The Business of Security with Stephen R. Katz, CISSP

Tackling the Insider Threat

As one who's dealt with the insider threat, I have some questions of my own:

What do you really mean by an insider? In our borderless world, the terms "insider" and "outsider" overlap. "Insiders" are not just employees and staff, but also service providers, business partners, consultants, contractors -- any number of parties who may work for companies we deal with.


What do we really mean by an authorized versus an unauthorized insider? If you take a look at the Societe Generale situation, allegedly a fraud was committed by an authorized user with privileges he was not supposed to have. How? Well, the horribly overused cliché is that if you work with a company long enough, eventually you will have access to everything, and no one will know it.

Bottom line: As people change jobs within a company, we are not good at updating their roles and responsibilities. If you look at all the efforts that have been spent on identity and access management products, the biggest challenge is trying to understand:

What are the roles and responsibilities you are trying to apply to people?
How do you develop these roles and responsibilities, and how do you group them?
How do you really deal with people who have to change roles and responsibilities?
How do you add and delete roles and responsibilities as people change jobs?

How do you track what is authorized and unauthorized behavior by any end user? Unauthorized insider behavior comes in three flavors: 1) Accidental, when somebody hits the wrong key or makes some other benign error, and you don't even know about it; 2) The person trying to do something that is within the scope of their job, but without having been provided the privileges to do it; 3) Malicious behavior - they are trying to get access to information they are not authorized to have, either to commit fraud or to cause other harm. In most cases, we don't know there is a problem until something has happened.

Our challenge: We often don't know what normal behavior is. We don't know whether a person within a group is doing something not typical for that group. We also don't know if they are doing something that is not consistent with their own normal behavior patterns. (e.g., do they normally access a given set of information in the system from 8 a.m. to 6 p.m. on Monday through Friday, and then suddenly start accessing this information at various other times and days of the week?)

So, how do we deal with the insider threat? There's the whole category of products called data loss protection (DLP), which help close up the borders by preventing data from leaking out of a corporation -- either automatically stopping it or at least warning folks that they are doing something that is against policy.

Another new product line is anomalous behavior pattern detection tools. These types of products are designed to help identify normal behavior patterns for groups and individuals and then identify behavior that differs from these patterns.
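The behavior-pattern idea above (the 8 a.m. to 6 p.m., Monday-through-Friday example, and the anomaly detection tools described here) reduces to a simple baseline-and-compare check. The following is an added illustration, not code from the original column or any product it mentions; the log format and the users, resources and timestamps are constructed for the example.

```python
from datetime import datetime

# Constructed sample access log lines (not from the original column): "timestamp,user,resource".
# The baseline window is one working week; the new window is what we check against it.
BASELINE_LOG = """\
2008-03-03T09:12:00,alice,customer_accounts
2008-03-04T10:40:00,alice,customer_accounts
2008-03-05T14:05:00,alice,customer_accounts
2008-03-06T17:30:00,alice,customer_accounts
2008-03-07T11:15:00,alice,customer_accounts
"""
NEW_LOG = """\
2008-03-10T10:00:00,alice,customer_accounts
2008-03-11T02:47:00,alice,customer_accounts
2008-03-15T13:00:00,alice,customer_accounts
2008-03-12T09:30:00,alice,trading_positions
"""

def parse_log(text):
    """Parse 'ISO-timestamp,user,resource' lines into (datetime, user, resource) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, resource = line.split(",")
        events.append((datetime.fromisoformat(ts), user, resource))
    return events

def build_baseline(events):
    """Per user: weekdays seen, earliest/latest hour seen, and resources touched."""
    baseline = {}
    for ts, user, resource in events:
        b = baseline.setdefault(user, {"days": set(), "hours": [ts.hour, ts.hour], "resources": set()})
        b["days"].add(ts.weekday())          # Monday == 0 ... Sunday == 6
        b["hours"][0] = min(b["hours"][0], ts.hour)
        b["hours"][1] = max(b["hours"][1], ts.hour)
        b["resources"].add(resource)
    return baseline

def find_anomalies(baseline, events):
    """Return (timestamp, user, reason) for each event that falls outside the user's baseline."""
    findings = []
    for ts, user, resource in events:
        b = baseline.get(user)
        if b is None:                        # never seen before: nothing to compare against
            findings.append((ts, user, "no baseline for user"))
            continue
        if ts.weekday() not in b["days"]:
            findings.append((ts, user, "access on an unusual day"))
        if not b["hours"][0] <= ts.hour <= b["hours"][1]:
            findings.append((ts, user, "access outside usual hours"))
        if resource not in b["resources"]:
            findings.append((ts, user, f"first access to {resource}"))
    return findings

if __name__ == "__main__":
    base = build_baseline(parse_log(BASELINE_LOG))
    for ts, user, reason in find_anomalies(base, parse_log(NEW_LOG)):
        print(f"{ts:%Y-%m-%d %H:%M} {user}: {reason}")
```

A real deployment would build the group baseline as well as the individual one, and would feed findings into the access-violation reporting the column recommends rather than printing them.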

The third category of tools we can look at is format-preserving encryption technologies, which encrypt key fields of data such as SS#, credit card numbers, etc. The encrypted data will appear to be in its normal format, but is actually in encrypted form, so that even if there is unauthorized access to that data, it will yield useless information.

Some basic advice for tackling the insider threat:

Look for Changes in Attitude or Behaviors on the Job. Employees need to pay attention to what their fellow "insiders" are doing and then sound an alarm when they see something that is atypical.

Use the Available Tools. Where you are concerned about insiders with privileged access to sensitive data potentially doing something wrong, you may want to take a look at increasing your efforts at segregation of duties and/or looking at the feasibility of dual controls. Also make sure that you are using access violation reports and that they go both to a security officer as well as to an audit department.

Monitor Activity and Reports. This is going to sound awfully bureaucratic, but the audit teams have to increase their vigilance in terms of staying on top of auditing processes and procedures in the information security area. And I think they also have to increase efforts in terms of ensuring that business areas really examine who has access to the data. Reviewing Access Reports has to be seen as something more than a perfunctory scanning exercise. An effort needs to be made on a regular basis to make sure that people actually examine these reports and verify that people with access to information are supposed to have it.

It really all comes down to the basic controls that should be in place -- making sure they're in place, and then making sure you actively monitor and respond to the reports these controls generate.

You can't necessarily eliminate the insider threat - not in these challenging times. But you sure can put up some effective barriers to help prevent it.



About the Author

Stephen R. Katz, CISSP


Former CISO, Merrill Lynch and Citi

Steve Katz is the founder and President of Security Risk Solutions, LLC, an information security company providing consulting, mentoring, coaching and advisory services to major, mid-size, startup and venture capital companies. He is an Executive Advisor to Deloitte, and is on the Advisory Boards for Agari, Veriphyr, Glasswall, Vaultive, and TrustMapp. He has also served as a member of the (ISC)² Americas Advisory Board for Information Systems Security as well as Advisor to the Executive Committee of the Financial Services Sector Coordinating Council (FSSCC). In 1995, Katz joined Citicorp/Citigroup after the Russian hacking incident. At Citi, he was named as the industry's first Chief Information Security Officer. He spent the next six years directing Citigroup's global Corporate Information Security Office. Katz then joined Merrill Lynch as their Chief Information Security and Privacy Officer, where he organized and instituted the company-wide privacy and security program. He also served as the interim CISO and Advisor to the Head of Technology Risk at Kaiser Permanente. In addition to testifying before Congress on numerous information security issues and mentoring many Fortune 50 CISOs, he was appointed as the first Financial Services Sector Coordinator for Critical Infrastructure Protection by the Secretary of the Treasury. Katz was also named as the first Chairman of the Financial Services Information Sharing and Analysis Center (FS/ISAC) and is an Advisor to the National Health Sharing and Analysis Center (NH/ISAC) Board of Directors.



