Focus on the Human Element and Then What?

Are we starting to see more and more evidence of the tide turning on security issues?  No longer is the solution solely network based and focused on external threats.  The trend is to look inward and identify poor behavior that contributes to network issues, and to look at the insider threats who are actively working against your company.

We are going to cover a couple different topics in this post, but it all starts with some data.  Some stats to mull over from Dell SecureWorks and an article published in Forbes:

  • 70% of IT breaches can be attributed to human elements.
  • 90% of all malware requires human interaction before it can infect its target.
  • 63% of employees admit to using a work computer for personal use every day; and 83% admit to doing it at least sometimes.  (PSG Comment: And this doesn’t seem to hit the devices affected within companies with BYOD policies.  Or better yet, those employees who BYOD and the companies don’t have a policy.)
  • 78% of employees accessed personal email from business computers.
  • 91% of targeted attacks involve spear phishing emails.
  • 76% less is spent on security events when employees are trained, yet… 54% do not provide security training for new hires.  (PSG Comment: The lack of security training for new hires is perplexing; at a minimum, new hires need a baseline of security training to get in line with your company’s established processes and procedures.  There should be a study to find out how many incidents occur from new hires and how many of those incidents occurred before they were indoctrinated into the security processes and procedures of the company.)

So the Insider Threat gets more and more attention, but the question now is how you address it.  The article from Forbes explains how the security awareness and training field is growing exponentially.  It will be interesting to see whether the solutions offered by these firms are solely network-centric and computer-based training models.  These are important and can be very effective, but only when used in conjunction with real-time exercises and human interactions.

Policies, Training and Exercises.  There is a clear need for education and awareness training.  The numbers support it.

  • Start with your policies.  This helps set your security culture and climate.  What is acceptable and what will result in administrative actions against an employee.  Use policy to set your training schedule.
  • Training.  There is no reason why security training can’t be planned a year in advance.  Do you want monthly/quarterly/semi-annual training?  Or a mix of the above?  Is it web-based or classroom-based?  And how do you assess training standards – through tests or real world exercises?
  • Exercises.  Schedule a training exercise that is designed to check your security policy. When did you have someone try to pentest your network or website?  What about your physical security solutions?  Have you had a social engineer try to access your restricted areas?  Or bypass your receptionist?  What about phishing emails sent to your employees to reinforce training?  Everything should be on the table.  And then test your incident response.

Fusion Solution.  A solution to detecting insider threats is a mix of network and human solutions.  The two are mutually supporting.  Certainly, an element of detecting insider threats needs to be network based.  You need to see and recognize the anomalies on your networks and the point of origin.  You need to know that Jim is downloading a lot of information and have security personnel interview him and see what the cause could be.  It’s possible it’s very benign, but there could be more to it.  You need to find out.
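One way to surface the "Jim is downloading a lot of information" signal, shown here as an added example that is not part of the original post: each user's daily download volume is compared against that user's own history, and the output is a lead for an interview, not a verdict.  The log shape, the sample records, the function name and the thresholds are all assumptions made for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample records: (day, user, megabytes downloaded), as a proxy
# or DLP log might summarise them. Not real data.
SAMPLE = [
    ("2024-03-01", "jim", 120), ("2024-03-02", "jim", 95),
    ("2024-03-03", "jim", 130), ("2024-03-04", "jim", 110),
    ("2024-03-05", "jim", 105), ("2024-03-06", "jim", 125),
    ("2024-03-07", "jim", 4200),   # sudden spike for a normally light user
    ("2024-03-01", "ana", 900), ("2024-03-02", "ana", 950),
    ("2024-03-03", "ana", 880), ("2024-03-04", "ana", 1000),
    ("2024-03-05", "ana", 920), ("2024-03-06", "ana", 940),
    ("2024-03-07", "ana", 980),    # heavy but consistent user
]

def flag_download_anomalies(records, k=5.0, min_history=5, floor_mb=500):
    """Return interview leads: days where a user far exceeds their own baseline.

    Baseline is the median of the user's earlier days; spread is the median
    absolute deviation (MAD), which a single past spike does not distort.
    k, min_history and floor_mb are illustrative thresholds (assumptions).
    """
    by_user = defaultdict(list)
    for day, user, mb in sorted(records):      # ISO dates sort chronologically
        by_user[user].append((day, mb))

    leads = []
    for user, days in by_user.items():
        for i, (day, mb) in enumerate(days):
            history = [m for _, m in days[:i]]
            if len(history) < min_history:     # too little history to judge
                continue
            base = median(history)
            mad = median([abs(m - base) for m in history]) or 1.0
            # Require both an absolute floor and a large relative deviation,
            # so small users with tiny variance do not alert on noise.
            if mb >= floor_mb and mb > base + k * mad:
                leads.append({"user": user, "day": day,
                              "mb": mb, "baseline_mb": base})
    return leads

if __name__ == "__main__":
    for lead in flag_download_anomalies(SAMPLE):
        print(lead)
```

The per-user baseline is what keeps the consistently heavy user out of the results while the light user's spike is raised for follow-up.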

Security Climate.  Reinforcing policies and training above, you need to have a climate and security culture where people recognize that Jim, who was actually passed over for promotion from the company that he worked tirelessly for the past 15 years, is speaking out about the company and very disgusted with what he perceives as favoritism.  He’s also mumbled out loud that he would love nothing more than to see the company fall on its face and is actively looking for other jobs.  A way to do that is training your employees and teaching them about the Insider Threat and methodologies.  You don’t want a rat squad, but you do want alert and aware employees who understand the negative impacts this has on your business – big or small.

Reporting Process.  Finally, you need a trusted system for employees to report and for you as a business to investigate allegations of potential threats.  Using an example from the military or law enforcement, these elements employ various programs which could investigate allegations of misconduct, espionage and/or terrorism.  But the first part, which ties back to the above, was a comprehensive security education and awareness training program that informed employees about the ways groups seek to steal critical information/secrets, and how to report those instances.

A critical component of this program, and of any program that you employ, is to ensure that the reported case remains an allegation and that no negative impact will be placed on the employee while an investigation into the allegation is ongoing.  Counter-intelligence or investigative elements/internal affairs get a bad reputation due to the outcome of their actions.  This is where establishing a security culture comes into play.  It’s important that any security program or investigative program is transparent and above-board.  Consider the following:

  1. What is your reporting policy?  What do you define as a reportable incident?  Who should employees report to?  Is this publicized?
  2. What are you legally able to do?  What types of investigative activity are done internally and what is done externally?  How have you integrated your legal team?
  3. How have you integrated your HR team?  What actions are you allowed to take on an employee?
  4. Who is the approval authority for investigative action?  You want to ensure that a disinterested party can review the allegation and ensure it meets the defined threshold for reportable incidents.
  5. Do you have established timelines for completion of investigative activity?
  6. Are investigative personnel full-time or is it an additional duty?  If you are a big business you can afford a bigger security team, but what about SOHOs or small businesses?  Should you outsource?  Is it worth it?

And the list can go on and on, but it’s important to stress that this is a critical component for detecting insider threats.  Data produced by network systems cannot decipher the reason behind human actions.  It can help identify an issue, but the onion needs to be peeled back to understand the action.  That’s why a reporting process is critical to minimizing or neutralizing threats.  And then perhaps, the numbers start to go down.

Something to think about.


