Insider Security Threats Q&A

We conducted a brief Q&A session with David Lynch, CMO at Apani Networks, a global network security software provider focused on securing inside the network perimeter.

All media outlets recently reported a recent security breach in the White House, which once again stressed out the threat of insider attacks.

According to ABC News Leandro Aragoncillo, a U.S. Marine most recently assigned to the staff of Vice President Dick Cheney, stole classified material from the vice president’s office, included damaging dossiers on the president of the Philippines, and then passed them on to opposition politicians planning a coup in the Pacific nation. Sources said a former Philippine president has admitted that he received some information from the alleged spy.

We have no information on the methods used to obtain the documents. We do not know for instance, if the individual involved had legitimate access to the documents he allegedly stole or if he accessed them through “illegitimate” means. But irrespective of this, the breach does highlight the issue of insider attacks and the need for any organization to secure inside the perimeter.

How common are internal security attacks happening inside organizations worldwide?

Insider attacks have been with us almost as long as networks have been with us. It is a phenomena that has been extensively studied over the years, and depending on which study you believe, anywhere from 40% to 70% of ALL attacks come from the inside – and this ratio has held ever since the first time I ever saw a Cyber crimes report, well over 10 years ago. This means that a typical organization will see at least as many internal attacks in a given year as they will external ones. And for the most part these attacks have tended to be swept under the table, and in a lot of cases never got out of the IT department. Maybe some folks were disciplined and security holes were plugged but that was all.

But the rules of the game have changed in the last couple of years.

It started with the success and ubiquity of e-commerce. Today you can buy almost anything electronically. Which means that individuals now have two very separate identities – whether they want them or not;

  • A physical identity, which is usually validated against a government issued ID, i.e. drivers license. And
  • An electron identity, which is usually validated against “issued” data elements i.e. Social security number, account number, credit card number, personal ID number, etc.
The success of e-commerce has added real value to an individuals electronic identity, which has made identity theft the number one growth crime world wide.

Data elements that businesses have collected for years and were regarded a simple tools to help get the job done, now have very specific value attached to them. In fact data records sell today on the black market for anywhere from $5 to $100 a record depending on their contents.

This is such a significant problem, that Governments all over the world have responded with Data protection regulations – all aimed at forcing businesses who are the custodians of the data that form electronic identities to adequately protect them.

What should be done to minimize the threats from internal attackers?

The first thing organizations have to do it to realize that this threat is no longer one than can be “swept under the carpet”. The increase in the intrinsic value of data records can only ensure that the insider attack ratio will climb. Data needs to be locked away in the same way that most organizations will lock away office supplies.

The consequences of a data breach have also changed dramatically over the past couple of years.

Many current regulations now call for public notification of a data breach. And the stock market has reacted strongly to such notifications, which moves the risk of a data breach from a “local IT cleanup project”, to something that will affect the overall value of the company.

This is no longer an IT issue, it’s a business survival issue, as evidenced by the experience of CardSystems Solutions Inc who declared a data breach back in May of this year. After losing a number of its customers as a result of their lack of security, they are now in the process of being acquired by their rival CyberSource Corporation. For CardSystems Solutions Inc, this was literally a life and death issue.

All of which means a significant change in the traditional IT security strategies.

Up until now most IT security has been based on a “Moat and Castle” security strategy, or put simply; “Create a strong perimeter to separate the “trusted” environment (folks who belong to the organization), from the untrusted environment, (every one else), and secure against the untrusted environment.”

The problem with this is that by definition insider attacks come from the inside… And so the security focus has to shift from the perimeter and beyond, to include securing inside the perimeter as well.

To do this, organizations start by identifying and establishing security policies specifically for inside the perimeter, including effective network segmentation that creates closed user groups, limiting what individuals are exposed or have access to.

Then you need to enhancing data security by protecting data-at-rest using authentication, and access control, as well as protecting data-in-motion with encryption – especially sensitive items like user names, passwords, and personal identity data.

All of which should be complemented by effective monitoring and reporting that covers the entire environment – especially those connection attempts that happen where they shouldn’t.

This is not simple.

Most traditional security technologies were developed for the “Moat and Castle” strategy and as such, do not work very will inside the perimeter.
Help is on the way however. There is a new class of technology emerging that was designed specifically for this purpose, including those produced by Apani Networks, that can help simplify this onerous but necessary task.