insiders. Company employees often need access to sensitive information to do their jobs, which leaves that information exposed to theft. They have legitimate credentials to log onto the network, making it easier for them to exploit any security holes and disrupt network services. Some folks argue that it can't be done at all. They make a good point: if you give someone the keys to the kingdom, it's going to be extremely difficult to prevent him from misusing them if he really wants to. Nonetheless, there are steps that you can take to make it more difficult for insiders to do extensive damage.
Developing a security strategy to protect against insider attacks
Just as retail establishments have in place loss prevention programs to keep employees from stealing merchandise or cash, businesses that deal with important electronic data (which includes the vast majority of them these days) need to think in terms of data loss prevention (DLP) programs. There are a number of DLP technologies available from various vendors, but a comprehensive strategy goes further than just buying a DLP appliance and plugging it in.
You might never be able to completely eliminate the risk of insider attacks, but here are some of the things you can do to reduce the incidence and the impact:
- Implement a dedicated DLP appliance or software. DLP appliances or software allow you to track the travel of your company's data, either in real time or by collecting information and summarizing it in daily or weekly reports. You'll want a DLP system that can intercept and read SSL or other encrypted messages, or users will be able to defeat its purpose simply by encrypting the data they send outside the network. Note that a drawback of DLP is that it may negatively impact network performance.
- Configure your firewall to address traffic going both ways. Most modern firewalls are capable of filtering both inbound and outbound traffic, but many are configured to only control the former. Set up outbound rules on your firewall to explicitly block or explicitly allow the network traffic that matches the criteria you set. For example, you could block outbound traffic that uses a specific port number.
- Use packet inspection within the network. DLP appliances and firewalls focus on traffic being sent outside the network. You can use packet inspection tools such as Network Analysis and Visibility (NAV) products to inspect the contents of packets moving within the internal network, for example when a user downloads a file from the server to his computer that he shouldn't have access to or doesn't need to do his work. NAV tools can examine the contents in great depth and look for particular words or types of data (such as social security numbers or account numbers) within a document or file. NAV has the same problem as DLP in that it can slow down network performance.
- Use mail security products with content filtering. You can use the content filtering feature on your email security products to, for example, block outbound messages that contain certain keywords, or block users from sending attachments, to prevent insiders from sending confidential information outside the network.
- Data encryption. Encrypting sensitive data will make it more difficult for those inside the network (as well as outsiders) to be able to access and read the information even if they do manage to intercept it and take it outside.
- Least privilege policy. For best security and protection against insider threats, always follow a policy of giving users the most restrictive set of privileges that will still allow them to do the work they need to do. Apply this same policy when configuring your DLP product or your firewall's outbound rules: start by blocking everything and then allow only what is needed, rather than starting by allowing everything and then restricting things selectively. Likewise, the keys to access encrypted data should be available only to those whose jobs require that they access that data, not to all employees, and not to everyone who happens to work in a specific department or hold a particular position.
- File access auditing. Implementing auditing of access to file system objects will help you detect when insiders are accessing information for which they don't have a need in order to do their jobs.
- Area of responsibility or segregation of duties. This is a policy that ensures that no one person can process an important transaction (such as transfer of monetary funds) alone. One person may be able to initiate the process but it can't be completed without the authorization of one or more other individuals. This provides a set of checks and balances to protect against a lone rogue employee or infiltrator.
- Control USB devices. DLP, firewalls, and mail content filtering will help prevent insiders from sending sensitive company information outside the network via the Internet. However, removable USB drives, especially easily concealed "thumb drives" (flash memory drives), are often used by insiders to copy sensitive company information and manually carry it outside the company. To prevent this, you can disable USB ports on systems of those who don't absolutely need them. You can use Windows Group Policy or third party software to restrict or block the installation of USB devices. Software such as GFI Endpoint Security can be used to manage user access and log the activities of USB drives, flash memory cards, CDs, floppy disks, iPods and other MP3 players, smart phones and PDAs and anything else that connects to computers via USB.
- Rights management services. Rights management allows you to give users access to data, but helps prevent them from sharing that data with others who aren't authorized to have it. Windows Rights Management Services (RMS) allows you to block copying or printing of documents, block forwarding or copying of email messages, and so forth. Windows also blocks taking a screenshot of protected documents or messages. While there are always ways around this for a determined person (for example, the user could take a photo of the screen with a cell phone camera), it makes it more difficult for insiders to misappropriate the protected information.
- Change management. Configuration and change management tools help you identify changes to system configurations that employees may have made to gain access to information they shouldn't have. There are many products on the market that can be used to track changes on the network.
- Identity management. Because access privileges are granted based on the identity of the user, it is imperative that you have a good identity management system in place. This becomes even more important in today's network environment, where company mergers and the moving of some or all data into the cloud complicate things even more.
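As an added example (not part of the original article) of the file access auditing and least privilege items above, the following Python script checks a constructed export of Windows file-access audit events (Event ID 4663 style) against a need-to-know table, flagging reads of shares outside a user's job scope and bulk reads that look like copying. The share names, group names, user names and the pipe-separated log format are all constructed assumptions.

```python
# Added example (not from the article): review constructed Windows
# file-access audit events (Event ID 4663 style) against a need-to-know
# table, flagging reads outside a user's job scope and bulk reads.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: which groups have a business need for each audited share.
NEED_TO_KNOW = {
    r"\\fs01\Finance": {"Finance"},
    r"\\fs01\HR": {"HR"},
    r"\\fs01\Public": {"Finance", "HR", "Engineering"},
}
# Constructed: group membership as the identity system would report it.
GROUPS = {"alice": {"Finance"}, "bob": {"Engineering"}}

# Constructed audit export, one event per line: time|user|object|access.
AUDIT_LOG = r"""2011-03-01 09:00:05|alice|\\fs01\Finance\q1.xlsx|ReadData
2011-03-01 09:01:10|bob|\\fs01\Public\handbook.pdf|ReadData
2011-03-01 09:02:30|bob|\\fs01\HR\salaries.xlsx|ReadData
2011-03-01 09:02:31|bob|\\fs01\HR\reviews.docx|ReadData
2011-03-01 09:02:33|bob|\\fs01\HR\terminations.docx|ReadData
2011-03-01 11:00:00|alice|\\fs01\Finance\q2.xlsx|ReadData"""

def parse(log):
    """Turn the export into (timestamp, user, object, access) tuples."""
    events = []
    for line in log.splitlines():
        ts, user, obj, access = line.split("|")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, obj, access))
    return events

def share_root(path):
    """\\server\share\folder\file -> \\server\share (the audited unit)."""
    parts = path.split("\\")  # ['', '', 'fs01', 'Finance', 'q1.xlsx']
    return "\\\\" + "\\".join(parts[2:4])

def out_of_scope(events):
    """Reads of a share that none of the user's groups has a need to know."""
    hits = []
    for _, user, obj, _ in events:
        allowed = NEED_TO_KNOW.get(share_root(obj), set())  # unknown share: nobody
        if not GROUPS.get(user, set()) & allowed:
            hits.append((user, obj))
    return hits

def bulk_readers(events, window=timedelta(minutes=5), threshold=3):
    """Users touching at least `threshold` distinct objects inside one window."""
    by_user = defaultdict(list)
    for ts, user, obj, _ in sorted(events):
        by_user[user].append((ts, obj))
    flagged = set()
    for user, reads in by_user.items():
        for i, (start, _) in enumerate(reads):
            if len({o for t, o in reads[i:] if t - start <= window}) >= threshold:
                flagged.add(user)
    return flagged
```

Run on the sample, the need-to-know check reports bob's three reads from the HR share, and the bulk check flags bob for four distinct files inside five minutes; in practice the tables would come from your identity management system and the events from the audit log export.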
These are just some of the basic steps that you should take to protect against insider threats.