Insider Threats Demand Focused Security Reviews

Over the last several years, growing cyber threats, coupled with the ongoing discovery of new vulnerabilities, have demanded a lot of attention within the manufacturing community.

The results have been positive, and many are comfortable that they know what needs to be done. However, according to a recent ARC survey, end users are now quite concerned about internal threats.

In general, insider threats come from trusted people such as employees, contractors, partners, service providers, visitors and others who have legitimate access to systems within a facility. They may hold any role: developer, technician, operator, manager, engineer or other.

Why would trusted people want to cause their employer harm? Carnegie Mellon University, in conjunction with the U.S. Secret Service, studied several successful insider attacks, and the results provide considerable insight into the issue (“Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors,” May 2005; the full report is available at www.cert.org/insider_threat/insidercross.html).

Insider threats are unique in several important respects. The most significant is that we know and manage the potential attackers, which makes it feasible to address the root cause of the problem. Another difference is that software installation and execution privileges are not strictly needed: an attacker can simply delete files or entire directories, possibly including the back-ups. However, inside attackers frequently have administrative rights and may even have been involved in developing the systems, which makes the staging of an attack difficult to detect.

Warning signs

The CERT study found that, typically, a “negative work-related event triggered most insiders’ actions.” Furthermore, there were usually behavioral danger signals before the event. This indicates that many insider attacks are preventable through better people-management practices, including readily available ways to escalate and resolve grievances and issues.

It is imperative that we balance the benefits of access to business information and operations against the potential risks of misuse; “information for anyone, anywhere, anytime” represents a high business risk. At a minimum, password and access-rights management must limit access to what a task needs, to the time the task is being performed, and to the people authorized to perform it. When the risk is high, two-factor authentication may be justified, or real-time confirmation by a second person advisable.

Some insider attacks are preceded by abnormal operations such as configuration changes, the creation of secondary accounts or other, less obvious access paths. Monitoring system logs, and using intrusion detection software that flags anomalies against a baseline of normal activity, may, among other techniques, help anticipate an attack or catch it sooner to limit damage and ease recovery.
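As an added illustration (not part of the ARC article or the CERT study), the following script shows what such a baseline-and-anomaly review of system logs can look like in practice. It learns, per user, the event types, hours of day and daily volume seen during a normal period, then flags records in a later period that deviate: an event type the user has never performed (here a new account and a configuration change), off-hours activity, an unusual burst of activity, and a login from a user absent from the baseline. The log format, host and user names, event names and every log line are constructed for the example.

```python
"""Baseline-and-anomaly review of access logs for insider warning signs.

Added illustration, not from the ARC article: a simple log format, a baseline
learned from a period of normal activity, and checks for the abnormal
operations the article names (new account creation, configuration changes,
off-hours activity, unusual volume). All log lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) event=(?P<event>\S+)(?P<rest>.*)$")

# Constructed "normal" period used to learn the baseline.
BASELINE_LOG = [
    "2005-05-02T08:05:10 host=hmi1 user=jdoe event=login",
    "2005-05-02T08:30:00 host=hmi1 user=jdoe event=recipe_view",
    "2005-05-02T14:10:00 host=hmi1 user=jdoe event=logout",
    "2005-05-03T08:02:00 host=hmi1 user=jdoe event=login",
    "2005-05-03T15:45:00 host=hmi1 user=jdoe event=logout",
    "2005-05-02T09:00:00 host=eng1 user=asmith event=login",
    "2005-05-02T09:20:00 host=eng1 user=asmith event=config_change path=/plc/line2/recipe.cfg",
    "2005-05-02T17:00:00 host=eng1 user=asmith event=logout",
]

# Constructed period under review: an operator creating an account and editing
# configuration late at night, then a login from the new account.
REVIEW_LOG = [
    "2005-05-10T08:10:00 host=hmi1 user=jdoe event=login",
    "2005-05-10T23:40:00 host=hmi1 user=jdoe event=login",
    "2005-05-10T23:42:00 host=hmi1 user=jdoe event=useradd target=svc_maint",
    "2005-05-10T23:43:00 host=hmi1 user=jdoe event=config_change path=/plc/line1/recipe.cfg",
    "2005-05-10T23:44:00 host=hmi1 user=jdoe event=recipe_view",
    "2005-05-10T23:45:00 host=hmi1 user=jdoe event=recipe_view",
    "2005-05-10T23:50:00 host=hmi1 user=jdoe event=logout",
    "2005-05-11T09:05:00 host=eng1 user=asmith event=config_change path=/plc/line2/recipe.cfg",
    "2005-05-11T09:06:00 host=eng1 user=svc_maint event=login",
    "corrupted record ####",
]


def parse_line(raw):
    """Parse one record; None if it does not match the expected format."""
    m = LINE_RE.match(raw.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["ts"] = datetime.fromisoformat(rec["ts"])
    except ValueError:
        return None
    rec["rest"] = rec["rest"].strip()
    return rec


def build_baseline(lines):
    """Per user: event types seen, hours of day active, and busiest day's event count."""
    events, hours, per_day = defaultdict(set), defaultdict(set), defaultdict(int)
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        events[rec["user"]].add(rec["event"])
        hours[rec["user"]].add(rec["ts"].hour)
        per_day[(rec["user"], rec["ts"].date())] += 1
    daily_max = defaultdict(int)
    for (user, _), n in per_day.items():
        daily_max[user] = max(daily_max[user], n)
    return {"events": events, "hours": hours, "daily_max": daily_max}


def detect(baseline, lines, burst_factor=2):
    """Return (kind, user, detail) alerts for records that deviate from the baseline."""
    alerts, per_day = [], defaultdict(int)
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            alerts.append(("unparsed", None, raw.strip()))  # never silently drop records
            continue
        user, event, ts = rec["user"], rec["event"], rec["ts"]
        if user not in baseline["events"]:
            alerts.append(("unknown_user", user, event))  # possible secondary account
            continue
        if event not in baseline["events"][user]:
            alerts.append(("new_event_type", user, f"{event} {rec['rest']}".strip()))
        if ts.hour not in baseline["hours"][user]:
            alerts.append(("off_hours", user, f"{ts.isoformat()} {event}"))
        key = (user, ts.date())
        per_day[key] += 1
        # Fire once, the first time a user's daily volume exceeds burst_factor x baseline.
        if per_day[key] == baseline["daily_max"][user] * burst_factor + 1:
            alerts.append(("burst", user, f"{per_day[key]} events on {ts.date()}"))
    return alerts


def review():
    """Run the constructed review period against the constructed baseline."""
    return detect(build_baseline(BASELINE_LOG), REVIEW_LOG)


if __name__ == "__main__":
    for alert in review():
        print(alert)
```

Two design points carry over to real deployments: records that fail to parse are reported rather than dropped, because a skilled insider may tamper with log formats, and the baseline must be learned from a period believed to be clean and stored where the monitored users cannot edit it.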

Secure archives and back-ups are necessary for recovering from successful insider attacks as well as from other cyber attacks. However, it is equally important to ensure that insiders cannot destroy the back-ups and archives themselves, for example by keeping copies offline or under credentials that the insider does not hold.

Unfortunately, CERT found that the attackers frequently had considerable technical expertise and used it during the attack. This means that the broad access rights of developers, engineers, technicians and others must be dynamic and quickly revoked when no longer needed. It also suggests that their work be reviewed, approved and possibly tested independently.
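The access-rights rule stated earlier (limit access to what a task needs, to the time it is performed and to the people authorized, with second-person confirmation for high-risk tasks) and the requirement just above that broad rights be dynamic and quickly revoked can be expressed as one small access manager. The following is an added example, not code from the article or from any product: grants are issued per task with an expiry time, high-risk tasks need a different, independently authorized approver, and all of a person's grants can be withdrawn at once. The task catalogue, roles, user names and the 30-minute default window are constructed for the example.

```python
"""Task-scoped, time-limited access with dual control and instant revocation.

Added illustration, not from the ARC article or the CERT study. The task
catalogue, roles, user names and the 30-minute default window are constructed
for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed catalogue: which roles may perform each task, and whether the task
# is risky enough that a second authorized person must confirm the request.
TASKS = {
    "view_recipe":       {"roles": {"operator", "engineer"}, "dual_control": False},
    "change_setpoint":   {"roles": {"engineer"},             "dual_control": True},
    "delete_backup_set": {"roles": {"backup_admin"},         "dual_control": True},
}


@dataclass
class Grant:
    user: str
    task: str
    expires: datetime
    approver: Optional[str] = None
    revoked: bool = False


class AccessManager:
    def __init__(self, roles):
        self.roles = {user: set(r) for user, r in roles.items()}  # user -> roles
        self.grants = []

    def _authorized(self, user, task):
        return bool(TASKS[task]["roles"] & self.roles.get(user, set()))

    def request(self, user, task, now, minutes=30, approver=None):
        """Issue a grant for exactly one task, valid only until now + minutes."""
        if task not in TASKS:
            raise PermissionError(f"unknown task {task!r}")
        if not self._authorized(user, task):
            raise PermissionError(f"{user} is not authorized for {task}")
        if TASKS[task]["dual_control"]:
            # Real-time confirmation by a second, independently authorized person.
            if approver is None or approver == user:
                raise PermissionError(f"{task} needs confirmation by a second person")
            if not self._authorized(approver, task):
                raise PermissionError(f"approver {approver} is not authorized for {task}")
        grant = Grant(user, task, now + timedelta(minutes=minutes), approver)
        self.grants.append(grant)
        return grant

    def is_allowed(self, user, task, now):
        """True only while an unrevoked, unexpired grant for this exact task exists."""
        return any(g.user == user and g.task == task and not g.revoked and now < g.expires
                   for g in self.grants)

    def revoke_all(self, user):
        """Withdraw every live grant for a user at once (role change, departure)."""
        live = [g for g in self.grants if g.user == user and not g.revoked]
        for g in live:
            g.revoked = True
        return len(live)


def _denied(fn):
    """Return True if the call is refused with PermissionError."""
    try:
        fn()
        return False
    except PermissionError:
        return True


def demo():
    """Exercise the rules on constructed users; returns the outcomes by name."""
    am = AccessManager({"carol": {"operator"}, "alice": {"engineer"}, "bob": {"engineer"}})
    t0 = datetime(2005, 5, 10, 9, 0)
    out = {}
    am.request("carol", "view_recipe", t0, minutes=15)
    out["carol_during_window"] = am.is_allowed("carol", "view_recipe", t0 + timedelta(minutes=5))
    out["carol_after_window"] = am.is_allowed("carol", "view_recipe", t0 + timedelta(minutes=16))
    # Wrong role for the task: refused outright.
    out["carol_setpoint_denied"] = _denied(lambda: am.request("carol", "change_setpoint", t0))
    # High-risk task: refused without a second person, and self-approval does not count.
    out["alice_alone_denied"] = _denied(lambda: am.request("alice", "change_setpoint", t0))
    out["alice_self_approved_denied"] = _denied(
        lambda: am.request("alice", "change_setpoint", t0, approver="alice"))
    am.request("alice", "change_setpoint", t0, approver="bob")
    out["alice_with_bob"] = am.is_allowed("alice", "change_setpoint", t0 + timedelta(minutes=1))
    # Alice changes role or leaves: everything she holds is withdrawn immediately.
    out["alice_grants_revoked"] = am.revoke_all("alice")
    out["alice_after_revocation"] = am.is_allowed("alice", "change_setpoint", t0 + timedelta(minutes=2))
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the design is that a grant expires on its own, so "forgetting" to remove access does not leave a standing privilege, and that the approver check rejects the requester approving themselves, which is the obvious way a lone insider would try to satisfy a dual-control rule.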

Insider threats have a relatively low frequency but high consequences. Every security strategy should include an insider threat review process based on a simple model of insider attacks with prevention, containment, detection and recovery phases. Protection against insider threats cannot be achieved by security professionals alone. Management, human resources (HR) and security teams must work closely together to create comprehensive insider threat security reviews and practices.

Prevention
• Management methods to sense behavioral danger signals and take responsible action

• Effective security training programs

• Comprehensive and reliable processes to handle changes in authorizations

Containment
• Limit authorizations to those needed

• Effective authentication management

Detection
• System log monitoring

• Intrusion detection software

Recovery
• Effective back-up and archiving procedures

• Develop an insider protection review process

Robert Mick, bmick@arcweb.com, is Vice President of Enterprise Services at ARC Advisory Group Inc., in Dedham, Mass.
More in Control