Slashdot Mirror


Insider Threat

Ben Rothke writes "Thousands of computer security books have been published that deal with every conceivable security issue and technology. But Insider Threat is one of the first to deal with one of the most significant threats to an organization, namely that of the trusted insider. The problem is that within information technology, many users have far more access and trust than they should truly have." Read the rest of Ben's review.

Insider Threat
author: Eric Cole and Sandra Ring
pages: 397
publisher: Syngress
rating: 9
reviewer: Ben Rothke
ISBN: 1597490482
summary: Excellent overview of the insider threat to networks and information systems

The retail and gambling sectors have long understood the danger of the insider threat and have built their security frameworks to protect against both the insider and the outsider. Shoplifters are a huge bane to the retail industry, exceeded only by thefts from internal employees behind the registers. The cameras and guards in casinos are looking at both those in front of and behind the gambling tables. Casinos understand quite well that when an employee is spending 40 hours a week at their location dealing with hundreds of thousands of dollars, over time they will learn where the vulnerabilities and weaknesses are. A minority of these insiders will commit fraud, which is invariably much worse than any activity an outsider could alone carry out.

Insider Threat is mainly a book of real-life events that detail how the insider threat is a problem that affects every organization in every industry. In story after story, the book details how trusted employees will find weaknesses in systems in order to carry out financial or political attacks against their employers. It is the responsibility of the organization to ensure that its infrastructure is designed to detect these insiders and that its systems are resilient enough to defend against them. This is clearly not a trivial task.

The authors note that the crux of the problem is that many organizations tend to think that once they hire an employee or contractor, the person is now part of a trusted group of dedicated and loyal employees. Given that many organizations don't perform background checks on their prospective employees, they are placing a significant level of trust in people they barely know. While the vast majority of employees can be trusted and are honest, the danger of the insider threat is that it is the proverbial bad apple that can take down the entire tree. The book details numerous stories of how a single bad employee has caused a company to go out of business.

Part of the problem with the insider threat is that since companies are oblivious to it, they do not have a framework in place to determine when it is happening, and to deal with it when it occurs. With that, when the insider attack does occur, which it invariably will, companies have to scramble to recover. Many times, they are simply unable to recover, as the book details in the cases of Omega Engineering and Barings Bank.

The premise of Insider Threat is that companies that don't have a proactive plan to deal with insider threats will ultimately be victims of insider threats. The 10 chapters in the book expand on this and provide analysis of each scenario described.

Chapter 1 defines what exactly insider threats are and provides a number of ways to prevent insider threats. The authors note that there is no silver bullet solution or single thing that can be done to prevent an insider threat. The only way to do this is via a comprehensive program that must be developed within the framework of the information security group. Fortunately, all of these things are part of a basic information security program, including fundamental topics like security awareness, separation and rotation of duties, least privilege to systems, logging and auditing, and more.

The irony of all of the solutions suggested in chapter one is that not a single one of them is rocket science. All of them are security 101 and don't require any sort of expensive software or hardware. Part of this bitter irony is that companies are oblivious to these insider threats and will spend huge amounts of money to protect against the proverbial evil hacker, being oblivious to the nefarious accounts receivable clerk in the back office who is draining the coffers.

One example the book provides is that many companies feel they are safe because they encrypt data. An excellent idea detailed in chapter two is to set up a sniffer and examine the traffic on the internal network to ensure that the data is indeed encrypted. The reliance on encryption will not work if it is not set up or configured correctly. The only way to know with certainty is to test it and see how it is transmitted over the wire. Many companies will be surprised that data that should be unreadable is being transmitted in the clear.

Some of the suggestions that the authors propose will likely ruffle some feathers. Ideas such as restricting Internet, email, IM and web access to a limited number of users may sound absurd to some. But unless there is a compelling business need for a user to have these technologies, they should be prohibited. Not only will the insider threat threshold be lowered, productivity will likely increase also.

The authors also suggest prohibiting iPods or similar devices in a corporate environment. The same device that can store gigabytes of music can also be used to illicitly transfer gigabytes of corporate data.

Insider Threat provides verifiable stories from every industry and sector, be it commercial or government. The challenge of dealing with the insider threat is that it requires most organizations to completely rethink the way they relate to security. It is a challenge that many organizations would prefer to remain oblivious to, given the uncomfortable nature of the insider threat. But given that the threats are only getting worse, ignoring them is inviting peril.

The only thing lacking in the book is that even though it provides a number of countermeasures and suggestions, they are somewhat scattered and written in an unstructured way. It is hoped that the authors will write a follow-up book that details a thorough methodology and framework for dealing with the insider threat.

Overall, Insider Threat is an important work that should be required reading for every information security professional and technology manager. The issue of the insider threat is real and only getting worse. Those that choose to ignore it are only inviting disaster. Those companies that will put office supplies and coffee under double lock and key, while doing nothing to contain the insider threat, are simply misguided and putting their organization at risk.

Insider Threat is a wake-up call that should revive anyone who doubts the insider threat.

Ben Rothke, CISSP is a New York City based security consultant and the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill 2006) and can be reached at ben@rothke.com
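The chapter-two check described above (sniff the internal network and confirm the data really is encrypted), written out as an added example that is not code from the book or the review. It scores each captured payload by byte entropy and printable ratio and flags flows that are still readable; the flows, addresses and thresholds are constructed for the demo.

```python
# Added example (not code from the book or the review): a heuristic test
# that traffic captured on the internal network really is encrypted.
# The payloads are constructed stand-ins for what a sniffer would record.
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8 for ciphertext, typically 4-5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII or tab/CR/LF."""
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)

def looks_encrypted(payload: bytes) -> bool:
    """Ciphertext is high-entropy and mostly unprintable. The thresholds are
    assumptions for this example, tuned for samples of a few hundred bytes."""
    return shannon_entropy(payload) > 6.0 and printable_ratio(payload) < 0.6

def find_cleartext(flows):
    """Return (src, dst, port) for every flow whose payload is not encrypted.
    flows: iterable of (src, dst, dst_port, payload_bytes)."""
    return [(s, d, p) for s, d, p, payload in flows if not looks_encrypted(payload)]

# Constructed samples. The "encrypted" payload is 512 bytes derived from SHA-256
# so the demo is deterministic; real ciphertext has the same byte statistics.
CIPHERTEXT = b"".join(hashlib.sha256(b"demo" + bytes([i])).digest() for i in range(16))
SAMPLE_FLOWS = [
    ("10.0.1.20", "10.0.2.5", 5432,
     b"user=clerk password=hunter2 database=accounts_receivable\n"),
    ("10.0.1.21", "10.0.2.5", 5432, CIPHERTEXT),
    ("10.0.1.22", "10.0.2.9", 443, b"GET /payroll/export HTTP/1.1\r\nHost: hr\r\n\r\n"),
]

if __name__ == "__main__":
    for src, dst, port in find_cleartext(SAMPLE_FLOWS):
        print(f"cleartext: {src} -> {dst}:{port}")
```

The third flow is the case the review warns about: a port that is supposed to carry TLS, carrying plain HTTP.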


13 of 156 comments

  1. Too much trust... by RandoX · Score: 4, Interesting

    I've experienced working at a place where an employee walked out with information (and was subsequently sued into oblivion). Afterwards, all computers were locked down to the point where it made it nearly impossible to get any work done. Ever try to troubleshoot a data issue when you have to get your supervisor to log you into the database server every time? It can be hard to find a happy medium.

  2. Re:Very true by DaHat · Score: 4, Interesting

    There can often be a trickle down effect of that as well... resulting in nearly the entire company having too much access.

    The company I work for for instance... EVERYONE has administrator rights to their desktop. Everyone from us lowly engineers in the back who bend our machines to their limits... up to the sales people who just use our proprietary apps (which do not require admin access) and Outlook.

    Long ago, IT tried to restrict most users... unfortunately enough complained about not being able to do what they wanted (not always what they needed to do), and the policy was reversed.

    This has of course enabled HR persons to install spyware that was suggested by a secretary.

    I am still waiting for the day we have someone run a piece of malware who didn't know any better that brings the entire network, and most of its users, to their knees.

  3. Re:Very true by wiz31337 · Score: 2, Interesting

    Very true, some of the most knowledgeable people at a company are its administrative assistants. They sit in on meetings and soak up the knowledge, and they need access to many different files (or servers as the case often is) so they can update files, or post notes. They are not often the highest paid either, so if someone offers them a lot of money to get some information, they just may crack.

    This book reminded me of another good read, "Art of Deception" by Kevin D. Mitnick. You would be surprised how easy it is to get information from people.

    --
    /whisper/ Thanks for the candy!

  4. Of course by Anonymous Coward · Score: 1, Interesting

    Think about AOL. There were and are tons of external threats and intrusions in their systems. But who makes headlines? The contractor who had access to the big database o' screennames.

    Security 101 indeed.

  5. they have no idea! by firesuite · Score: 3, Interesting

    I've worked as a tech for 3 different companies since I moved over here to the States 2 years ago, and in every single company the CEO has his logon password on a Post-it note or equivalent and stuck to his monitor.. now that's secure! Not saying it's an American thing so please don't flame me :P I'm sure it happens worldwide.. maybe Gates does the same thing.. haha

    --
    *Gratuitous Sig/Plug* Here's my website - firesuite

    1. Re:they have no idea! by FriedTurkey · Score: 2, Interesting

      It was probably caused by some crazy password policy that makes remembering the password impossible.

      1. Requiring special characters
      2. Requiring a lower case and an upper case letter
      3. Changing passwords every 30 days
      4. No common words

      This all leads to lower security with a Post-it note.

    2. Re:they have no idea! by Prophet+of+Nixon · Score: 2, Interesting

      When in an environment that demands those crazy passwords, the trick is not to use phrases/etc, but to use physical patterns on the keyboard. On, say, a 10 character crazy password, I'll have 5 keys pressed without shift pressed, in a pattern, being sure that at least one bit of the pattern crosses the number keys. Then I press shift and do another pattern, again hitting the number (now symbol) keys, to get my capitals and symbols.

      All I have to remember is where to start and the pattern (which is easy). I don't have the actual password string in memory.

  6. From a healthcare perspective by PIPBoy3000 · Score: 4, Interesting

    I work in healthcare and one of my roles is to help in auditing.

    The main issue is that most people can look at any patient. This is considered a "necessary evil" as sometimes unexpected clinicians might be looking at a patient's information and we don't want to block access in a life threatening situation. Instead, we review access after the fact, in addition to putting certain blocks in place:
    • Unusual access is audited. This includes people looking at patients who happen to be employees, specific audits of local celebrities, and so on.
    • Random audits. Periodically, someone will check to see what a random person is doing.
    • Probation. New users are audited at certain points, to make sure they're not abusing their new power.
    • Hiding patients. Certain patients are hidden from most users - this might include celebrities, legal issues, or patients who have requested it.
    I see trust as a necessary part of functioning within an organization, though trust must be tempered with watchfulness. I'm a big fan of letting people do what they want, and then "break their kneecaps" if they abuse that trust. In real terms, this means prosecution and the like. Of course, I don't decide such things - that gets passed on to our legal department and I try not to follow up after that.

  7. TRUST NO ONE by mary_will_grow · Score: 2, Interesting
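The four after-the-fact controls in the post above (unusual-access audits, random audits, probation for new users, hidden patients), written as one review pass over an access log. This is an added example, not the poster's system: the employee list, the restricted-patient list, the start dates, the 90-day probation window and the 5% sampling rate are all constructed assumptions.

```python
# Added example (not the poster's own system): after-the-fact review of
# patient-record access along the four lines listed above. The reference
# data and the access records are constructed samples.
import hashlib
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Access:
    user: str      # clinician or staff login
    patient: str   # patient record id
    day: date      # date of the access

# Assumed inputs, normally fed from HR and the patient system.
EMPLOYEE_PATIENTS = {"P1002"}                 # patients who are also staff
RESTRICTED = {"P2001": {"drjones"}}           # hidden patient -> care team
USER_START = {"drjones": date(2005, 1, 10), "nurse_kim": date(2004, 6, 1),
              "newhire": date(2006, 3, 20)}
PROBATION_DAYS = 90
RANDOM_RATE = 0.05   # share of remaining accesses pulled for a spot check

def in_random_sample(a: Access) -> bool:
    """Reproducible pick: auditors can re-derive the sample, users cannot predict it."""
    h = hashlib.sha256(f"{a.user}|{a.patient}|{a.day}".encode()).digest()
    return int.from_bytes(h[:4], "big") / 2**32 < RANDOM_RATE

def review(accesses, today: date):
    """Return (access, reason) pairs needing a human look; rule order sets priority."""
    findings = []
    for a in accesses:
        # an unknown start date is treated as a brand-new user
        tenure = (today - USER_START.get(a.user, today)).days
        if a.patient in RESTRICTED and a.user not in RESTRICTED[a.patient]:
            findings.append((a, "restricted patient"))
        elif a.patient in EMPLOYEE_PATIENTS:
            findings.append((a, "employee as patient"))
        elif tenure < PROBATION_DAYS:
            findings.append((a, "user on probation"))
        elif in_random_sample(a):
            findings.append((a, "random audit"))
    return findings

TODAY = date(2006, 4, 1)
SAMPLE_ACCESSES = [
    Access("nurse_kim", "P2001", date(2006, 3, 30)),   # not on the care team
    Access("drjones", "P2001", date(2006, 3, 30)),     # care team, allowed
    Access("nurse_kim", "P1002", date(2006, 3, 31)),   # patient is a colleague
    Access("newhire", "P3003", date(2006, 3, 31)),     # 12 days on the job
    Access("nurse_kim", "P3004", date(2006, 4, 1)),    # routine, maybe sampled
]

def run_demo():
    """Map (user, patient) -> reason for the constructed sample."""
    return {(a.user, a.patient): r for a, r in review(SAMPLE_ACCESSES, TODAY)}
```

Hidden patients are still readable here because the post keeps access open for emergencies; the rule flags the access for review rather than blocking it.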

    The problem is that within information technology, many users have far too much access and trust than they should truly have.

    God I'd hate to live in the world you would create.

    --
    Why stick up for big business?

  8. OH, joy. Another anti-IT witch-hunting book. Yay! by crazyphilman · Score: 1, Interesting

    Here we go again. Yet another book claiming that companies can't trust their employees, as if we're all crooked and evil (and not merely underpaid and mistreated, but that's another story). ANOTHER book justifying management treating us like shit. ANOTHER book telling the bosses what they want to hear. Hooray. And it's in a book so It Must Be True.

    Meanwhile, over here IN REAL LIFE, people like me are running a company's entire business, with full access to everything, and yet, we don't break the law! We don't even BEND the law. How can we explain this bizarre paradox? Because if our collective bosses were to admit that their IT staff possesses PROFESSIONAL PRIDE, and MORALS, and A DESIRE TO DO THE RIGHT THING ALL THE TIME, NOT JUST WHEN IT'S GOOD FOR BUSINESS, well, that'd just be chaos! I mean, our whole society would fall apart if we admitted something like that!

    What to do, what to do... The book says we're evil, common sense says we're not... What's a manager to do?

    Oh! I know! Follow the book! That was easy...

    --
    Farewell! It's been a fine buncha years!

  9. Too much lockdown costs money too by FriedTurkey · Score: 2, Interesting

    I can't tell you how many times I have sat there doing nothing but billing a client because I didn't have security to a system. There is always just one guy who can give you access and he is on vacation. I can't tell you how many times I wasn't able to fix a production system because we needed some DBA to run some SQL script I wrote to fix the system. It's not like the DBA even looks at the scripts. I could've stuck in a statement to delete all the tables and he wouldn't have known. My last client had to give your MAC address to server name security access. My motherboard fried so my MAC address changed. Of course server guy is on vacation. Eight hours x $150/hr = where is the savings? I know the majority of /. is UNIX/NT admin guys and not programmers so I probably won't get anybody to understand. It's safer for the admin guy's job to lock your system down than worry about development costs. If management really knew the additional software costs, developers wouldn't be locked down. Often it seems the admin guys have some kind of power trip with access. Am I really more of a security threat than the admin guy with lots of Lord of the Rings crap all over his cube?

  10. Re:Very true by udderly · Score: 3, Interesting

    This book reminded me of another good read, "Art of Deception" by Kevin D. Mitnick. You would be surprised how easy it is to get information from people.

    I was working for a large retailer about five years ago when I accidentally sent the wrong pricing file for a sign-making program to all 105 stores in our marketing area. So I needed to get into each store's computer via PC Anywhere and manually change the file. It went something like this:

    Mgr or Asst. Mgr.: This is Mr./Mrs./Ms. Manager, how can I help you?

    Me: Hi, I know that you don't know me but this is Joe from Advertising. I make up the signs and there's an error with next week's file that I need to fix.

    Mgr or Asst. Mgr.: Oh, well we certainly don't need wrong information on our signs. What do you need me to do?

    Me: Right click on Network Neighborhood, double-click the connection and read me your IP address.

    Mgr or Asst. Mgr.: Okay, it's xxx.xxx.x.xxx

    Me: Super. I will be in your computer changing some stuff for a few minutes so don't be alarmed if stuff starts happening on your screen.

    Mgr or Asst. Mgr.: Okay, thanks.

    The crazy thing about it is *not one person* in the 105 stores ever questioned whether I should have that information even though none of them knew me or could ascertain where I was calling from. Not even close--they all cheerfully did what I asked without hesitation. Scary!!

  11. IT Security by peterfa · Score: 2, Interesting

    I'd have to say that this is actually blown a tad out of proportion.

    I used to work as a HelpDesk Technician for a school. This job was a tad different than ordinary HelpDesk positions at other places. I didn't handle problems over the phone. I'd walk to the office and fix it there. Now to do my job I was told the password for the built-in admin account on every machine. I was just a volunteer too.

    However, I often needed to get into someone's office when that person was absent. So I had to call security and have them let me in. The reason was because they would not let a student have a key. So I can have the admin password to every computer and for some reason, no key. I've spent countless hours waiting for security. Though to be fair, only the admins had control of the servers. These particular admins aren't stupid.

    Now, the one thing I did the most was clean spyware off of computers. I have found 200 and more pieces of spyware (and by spyware I mean adware + spyware, etc.) on administrative computers and in security. The administrative department uses passwords and enters student information. This means that the school was broadcasting private, personal, and sensitive information to some joe nobody knows.

    Oh wait, leaking personal student information poses no cost whatsoever to the school. Never mind.