From the Blogosphere
Managing Internal Threats
Remember that every employee has the ability to be an insider threat
By: Bob Gourley
Feb. 2, 2013 11:00 AM
The number of annual security incidents caused by insider threats continues to increase. In The CERT Guide to Insider Threats, Capelli et al writes, “Insider threats are an intriguing and complex problem. Some assert that they are the most significant threat faced by organizations today.” Disgruntled system administrators damage data and systems, skilled professionals steal intellectual property, and inferior employees use information to achieve political or financial objectives for their self-gain. Any of these can constitute a critical national defense breach or breach of public trust.
To defend against the damage or theft caused by insiders, an organization must hold every employee responsible for detecting and reporting both behavior and technical evidence indicating a possible employee defection from policy and compliance. In addition, technical controls can help monitor suspected offenders and the overall network for evidence of criminal behavior.
In general, any negative change in an employee’s behavior is concerning. Furthermore, actions taken by management can trigger a borderline defector to cross into criminal behavior. For example, an already disgruntled employee might feel justified in stealing and selling intellectual property after being passed over for promotion. Any potential-employees are candidates for additional monitoring.
Terminating an employee is one way to deal with a potential problem. However, we often value employees who are simply going through rough personal times. If terminating an employee is your preferred choice, keep in mind that you need to have attempted to resolve the issues with the employee or have clear evidence of a violation in policy; otherwise the termination can result in a lawsuit. It is often better to remediate than to terminate an employee.
First, we should ensure all employees understand organizational policies regarding the use of information resources and workplace behavior. Second, management should have a clear and fair process for a workplace infraction. The response should match the level of the offense. Furthermore, every employee, without exception, should understand the consequences of defection.
Finally, problem employees will usually not commit an infraction in front of management. This means we must train employees, as well as managers, to detect suspicious behavior and report it to someone higher-up. Since many employees would rather not become personally involved, an anonymous tip line is a possible solution. For example, a large organization for which I worked had a toll-free number any employee could call to report policy violations or any other concern or complaint. In addition, if you don’t want to set up a phone line, you could set up an anonymous website where you achieve the same result. Weekly, a compliance committee met to go over all reports, and there were many. Anything that appeared critical did not wait for the weekly meeting but was handled immediately.
The first two are closely related. Need-to-know restricts the information a user can access only to that required for daily task completion. Least privilege controls what a person can do with the information accessed. For example, need-to-know might allow me to see electronic information classified as top secret, but least privilege would prevent me from changing or deleting it unless my role in the organization requires it. Together, they strictly limit insider threat damage.
Separation of duties, when properly implemented, prevents any one person from performing all tasks associated with a critical process. To illustrate, separation of duties prevents a software developer from creating malware and placing it in a production environment. In other words, developers should not be able to place their work into production systems.
Next, organizations must control the movement of sensitive information. If not possible using direct means, such as data rights management, then you should use indirect means. One of the most effective indirect monitoring methods is NetFlow analysis. NetFlow, emerging as the IPFIX standard, collects network traffic flow information at various points across the network. Information gathered and aggregated to an analysis and management server provides insight into anomalous traffic flow. If, for example, an employee decides to copy a large number of documents to an Internet location, NetFlow statistics would alert security to unusual behavior at one or more points on the network. This near-real-time identification of technological infractions happening on the network enables the possibility for a quick and effective response: stopping the employee or mitigating their effects on the organization.
In addition to NetFlow, security information and event management (SIEM) provides additional information about anomalous server or network behavior. SIEM solutions gather logs from various devices and systems, aggregating them into a correlation server. An event correlation application then mines unusual patterns or patterns known to be related to malicious behavior. Questionable activity is reported to security via email, SMS, or a Web portal.
Finally, employment termination and job change processes must include immediate revocation of all rights and privileges to previously accessed information resources. During a job change, removing all access and then granting access for the new role is a good approach. Failure to adequately perform these tasks is a significant cause of many insider incidents, especially those caused by administrators.
