The Insider Threat – Identifying your Insiders

SiliconIndia Security Conference 2010, Bangalore, 2nd Oct

By Thiru A, Principal Consultant, Risk & Compliance, Security Services, MindTree Ltd

© 2008 MindTree Consulting, © 2008 MindTree Limited, © 2009 MindTree Limited. CONFIDENTIAL: For limited circulation only


Page 1: The Insider Threat – Identifying your Insiders


The Insider Threat – Identifying your Insiders

SiliconIndia Security Conference 2010, Bangalore, 2nd Oct

By Thiru A, Principal Consultant, Risk & Compliance, Security Services, MindTree Ltd

Page 2: The Insider Threat – Identifying your Insiders

© 2010 MindTree Limited. CONFIDENTIAL: For limited circulation only

Agenda: Insider Threat – Identifying your Insider

The Insider Problem – An Inconvenient Truth

Insider Threat Landscape

Insider Impact & Challenges

The Probable Causes

Mitigation Strategies

Page 3: The Insider Threat – Identifying your Insiders


Potential Insider Threat Situations

An employee caught carrying a USB drive against the policy

A Laptop with all kinds of “extra” software

Corporate mails forwarded to personal email folders, drives, etc

Time spent on Social Media Networking sites

A remote user using a public wireless hot spot

A senior executive without an ID badge

Other White-collar threats


Page 4: The Insider Threat – Identifying your Insiders


Some Facts & Figures from the Internet

2009 CSI Computer Crime Survey

Insiders were responsible for 43% of malicious attacks, and 25% of respondents said that over 60% of losses were due to non-malicious actions by insiders

2009 IDC Whitepaper on Insider Risk Management sponsored by RSA

The growing number of incidents in which employees inadvertently violate corporate policy has become the most serious insider threat

The average annual financial loss from insider risk was nearly $800,000 in the IT Outsourcing industry

2010 CyberSecurity Watch Survey by CSO, US Secret Service, CERT & Deloitte

“It is alarming that although most of the top 15 security policies and procedures from the survey are aimed at preventing insider attacks, 51% of respondents who experienced a cyber security event were still victims of an insider attack.

While outsiders (those without authorized access to network systems and data) are the main culprits of cybercrime in general, the most costly or damaging attacks are more often caused by insiders (employees or contractors with authorized access).


Page 5: The Insider Threat – Identifying your Insiders


Who are Insiders

Any threat/incident where a human is the actor, whether accidental or malicious

Anybody who has / had access physically or logically

[Diagram: Insider Threat – Employees; Business partners; Outsourcing Partners; Vendors/Utility Personnel; Consultants & Contractors]

Employees are the greatest asset

Page 6: The Insider Threat – Identifying your Insiders


Insider Threat

[Diagram labels: Natural threats; Man made; Insider threats; External threats; Fraud/Misuse; Physical & Environmental; Information & Systems related; Unauthorized disclosure & Modification, Disruption or damage]

An insider threat need not always result in a compromise of information (systems)

Page 7: The Insider Threat – Identifying your Insiders


Insider Threat Landscape

Insider Threat

Accidental/Non-Malicious

Errors & Omissions, improper configurations, Compromise of systems & information, untrained, awareness & training

Malware, spam, Mobile computing/storage/communication devices, staff turn-over

Intentional/Malicious

Fraud, Espionage, Sabotage, Compromise of systems & information, email forward, collusion, etc.

Theft of Intellectual Properties, confidential & sensitive information, Taking photos and sharing it online

Negligence (often excused as lack of awareness)

Social Engineering

Policy violations, Incidents not reported, Time spent on Social Media & Phone, use of official email ids

Coerced by external malicious forces

Page 8: The Insider Threat – Identifying your Insiders


The Probable Causes & Challenges

Lack of articulate policies

Policies based on “book”

Lack of periodic user education, communication, awareness, etc

Lack of reviews, audits & monitoring

Security in applications, an afterthought

Poor development practices

OWASP Top 10 hasn’t changed much since 2007

Unauthorized software & hardware

Negligence to policies and consequences

Business/Delivery team ownership

Business bats for freedom, new technologies, etc.

IT/Security seen as adversaries

Business pressures – a perfect vehicle to get around policies

High staff turn-over, low morale, etc

Do you have a count of incidents related to unlocked systems or password sharing incidents?

Page 9: The Insider Threat – Identifying your Insiders


Insider Threat Impacts

Loss of productivity, hence loss of business/revenue

Misuse of resources – Leads to a slow-down in the availability of resources to others

Loss of sensitive, proprietary data and Intellectual Property

Reputational damage, Media & Public attention, etc

Regulatory & Contractual non-compliance

Financial losses through fraud, litigation, penalties and so on

Sends wrong signals to other staff

Workplace conflicts, leading to indecision, inaction, etc.

Excuses and untreated Incidents can fuel insider threats to continue unabated

Page 10: The Insider Threat – Identifying your Insiders


Financial Impact

From 2009 IDC Insider Risk Management Framework

The United States views internal fraud for financial gain as having the greatest financial impact

In France, unintentional data loss through employee negligence has the greatest financial impact

In Germany and the United Kingdom, out-of-date and/or excessive privilege and access control rights for users have the greatest financial impact

“We Have Seen the Enemy and He Is Us”

The average annual financial loss from insider risk was nearly $800,000 per organization in the IT Outsourcing industry

Page 11: The Insider Threat – Identifying your Insiders


Mitigating Insider Threats – Demands a multi-pronged approach

Deterrent procedures

The tone at the top - Visible, Consistent & Continuously demonstrated support

Policies – Terms & Conditions, NDA, Security policies, whistleblower

Value System – Ethical and Cultural (risk & security conscious)

In letter and spirit

Preventive - Access controls, Physical perimeter, Guards, escorting, encryption, secure applications, etc.

Detective - Surveillance, Audit trails, Background screening, time-offs, vulnerability assessments, etc.

Corrective – Awareness, Incident Mgmt, remediation, etc.

Page 12: The Insider Threat – Identifying your Insiders


Architecture, Network & Applications

Knowledge of the “Big Picture”

Irrespective of roles

Security, as a mandatory ingredient throughout SDLC

RBAC, SoD, Input, output, processing, audit trails, secure storage & transmission, disposal, etc.

During IS acquisition, maintenance & disposal

Testing and VA

Security, as part of enterprise architecture, application and network

Diligence Vs. Ignorance (Negligence)

Page 13: The Insider Threat – Identifying your Insiders


Probable areas of improvement

Tone at the top, Risk Assessment, Understanding of business

Access rights and authorization

Applications, Segregation of Duties, Review and revocation

Training & awareness on Risk, security & compliance

Security Incident Management & Change management

Nature & type of audits and monitoring against compliance

Escalation & remediation

Metrics - Incidents, Vulnerabilities, Time taken for patching

With best people, processes, controls & technologies we can manage external threats much better. Can we say that with the same level of confidence about internal threats?

Page 14: The Insider Threat – Identifying your Insiders


Some thoughts to leave you with

We are in an industry that employs highly educated professionals

Working on or developing cutting edge technologies and

In an environment that has an impact globally

Have a huge responsibility to lead from the front in many aspects

Technology is adopted first

Formal risk mitigation & policies come next, if they happen at all

Implementation of controls occurs over a period of time

Probably without policies and risk assessment

Compliance takes even longer

With freedom, comes responsibility

The more the responsibility, the higher the freedom

Has the potential to bring down security, audit & compliance overhead

Works as a morale booster, Instills confidence in customers