The insider threat issue is undoubtedly creating a stir in the technology world, but do organisations actually take it seriously, and what are they doing to minimise the security risk from employees? The Computer Security Institute (CSI) has found that insider security incidents have now overtaken virus incidents in regards to how much they cost organisations, making it the IT security priority.
Unfortunately, there is no single "miracle solution" to solve this problem. As many recent high-profile data leaks have been caused by employee error rather than malicious behaviour or criminal intent, staff training on company IT policies and practices is a good starting point. The other approach is technology, yet security spending is predominantly focused on perimeter solutions, which will regrettably be of little use in protecting your organisation from internal data loss.
Most traditional defences use a negative security model with costs that scale with each new and different threat. They depend on signatures and complex block list (black list) rules that are developed in response to known "attacks". New or previously unseen attacks cannot be effectively addressed in this way. To keep up, system owners must constantly update their signature definitions, and be reliant on external suppliers for the quality of the signatures deployed. In addition, block lists are focused on external malicious behaviour. Internal misuse does not look at all like the signatures of an external attacker - it will appear nearly normal.
Authentication-based access control is a well-known positive security approach, but its risk mitigation value has been eroded by fundamental weaknesses. Firstly, if you are dealing with an outsider attack, Trojans can "sniff" passwords, whilst "man-in-the-middle" and "man-in-the-browser" attacks can even sidestep stronger authentication. Secondly, people are susceptible to social engineering attacks, such as spear-phishing (a highly targeted phishing attack), which can enable outsiders to compromise and then exploit inside resources.
Sadly, it is no longer just the faceless stranger who poses a threat to your business; it is often the people you know, who hold IT access rights and high privileges, which unfortunately means that access controls alone are insufficient to protect your data. You can control their access, but you can do little proactively to control their behaviour and ensure they do not abuse their privileges, or that they are not compromised users or applications.
You need to keep your data secure where it is accessed - in the database. Almost all of an organisation's critical data is stored in a database - confidential customer details, supply chain information, payroll and shareholder details - which is the organisation's life-blood.
Sure, organisations can control access to their databases, but there is still scope for human error. This happens with both standard and highly privileged users, such as senior personnel and members of the IT team. According to the Software Engineering Institute, 86% of those who cause an insider breach have technical positions. So, in addition to restricting access to authorised personnel, organisations have to make sure privileged users - for example database administrators - have controlled access only to approved data groups. This was a lesson that Société Générale learnt the hard way after the bank's internal control systems had weaknesses that enabled an insider to enter the system and eliminate credit and trade-size controls, stopping the bank's risk managers from spotting his giant trades on the direction of indices.
Preventative security controls are much more effective than monitoring or auditing alone, since they can spot and prevent the breach before it has happened, thereby completely mitigating the risk. However, the manual effort of constructing and maintaining positive security behavioural controls can be a big, if not impossible, task. High degrees of automation and intelligence are needed to make the challenge practically soluble.
It is, therefore, important to detect and understand how all applications and users (privileged and otherwise) interact with the database in order that appropriate - and effective - monitoring and blocking policies can be introduced and enforced.
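A minimal version of the learn-then-enforce approach described above, where normal user and application interactions with the database are observed first and anything outside that learned behaviour is blocked (a positive security model). This is an added example, not code from the original article or any product it alludes to; the audit log format, principals and table names are all constructed.

```python
"""Positive security model for database activity: learn a baseline, then enforce it.

Added example. The audit line format (timestamp, user, app, stmt, table) and
every name below are constructed for illustration, not a real product's format.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) app=(?P<app>\S+) "
                    r"stmt=(?P<stmt>\w+) table=(?P<table>\S+)$")

# Constructed baseline: how each (user, application) pair normally behaves.
BASELINE_LOG = """\
2024-03-01T09:05:11 user=payroll_svc app=hrportal stmt=SELECT table=employees
2024-03-01T09:06:40 user=payroll_svc app=hrportal stmt=UPDATE table=salaries
2024-03-01T10:12:03 user=dba_jane app=sqlplus stmt=SELECT table=sys.dba_tables
2024-03-01T10:15:27 user=dba_jane app=sqlplus stmt=ALTER table=employees
"""

def parse(line):
    """Split one audit line into its fields; refuse lines we cannot interpret."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    return m.groupdict()

def learn_profile(log_text):
    """Build the allow list: (user, app) -> set of (statement type, table) observed."""
    profile = defaultdict(set)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse(line)
            profile[(ev["user"], ev["app"])].add((ev["stmt"], ev["table"]))
    return profile

def evaluate(profile, line):
    """Return (decision, reason). Anything not in the learned profile is denied,
    so a DBA reading a data table, or a service account used from an ad-hoc
    tool, is blocked even though both hold valid credentials."""
    ev = parse(line)
    key = (ev["user"], ev["app"])
    if key not in profile:
        return "BLOCK", f"unknown principal {ev['user']} via {ev['app']}"
    if (ev["stmt"], ev["table"]) not in profile[key]:
        return "BLOCK", f"{ev['user']} never ran {ev['stmt']} on {ev['table']} via {ev['app']}"
    return "ALLOW", "matches learned behaviour"

if __name__ == "__main__":
    prof = learn_profile(BASELINE_LOG)
    for probe in ("2024-03-02T11:00:00 user=payroll_svc app=hrportal stmt=SELECT table=employees",
                  "2024-03-02T23:41:09 user=dba_jane app=sqlplus stmt=SELECT table=salaries",
                  "2024-03-02T23:45:30 user=payroll_svc app=sqlplus stmt=SELECT table=employees"):
        print(evaluate(prof, probe))
```

The baseline here is hand-written; in practice it would be learned from a sufficiently long observation window and reviewed before enforcement is switched on, since any behaviour captured during learning becomes permitted.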