Administrator monitoring must extend to changes applied to special purpose files. One example includes log changes. Operating systems or other third-party solutions can track changes to logs, including who made the change and when. Security teams can identify unplanned changes and respond appropriately. This also applies to other files that might contain critical system management information and applications in the production environment.
In addition to file changes, any creation of a privileged account should raise a warning. For example, one security team ran a script every morning to determine if any accounts had been added to any Windows Active Directory administrator group. If so, the addition was reviewed against change management documentation to ensure it was approved. Any questionable account was removed and the offending employee was reported to his manager. A periodic audit of all privileged accounts, whether disabled or active, is another good way of identifying possible rogue IDs.
Sharing of administrator passwords also requires special attention. Each time a shared admin account is used, log it. Each time an administrator leaves the organization, change all shared passwords. If your budget allows it, consider implementing a privileged password management solution that logs who checks out shared account passwords and changes the passwords after use.
Finally, remember that every employee has the ability to be an insider threat. The most impactful threats are caused by those at the top – managers, administrators, programmers, and security experts. Insider threats are real, and they will eventually cause an incident in every organization. Proper preparation, training, and vigilance can prevent or alleviate related consequences.
Virtualization Articles & Feature Stories
Latest Virtualization Conference News
Best Recent Articles on Cloud Computing & Big Data Topics
The Arlington, Virginia-based National Science Foundation has just released its "Report on Support for Cloud Computing" - in response to the America Competes Reauthorization Act of 2010, Section 524. It is an absolute must-read for all concerned with current and future research projects in Cloud Computing.
"The volume of data we're generating now from machines pales in comparison to the volume of data we'll soon generate from our own bodies," says data security expert Dave Asprey. Writing in a Trend Micro blog, Asprey - who is one of the leaders in the emerging Quantified Self movement - explains his vision of a world in which personal biometrical data is shared via the cloud.
Cloud computing has caught the attention of business leaders around the world in every industry because of its enormous transformative potential. Visionary companies know that the value of the cloud is far greater than the current focus solely on technology and operating costs: when combined with a collaborative approach to designing processes, cloud computing will change how we do business.
Want to make sense of the hottest new concept in Enterprise IT? Want to understand in just hours what experts have spent many hundreds of days deciphering? Cloud computing is a technology that has rapidly evolving peppered with a lot of hype along the way. Customers find it hard to navigate through this and make sense of what aspects of this technology will give them real business benefit. Cloud Computing Bootcamp, led by our 2013 Bootcamp Instructor Larry Carvalho, is a great way to get a practical understanding of this technology. We offer multiple days of actionable insight into what vendor offerings are currently available and help you comprehend their strategy. The ever-popular Bootcamp, which is now held regularly around the world, is being held in conjunction with the 12th Cloud Expo, June 10-13, 2013, at the Javits Center, New York, NY.
Did you know that ninety percent of the data in the world has been created in the last two years? Every day, we create 2.5 quintillion (or 2.518) bytes of data, according to IBM. As corporations across all industries globally are struggling with how to retain, aggregate and analyze this mounting volume of what the industry refers to as Big Data, it also provides a unique opportunity for innovative startups that recognize the business prospects Big Data presents. Big Data is not just unlocking new information but new sources of economic and business value. Interactivity is driving Big Data, with people and machines both consuming and creating it. Digital companies focused on becoming good at aggregating and analyzing the data created by the end users of their product, who then provide their customers with solid insights taken from that data are at a distinct competitive advantage over others in the marketplace.
Industry-specific clouds are those PaaS, IaaS, and PaaS services that are tailored for a specific vertical, such as transportation, retail, finance, and health care. IDC sees a $65 billion market in these industry solutions for 2013, rising to $100 billion in 2016. The value of industry-specific clouds is that businesses within a vertical can connect to applications, processes, and databases that are pre-defined for that vertical within a public or private cloud. They can extend processes and databases into the business domain, versus defining the data and processes within a generic cloud-based platform. So, are industry specific clouds right for your business? What options are out there? How do you figure out the ROI?
