The Inside Threat

It only takes a single mouse click from a disgruntled or incompetent member of your staff to destroy your business. Or maybe a diligent employee takes work home to put some extra effort in and finds his laptop stolen.

Key intellectual property, customer lists, financial data, credit card details. The list of sensitive data held by organisations goes on and on.

Whilst you may have secured the external access to your IT systems using passwords and firewalls, those inside the organisation will often have full and unfettered access to your most sensitive data, irrespective of their job role or entitlement.

USB drives and handheld devices now pose a huge threat to the integrity of organisational data.

This is the first of a two-part report. The second paper in our Incoming Thought Special Report series will examine what can be done to address the inside threat.

What is the Inside Threat?

Most businesses and organisations have in place basic security arrangements that enable them to conduct their day to day work.

For many this will entail the provision of a relatively safe and protected building for employees to come to work secure in the knowledge that they will be able to leave the premises at the end of the day without either harming themselves or the business.

IT security is dealt with in more or less the same way.

The business will put together sufficient technologies so that it can undertake its day to day work, with security bolted on appropriately. The level of security protection can range from nothing through to complex intrusion prevention and detection systems combined with state of the art firewalls.

Unfortunately most of this effort is targeted at keeping the bad people out. For many who are not IT security experts their visualisation of the topic comprises just this - lots of barriers and obstacles to prevent unauthorised people from getting in.

No one would disagree with this approach, but keeping the bad people out is only half the problem. What if the bad people are already inside your organisation? What about those upset about poor bonuses looking for a quick exit?

This type of insider threat is a real and present danger. It is probably not as significant as one may imagine, but it does exist. That is, unless your staff are uniquely dysfunctional, have no interest in the work they do and are all looking for an exit.

An aspect of the inside threat that appears to be growing is the targeting of key staff by criminal gangs. Seen as the weak link in the security continuum, a key user can be targeted by bribery or threats to reveal confidential data or keys.

For example there have been a number of cases reported where bank call centre staff have been targeted by gangs looking for an easy entry to a system.

The number of employees that use MP3 players and USB memory sticks is frightening. Every day your staff potentially come to work equipped to steal your data using devices dangling around their necks. Using company facilities to download the latest song may be seen as legitimate lunchtime sport, but what happens when confidential company data is copied to the memory stick at the same time?

Nearly as troubling is the threat of data leakage following mistakes or user incompetence. If a member of staff loses a laptop computer they will have to report it to their IT department.

Not many would bother to report a USB memory drive being lost as the apparent value of the device is minimal. But what about the value of the data on that drive that has been lost?

Email is an amazing business tool, but every time we use it we sit on a cliff edge when we push the send button.

Why?

It is incredibly easy to enter the wrong user name by mistake. You type the name “Paul” into your To: box and you may have a number of “Paul” email addresses appear. Feeling tired? You may accidentally send files or data to the wrong Paul.

Inside Threat vs. Insider Threat

The contraction of “Insider” to “Inside” represents a significant change in attitude to the problem. In the past the internal threat has been articulated as a problem generated from malicious employees or staff.

The use of the word inside presents the problem as both a competent and incompetent threat.

• The incompetent and non-malicious. Often evolving from poor staff training or an overworked and stressed team starting to make mistakes. Maybe the incompetence originates in the IT department, who failed to put in place encryption technologies or other security systems to mitigate any losses.

• The competent and malicious. The premeditated act of stealing or damaging data or systems by someone inside the organisation with access to data, legitimate or otherwise.

Inside Threat – Is there a problem?

Every security breach results in one certainty – inappropriate exposure of data. Be that thousands of customer details or one account number, data has been viewed, copied, deleted or updated outside of organisational controls. Even if the data that was leaked is not used for malicious purposes, the possibility was always there.

• Incompetent and Non-Malicious

In the summer of 2006 a laptop computer belonging to an employee of Nationwide Bank was stolen during a burglary at their home address.

The laptop contained customer names and addresses for use in a marketing campaign. In early 2007 the bank was fined £980,000 by the Financial Services Authority for “failing to have effective systems and controls to manage its information security risks.”

• Competent and Malicious

In late 2006 an ex-systems administrator from UBS PaineWebber was sentenced to 8 years in jail following an inside attack on UBS systems in 2002.

The individual was found guilty of writing and planting a logic bomb that took 2000 servers offline, preventing the company from trading – its core business.

The ex-systems administrator undertook the attack as he was unhappy with the bonus he received from the company. The cost of the attack has been estimated at more than $3 million.

Anatomy of an Inside Data Loss Incident

Most, if not all, incidents can be mapped against a reasonably straightforward list of attributes:

Who – who lost the data from the organisation?

What – what actually went missing?

Why – why did the data go missing?

When – when did the data go missing?

How – how did the data go missing?

• Who actually lost the data? can have a huge impact on the seriousness of the incident. If data is taken by a junior employee then one would hope that the incident would be fairly minor, certainly on the basis that a junior employee should not be accessing critical or extremely sensitive data.

An incident involving a senior member of staff or board member can be indicative of a significant threat to the business – from maybe the setting up of a rival organisation or industrial espionage.

• What has been stolen? will impact the type of response required. Meaningless data that may be old or irrelevant can essentially be ignored. Key intellectual property or customer data can be extremely difficult to replace and can be a significant threat to the business, both commercially and from a reputational view point.

It is sometimes impossible to determine if data has actually been stolen per se, or whether a laptop has simply been removed that coincidentally had confidential data on it. Many opportunist thefts outside of the organisation are likely to be directed at the hardware alone, rather than the data that may or may not be loaded.

• Why was the data taken? At some point this difficult question will need to be asked; the answer could be quite uncomfortable to face in light of data being taken by senior staff.

• When did the data get taken? If key information has gone, time will be of the essence to ensure collateral damage is minimised. This will also enable you to get messaging organised for PR teams to help manage reputational risk when the news is announced.

If data was taken a long while ago, it could mean the data is now out of date and irrelevant or, alternatively, there has been ongoing damage occurring below your “corporate radar”.

• How was the data taken? Immediate action will need to be taken to seal any security holes identified by the data theft. If the theft was a systemic failure then a full and thorough review should be undertaken to prevent the same thing occurring again.

Now it’s Personal: Inside Threat, Risk and Governance

Being identified as having an inside threat problem can have an effect not only on the immediate business in hand but the reputation of the organisation moving forward. This reputation is a vital currency when dealing with customers, suppliers, partners and competitors.

Any risk exposure is bound to be leveraged by those that wish to be in an organisation’s space and many would rejoice in the corporate reputational damage of a competitor.

Governance issues raise the prospect of inquiries and investigation into corporate behaviour prior to the incident. Yes, washing will often be conducted in public and the media will pounce on any opportunity to report a well-known organisation’s travails.

The stress of an investigation is not to be underestimated as executives and managers are distracted from the core business to satisfy the needs of the investigating agency.

Any director faced with personal liabilities will channel their energies into resolving that rather than further building the business, no matter how good their compartmentalisation.

Prevention, in this instance, is much more cost effective than the cure.

About Incoming Thought Ltd

Incoming Thought is focused on IT security consultancy, education and content creation. We take a creative approach to solving the problem of enhancing an organisation’s security from the ground up by working with both vendors and end users, assisting both in the deployment of successful IT security systems.

For a copy of the second report on how to mitigate the inside threat email admin@incomingthought.com