From the Blogosphere
Managing Internal Threats
Remember that every employee has the ability to be an insider threat
By: Bob Gourley
Feb. 2, 2013 11:00 AM
The number of annual security incidents caused by insider threats continues to increase. In The CERT Guide to Insider Threats, Capelli et al writes, “Insider threats are an intriguing and complex problem. Some assert that they are the most significant threat faced by organizations today.” Disgruntled system administrators damage data and systems, skilled professionals steal intellectual property, and inferior employees use information to achieve political or financial objectives for their self-gain. Any of these can constitute a critical national defense breach or breach of public trust.
To defend against the damage or theft caused by insiders, an organization must hold every employee responsible for detecting and reporting both behavior and technical evidence indicating a possible employee defection from policy and compliance. In addition, technical controls can help monitor suspected offenders and the overall network for evidence of criminal behavior.
In general, any negative change in an employee’s behavior is concerning. Furthermore, actions taken by management can trigger a borderline defector to cross into criminal behavior. For example, an already disgruntled employee might feel justified in stealing and selling intellectual property after being passed over for promotion. Any potential-employees are candidates for additional monitoring.
Terminating an employee is one way to deal with a potential problem. However, we often value employees who are simply going through rough personal times. If terminating an employee is your preferred choice, keep in mind that you need to have attempted to resolve the issues with the employee or have clear evidence of a violation in policy; otherwise the termination can result in a lawsuit. It is often better to remediate than to terminate an employee.
First, we should ensure all employees understand organizational policies regarding the use of information resources and workplace behavior. Second, management should have a clear and fair process for a workplace infraction. The response should match the level of the offense. Furthermore, every employee, without exception, should understand the consequences of defection.
Finally, problem employees will usually not commit an infraction in front of management. This means we must train employees, as well as managers, to detect suspicious behavior and report it to someone higher-up. Since many employees would rather not become personally involved, an anonymous tip line is a possible solution. For example, a large organization for which I worked had a toll-free number any employee could call to report policy violations or any other concern or complaint. In addition, if you don’t want to set up a phone line, you could set up an anonymous website where you achieve the same result. Weekly, a compliance committee met to go over all reports, and there were many. Anything that appeared critical did not wait for the weekly meeting but was handled immediately.
The first two are closely related. Need-to-know restricts the information a user can access only to that required for daily task completion. Least privilege controls what a person can do with the information accessed. For example, need-to-know might allow me to see electronic information classified as top secret, but least privilege would prevent me from changing or deleting it unless my role in the organization requires it. Together, they strictly limit insider threat damage.
Separation of duties, when properly implemented, prevents any one person from performing all tasks associated with a critical process. To illustrate, separation of duties prevents a software developer from creating malware and placing it in a production environment. In other words, developers should not be able to place their work into production systems.
Next, organizations must control the movement of sensitive information. If not possible using direct means, such as data rights management, then you should use indirect means. One of the most effective indirect monitoring methods is NetFlow analysis. NetFlow, emerging as the IPFIX standard, collects network traffic flow information at various points across the network. Information gathered and aggregated to an analysis and management server provides insight into anomalous traffic flow. If, for example, an employee decides to copy a large number of documents to an Internet location, NetFlow statistics would alert security to unusual behavior at one or more points on the network. This near-real-time identification of technological infractions happening on the network enables the possibility for a quick and effective response: stopping the employee or mitigating their effects on the organization.
In addition to NetFlow, security information and event management (SIEM) provides additional information about anomalous server or network behavior. SIEM solutions gather logs from various devices and systems, aggregating them into a correlation server. An event correlation application then mines unusual patterns or patterns known to be related to malicious behavior. Questionable activity is reported to security via email, SMS, or a Web portal.
Finally, employment termination and job change processes must include immediate revocation of all rights and privileges to previously accessed information resources. During a job change, removing all access and then granting access for the new role is a good approach. Failure to adequately perform these tasks is a significant cause of many insider incidents, especially those caused by administrators.
Administrator monitoring must extend to changes applied to special purpose files. One example includes log changes. Operating systems or other third-party solutions can track changes to logs, including who made the change and when. Security teams can identify unplanned changes and respond appropriately. This also applies to other files that might contain critical system management information and applications in the production environment.
In addition to file changes, any creation of a privileged account should raise a warning. For example, one security team ran a script every morning to determine if any accounts had been added to any Windows Active Directory administrator group. If so, the addition was reviewed against change management documentation to ensure it was approved. Any questionable account was removed and the offending employee was reported to his manager. A periodic audit of all privileged accounts, whether disabled or active, is another good way of identifying possible rogue IDs.
Sharing of administrator passwords also requires special attention. Each time a shared admin account is used, log it. Each time an administrator leaves the organization, change all shared passwords. If your budget allows it, consider implementing a privileged password management solution that logs who checks out shared account passwords and changes the passwords after use.
Finally, remember that every employee has the ability to be an insider threat. The most impactful threats are caused by those at the top – managers, administrators, programmers, and security experts. Insider threats are real, and they will eventually cause an incident in every organization. Proper preparation, training, and vigilance can prevent or alleviate related consequences.
