Recent events at Société Générale have highlighted the havoc that can be caused by people on the inside, writes Jason Creasey, head of research at the Information Security Forum.
While insider threats are not new, cultural changes, new business models, increased access to IT systems and networks and greater IT knowledge have all increased the risks associated with employees. These range from accidental damage to malicious attacks, fraud, embezzlement and theft, and have four causes: people, motive, opportunity and means.
Insider threats can and do materialise in very different shapes and forms, but nearly always result in a compromise of the confidentiality, integrity and availability of information. While the definition of an insider has become blurred, the motives generally remain the same - greed, malice or fear.
But there have been significant changes in both opportunity and means. Greater opportunity comes from increased vulnerabilities and control weaknesses such as poor segregation of duties and access control, along with more outsourcing, remote working and uncontrolled access to the internet.
And the increase in means is largely due to factors such as greater technical knowledge - as was the case with Jérôme Kerviel at Société Générale - along with easy access to attack kits, powerful storage devices and the use of social engineering.
Today's organisational model tends to be flatter, less hierarchical and more network-oriented and collaborative. Insiders also sit within the traditional defensive perimeter and are not subject to the same level of controls as outsiders.
Technology can help to reduce opportunity and means but with people at the heart of the problem, other controls - technical or otherwise - need to be embedded into a security-positive culture to reduce motive, opportunity and means.
Like it or not, a holistic approach is what is needed to fully address the causes behind insider threats. Specific actions to help address individual causes should be part of a wider cultural approach concentrating on security-aware behaviour across the whole organisation, as follows:
- Screen employees and their references
- Regularly re-screen staff working in sensitive areas
- Deploy an employee assistance programme to address personal issues
- Protect staff against intimidation (concentrate on vulnerable staff and those working in sensitive areas)
- Enhance physical security (enforce a clear desk policy, for example)
- Segregate duties
- Invoke the principle of least privilege for users
- Design systems to require dual control/sign-off
- Deploy an incident and access management solution
- Restrict the ability to copy, alter or delete information
- Regularly review the activities of staff
- Audit transactions on a regular basis, to include random sampling
- Review code and systems for non-authorised functionality (backdoors, Trojans, remote access)
- Design processes to quickly remove all access for employees who have been fired
- Deploy a "white list" to restrict internet access