
Recent events at Société Générale have highlighted the havoc that can be caused by people on the inside, writes Jason Creasey, head of research at the Information Security Forum.
While insider threats are not new, cultural changes, new business models, increased access to IT systems and networks and greater IT knowledge have all increased the risks associated with employees. These range from accidental damage to malicious attacks, fraud, embezzlement and theft, and have four causes: people, motive, opportunity and means.
Insider threats can and do materialise in very different shapes and forms, but nearly always result in a compromise of the confidentiality, integrity and availability of information. While the definition of an insider has become blurred, the motives generally remain the same - greed, malice or fear.
But there have been significant changes in both opportunity and means. Greater opportunity comes from increased vulnerabilities and control weaknesses such as poor segregation of duties and access control, along with more outsourcing, remote working and uncontrolled access to the internet.
And the increase in means is largely due to factors such as greater technical knowledge - as was the case with Jérôme Kerviel at Société Générale - along with easy access to attack kits, powerful storage devices and the use of social engineering.
Organisational model
Today's organisational model tends to be flatter, less hierarchical and more network-oriented and collaborative. Insiders are also within the traditional defensive perimeter and are not subject to the same level of controls as outsiders.
Technology can help to reduce opportunity and means, but with people at the heart of the problem, other controls - technical or otherwise - need to be embedded into a security-positive culture to reduce motive, opportunity and means.
Like it or not, a holistic approach is what is needed to fully address the causes behind insider threats. Specific actions to help address individual causes should be part of a wider cultural approach concentrating on security-aware behaviour across the whole organisation, as follows:
People
- Screen employees and their references
- Regularly re-screen staff working in sensitive areas
- Deploy an employee assistance programme to address personal issues
Motive
- Protect staff against intimidation (concentrate on vulnerable staff and those working in sensitive areas)
- Enhance physical security (enforce a clear desk policy, for example)
Opportunity
- Segregate duties
- Invoke the principle of least privilege for users
- Design systems to require dual control/sign-off
- Deploy an incident and access management solution
- Restrict the ability to copy, alter or delete information
- Regularly review the activities of staff
- Audit transactions on a regular basis, to include random sampling
- Review code and systems for non-authorised functionality (backdoors, Trojans, remote access)
Means
- Design processes to quickly remove all access for employees who have been fired
- Deploy a "white list" to restrict internet access
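The segregation-of-duties, least-privilege, dual-control and random-sampling controls listed under Opportunity, as an added worked example (not code from the article or the ISF): it checks constructed transaction records against a constructed role table, flags each violation, and draws a random sample of the clean records for manual review. The role table, the dual-control threshold and the transaction fields are assumptions made for the example.

```python
import random
from collections import namedtuple

# Constructed role table (assumption, not from the article): who may approve.
ROLES = {"alice": {"trader"}, "bob": {"trader", "approver"},
         "carol": {"approver"}, "dave": {"trader"}}
DUAL_CONTROL_THRESHOLD = 1_000_000  # amounts at or above this need two approvers
Txn = namedtuple("Txn", "txn_id entered_by approvers amount")

def sod_violations(txn, roles=ROLES):
    """Return the control-violation labels for one transaction (empty if clean)."""
    problems = []
    if not txn.approvers:
        problems.append("unapproved")
    # Segregation of duties: whoever entered the transaction must not approve it.
    if txn.entered_by in txn.approvers:
        problems.append("self-approval")
    # Least privilege: every approver must actually hold the approver role.
    for a in txn.approvers:
        if "approver" not in roles.get(a, set()):
            problems.append(f"unauthorised-approver:{a}")
    # Dual control: large transactions need two distinct approvers.
    if txn.amount >= DUAL_CONTROL_THRESHOLD and len(set(txn.approvers)) < 2:
        problems.append("missing-dual-control")
    return problems

def audit(txns, sample_size=2, seed=0):
    """Flag every violation, then pick a random sample of the clean transactions
    for manual review (the article's random sampling of audited transactions)."""
    flagged = {t.txn_id: p for t in txns if (p := sod_violations(t))}
    clean = [t.txn_id for t in txns if t.txn_id not in flagged]
    rng = random.Random(seed)  # fixed seed only so the demo is reproducible
    return flagged, rng.sample(clean, min(sample_size, len(clean)))

# Constructed sample transactions.
SAMPLE = [
    Txn("T1", "alice", ["bob"], 50_000),               # clean
    Txn("T2", "bob", ["bob"], 20_000),                 # self-approval
    Txn("T3", "alice", ["dave"], 10_000),              # dave lacks approver role
    Txn("T4", "dave", ["carol"], 5_000_000),           # large, only one approver
    Txn("T5", "alice", ["bob", "carol"], 5_000_000),   # clean dual control
    Txn("T6", "dave", [], 1_000),                      # never approved
]

if __name__ == "__main__":
    flagged, sampled = audit(SAMPLE)
    for txn_id, problems in flagged.items():
        print(txn_id, ", ".join(problems))
    print("random sample of clean transactions for review:", sampled)
```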