
Accident or Intent?

A team of four people with a devil among them

Protecting against insider threats

Presented as part of The Lost Summer Project

Presented by Donald Edwards, CISSP

Discussing insider threat is tricky:

  • Bringing it up makes you look like a paranoid lunatic
  • Most people are inherently trusting
  • Everyone wants to be trusted
  • Nobody wants to be watched
  • Watching other people gets tiresome really, really quickly

Agenda

Intent:
What motivates malicious insiders?
When does it matter?

Cartoon of a person with an angel on one shoulder and a devil on the other

How can we minimise the frequency and impact?

Bar graph showing reduction over time

How do we know someone is behaving badly?

Magnifying glass over finger prints

It finally happened. Now what?

Non-specific process diagram

We will start by talking about some of the problems that lend themselves to being solved with technical security controls on the network.

Old-fashioned balancing scale showing that uncontrollable motivating factors outweigh factors that are in a company's control

Motivating factors for insider threats

Controllable

Uncontrollable

First, let's look at the factors outside of our control

Workforce culture

Most workers expect:

  • BYOD
  • Social media access
  • Unlimited access to free software
  • Mobile workplace
  • Unqualified trust
  • Privacy in the workplace even on company equipment and time

Global circumstances

  • Nation states and organised crime are primary actors
  • Cyber warfare is real and people with privileged access are targets
  • Black markets pay well for inside access
  • Attackers are happy to use coercion tactics (blackmail)

Competitive circumstances

  • Global business is essential for economies of scale
  • Competition for skilled workers is fierce
  • Competition for customers is intense!
  • Companies WILL PAY for inside information

Local circumstances

  • Many people experience money stress even in the best economy
  • Companies select office locations to compete for workers
  • Budget controls are tight, but demand for workers is high
    • Raises are hard to justify but expensive new hires come easily

Now let's look at the controllable factors

Company culture

Company culture reflects top management's attitudes towards:

  • Accountability
  • Fairness
  • Compensation
  • Work-life balance
  • Diversity
  • Professionalism
  • Overall worker wellbeing

When intent matters

Hint: It's not a technology problem

Bar graph showing that intent matters greatly during the Deter phase, very little during the Protect and Detect phases, and somewhat during the Respond and Recover phases

Few protective or detective controls are specific to insiders acting badly on purpose.

Deterrence is almost entirely focused on explaining to insiders why they should not do bad things.

Very few protective and detective controls work specifically against insider threat. Those that are focused on insider threat are very intrusive and seldom used in normal work settings.

Responding to an insider threat incident may require more or better documentation. HR and Legal departments will be engaged.

Recovery from insider incidents likely will result in process changes. In cases where data is held hostage, legal proceedings may be involved.

Effective deterrent, preventative, and detective controls

People

  • Culture that encourages "Trust but verify"
  • Education about detective controls
  • Education about consequences of malicious and negligent actions

Process

  • Separation of duties
  • Data segregation
  • Privileged access provisioning for specific actions
  • Duty rotation
  • ID and escort visitors
  • Direct privileged access done in pairs

Technology

  • Physical security zones
  • Access restricted to minimum required
  • Analyse access patterns to establish "normal" for privileged insiders
  • Tamper-evident audit trails
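Two of the technology controls above, tamper-evident audit trails and baselining what "normal" looks like for a privileged insider, fit together naturally: the trail is the evidence, and the baseline is what you compare new activity against. The following is an added example, not code from the presentation: a hash-chained audit trail where each entry commits to everything before it, a verifier that finds the first entry that no longer matches, and a simple per-user baseline of (resource, time-of-day bucket) pairs learned from a verified trail. All users, resources and events are constructed sample data.

```python
# Added example (not from the presentation): a tamper-evident, hash-chained
# audit trail, then a per-user access baseline built from it so that
# privileged activity outside the learned pattern can be flagged.
import hashlib
import json
from collections import defaultdict

GENESIS = "0" * 64  # chain anchor for the first entry


def entry_hash(prev_hash, record):
    """Hash of this record bound to the previous entry's hash."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append(trail, record):
    """Append a record; its hash commits to every entry before it."""
    prev = trail[-1]["hash"] if trail else GENESIS
    trail.append({"record": dict(record), "prev": prev,
                  "hash": entry_hash(prev, record)})
    return trail


def verify(trail):
    """Index of the first entry whose chain is broken, or None if intact."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        if entry["prev"] != prev or entry_hash(prev, entry["record"]) != entry["hash"]:
            return i
        prev = entry["hash"]
    return None


def hour_bucket(hour):
    """Coarse time-of-day bucket: 0 = night, 1 = working day, 2 = evening."""
    return hour // 8


def learn(trail):
    """Per user, the set of (resource, time bucket) pairs seen in a verified trail."""
    if verify(trail) is not None:
        raise ValueError("refusing to baseline from a tampered trail")
    base = defaultdict(set)
    for entry in trail:
        r = entry["record"]
        base[r["user"]].add((r["resource"], hour_bucket(r["hour"])))
    return base


def flag(records, base):
    """Records whose (resource, time bucket) the user has never been seen doing."""
    return [r for r in records
            if (r["resource"], hour_bucket(r["hour"])) not in base.get(r["user"], set())]


# Constructed sample data: a privileged user's normal activity, then new events.
HISTORY = [
    {"user": "alice", "resource": "hr-db", "action": "read", "hour": 9},
    {"user": "alice", "resource": "hr-db", "action": "read", "hour": 14},
    {"user": "alice", "resource": "hr-db", "action": "update", "hour": 11},
    {"user": "bob", "resource": "web-logs", "action": "read", "hour": 10},
]
NEW_EVENTS = [
    {"user": "alice", "resource": "hr-db", "action": "read", "hour": 10},           # normal
    {"user": "alice", "resource": "hr-db", "action": "read", "hour": 2},            # unusual hour
    {"user": "alice", "resource": "payroll-export", "action": "read", "hour": 14},  # new resource
    {"user": "bob", "resource": "web-logs", "action": "read", "hour": 15},          # normal
]


def demo():
    trail = []
    for r in HISTORY:
        append(trail, r)
    intact = verify(trail)      # None: chain is good
    base = learn(trail)
    flagged = flag(NEW_EVENTS, base)
    # Simulate someone editing a past entry in place after the fact.
    trail[1]["record"]["action"] = "read-only"
    broken_at = verify(trail)   # 1: first entry that no longer matches its hash
    return intact, flagged, broken_at


if __name__ == "__main__":
    intact, flagged, broken_at = demo()
    print("chain intact:", intact is None)
    for r in flagged:
        print("unusual:", r)
    print("tamper detected at entry", broken_at)
```

The chain only makes tampering evident; it does not prevent it. In practice the latest hash is copied somewhere the insider being audited cannot write to (a separate log server, a printed daily digest), which is the control point that gives the trail its value. The baseline is deliberately coarse: the point is to surface a privileged user touching a resource or working at an hour they never have before, for a human to review, not to auto-block.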

Principle of indirect access

Direct access is unmonitored and uncontrolled access

Control points between people and data are required to monitor and to control access. No control point => no visibility or control.

Two network nodes showing that direct access from one to another is blocked, but access is allowed through a control point.

Principle of least access

Establish controls to allow people to do their jobs and no more.

  • Administrative
    • Request process for time-limited administrative access
  • Physical
    • Badge-activated locks on doors monitored by cameras and security personnel
  • Technical
    • Special access methods for sensitive networks that require time-limited credentials

Loose network diagram showing some paths blocked and others opened

In an ideal world, you would know every network path and activity that should be allowed in detail for a person and the infrastructure itself would be configured only to allow those people and activities. In the real world, you need to make compromises. Often, a mix of the two strategies applied at different levels is prudent.
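The administrative and technical items above both come down to the same mechanism: access is requested for a specific purpose, approved by someone else, and expires on its own. The following is an added example, not code from the presentation, of a minimal time-limited, scoped grant: the requester cannot approve their own request, the window is bounded, and every check against the grant is recorded. The names, the eight-hour maximum and the clock values are assumptions.

```python
# Added example (not from the presentation): a request process for
# time-limited, scoped administrative access.  Names and policy are assumed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MAX_GRANT_HOURS = 8  # assumed policy ceiling for a single grant


@dataclass
class Grant:
    user: str
    resource: str
    actions: frozenset
    approved_by: str
    starts: datetime
    expires: datetime
    checks: list = field(default_factory=list)  # audit trail of every decision


def request_access(user, resource, actions, approver, duration_hours, now):
    """Issue a grant only if approved by someone other than the requester
    and only for a bounded window."""
    if approver == user:
        raise PermissionError("self-approval is not allowed")
    if not 0 < duration_hours <= MAX_GRANT_HOURS:
        raise ValueError(f"grant must be positive and at most {MAX_GRANT_HOURS} hours")
    return Grant(user, resource, frozenset(actions), approver,
                 starts=now, expires=now + timedelta(hours=duration_hours))


def is_permitted(grant, user, resource, action, now):
    """Deny unless user, resource, action and time all fall inside the grant."""
    ok = (grant.user == user
          and grant.resource == resource
          and action in grant.actions
          and grant.starts <= now < grant.expires)
    grant.checks.append((now.isoformat(), user, resource, action, ok))
    return ok


def demo():
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed clock
    g = request_access("alice", "hr-db", {"read", "backup"}, approver="carol",
                       duration_hours=2, now=t0)
    half_hour = t0 + timedelta(minutes=30)
    return [
        is_permitted(g, "alice", "hr-db", "backup", half_hour),          # True
        is_permitted(g, "alice", "hr-db", "drop", half_hour),            # False: action not granted
        is_permitted(g, "alice", "payroll-db", "read", half_hour),       # False: other resource
        is_permitted(g, "alice", "hr-db", "read", t0 + timedelta(hours=3)),  # False: expired
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The denied checks are kept on the grant on purpose: a request for an action outside the approved scope is exactly the kind of event the detective controls above should see.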

Principle of least access

Ability to implement degrades with scale

Access lists become unwieldy as the number of nodes and allowed paths grows

12 points in a circle with a full mesh of connections (relatively low complexity), with a blue arrow pointing right to 72 points in a circle with a complicated mesh of connections

As the number of nodes grows, networking equipment usually reaches a limit of how much rule complexity it can handle, so we need another principle to help in those situations.

Principle of segmentation

Network topology diagram with separate segments for websites, databases, normal users, and sensitive users. All segments are connected through a central hub which is also connected to the Internet.

  • Separate categories of data, the systems that process them, and the people that work on them
  • Require multi-factor authentication for access and entrust each factor to a different, organisationally independent person
  • Rotate people through multiple roles periodically
  • Employ organisationally independent auditors to verify that access was done for legitimate reasons
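The segmentation principle and the earlier principle of indirect access make the same demand on a network policy: every path between two segments must pass through a control point where it can be seen and stopped, and a direct segment-to-segment hop is never allowed. The following is an added example, not code from the presentation, of a toy policy check over a topology like the diagram above (four segments joined only by a hub). It also models the split-factor idea: access to the sensitive segment needs two factors presented by two people from different organisational units. The segment names, the allow list and the people are assumptions.

```python
# Added example (not from the presentation): a toy policy check for a
# segmented network where every cross-segment path must pass through a
# control point, and the sensitive segment additionally needs two factors
# held by people from different organisational units.  All names are assumed.

SEGMENTS = {"websites", "databases", "users", "sensitive-users"}
CONTROL_POINTS = {"hub"}  # the only nodes allowed to bridge segments
ALLOWED_FLOWS = {          # (source segment, destination segment)
    ("users", "websites"),
    ("websites", "databases"),
    ("sensitive-users", "databases"),
}
# Organisational unit of each person (constructed).
ORG_UNIT = {"alice": "engineering", "carol": "security", "dave": "engineering"}
KNOWN_NODES = SEGMENTS | CONTROL_POINTS


def path_allowed(path):
    """True only if the path goes segment -> control point -> segment and the
    end-to-end flow is on the allow list.  A direct segment-to-segment hop is
    rejected because nothing would be able to observe or stop it."""
    if len(path) < 2 or path[0] not in SEGMENTS or path[-1] not in SEGMENTS:
        return False
    for a, b in zip(path, path[1:]):
        if a not in KNOWN_NODES or b not in KNOWN_NODES:
            return False          # unknown node: no policy, so no access
        if a in SEGMENTS and b in SEGMENTS:
            return False          # direct access with no control point between
        if a in CONTROL_POINTS and b in CONTROL_POINTS:
            return False          # looping through control points is not a route
    return (path[0], path[-1]) in ALLOWED_FLOWS


def two_person_factors(holders):
    """Split MFA: both factors must come from two different people in two
    different org units, so no single insider can open the path alone."""
    if len(holders) != 2:
        return False
    (p1, f1), (p2, f2) = holders
    return (p1 != p2
            and {f1, f2} == {"password", "token"}
            and ORG_UNIT.get(p1) is not None
            and ORG_UNIT.get(p1) != ORG_UNIT.get(p2))


def sensitive_path_allowed(path, holders):
    """Paths from the sensitive segment need the routing check and the two-person rule."""
    return path[0] == "sensitive-users" and path_allowed(path) and two_person_factors(holders)


def demo():
    sensitive = ["sensitive-users", "hub", "databases"]
    return {
        "direct": path_allowed(["users", "databases"]),                      # False
        "via_hub_allowed": path_allowed(["users", "hub", "websites"]),        # True
        "via_hub_denied_flow": path_allowed(["users", "hub", "databases"]),   # False
        "hub_to_hub": path_allowed(["users", "hub", "hub", "websites"]),      # False
        "unknown_node": path_allowed(["users", "laptop", "websites"]),        # False
        "one_person": sensitive_path_allowed(
            sensitive, [("alice", "password"), ("alice", "token")]),          # False
        "same_unit": sensitive_path_allowed(
            sensitive, [("alice", "password"), ("dave", "token")]),           # False
        "two_units": sensitive_path_allowed(
            sensitive, [("alice", "password"), ("carol", "token")]),          # True
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:20s} {decision}")
```

The allow list is written in terms of segments rather than individual nodes, which is what keeps it small as the network grows: adding a database server changes its segment membership, not the policy.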
