Insider Threat: Protecting the Enterprise from Sabotage, Spying, and Theft

388 pages · 2005 · English

Acknowledgments

Syngress would like to acknowledge the following people for their kindness and support in making this book possible.

Syngress books are now distributed in the United States and Canada by O'Reilly Media, Inc. The enthusiasm and work ethic at O'Reilly are incredible, and we would like to thank everyone there for their time and efforts to bring Syngress books to market: Tim O'Reilly, Laura Baldwin, Mark Brokering, Mike Leonard, Donna Selenko, Bonnie Sheehan, Cindy Davis, Grant Kikkert, Opol Matsutaro, Steve Hazelwood, Mark Wilson, Rick Brown, Tim Hinton, Kyle Hart, Sara Winge, Peter Pardo, Leslie Crandell, Regina Aggio Wilkinson, Pascal Honscher, Preston Paull, Susan Thompson, Bruce Stewart, Laura Schmier, Sue Willing, Mark Jacobsen, Betsy Waliszewski, Kathryn Barrett, John Chodacki, Rob Bullington, Kerry Beck, Karen Montgomery, and Patrick Dirden.

The incredibly hardworking team at Elsevier Science, including Jonathan Bunkell, Ian Seager, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, Emma Wyatt, Krista Leppiko, Marcel Koppes, Judy Chappell, Radek Janousek, Rosie Moss, David Lockley, Nicola Haden, Bill Kennedy, Martina Morris, Kai Wuerfl-Davidek, Christiane Leipersberger, Yvonne Grueneklee, Nadia Balavoine, and Chris Reinders for making certain that our vision remains worldwide in scope.

David Buckland, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, Pang Ai Hua, Joseph Chan, June Lim, and Siti Zuraidah Ahmad of Pansing Distributors for the enthusiasm with which they receive our books.

David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Andrew Swaffer, Stephen O'Donoghue, Bee Lowe, Mark Langley, and Anyo Geddes of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.

Author

Dr. Eric Cole is currently chief scientist for Lockheed Martin Information Technology (LMIT), specializing in advanced technology research. Eric is a highly sought-after network security consultant and speaker. Eric has consulted for international banks and Fortune 500 companies. He also has advised venture capital firms on which start-ups should be funded. He has in-depth knowledge of network security and has come up with creative ways to secure his clients' assets. He is the author of several books, including Hackers Beware: Defending Your Network from the Wiley Hacker, Hiding in Plain Sight, and the Network Security Bible. Eric holds several patents and has written numerous magazine and journal articles. Eric worked for the CIA for more than seven years and has created several successful network security practices. Eric is an invited keynote speaker at government and international conferences and has appeared in interviews on CBS News, "60 Minutes," and CNN.

Coauthor

Sandra Ring is the founder of Pikewerks Corporation (www.pikewerks.com), an information security company that specializes in insider threat. Previously, Sandra was the deputy director of research for The Sytex Group, Inc. While working at Sytex, Sandra participated in original research on rootkit detection, volatile memory forensics, self-healing, and zero-configuration networks. Sandra has worked for the Central Intelligence Agency, operated closely with the National Security Agency, and conducted research at the National Aeronautics and Space Administration's Langley Research Center. She is an author of Cyber Spying: Tracking Your Family's (Sometimes) Secret Online Lives (Syngress Publishing, ISBN: 1-931836-41-8) and a contributing author to the Network Security Bible.

Chapter 1: What Is There to Worry About?

Introduction

I was sitting at my desk when my phone rang. I answered the phone and it was a large pharmaceutical company that was interested in consulting services. They started off the conversation stating that they had some problems and thought that my company might be able to help. They had noticed a trend with one of their foreign competitors. Every time they went to release a new product (in this case a new drug), one of their competitors would release a similar drug with a similar name several weeks before them and would beat them to market. If you understand the drug industry, you'll know that this is a serious problem. The first company to get a product to market usually is able to obtain a higher market share and higher demand than its competitors. Therefore, this represented a huge monetary loss to the company and the executives were concerned.

This initially sounded like a potential problem but I needed more details. My follow-up question was how often this had occurred and over what time period. The executive I was talking with said it had happened eight times over the prior 12 months. I was sitting there thinking: you think there is a problem? My next question was, "Why did you wait so long to call someone?" Their answer was, "We figured it was just a coincidence, because the only way this could have happened was if an insider was giving the information to a competitor, and we trust all of the employees, so this could not be the case." Over the next several months they were going to realize how wrong that statement was. I led an internal assessment team and over the course of several months found three different groups of people (each consisting of two to four people), working for two different competitors. Actually, one group was working for a foreign competitor and the other two groups were working for a foreign government.

The fact that this story is true is scary, but what makes it even more troubling is that this happened more than 18 months ago and I have worked on and am aware of at least 15 other similar cases. The average monetary loss of the case I worked on was estimated at $350 million annually.

The Devil Inside

"I trust everyone, it is the devil inside that I do not trust," is a great line from the movie The Italian Job. Everyone has the potential to do harm, including your employees. If you look at the minimal background checks that most companies perform on their employees, you have to wonder what that trust is based on. Why is it that once a total stranger is hired at your company, you now completely trust that person? Just because they are now called an employee does not mean they have loyalty to your organization and would do nothing to hurt the company. We do not want you to be so paranoid that your company cannot function, but a healthy dose of paranoia is good.

Aldrich Ames, Robert Hanssen, and other spies had one thing in common: they passed the polygraph (lie detector test) with almost a perfect score. How could a machine that tests whether people are lying not catch the biggest liars, who cost so many people their lives? The reason is that a polygraph does not detect lies, it detects guilt. In these cases, either the people felt justified by their actions and did not feel guilty about them, or they were trained to beat the test and deceive the examiner. Only by closely watching people over time will you start to understand that there are certain people who cannot be trusted.

Insider threat and corporate espionage rely on the fact that it is sometimes better to live in denial and be happy than to know the truth and have to deal with it. One of my associates recently found out his wife was cheating on him and was very annoyed with the person who told him. The person who told him said, "Why are you mad at me? Didn't you want to know?" And the person's response was, "No." It was easier to live with a lie than deal with the truth. While most executives might not be bold enough to admit this, it is very true in corporations and governments around the world. It is easier to trust your employees and keep life simple than to suspect everyone and deal with the complexities it creates. However, if it will put your company out of business, cause hundreds of millions of dollars' worth of loss, or cause people to die, you might think differently about the answer.

Nobody wants to believe the truth, but corporate espionage via the insider threat is causing huge problems. Many companies either do not have the proper monitoring to realize it or do not want to admit that it is happening to them. For some reason, with many crimes, including insider threat, victims feel embarrassed and ashamed. They are the victims, they did nothing wrong, but for some reason these criminals turn the tables on who is at fault. I have heard rape victims say that it was their own fault they were raped. I have also heard numerous times that it is a company's fault if they are stupid enough to be a victim of insider threat. With that mentality, who is going to admit that this happened to their company? The only person at fault is the attacker—not the victim.

The Importance of Insider Threat

Organizations tend to think that once they hire an employee or a contractor, that person is now part of a trusted group of people. Although an organization might give an employee additional access that an ordinary person would not have, why should they trust that person? Many organizations perform no background checks and no reference checks, and as long as the hiring manager likes a candidate, they will hire them. Many people might not be who you think they are, and not properly validating them can be an expensive, if not a fatal, mistake. Because many organizations, in essence, hire complete strangers who are really unknown entities and give them access to sensitive data, the insider threat is something that all organizations must worry about.

If a competitor or similar entity wants to cause damage to your organization, steal critical secrets, or put you out of business, they just have to find a job opening, prep someone to ace the interview, have that person get hired, and they are in. The fact that it is that easy should scare you. Many companies have jobs open for several weeks and it could take a couple of weeks to set up an interview. That gives a competitor focused on your company a four-week period to prep someone to ace an interview. This is what foreign governments do when they plant a spy against the U.S. They know that a key criterion for that person is passing the polygraph, so they will put that person through intensive training so that he or she can pass the polygraph with no problem. This points out a key disadvantage that organizations have: the attacker knows what process you are going to follow to hire someone, and all they have to do is prep someone so they ace that part of the process.

In terms of the importance, I often hear people say that it is only hype and that it cannot happen to us. This is synonymous with thinking that bad things only happen to others, they never happen to you; until they happen to you, and then you have a different view of the world. I remember several years ago when my father got diagnosed with a cancerous brain tumor. It shocked me, devastated me, and changed my views forever. Prior to that I knew that people had brain cancer, but it was something that I could not relate to or understand because I never thought it could really happen to me or someone I love. Bad things happened to others, not to me. This is the denial that many of us live in, but the unfortunate truth is bad things do happen and they could be occurring right now and you just do not know about it.

Insider threat is occurring all the time, but since it is happening within a company, it is a private attack. Public attacks like defacing a Web site are hard for a company to deny. Private attacks are much easier to conceal. Because these attacks are being perpetrated by trusted insiders, you need to understand the damage they can cause; how to build proper measures to prevent the attack; how to minimize the damage; and, at a minimum, how to detect the attacks in a timely manner. Many of the measures companies deploy today are ineffective against the insider. When companies talk about security and securing their enterprise, they are concerned with the external attack, forgetting about the damage that an insider can cause.

Many people debate what percentage of attacks come from insiders and what percentage come from outsiders. The short answer is: who cares? The real answer is this:

• Can attacks come from external sources?
• Can an external attack cause damage to your company?
• Can an external attack put you out of business?
• Can attacks come from internal sources?
• Can an internal attack cause damage to your company?
• Can an internal attack put you out of business?

Since the answer to all of these questions is YES, who cares what the percentage is? Both have to be addressed and both have to be dealt with. I would argue that since the insider already has access, the amount of damage they can cause is much greater than an external attacker, and the chances of getting caught are much lower. If an attacker comes in from the outside, he has access only to systems that are publicly accessible and he has to break through security devices. If an attacker comes from the inside, she already has access and has minimal, if any, security devices to deal with. As our digital economy continues to grow and the stakes increase, anyone who wants serious access to an organization is not even going to waste his time with an external attack; he is going to go right for the trusted insider.

Finally, to highlight the importance of insider threat, everyone is getting on the bandwagon. The United States Secret Service is conducting a series of studies on the insider; conferences are popping up on the subject. Why? Because billions of dollars are being lost and something has to be done to stop the bleeding. You will never be able to completely remove the insider threat because companies need to be able to function. If you fire all your employees, you might have prevented the insider attack, but you will also go out of business. The key is to strike a balance between what access people need and what access people have.

Insider Threat Defined

Since everyone uses different terminology, it is important to define what we mean by insider threat. The easiest way to get a base definition is to break the two words apart. According to www.dictionary.com, insider is defined as "one who has special knowledge or access to confidential information" and threat is defined as "an expression of an intention to inflict pain, injury, evil, or punishment; an indication of impending danger or harm; or one that is regarded as a possible danger." Putting this together, an insider threat is anyone who has special access or knowledge with the intent to cause harm or danger.

There is a reason that the insider threat is so powerful and most companies are not aware of it: all the standard security devices that organizations deploy do little if anything to prevent the insider threat.

However, as much as we do not want to admit it, this is no longer true (if it ever was). The problem with insider threat is that it takes only one person who is disgruntled and looking for a quick payoff or revenge, and your company is compromised. Unfortunately, it is really that easy, and that is one of the many reasons the problem has gotten so out of hand.

The world is also a different place than it once was. Most people today, by the time they are at the age of 30, have had more jobs than both their parents combined across their entire careers. In the past, people worked for one company for 30 years and retired. Having worked for one company for an entire career builds loyalty. However, today people switch companies fairly often, and while most people are not intentionally out to perform corporate espionage, there is a high chance they can inadvertently perform it. When you switch companies, you most likely are going to stay within the same industry, unless you are making a complete career change, which is unlikely. Therefore, the chance that you are going to work for a competitor is very high. This means some of your knowledge from your previous employer, despite your best efforts, will leak over into this new company.

People do not like to hear it and employers do not like to admit it, but the biggest threat to a company is its internal employees. Your employees, or anyone with special access (like a contractor), have more access than an outsider and therefore can cause a lot more damage. However, most organizations and media still focus on the external threat and pay little attention to the insider threat. Why? The short answer is that the external threat is easier to see and easier to defend against. If an external attacker defaces your Web site, it is easy to detect and defend against. It is also difficult to deny, because everyone can tell that it happened. However, if an employee makes copies of all of the customer credit cards and walks out with them on a USB drive that fits in his or her wallet, it is very difficult to detect and defend against.

Authorized versus Unauthorized Insider

An insider is anyone with special or additional access, and an insider attack is someone using that access against the company in some way. The key questions to ask are why that person has the access they have and how they got that access. One of the best ways to defend against the insider threat is to institute the principle of least privilege. The principle of least privilege states that you give an entity the least amount of access it needs to do its job. There are two key pieces to this. First, you are giving your employees additional access. For employees to be able to perform their job at a company, it is obvious that they will need to be given special access that a normal person does not have. This means that every employee, contractor, or anyone else performing work at your organization has the potential to cause harm. The second key piece is "needed to do their job." This focuses on how critical the access is to the organization. You know that every employee is going to be given special access; you just want to limit and control that access to the minimum possible subset.

The problem with most organizations is that employees are given a lot more access than they actually need to do their jobs. Although the risk of insider threat is present with every employee, giving them additional access increases both the damage one person can do and the number of people who could cause harm. If only five people out of 3000 have access to a sensitive database within your organization, one of those five people would have to be motivated for an insider threat problem to arise. However, if 300 out of 3000 people have access to that information, the odds of finding or motivating someone are much higher. Therefore, the more people that have access to a piece of information, the greater the chance it could cause harm to your organization. In addition, the more access a single person has, the greater the damage that person can cause. If 10 different managers each have access to only one of 10 different pieces of sensitive data, then for all 10 pieces of data to be compromised, 10 people would have to be involved. However, if one person had access to all 10 pieces of data, it would take only one person to cause a grave amount of damage to the organization.

Based on this analysis, two criteria are critical for analyzing the potential for insider threat: the number of people with access to a piece of information, and the number of pieces of data a single individual has access to. Carefully tracking and controlling critical data and the people with critical access can minimize the potential for insider threat.

We have clearly shown that access is the avenue through which insider threat is manifested. The question is how they got that access. If they were given the access, then they are authorized to access the information. If they were not given the access, but stole, borrowed, or acquired it without permission, then it is unauthorized access. The reason the distinction is important is that it helps determine the countermeasures that could be put in place. Security devices like firewalls, passwords, and encryption protect against unauthorized access. If an unprotected wireless access point is set up, people who are unauthorized to connect to the corporate network can still connect and access sensitive data. Someone who is unauthorized to access the file server can walk up to an unlocked computer and access sensitive data. However, if proper security is put in place with firewalls, encryption, and passwords, an unauthorized person should no longer be able to connect to an unprotected wireless access point or to sit down in front of an unlocked system. So the security measures that are present today can prevent the unauthorized insider threat.

However, all the current security measures today will not prevent the authorized insider. You can set up all the security you want on a network, but that will not stop someone with proper authorization. An authorized insider is someone with a valid reason for accessing the data but who uses that access in a way that was not intended by the company. The NOC manager is given access to customer passwords because he needs that access to do his job. However, it is very hard to stop him from giving that information to an attacker or a competitor. When talking about authorized insider threat, intent plays a key role. People need access to do their jobs, but what are their intentions once they get access? Luckily, as the case studies in the later chapters will demonstrate, negative intentions rarely go without warning.

Categories of Insider Threat

Depending on the level of access someone has, there are different categories of insider:

• Pure insider
• Insider associate
• Insider affiliate
• Outside affiliate

Each type has different levels of access and different motives.

Pure Insider

A pure insider is an employee with all the rights and access associated with being employed by the company. Typically, they have keys or a badge to get access to the facility, a logon to get access to the network, and can walk around the building unescorted. They can cause the most damage because they already have most of the access they need.

An elevated pure insider is an insider who has additional privileged access. This usually includes system administrators who have root or administrator access on the network. These people were given the additional access to do their jobs; however, in many cases, they are given more access than what they need. Very often when companies try to mitigate the risk of an insider threat, the best area to focus on is limiting the access of the elevated pure insider. This is also called the "principle of least privilege," or giving someone the least amount of access they need to do their job. Notice the key factors in this definition: you are not stopping people from doing their job, you are just taking away the extra access that they do not need.
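The two criteria above (how many people can reach each piece of data, and how many pieces of data one person can reach) and the least-privilege rule for the elevated pure insider are the kind of thing an entitlement review computes from an access matrix. The following is an added example, not code from the book or its authors: it takes a constructed, hypothetical access matrix plus per-role baselines of what each job actually needs, scores every data item and every principal on the two criteria, lists the grants that exceed the principal's role (least-privilege violations, which is where the elevated pure insider shows up), and recomputes the scores after those excess grants are revoked so you can see the exposure drop without anyone losing the access their job requires. The role names, people, data items and the exposure threshold are all assumptions for illustration.

```python
"""Entitlement review along the two insider-risk criteria from the text.

Criterion 1: how many people can reach each piece of sensitive data.
Criterion 2: how many pieces of sensitive data a single person can reach.
Plus a least-privilege check: which grants exceed what the person's role needs.
"""
from collections import Counter

# Constructed sample data (hypothetical roles, people and data items).
# What each role needs to do its job: the least-privilege baseline.
ROLE_BASELINE = {
    "sales": {"customer_list"},
    "noc": {"customer_passwords", "network_config"},
    "research": {"drug_formula_x", "trial_results"},
    "sysadmin": {"network_config", "backup_keys"},
}

# Which role each principal holds.
PRINCIPAL_ROLE = {
    "alice": "sales",
    "bob": "noc",
    "carol": "research",
    "dave": "sysadmin",
    "erin": "sales",
}

# What each principal can actually reach today (the access matrix).
# dave is the "elevated pure insider": an admin who has accumulated far more
# than the sysadmin baseline.
GRANTS = {
    "alice": {"customer_list"},
    "bob": {"customer_passwords", "network_config", "drug_formula_x"},
    "carol": {"drug_formula_x", "trial_results"},
    "dave": {"network_config", "backup_keys", "customer_passwords",
             "drug_formula_x", "trial_results", "customer_list"},
    "erin": {"customer_list", "trial_results"},
}


def exposure(grants):
    """Criterion 1: number of principals that can reach each data item."""
    counts = Counter()
    for items in grants.values():
        counts.update(items)
    return dict(counts)


def breadth(grants):
    """Criterion 2: number of data items each principal can reach."""
    return {principal: len(items) for principal, items in grants.items()}


def excess_grants(grants, principal_role, role_baseline):
    """Grants not justified by the principal's role (least-privilege violations).

    A principal whose role is unknown has an empty baseline, so every one of
    their grants is reported as excess rather than silently accepted.
    """
    excess = {}
    for principal, items in grants.items():
        needed = role_baseline.get(principal_role.get(principal), set())
        extra = set(items) - needed
        if extra:
            excess[principal] = extra
    return excess


def apply_least_privilege(grants, principal_role, role_baseline):
    """Access matrix after revoking every excess grant; job access is kept."""
    excess = excess_grants(grants, principal_role, role_baseline)
    return {principal: set(items) - excess.get(principal, set())
            for principal, items in grants.items()}


def review(grants, principal_role, role_baseline, exposure_limit=2):
    """Summarize a matrix: over-exposed items, broadest principal, excess grants.

    exposure_limit is a hypothetical policy knob: an item reachable by more
    than this many principals is flagged for review.
    """
    exp = exposure(grants)
    brd = breadth(grants)
    return {
        "overexposed_items": sorted(i for i, n in exp.items() if n > exposure_limit),
        "broadest_principal": max(brd, key=brd.get),
        "excess_grants": excess_grants(grants, principal_role, role_baseline),
    }


if __name__ == "__main__":
    before = review(GRANTS, PRINCIPAL_ROLE, ROLE_BASELINE)
    trimmed = apply_least_privilege(GRANTS, PRINCIPAL_ROLE, ROLE_BASELINE)
    after = review(trimmed, PRINCIPAL_ROLE, ROLE_BASELINE)
    print("before:", before)
    print("after :", after)
```

Run as a script it prints the review before and after revocation: before, three items are reachable by more than two people and dave can reach all six; after, no item exceeds the threshold and no principal holds anything beyond their role, yet every baseline grant is still in place. In a real review the baselines come from job descriptions or an existing role model, and the excess list is what you take to each manager to justify or revoke.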