Virtualization Articles & Feature Stories
Latest Virtualization Conference News
Best Recent Articles on Cloud Computing & Big Data Topics
As we enter a new year, it is time to look back over the past year and resolve to improve upon it. In 2014, we will see more service providers resolve to add more personalization in enterprise technology. Below are seven predictions about what will drive this trend toward personalization.
IT organizations face a growing demand for faster innovation and new applications to support emerging opportunities in social, mobile, growth markets, Big Data analytics, mergers and acquisitions, strategic partnerships, and more. This is great news because it shows that IT continues to be a key stakeholder in delivering business service innovation. However, it also means that IT must deliver new innovation despite flat budgets, while maintaining existing services that grow more complex every day.
Cloud computing is transforming the way businesses think about and leverage technology. As a result, the general understanding of cloud computing has come a long way in a short time. However, there are still many misconceptions about what cloud computing is and what it can do for businesses that adopt this game-changing computing model. In this exclusive Q&A with Cloud Expo Conference Chair Jeremy Geelan, Rex Wang, Vice President of Product Marketing at Oracle, discusses and dispels some of the common myths about cloud computing that still exist today.
Despite the economy, cloud computing is doing well. Gartner estimates the cloud market will double by 2016 to $206 billion. The time for dabbling in the cloud is over! The 14th International Cloud Expo, co-located with 5th International Big Data Expo and 3rd International SDN Expo, to be held June 10-12, 2014, at the Javits Center in New York City, N.Y. announces that its Call for Papers is now open. Topics include all aspects of providing or using massively scalable IT-related capabilities as a service using Internet technologies (see suggested topics below). Cloud computing helps IT cut infrastructure costs while adding new features and services to grow core businesses. Clouds can help grow margins as costs are cut back but service offerings are expanded. Help plant your flag in the fast-expanding business opportunity that is The Cloud, Big Data and Software-Defined Networking: submit your speaking proposal today!
What do you get when you combine Big Data technologies….like Pig and Hive? A flying pig? No, you get a “Logical Data Warehouse.” In 2012, Infochimps (now CSC) leveraged its early use of stream processing, NoSQLs, and Hadoop to create a design pattern which combined real-time, ad-hoc, and batch analytics. This concept of combining the best-in-breed Big Data technologies will continue to advance across the industry until the entire legacy (and proprietary) data infrastructure stack will be replaced with a new (and open) one.
While unprecedented technological advances have been made in healthcare in areas such as genomics, digital imaging and Health Information Systems, access to this information has been not been easy for both the healthcare provider and the patient themselves. Regulatory compliance and controls, information lock-in in proprietary Electronic Health Record systems and security concerns have made it difficult to share data across health care providers.
Cloud Expo, Inc. has announced today that Vanessa Alvarez has been named conference chair of Cloud Expo® 2014. 14th International Cloud Expo will take place on June 10-12, 2014, at the Javits Center in New York City, New York, and 15th International Cloud Expo® will take place on November 4-6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
12th International Cloud Expo, held on June 10–13, 2013 at the Javits Center in New York City, featured four content-packed days with a rich array of sessions about the business and technical value of cloud computing led by exceptional speakers from every sector of the cloud computing ecosystem. The Cloud Expo series is the fastest-growing Enterprise IT event in the past 10 years, devoted to every aspect of delivering massively scalable enterprise IT as a service.
Ulitzer.com announced "the World's 30 most influential Cloud bloggers," who collectively generated more than 24 million Ulitzer page views. Ulitzer's annual "most influential Cloud bloggers" list was announced at Cloud Expo, which drew more delegates than all other Cloud-related events put together worldwide. "The world's 50 most influential Cloud bloggers 2010" list will be announced at the Cloud Expo 2010 East, which will take place April 19-21, 2010, at the Jacob Javitz Convention Center, in New York City, with more than 5,000 expected to attend.
It's a simple fact that the better sales reps understand their prospects' intentions, preferences and pain points during calls, the more business they'll close. Each day, as your prospects interact with websites and social media platforms, their behavioral data profile is expanding. It's now possible to gain unprecedented insight into prospects' content preferences, product needs and budget. We hear a lot about how valuable Big Data is to sales and marketing teams. But data itself is only valuable when it's part of a bigger story, made visible in the right context.
Cloud Expo, Inc. has announced today that Larry Carvalho has been named Tech Chair of Cloud Expo® 2014. 14th International Cloud Expo will take place on June 10-12, 2014, at the Javits Center in New York City, New York, and 15th International Cloud Expo® will take place on November 4-6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
Everyone talks about a cloud-first or mobile-first strategy. It's the trend du jour, and for good reason as these innovative technologies have revolutionized an industry and made savvy companies a lot of money. But consider for a minute what's emerging with the Age of Context and the Internet of Things. Devices, interfaces, everyday objects are becoming endowed with computing smarts. This is creating an unprecedented focus on the Application Programming Interface (API) as developers seek to connect these devices and interfaces to create new supporting services and hybrids. I call this trend the move toward an API-first business model and strategy.
We live in a world that requires us to compete on our differential use of time and information, yet only a fraction of information workers today have access to the analytical capabilities they need to make better decisions. Now, with the advent of a new generation of embedded business intelligence (BI) platforms, cloud developers are disrupting the world of analytics. They are using these new BI platforms to inject more intelligence into the applications business people use every day. As a result, data-driven decision-making is finally on track to become the rule, not the exception.
Virtualization Blogs Live