SYS-CON Events announced today that Rackspace Hosting, the open cloud company, has been named "Platinum Plus Sponsor" of SYS-CON's 12th International Cloud Expo, which will take place on June 10-13, 2013, at the Javits Center in New York City, New York. Rackspace® Hosting (NYSE: RAX) is the open cloud company, delivering open technologies and powering more than 205,000 customers worldwide. Rackspace provides its renowned Fanatical Support® across a broad portfolio of IT products, including Public Cloud, Private Cloud, Hybrid Hosting and Dedicated Hosting. Rackspace has been recognized by Bloomberg BusinessWeek as a Top 100 Performing Technology Company, is featured on Fortune's list of 100 Best Companies to Work For and is included on the Dow Jones Sustainability Index. Rackspace was positioned in the Leaders Quadrant by Gartner Inc. in the "2011 Magic Quadrant for Managed Hosting." Rackspace is headquartered in San Antonio with offices and data centers around the world.
10th International Cloud Expo, held on June 11-14, 2012 at the Javits Center in New York City, featured four content-packed days with a rich array of sessions about the business and technical value of cloud computing led by exceptional speakers from every sector of the cloud computing ecosystem. The Cloud Expo series is the fastest-growing Enterprise IT event in the past 10 years, devoted to every aspect of delivering massively scalable enterprise IT as a service. We invite you to enjoy our photo album of the show - we'll be adding new images all week.
Ulitzer.com announced "the World's 30 most influential Cloud bloggers," who collectively generated more than 24 million Ulitzer page views. Ulitzer's annual "most influential Cloud bloggers" list was announced at Cloud Expo, which drew more delegates than all other Cloud-related events put together worldwide. "The world's 50 most influential Cloud bloggers 2010" list will be announced at the Cloud Expo 2010 East, which will take place April 19-21, 2010, at the Jacob Javitz Convention Center, in New York City, with more than 5,000 expected to attend.
Cloud computing is becoming one of the next industry buzz words. It joins the ranks of terms including: grid computing, utility computing, virtualization, clustering, etc. Cloud computing overlaps some of the concepts of distributed, grid and utility computing, however it does have its own meaning if contextually used correctly. The conceptual overlap is partly due to technology changes, usages and implementations over the years. Trends in usage of the terms from Google searches shows Cloud Computing is a relatively new term introduced in the past year. There has also been a decline in general interest of Grid, Utility and Distributed computing. Likely they will be around in usage for quit a while to come. But Cloud computing has become the new buzz word driven largely by marketing and service offerings from big corporate players like Google, IBM and Amazon.
SYS-CON Events announced today that Dell Inc. has been named "Silver Sponsor" of SYS-CON's 12th International Cloud Expo, which will take place on June 10-13, 2013, at the Javits Center in New York City, New York. For more than 28 years, Dell has empowered countries, communities, customers and people everywhere to use technology to realize their dreams. Customers trust Dell to deliver technology solutions that help them do and achieve more, whether they're at home, work, school or anywhere in their world. Learn more about Dell's story, purpose and people behind its customer-centric approach.
One of the most compelling promises of the cloud is that you can pull out a credit card and be working in minutes. No purchase orders to fill out, no equipment to wait for on the loading dock. Just instant access to the resources you need, when you need them. But accessibility comes at a price, and an unintentional consequence may be that you create yet another orphaned identity silo. Enterprise IT has spent years consolidating its mishmash of directories, only to discover that cloud now threatens to turn back their hard-won victories. In his session at the 12th International Cloud Expo, Scott Morrison, CTO and Chief Architect at Layer 7 Technologies, will look at strategies to incorporate identity into cloud applications. Enterprise identity or social login can both be a part of your go-to-cloud strategy, but you must plan for this upfront, rather than try to retrofit identity and access control at a later date.
Cloud Expo, Cloud Expo East, Cloud Expo West, Cloud Expo Silicon Valley, Cloud Expo Europe, Cloud Expo Tokyo, Cloud Expo Prague, Cloud Expo Hong Kong, Cloud Expo Sao Paolo are trademarks and /or registered trademarks (USPTO serial number 85009040) of Cloud Expo, Inc.
Virtualization Blogs Live