Stopping Insider Attacks
There is no single thing you can do to prevent an attack from the inside. The concept of defense-in-depth applies here as it does to all areas of security. No single solution is going to make you secure. Only by putting many defense measures together will you be secure, and those measures must encompass both preventive and detective measures.
Some of the key things that can be done to prevent or minimize the damage of the insider threat are the following:
Security awareness. Employees, contractors, and any other insiders need to be educated on how to protect corporate assets. They need to understand the dangers and methods of social engineering and be careful about what information they give out. They also have to be aware that insiders could exist at their own companies: they must not only do their part to protect corporate assets (for example, locking their workstations), but also watch for indications of insider threats and report them to the correct parties.
Separation of duties. Any critical job function or access to critical information should require two or more people. This prevents a single person from carrying out an inside attack on their own; an attacker would need a collaborator.
Rotation of duties. All critical jobs should have multiple people trained to perform them, and those people should be rotated through the roles periodically. If a person knows that someone else is going to be performing a given role in two months, it becomes much harder for them to commit fraud or other insider attacks, because there is a good chance the next person will notice.
Least privilege. Any additional access that someone has can be used against the company. Although access is needed for people to perform their jobs, this access should be carefully controlled. People should be given only the access they need to do their jobs -- and nothing else.
Controlled access. Access is what an insider uses to compromise an organization. The better a company knows what access each person has, the better it can control it.
Logging and auditing. Organizations must know what is happening on their networks, and this information must be reviewed on a regular basis. If someone's actions are not logged, the company will have no record of who did what and will not be able to detect the insider. Even if the actions are logged, if the logs are not reviewed regularly, the organization will not catch an attacker in a timely manner.
Policies. A policy states what a company's stance is on security and what is expected of anyone with inside access. A policy is a mandatory document that is clear and concise and that everyone must follow. If a policy does not exist, how do insiders know what is expected of them? I once knew an employee who bragged about making copies of software when he left a company. When I questioned him about the legality and the theft involved, he replied simply, "I never signed anything." The policy must be presented to insiders in a way they understand, and it must be made clear that they have to follow it.
Defense-in-depth. When it comes to network security, there is no silver bullet. No single solution is going to make you secure. Organizations must deploy a layered security model, with checks and balances across each layer.
Look beyond technology. Many inside attacks are not technology-driven. Organizations must recognize that non-technical controls need to be implemented across the company as well.
Archive critical data. Any critical information must be properly archived and protected. This way, all the intellectual property is not in one place should a system be destroyed or compromised.
Complete solution. Any solution that is implemented must include all aspects of the company: people, data, technology, procedures, and policies.
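The "separation of duties" and "logging and auditing" items above both come down to the same practical question: what does a regular log review actually look for? The following is an added example, not code from the article or its author. It runs three simple detective checks over a constructed audit log (the log format, the user names, the business-hours window and the bulk-read threshold are all assumptions for illustration): activity outside business hours, an unusually large number of file reads by one user in a day, and a separation-of-duties violation in which the same person both submits and approves a payment request.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not from the article). One event per line:
# ISO timestamp, user, action, target
SAMPLE_LOG = """\
2024-03-04T09:12:03 alice FILE_READ /finance/q1-forecast.xlsx
2024-03-04T09:40:51 bob PAYMENT_SUBMIT req-1041
2024-03-04T10:02:11 carol PAYMENT_APPROVE req-1041
2024-03-04T02:15:00 dave FILE_READ /hr/salaries.xlsx
2024-03-04T02:16:10 dave FILE_READ /hr/bonuses.xlsx
2024-03-04T02:17:44 dave FILE_READ /hr/terminations.xlsx
2024-03-04T02:18:02 dave FILE_READ /hr/org-chart.xlsx
2024-03-04T02:19:30 dave FILE_READ /hr/contracts.xlsx
2024-03-04T02:20:05 dave FILE_READ /hr/payroll.xlsx
2024-03-04T11:05:00 bob PAYMENT_SUBMIT req-1042
2024-03-04T11:06:30 bob PAYMENT_APPROVE req-1042
2024-03-04T14:30:00 alice FILE_READ /finance/q1-actuals.xlsx
"""

BUSINESS_HOURS = (8, 18)   # assumed: 08:00 to 17:59 local time is "normal"
BULK_READ_THRESHOLD = 5    # assumed: more reads than this per user per day is unusual


def parse_log(text):
    """Parse the constructed format into event dicts; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, action, target = parts
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "action": action, "target": target})
    return events


def after_hours(events, hours=BUSINESS_HOURS):
    """Users with any activity outside the business-hours window."""
    start, end = hours
    return sorted({e["user"] for e in events if not (start <= e["time"].hour < end)})


def bulk_readers(events, threshold=BULK_READ_THRESHOLD):
    """Users whose FILE_READ count on a single day exceeds the threshold."""
    counts = defaultdict(int)
    for e in events:
        if e["action"] == "FILE_READ":
            counts[(e["user"], e["time"].date())] += 1
    return sorted(user for (user, _day), n in counts.items() if n > threshold)


def sod_violations(events):
    """Separation of duties: the submitter of a request must never be its approver."""
    submitter = {}
    for e in events:
        if e["action"] == "PAYMENT_SUBMIT":
            submitter[e["target"]] = e["user"]
    return [(e["user"], e["target"]) for e in events
            if e["action"] == "PAYMENT_APPROVE"
            and submitter.get(e["target"]) == e["user"]]


def review(text):
    """Run all three checks and return the findings by category."""
    events = parse_log(text)
    return {"after_hours": after_hours(events),
            "bulk_readers": bulk_readers(events),
            "sod_violations": sod_violations(events)}


if __name__ == "__main__":
    for category, hits in review(SAMPLE_LOG).items():
        print(f"{category}: {hits}")
```

On the constructed log, dave is flagged twice (six HR files read at 2 a.m.) and bob is flagged for approving the payment request he submitted himself. Note what the third check requires: the audit trail must record both the submit and the approve event with the same request identifier, otherwise the separation-of-duties control exists on paper but cannot be verified from the logs, which is the point the article makes about logging without review.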
About the Author
Dr. Eric Cole, Ph.D., is a security expert with more than 15 years of hands-on experience. Cole has experience in information technology with a focus on perimeter defense, secure network design, vulnerability discovery, penetration testing, and intrusion detection systems. He is the author of several books, including Hackers Beware, Hiding in Plain Sight, Network Security Bible, and Insider Threat. He is the inventor of more than 20 patents, and is a researcher, writer, and speaker. Cole is a member of the Commission on Cyber Security for the 44th President and several executive advisory boards, and is CTO of the Americas for McAfee. Cole is involved with the SANS Technology Institute (STI) and SANS, working with students, teaching, and maintaining and developing courseware. He is a SANS fellow, instructor, and course author.