The Insider Threat – Identifying your Insiders
SiliconIndia Security Conference 2010, Bangalore, 2nd Oct
By Thiru A, Principal Consultant, Risk & Compliance, Security Services, MindTree Ltd

Agenda: Insider Threat – Identifying your Insider
• The Insider Problem – An Inconvenient Truth
• Insider Threat Landscape
• Insider Impact & Challenges
• The Probable Causes
• Mitigation Strategies
Potential Insider Threat Situations
• An employee caught carrying a USB drive against the policy
• A laptop with all kinds of “extra” software
• Corporate mails forwarded to personal email folders, drives, etc.
• Time spent on Social Media Networking sites
• A remote user using a public wireless hot spot
• A senior executive without an ID badge
• Other white-collar threats
Some Facts & Figures from the Internet
• 2009 CSI Computer Crime Survey
  • Insiders responsible for 43% of malicious attacks; 25% of respondents said that over 60% of losses were due to non-malicious actions by insiders
• 2009 IDC Whitepaper on Insider Risk Management, sponsored by RSA
  • The growing number of incidents in which employees inadvertently violate corporate policy has become the most serious insider threat
  • The average annual financial loss from insider risk was nearly $800,000 in the IT Outsourcing industry
• 2010 CyberSecurity Watch Survey by CSO, US Secret Service, CERT & Deloitte
  • “It is alarming that although most of the top 15 security policies and procedures from the survey are aimed at preventing insider attacks, 51% of respondents who experienced a cyber security event were still victims of an insider attack.”
  • While outsiders (those without authorized access to network systems and data) are the main culprits of cybercrime in general, the most costly or damaging attacks are more often caused by insiders (employees or contractors with authorized access).
Who are Insiders
• Employees are the greatest asset
• Any threat/incident where the human is the actor, whether accidental or malicious
• Anybody who has / had access, physically or logically

Insider Threat (threat taxonomy)
• Natural threats / Man-made threats
• Man-made threats: Insider threats / External threats
• Categories: Information & Systems related; Physical & Environmental; Fraud/Misuse
• Unauthorized disclosure & modification, disruption or damage
• An insider threat need not always result in a compromise of information (systems)
Insider Threat Landscape
• Policy violations, incidents not reported, time spent on Social Media & phone, use of official email ids
• Coerced by external malicious forces
The Probable Causes & Challenges
• Unauthorized software & hardware
• Negligence to policies and consequences
• Business/Delivery team ownership
• Business bats for freedom, new technologies, etc.
• IT/Security seen as adversaries
• Business pressures – a perfect vehicle to get around policies
• High staff turn-over, low morale, etc.
• Do you have a count of incidents related to unlocked systems or password sharing?
• Lack of articulate policies; policies based on the “book”
• Lack of periodic user education, communication, awareness, etc.
• Lack of reviews, audits & monitoring
• Security in applications, an afterthought
• Poor development practices
• OWASP Top 10 hasn’t changed much since 2007
Insider Threat Impacts
Excuses and untreated incidents can fuel insider threats to continue unabated.
• Loss of productivity, hence loss of business/revenue
• Misuse of resources – leads to a slow-down in the availability of resources to others
• Loss of sensitive, proprietary data and Intellectual Property
• Reputational damage, media & public attention, etc.
• Regulatory & contractual non-compliance
• Financial losses through fraud, litigation, penalties and so on
• Sends wrong signals to other staff
• Workplace conflicts, leading to indecision, inaction, etc.
Financial Impact
From the 2009 IDC Insider Risk Management Framework:
• The United States views internal fraud for financial gain as having the greatest financial impact
• In France, unintentional data loss through employee negligence has the greatest financial impact
• In Germany and the United Kingdom, out-of-date and/or excessive privilege and access control rights for users have the greatest financial impact
• “We Have Seen the Enemy and He Is Us”
• The average annual financial loss from insider risk was nearly $800,000 per organization in the IT Outsourcing industry
Mitigating Insider Threats – Demands a multi-pronged approach
• Deterrent procedures
  • The tone at the top – visible, consistent & continuously demonstrated support
  • Policies – Terms & Conditions, NDA, security policies, whistleblower
  • Value system – ethical and cultural (risk & security conscious), in letter and spirit
• Preventive – access controls, physical perimeter, guards, escorting, encryption, secure applications, etc.
• Detective – surveillance, audit trails, background screening, time-offs, vulnerability assessments, etc.
• Corrective – awareness, incident management, remediation, etc.
Architecture, Network & Applications
• Knowledge of the “Big Picture”, irrespective of roles
• Security, as a mandatory ingredient throughout the SDLC
  • RBAC, SoD, input, output, processing, audit trails, secure storage & transmission, disposal, etc.
  • During IS acquisition, maintenance & disposal
  • Testing and VA
• Security, as part of enterprise architecture, application and network
• Diligence vs. Ignorance (Negligence)
Probable areas of improvement
With the best people, processes, controls & technologies we can manage external threats much better. Can we say that with the same level of confidence about internal threats?
• Tone at the top, risk assessment, understanding of business
• Access rights and authorization
• Applications, Segregation of Duties, review and revocation
• Training & awareness on risk, security & compliance
• Security Incident Management & Change management
• Nature & type of audits and monitoring against compliance
• Escalation & remediation
• Metrics – incidents, vulnerabilities, time taken for patching
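The threat situations listed earlier (a USB drive against policy, corporate mail forwarded to personal accounts, a remote user on a public hotspot, anybody who had access) and the incident metrics this slide asks for can be joined up in one audit-trail check. The Python below is an added example, not code from the presentation or from MindTree; the roster, corporate domain, approved SSIDs and event records are constructed sample data.

```python
from collections import Counter
from datetime import date

# Constructed sample data for this example (not from the presentation).
ROSTER = {"asha": None, "ravi": date(2010, 9, 15), "dev": None}  # user -> exit date (None = current staff)
CORPORATE_DOMAINS = {"corp.example"}   # mail may only be forwarded within these domains
APPROVED_SSIDS = {"CORP-WLAN"}         # wireless networks a remote user may connect from

# Constructed audit-trail entries: (date, user, event type, detail).
EVENTS = [
    (date(2010, 10, 1), "asha", "usb_mount", "drive=E:"),
    (date(2010, 10, 1), "dev", "mail_forward", "to=dev.home@webmail.example"),
    (date(2010, 10, 1), "dev", "mail_forward", "to=team@corp.example"),
    (date(2010, 10, 2), "ravi", "logon", "via=vpn"),               # ravi left on 15 Sep
    (date(2010, 10, 2), "asha", "wifi_connect", "ssid=Airport_Free_WiFi"),
    (date(2010, 10, 2), "asha", "wifi_connect", "ssid=CORP-WLAN"),
    (date(2010, 10, 2), "dev", "logon", "via=workstation"),
]

def classify(event):
    """Map one audit event to an insider-incident category, or None if benign."""
    when, user, etype, detail = event
    if user not in ROSTER:
        return "account with no owner on roster"
    exit_date = ROSTER[user]
    # Anybody who *had* access is still an insider: any activity after the
    # exit date means the access was never revoked, whatever the event type.
    if exit_date is not None and when > exit_date:
        return "access not revoked after exit"
    if etype == "usb_mount":
        return "removable media against policy"
    if etype == "mail_forward":
        domain = detail.split("@", 1)[1] if "@" in detail else ""
        if domain not in CORPORATE_DOMAINS:
            return "corporate mail forwarded to personal account"
    if etype == "wifi_connect":
        ssid = detail.split("=", 1)[1]
        if ssid not in APPROVED_SSIDS:
            return "remote user on unapproved hotspot"
    return None

def incident_metrics(events):
    """Incident count per category: the 'Metrics – incidents' figure the slide asks for."""
    return Counter(category for category in map(classify, events) if category)

if __name__ == "__main__":
    for category, count in incident_metrics(EVENTS).most_common():
        print(f"{count:3d}  {category}")
```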
Some thoughts to leave you with
• Technology is adopted first
  • Formal risk mitigation & policies come next, if they happen at all
  • Implementation of controls occurs over a period of time, probably without policies and risk assessment
  • Compliance takes even longer
• With freedom comes responsibility
  • The more the responsibility, the higher the freedom
  • Has the potential to bring down security, audit & compliance overhead
  • Works as a morale booster; instills confidence in customers
• We are in an industry that employs highly educated professionals, working on or developing cutting edge technologies, in an environment that has an impact globally
  • We have a huge responsibility to lead from the front in many aspects