Adeptus-Mechanicus

"Inveniam viam aut faciam" : I will either find a way, or I shall make one


INTERNAL THREATS

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself and not your enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
            -Sun Tzu: The Art of War

Define “Internal Threats”
Damage done to an organization by a trusted person who has, or had, access to a trusted area of the organization's infrastructure.

Examining the Definition
Internal attackers are one risk among many, and standard risk management treats the severity of a risk as the product of the organization's exposure to a type of attack and the likelihood of that attack occurring. This can be expressed as:
Risk = Vulnerability (exposure, as a %) x Threat (expected annual rate of occurrence, as a %)
Note that this expression captures likelihood only; the cost of the event (impact) still has to be weighed separately before you can decide how much a countermeasure is worth.

Threats
Any internal threat aims to do, or will end up doing, certain common things to an organization's infrastructure and assets:
Or let's look at it a different way. An organization's digital assets must be guaranteed in three areas:
Thus any threat to these three key properties of the organization's data is what must be protected against. These threats are embodied in:
Exposure
The best way to gauge exposure to a threat is to look for the absence of the measures that safeguard against it. The measures taken against insider threats can be broadly broken down into:
Let's look at each category to see where a lack of cover creates exposure:

Policies
Policies are important because in every organization there is a point at which staff must simply be trusted and logical or physical countermeasures cannot be applied. This is where policies and their enforcement come into play. A lapse in any of the above points seriously hampers the use of the policy, and therefore leaves you with less legal recourse when you need to rely on it.

Logical
Logical controls exist not just to prevent unauthorised access to your information assets, but also to create accountability for the actions authorised people take on the assets they can reach. Without proper audit trails and logical measures, the organization can never really say who did what to what. That severely limits not only the detection of an insider attack but also recovery from it and any prosecution afterwards.
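To make the accountability point concrete, here is an added example (not code from the original post) that runs a simple attribution check over a constructed audit trail. The log line format, the ACL table and the account names are all assumptions made for the illustration. It flags every action on a sensitive resource that cannot be tied to a person (no actor recorded, or a shared/service account) and every action by a user outside the resource's allowed set; an unparseable line is reported too, since an event you cannot read is an event you cannot account for.

```python
import re

# Constructed sample audit trail (not real data). Assumed format, one event per line:
#   <timestamp> user=<account> action=<verb> resource=<path> src=<ip>
SAMPLE_LOG = """\
2024-03-01T09:02:11Z user=alice action=read resource=/hr/payroll.xlsx src=10.0.1.20
2024-03-01T09:05:42Z user=svc_backup action=read resource=/hr/payroll.xlsx src=10.0.9.2
2024-03-01T09:07:03Z user=bob action=copy resource=/hr/payroll.xlsx src=10.0.1.33
2024-03-01T09:08:15Z user=shared_admin action=delete resource=/finance/q1_forecast.docx src=10.0.1.40
2024-03-01T09:10:00Z user=alice action=read resource=/public/handbook.pdf src=10.0.1.20
2024-03-01T09:11:30Z user=- action=modify resource=/finance/ledger.db src=10.0.1.51
"""

# Assumed ACL: sensitive path prefix -> accounts allowed to touch it.
SENSITIVE_ACL = {
    "/hr/": {"alice", "svc_backup"},
    "/finance/": {"carol"},
}

# Accounts not tied to a single person. An action under one of these may be
# "authorised" but gives you nobody to hold accountable.
SHARED_ACCOUNTS = {"shared_admin", "svc_backup"}

# Marker the assumed logger writes when it could not resolve an actor.
NO_ACTOR = "-"

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"resource=(?P<resource>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return the event fields as a dict, or None if the line is not in the assumed format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def sensitive_prefix(resource):
    """Return the ACL prefix covering this resource, or None if it is not sensitive."""
    for prefix in SENSITIVE_ACL:
        if resource.startswith(prefix):
            return prefix
    return None


def review_audit_trail(log_text):
    """Walk the trail and return one finding for every sensitive action that
    cannot be attributed to a person or was not authorised."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev is None:
            findings.append({"kind": "unparseable", "line": raw})
            continue
        prefix = sensitive_prefix(ev["resource"])
        if prefix is None:
            continue  # not a sensitive resource, out of scope for this review
        if ev["user"] == NO_ACTOR:
            kind = "no_actor"
        elif ev["user"] in SHARED_ACCOUNTS:
            kind = "shared_account"
        elif ev["user"] not in SENSITIVE_ACL[prefix]:
            kind = "unauthorised"
        else:
            continue  # attributable to a named person and permitted
        findings.append({"kind": kind, "ts": ev["ts"], "user": ev["user"],
                         "action": ev["action"], "resource": ev["resource"]})
    return findings


if __name__ == "__main__":
    for finding in review_audit_trail(SAMPLE_LOG):
        print(finding)
```

On the constructed trail this yields four findings: the backup service account reading payroll, bob copying payroll without a grant, a shared admin account deleting a finance document, and a modification of the ledger with no actor at all. Only the second is an access-control failure; the other three are accountability failures, which is the gap the paragraph above is about.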

Physical
One of the main advantages a malicious insider has is that, in order for them to do their work, the organization has already granted them some level of access. This means logical controls may not stop a person getting their hands on data. This is where physical controls come in: the organization needs to be able to monitor what data leaves or enters its infrastructure at the physical level, so that even if a person misuses their access, it does not help them get the data out. A failure here means, quite literally, that your data can walk out the door.
 
Threats
Let's also take a closer look at the embodiments of the threats mentioned earlier:
Why Worry?
The simple answer is: do you trust every member of staff 100%, 100% of the time? Nobody in a modern medium-to-large organization will say yes; there are just too many variables and possibilities. Am I being harsh? Ask yourself this: why do you trust your staff? What have they done to earn that trust? You would not trust a person walking past the organization's building on the street, so why, once you hire that person, do you suddenly trust them? On what does the organization base that trust? Now add that even trustworthy people can do something wrong when they are under stress or under pressure, and suddenly the problem is a lot larger. Then add the damage someone could cause unintentionally because of a lack of controls, and the need to worry is apparent.

So What?
Even if there is a chance of damage, why should I worry about it? Look at it this way: firewalls, intrusion-detection systems, encryption and other technical measures have made it very difficult (or should have) for an outside attacker to gain access to your trusted network. That limits the number of people who could commit these attacks. But your trusted network is generally set up, well, more trustingly, because that makes it easier for your staff to do their jobs. So if an attacker already has direct access to your trusted network, bypassing most logical defences, the knowledge and skill required to commit an attack drop drastically. This is the important point to remember: insider attacks are easy and extremely damaging. Most staff are given some level of access to network resources in order to do their job, which makes a potential attacker's job easier still. An insider also becomes familiar with the processes and procedures and their weak points, with what data is valuable and where it is stored, and with other context that makes committing an attack easier. These are just some of the reasons organizations need to worry.

What Can I Do?
The first thing to realise is simple: prevention is ideal, but detection is a must. Full prevention of insider threats is impossible; incidents will happen, so the organization must be able to assess the damage, mitigate it, and recover quickly and efficiently. Next you must know what is being attacked. Does the organization know which of its resources are critical, and why? Once you know this you can work out an acceptable level of loss, remembering that the lower that level is set, the more resources and measures have to be put in place. Once you know what is critical, look at the next most important fact: access. Who has access? Why do they have it? What access do they have? How did they get it? Access to the organization's resources is what makes insider attacks such a threat, so answering those questions will point you towards the changes to make.
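As an added illustration of those access questions (example code, not from the original post), the following Python takes a constructed critical-asset register and a constructed list of grants, answers "who has access" for each critical asset, and flags grants that do not answer "why" (no recorded reason) or "how" (granted directly rather than through a role or an approval), or that have outlived their expiry. The field names, the tier labels and the user names are all assumptions made for the illustration; the same review applies to whatever identity or ACL export you actually have.

```python
from datetime import date

# Constructed critical-asset register (assumed fields). Only "high" tier assets
# are in scope for the review; the tier stands in for the acceptable level of
# loss the organization has decided on for that asset.
CRITICAL_ASSETS = {
    "payroll-db":  {"owner": "hr-lead",  "tier": "high"},
    "source-repo": {"owner": "eng-lead", "tier": "high"},
    "wiki":        {"owner": "it",       "tier": "low"},
}

# Constructed access grants (assumed fields). Each row is meant to answer
# who / what / why / how / for how long.
GRANTS = [
    {"user": "alice", "asset": "payroll-db",  "level": "read",
     "reason": "monthly payroll run", "granted_via": "role:hr",         "expires": "2024-12-31"},
    {"user": "bob",   "asset": "payroll-db",  "level": "admin",
     "reason": "",                    "granted_via": "direct",          "expires": ""},
    {"user": "carol", "asset": "source-repo", "level": "write",
     "reason": "product development", "granted_via": "role:eng",        "expires": "2023-06-30"},
    {"user": "dave",  "asset": "wiki",        "level": "write",
     "reason": "",                    "granted_via": "direct",          "expires": ""},
    {"user": "erin",  "asset": "source-repo", "level": "admin",
     "reason": "release management",  "granted_via": "ticket:approved", "expires": "2024-09-30"},
]


def in_scope(grant, assets):
    """True if the grant is on an asset the register marks as critical."""
    asset = assets.get(grant["asset"])
    return asset is not None and asset["tier"] == "high"


def who_has_access(grants, assets):
    """Answer 'who has access?' for every critical asset: asset -> sorted user list."""
    result = {name: [] for name, a in assets.items() if a["tier"] == "high"}
    for g in grants:
        if in_scope(g, assets):
            result[g["asset"]].append(g["user"])
    return {name: sorted(users) for name, users in result.items()}


def review_grants(grants, assets, today_iso):
    """Flag critical-asset grants that do not answer 'why' or 'how', or have expired.

    today_iso is the review date as YYYY-MM-DD, so the result is reproducible."""
    today = date.fromisoformat(today_iso)
    findings = []

    def flag(g, issue):
        findings.append({"user": g["user"], "asset": g["asset"], "issue": issue})

    for g in grants:
        if g["asset"] not in assets:
            flag(g, "asset not in the register")  # access to something nobody owns
            continue
        if not in_scope(g, assets):
            continue  # low-tier asset, not reviewed here
        if not g["reason"]:
            flag(g, "no recorded justification")
        if g["granted_via"] == "direct":
            flag(g, "granted outside a role or approval process")
        if not g["expires"]:
            flag(g, "no expiry")
        elif date.fromisoformat(g["expires"]) < today:
            flag(g, "expired but still active")
    return findings


if __name__ == "__main__":
    print(who_has_access(GRANTS, CRITICAL_ASSETS))
    for finding in review_grants(GRANTS, CRITICAL_ASSETS, "2024-06-01"):
        print(finding)
```

Run against the constructed data on 2024-06-01, bob's admin grant on the payroll database produces three findings (no reason, granted directly, never expires) and carol's write grant on the repository is flagged as expired; dave's grant is ignored because the wiki is not critical. The point of the exercise is less the four findings than that every critical grant has a row you can put in front of the asset owner and ask "is this still right?".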

Once you know all of the above you can start putting measures in place in a reasoned way, but as a starting point here are some general prevention mechanisms to put in place:
Final Words
The idea of an insider threat is one companies do not like to face, because it is difficult and very often requires a change in mindset and in how things work. But ignoring it will not make it go away; it will only increase the chances of it happening and the damage it causes when it does. Better to take some short-term pain for a longer-term benefit. I also do not advocate seeing the insider threat as the answer to why everything goes wrong, but it should at least be a consideration. So start looking into this stuff and, as always, have fun and learn.