The insider threat issue is undoubtedly creating a stir in the
technology world, but do organisations actually take it seriously,
and what are they doing to minimise the security risk from
employees? The Computer Security Institute (CSI) has found that
insider security incidents have now overtaken virus incidents in
terms of what they cost organisations, making insider threat the IT
security priority.
Unfortunately, there is no single "miracle solution" to solve
this problem. As many recent
high-profile data leaks have been caused by employee error
rather than malicious behaviour or criminal intent, staff training
on company IT policies and practices is a good starting point. The
other approach is technology, yet security spending is
predominantly focused on perimeter solutions, which will
regrettably be of little use in protecting your organisation from
internal data loss.
Most traditional defences use a negative security model with
costs that scale with each new and different threat. They depend on
signatures and complex block list (black list) rules that are
developed in response to known "attacks". New or previously unseen
attacks cannot be effectively addressed in this way. To keep up,
system owners must constantly update their signature definitions,
and be reliant on external suppliers for the quality of the
signatures deployed. In addition, block lists are focused on
external malicious behaviour. Internal misuse does not look at all
like the signatures of an external attacker - it will appear nearly
normal.
Authentication-based access control is a well-known positive
security approach, but its risk mitigation value has been eroded by
fundamental weaknesses. Firstly, if you are dealing with an
outsider attack, Trojans can "sniff" passwords, whilst
"man-in-the-middle" and "man-in-the-browser" attacks can even
sidestep stronger authentication. Secondly, people are susceptible
to social engineering attacks, such as spear-phishing (a highly
targeted phishing attack), which can enable outsiders to compromise
and then exploit inside resources.
Sadly, it is not just the faceless stranger who now poses a
threat to your business; it is often the people you know who have
IT access rights and high privileges, which unfortunately means
access controls alone are insufficient to protect your data. You
can control their access, but you can do little proactively to
control their behaviour, to ensure they do not abuse their
privileges, or to ensure they are not compromised users or
applications.
You need to keep your data secure where it is accessed - in the
database. Almost all of an organisation's critical data is stored
in a database - confidential customer details, supply chain
information, payroll and shareholder details - which is the
organisation's life-blood.
Sure, organisations can control access to their databases, but
there is still scope for human error. This happens with both
standard and highly privileged users, such as senior personnel and
members of the IT team. According to the Software Engineering
Institute, 86% of those who cause an insider breach hold technical
positions. So, in addition to restricting access to authorised
personnel, organisations have to make sure privileged users - for
example database administrators - have controlled access only to
approved data groups. This was a lesson that Société Générale learnt
the hard way: weaknesses in the bank's internal control systems
enabled an insider to enter the system and eliminate credit and
trade-size controls, stopping the bank's risk managers from spotting
his giant trades on the direction of indices.
Preventative security controls are much more effective than
monitoring or auditing alone, since they can spot and stop the
breach before it has happened, thereby mitigating the risk
entirely rather than reporting on it afterwards. However, the manual
effort of constructing and maintaining positive security behavioural
controls can be a big, if not impossible, task. High degrees of
automation and intelligence are needed to make the challenge
practically tractable.
It is, therefore, important to detect and understand how all
applications and users (privileged and otherwise) interact with the
database, so that appropriate - and effective - monitoring and
blocking policies can be introduced and enforced.