Insider Threats - Privileged Users
This white paper is divided into two sections. First, Dr. Eric Cole discusses the
business issues around insiders, especially IT administrators. Second, NetIQ
discusses how to reduce or eliminate many of the issues that Dr. Cole
describes.
This document could include technical inaccuracies or typographical errors. Changes are periodically
made to the information herein. These changes may be incorporated in new editions of this document.
NetIQ Corporation may make improvements in or changes to the software described in this document at
any time.
ActiveAudit, ActiveView, Aegis, AppManager, Change Administrator, Change Guardian, Compliance Suite, the cube logo design,
Directory and Resource Administrator, Directory Security Administrator, Domain Migration Administrator, Exchange Administrator,
File Security Administrator, Group Policy Administrator, Group Policy Guardian, Group Policy Suite, IntelliPolicy, Knowledge Scripts,
NetConnect, NetIQ, the NetIQ logo, PSAudit, PSDetect, PSPasswordManager, PSSecure, Secure Configuration Manager, Security
Administration Suite, Security Manager, Server Consolidator, VigilEnt, and Vivinet are trademarks or registered trademarks of NetIQ
Corporation or its subsidiaries in the USA. All other company and product names mentioned are used only for identification
purposes and may be trademarks or registered trademarks of their respective companies.
Introduction
Worms! Viruses! Spyware! Mass media coverage (hysterics?) of external security threats has caused
many of us to temporarily forget the most often-repeated rule of thumb in security: that the majority of the
threat to any organization (the figure usually quoted is 80 percent) comes from inside. Trusted employees,
IT staff, contractors, and outsourcers all have access to critical systems and sit inside the primary lines of
organizational defense. Whether the primary security concern is data integrity, financial compliance, or
privacy protection, organizations must ensure that the insider threat is understood and contained.
Most organizations deal with insider threats by defining application roles, restricting access to data, and
defining strict audit rules. Often forgotten are their own IT administrators. Administrators are granted
sweeping powers over servers, Active Directory, and applications as part of their jobs. Until recently no
solution existed to limit this power, apart from partial measures such as logs, and administrators, by
definition, have held the rights needed to evade or tamper with those measures.
If a competitor or similar entity wants to cause damage to your organization – steal critical secrets or put
you out of business – here is a good example of how they could succeed, if granted access. They would
locate a job opening, prep someone to ace the interview, have that person get hired, and they are inside
your organization. The fact that it is that easy should alarm you.
Many companies have jobs open for several weeks and it could take a couple of weeks to set up an
interview. That gives a competitor focused on your company a four-week period to prep someone to ace
an interview. This is a current practice of foreign governments. They know that a key requirement for that
1 Pages one through six are excerpts from the book Insider Threat by Dr. Eric Cole.
Insider threat is occurring all the time, but since it is happening within an organization, it is a private
attack. Public attacks like defacing a Web site are hard for a company to deny. Private attacks are much
easier to conceal.
Because these attacks are being perpetrated by trusted insiders, you need to understand the damage
they can cause, how to build proper measures to prevent the attack, how to minimize the damage, and, at
a minimum, how to detect the attacks in a timely manner. Many of the measures companies deploy today
are ineffective against an insider threat. When companies discuss securing their enterprise, they are
concerned with the external attack, forgetting about the damage that an insider can cause.
The United States Secret Service is conducting a series of studies on the insider threat. Why? Because
billions of dollars are being lost. You will never be able to completely remove the insider threat because
companies need to be able to function. If you fire all your employees, you might have prevented the
insider attack, but you will also go out of business. The key is to strike a balance between the access your
employees need and the access your employees currently have.
Most people, when they think of attackers, picture someone with a huge amount of technical
sophistication who can walk through virtual walls and gain access to anything they want. Insiders,
however, take advantage of the fact that they already have access, so their attack methods tend to be
less technically sophisticated. If an insider has only partial access, they will sometimes use additional
techniques to increase it, but since they are typically not contending with any security devices, most of
the methods are fairly straightforward.
It is also important to remember that to launch an effective attack, attackers need knowledge of the
organization they are trying to attack. External attackers could spend weeks, if not longer, trying to
acquire the information they need to launch a successful attack. In some cases, if they cannot gain
enough knowledge, they might decide to go against a different target.
The insider, by contrast, has full knowledge of your operations. He knows what is checked and what is
not, and can even test the system. For example, while opening his own private share, he could click on
someone else's and see whether anyone notices. If he does this several times and nothing ever happens,
he has gained valuable knowledge: either access is not being logged, or nobody is watching the logs.
Because he works inside your operations, he either already has detailed knowledge of how things work
or can gain it quickly by testing.
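The probing behaviour just described leaves a trace only if share access is audited and someone actually looks at the audit trail. The block below is an added example of the detection logic that would catch it; it is my illustration, not code from the white paper or from NetIQ. It runs over constructed records that stand in for the fields of Windows Security event 5145 (a network share object was checked for access), assumes a single home-folder share in which the first path component names the folder's owner, and uses an illustrative threshold of three other users' folders within ten minutes. Denied attempts count as well as successes, because the insider learns from both.

```python
"""Detect an insider probing other users' private share folders.

Added example, not part of the original white paper. SAMPLE_EVENTS is a
constructed stand-in for the subject, relative-target and status fields of
Windows Security event 5145; the home-share layout and thresholds are
assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real logs). Each tuple: time, subject user,
# relative target under the home share (\\fs01\Users$), NTSTATUS of the check.
# Folder layout assumed: <share>\<owner>\... so the first path component is the owner.
SAMPLE_EVENTS = [
    ("2006-03-01T09:02:11", "jdoe",   r"jdoe\notes.txt",      "0x0"),
    ("2006-03-01T09:03:40", "jdoe",   r"asmith\payroll.xls",  "0xc0000022"),  # access denied
    ("2006-03-01T09:04:05", "jdoe",   r"bwong\contracts.doc", "0x0"),
    ("2006-03-01T09:06:30", "jdoe",   r"cpatel\budget.xls",   "0x0"),
    ("2006-03-01T11:15:00", "asmith", r"asmith\payroll.xls",  "0x0"),
    ("2006-03-01T14:20:00", "bwong",  r"jdoe\notes.txt",      "0xc0000022"),  # one-off, not a campaign
]


def parse(events):
    """Turn the raw tuples into dicts with a datetime, the folder owner and a denied flag."""
    out = []
    for ts, user, target, status in events:
        owner = target.split("\\", 1)[0].lower()
        out.append({
            "time": datetime.fromisoformat(ts),
            "user": user.lower(),
            "owner": owner,
            "target": target,
            "denied": status != "0x0",
        })
    return out


def foreign_accesses(events):
    """Every access check, granted or denied, against a folder the subject does not own."""
    return [e for e in parse(events) if e["user"] != e["owner"]]


def probing_users(events, window=timedelta(minutes=10), threshold=3):
    """Users who touched at least `threshold` distinct other users' folders within `window`.

    Returns {user: sorted list of owners probed}. A denied attempt is as
    informative to the insider as a silent success, so both are counted.
    """
    per_user = defaultdict(list)
    for e in sorted(foreign_accesses(events), key=lambda e: e["time"]):
        per_user[e["user"]].append(e)

    flagged = {}
    for user, evs in per_user.items():
        # Slide a window starting at each event; flag on the first window that is wide enough.
        for i, start in enumerate(evs):
            owners = {x["owner"] for x in evs[i:] if x["time"] - start["time"] <= window}
            if len(owners) >= threshold:
                flagged[user] = sorted(owners)
                break
    return flagged


if __name__ == "__main__":
    for e in foreign_accesses(SAMPLE_EVENTS):
        verdict = "DENIED " if e["denied"] else "GRANTED"
        print(f"{e['time']:%H:%M:%S} {verdict} {e['user']} -> {e['target']}")
    for user, owners in probing_users(SAMPLE_EVENTS).items():
        print(f"PROBING: {user} touched folders of {', '.join(owners)} within 10 minutes")
```

On a Windows file server these events exist only if the "Detailed File Share" audit subcategory is enabled, for example with `auditpol /set /subcategory:"Detailed File Share" /success:enable /failure:enable`, and only someone reviewing the collected events turns them into the "someone noticed" the insider is testing for. Without both, his test returns exactly the silence he is hoping for.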
The problem to date is that most security efforts have been focused on the external threat. For most
organizations, more energy and effort have been placed on the external threat rather than the internal
threat. The reason is simple: It is easier to stop, easier to control, and it is more visible. If you have
system “x” you can state that it should not be accessible from the Internet and have measures in place to
prevent it. Then if someone accesses it externally, it sets off a flag. The problem with the insider threat is
that people are supposed to access server “x” but only for legitimate purposes. Now you have to measure
intent when someone accesses data, which is almost impossible to do.
In addition, the outsider threat is more understood. We understand the means and methods that are
utilized to attack systems because we have case studies and history to back it up. With insider threat we
know it happens and it is damaging, but we have less factual data to base conclusions on.
Companies that are going to survive and thrive are going to need to turn their focus to the insider and
take preventative action against these types of threats. Otherwise, by the time the threat occurs, there will
not be much of their company left to save.
There are three key reasons that the insider threat has been ignored:
As we have discussed, limiting access and implementing policies and procedures are key to preventing
the insider threat. It should not be surprising that most organizations do a terrible job of controlling access
and an even worse job of maintaining clear, consistent policies. While companies claim they are doing this,
Security measures that are in place are mainly for the perimeter and do not scale to the insider. Measures
that will protect against the insider are hard to implement at a large organization and do not scale very
well.
Think of the damage that viruses and worms cause to organizations. These are attacks that start on the
Internet and manage to get through organizations’ firewalls, perimeters, and security devices and cause
severe loss. If an external worm can penetrate an organization with ease, what can someone who is
behind the firewall and the security perimeter do? The short answer is: Almost anything they want.
Although people can argue over the validity and strength of firewalls, IDS, and perimeter security, at least
there are some measures in place.
When it comes to insiders, there is little stopping them because they are a trusted entity. What is even
worse than not preventing them is not trying to detect their actions. This means that not only is nothing
stopping an insider but there is nothing in place that is watching or recording their actions to even detect
that something is happening.
As we talked about earlier, many organizations would rather live in denial than fix the problem.
Unfortunately with a real threat, denial will only cause more harm. The insider threat is like a tumor. If you
realize there is a problem and address it, you will have short-term suffering but a good chance of
recovery. If you ignore it, it will keep getting worse, and while you might have short-term enjoyment, it will
most likely kill you.
You might be saying that you acknowledge that the threat is real but that your company is not vulnerable.
The reality is that almost every organization is vulnerable, because almost every organization has
minimal, if any, controls in place and does not carefully control access to data.
Some organizations might have some basic access controls in place, but that is not good enough. If even
one person has more access than they need to do their job, that is too much access. Giving everyone the
least access they need to do their job is critical, plus putting auditing measures in place to track behavior,
even if you know that access is strictly controlled. What stops someone who has legitimate access to a
file from e-mailing it to someone who should not have access? Not only do you have to strictly control
access, you must also monitor it. Too much access is what leads to ultimate compromise and too little
monitoring leads to someone not being caught or controlled. Both play a critical role in your insider threat
arsenal.
More and more organizations are starting to recognize that insider threat is important. The problem is that
this recognition comes after the fact. I know of a multitude of companies that have been victims of insider
threat. I do not know of any that stopped an insider threat at the outset. All of our case studies, histories,
and knowledge of insider threat come from after the problem has occurred and a company has been
compromised. The real problem is that we are not discovering these incidents by catching the insiders.
If we at least caught the insider after the fact, we could stop that person from doing it again. Unfortunately,
we know it is happening but we do not know who did it. This creates a double-edged sword. Most
In 2005, it is estimated that more than 10 million identities were stolen, with resulting losses of more than
$50 million. What more proof do we want that this is a real threat? You might ask what stolen identities
have to do with insider threat. The answer is: there is a direct correlation. How is the personal information
used to steal someone's identity obtained? In a large share of cases it is taken by an insider who has
access to that information at the company they work for. Credit card fraud and identity theft are, in many
cases, the result of insiders stealing information they should not have been able to access.
The Bali nightclub bomber wrote a manifesto from jail in 2004 urging terrorists to take terrorism to
cyberspace. Why? Because he knew that was a weak link that could easily be exploited. Organizations
and countries have critical infrastructures all stored in computers. If that information is compromised, it
could have the same impact as an actual bomb.
The book Unrestricted Warfare, by Qiao Liang and Wang Xiangsui (Beijing: PLA Literature and Arts
Publishing House, February 1999), which can be downloaded at
http://www.terrorism.com/documents/TRC-Analysis/unrestricted.pdf, talks about how cyber
weapons will become the weapons of the future. The key fact is that this levels the playing field across all
countries. Who can compete with the nuclear arsenal of the U.S.? However, with cyber weapons, all the
barriers to entry and monitoring are gone. Just think: combine two or three of these cyber weapons in a
coordinated fashion and you would have the cyber version of the perfect storm.
Insider threat needs to be moved up in importance and discussed in boardrooms prior to attacks, not after
significant monetary loss. Proactive measures need to be taken to stop insider attacks from occurring, not
reactive measures to clean up the mess.
What is scary is how little skill is needed to launch these attacks. If you have access, you need know
almost nothing: you drag and drop information you should not be sending outside the company and
e-mail it to a competitor or a Hotmail account. Years of company Intellectual Property (IP) can be
extracted in minutes. Even without access, there are tools you can download and run to get it. If you can
install Microsoft Office, you can install and run these tools; they really are that easy to use, and they are
publicly available, free for the taking.
The sale of stolen IP makes the stolen car industry look "small time." It is happening constantly and is
such a normal occurrence that people do not even realize it. An unprotected computer is an insider threat
even if the user of the system is the most ethical employee on the planet. The computer and the account
have the trusted access, not the person, and if someone can compromise the system because its user
went to lunch and left it unlocked, that is a huge source of insider threat and potential loss for a
company.
We can predict with high reliability snowstorms and severe weather before they occur. This early warning
system enables people to prepare and take action to help minimize the damage. The reason we can
predict weather is because we look for indicators using radar and other advanced techniques. We need to
develop cyber indicators. Some initial indicators that could show a company is vulnerable are: no or weak
policies, weak passwords, and no list of critical assets. If we can better identify and track these cyber
indicators, we will have a better chance of reacting to the problem.
It is critical with any organization that everyone is on the same page with regards to protection of
information. Just because you have a policy does not mean people will follow it; however, without the
policy as the starting point, there is no way you can perform consistent enforcement across an
organization. While it is difficult, and executives never want to put things in writing, it is critical that a clear,
concise policy with appropriate repercussions be put in place. With new and existing regulations, policies
will play a key role, since organizations are required to clearly document their stance on security and how
they are going to achieve it. Written policies are a perfect way to capture this information.
Audits
If an organization is going to maintain a proper level of security and prevent the insider threat from
performing serious harm, they must know what is happening. The best way to know who is accessing
what is through regular and thorough audits. Just because an organization is secure today does not mean
they will be secure tomorrow. Only through regular audits can a company keep their arms around the
problem and make sure security is properly maintained. By themselves, audits are a good thing, but with
all of the new regulations, audits are becoming a necessity. At a fundamental level, how can
organizations know they are compliant with a given regulation if they are not validating it on a regular
basis? The key problem with audits is they are very difficult to perform and almost impossible to do
manually. Key software products and tools are needed to help organizations not only produce detailed
reports but also analyze them in a time efficient manner.
Access Controls
Access is the gateway in which the insider threat is manifested. Typically, in most organizations, access
control is poorly implemented and poorly understood. Moving forward, companies are going to have to
change this. Those that have been burnt in the past by insider threat or those that want to make sure they
do not get burnt moving forward, will have to take the time to properly control access to critical data. This
is a multi-staged process, involving identifying critical IP, determining who should have access to it, and
controlling and tracking that access.
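The review that the earlier paragraph on least access and this section call for (decide what each role needs, compare that with what each account actually holds, and track the gap) can be expressed as a small, repeatable check rather than a spreadsheet exercise. The block below is an added example of mine, not part of the white paper or of any NetIQ product. The roles, rights, accounts and separation-of-duties pairs are constructed for illustration; in practice the "granted" side would be exported from the directory and the "required" side from the role definitions the business signs off on.

```python
"""Least-privilege and separation-of-duties review over constructed entitlement data.

Added example; the roles, rights, accounts and toxic combinations below are
assumptions for illustration, not data from any real directory or product.
"""

# Rights each job role actually needs (the "should have" side).
ROLE_REQUIRED = {
    "helpdesk":  {"ResetUserPassword", "UnlockAccount"},
    "developer": {"ReadSourceRepo", "DeployToTest"},
    "dba":       {"ManageDatabase", "ReadDBLogs"},
}

# Rights that are dangerous on their own, whoever holds them.
PRIVILEGED = {"DomainAdmin", "ManageDatabase", "DeployToProd"}

# Pairs one person must never hold together (separation of duties).
TOXIC_PAIRS = [
    ("DeployToTest", "DeployToProd"),      # the same person writes and ships the code
    ("ResetUserPassword", "DomainAdmin"),  # can take over any other admin's identity
]

# What the directory actually grants (the "does have" side). Constructed.
ACCOUNTS = {
    "helpdesk01": {"role": "helpdesk",  "granted": {"ResetUserPassword", "UnlockAccount", "DomainAdmin"}},
    "bwong":      {"role": "developer", "granted": {"ReadSourceRepo", "DeployToTest", "DeployToProd"}},
    "cpatel":     {"role": "dba",       "granted": {"ManageDatabase", "ReadDBLogs"}},
}


def excess_rights(accounts=ACCOUNTS, roles=ROLE_REQUIRED):
    """Rights each account holds beyond what its role needs: {account: sorted extra rights}."""
    result = {}
    for name, acct in accounts.items():
        extra = acct["granted"] - roles[acct["role"]]
        if extra:
            result[name] = sorted(extra)
    return result


def sod_violations(accounts=ACCOUNTS, pairs=TOXIC_PAIRS):
    """Accounts holding both halves of a toxic combination: {account: [pair, ...]}."""
    result = {}
    for name, acct in accounts.items():
        hits = [p for p in pairs if set(p) <= acct["granted"]]
        if hits:
            result[name] = hits
    return result


def review(accounts=ACCOUNTS):
    """All findings as (severity, account, description), highest severity first.

    An excess right that is itself privileged is rated high; other excess
    rights medium; any separation-of-duties conflict high.
    """
    findings = []
    for name, extra in excess_rights(accounts).items():
        for right in extra:
            sev = "high" if right in PRIVILEGED else "medium"
            findings.append((sev, name, f"holds {right}, not required by role {accounts[name]['role']}"))
    for name, pairs in sod_violations(accounts).items():
        for a, b in pairs:
            findings.append(("high", name, f"separation-of-duties conflict: {a} + {b}"))
    order = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (order[f[0]], f[1], f[2]))


if __name__ == "__main__":
    for sev, who, what in review():
        print(f"[{sev:6}] {who:12} {what}")
```

The output is the list to act on: every high finding is either a right to remove or, if the business insists it stay, a right whose use must be monitored, which is the "strictly control access and also monitor it" pairing the text insists on. Run against a real export, the review should be scheduled, and any account that appears in two consecutive runs with the same finding is evidence the control is being ignored.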
• Monitoring privileged users – Administrators and users with extensive privileged access to
critical resources represent a significant vulnerability. Their activities must be managed and
monitored in such a way as to protect the systems they are accessing without reducing their
ability to do their job.
• Excessive native and escalated account privileges – Administrators are faced with granting
escalated privileges so that operators or contractors can perform tasks, many of which are
relatively minor compared with the level of access they are granted. The potential then exists for
these accounts to be abused or compromised and for their activity to be concealed.
• Meeting audit requirements – Today the process of auditing changes and other activities can
result in a time-intensive manual effort that still proves to be inadequate to meet current
regulatory requirements for demonstrating separation of duties.
NetIQ delivers two product families in its security portfolio to address these needs: NetIQ® Directory and
Resource Administrator™ and NetIQ® Change Guardian™.
NetIQ Directory and Resource Administrator mediates access to Microsoft Active Directory, limiting
the user to particular actions for specific views of the overall directory. As part of NetIQ’s identity and
access management offering, it supports user provisioning and other automated tasks and processes.
It also eases directory consolidation efforts and helps enforce security policies and segregation of duties.
Moreover, NetIQ® Identity Integration Suite seamlessly integrates your Unix, Linux, Macintosh, VMware
ESX and other platforms with Active Directory so that you can manage and secure access to these critical
systems using the same authentication, authorization, and Microsoft Group Policy services currently
deployed for your Microsoft Windows systems.
NetIQ Change Guardian products provide real-time monitoring and notification of changes across your
distributed environment, providing detailed insight into files, directories, file shares, registry keys (on
Windows), system processes, database activity (on Oracle, Microsoft, Sybase and other databases) and
more. They also deliver enhanced audit information, with greater fidelity and clarity than native log events
can provide, and record pre- and post-change information for improved incident analysis.
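As an added illustration of the pre- and post-change capture this paragraph describes (my example, not NetIQ's code or the product's mechanism): a baseline of content hashes is taken, a later snapshot is compared against it, and every added, removed or modified file is reported together with its before and after contents. The small configuration tree and the three edits made to it are constructed inside a temporary directory; the hash-and-compare is a generic file integrity check that any practitioner can run as written.

```python
"""Pre/post-change capture for a file tree: a minimal file integrity check.

Added example, not NetIQ code. The directory contents and edits in demo()
are constructed for illustration.
"""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file under root to (sha256 hex digest, raw content).

    Content is kept so a later report can show before/after text. For real
    deployments keep content only for small configuration files and hashes
    for everything else.
    """
    root = Path(root)
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            data = p.read_bytes()
            snap[p.relative_to(root).as_posix()] = (hashlib.sha256(data).hexdigest(), data)
    return snap


def diff_snapshots(before, after):
    """List every change between two snapshots with the pre- and post-change content."""
    changes = []
    for path in sorted(set(before) | set(after)):
        if path not in before:
            changes.append({"path": path, "kind": "added", "before": None, "after": after[path][1]})
        elif path not in after:
            changes.append({"path": path, "kind": "removed", "before": before[path][1], "after": None})
        elif before[path][0] != after[path][0]:
            changes.append({"path": path, "kind": "modified",
                            "before": before[path][1], "after": after[path][1]})
    return changes


def report(changes):
    """Render the change list as one line per change, content shown where it exists."""
    lines = []
    for c in changes:
        pre = c["before"].decode(errors="replace").strip() if c["before"] else "-"
        post = c["after"].decode(errors="replace").strip() if c["after"] else "-"
        lines.append(f"{c['kind']:8} {c['path']}: [{pre}] -> [{post}]")
    return lines


def demo():
    """Constructed scenario: baseline a small config tree, then make three changes."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = snapshot(root)

        # The changes an unmonitored administrator might make between two audits.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")   # weakened setting
        (root / "etc" / "hosts").unlink()                                     # file removed
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "nightly").write_text("0 2 * * * root /opt/jobs/run.sh\n")  # new job

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for line in report(demo()):
        print(line)
```

The value of the before/after pair is in the first change above: a bare "sshd_config modified" event tells an investigator nothing, while "PermitRootLogin no" becoming "PermitRootLogin yes" is the finding itself. Native logs generally record only that a write happened, which is why the text treats pre- and post-change capture as a separate requirement.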
NetIQ provides other products to address data protection and regulatory compliance needs. To learn
more, visit NetIQ.com.
While the majority of security resources are spent preventing the anonymous hacker from causing harm,
organizations need to be aware of the even greater threat of the trusted insider. Studies have shown that
insiders can do far more harm than external hackers as a result of their unfettered access to critical
systems and the general lack of oversight and accountability. An intrusion detection system may
immediately notify IT security of a hacker's intrusion, but the tools that notify on and address unauthorized
changes made by insiders are relatively new to the market. Most worrying of all, organizations typically do
not realize that damage has been done by an insider until it is too late.
NetIQ offers a set of products designed to control, manage and audit changes within your IT
infrastructure. These products help ensure that changes made to your IT environment are managed so
that they neither disrupt services nor introduce security vulnerabilities.
These solutions address the insider threat by tightly controlling and provisioning access to servers and
applications, and monitoring for unplanned and unauthorized changes – increasing compliance and
assuring operational integrity across your critical assets.
About NetIQ
NetIQ is an enterprise software company with relentless focus on customer success. Customers and
partners choose NetIQ to cost-effectively tackle information protection challenges and IT operations
complexities. Our portfolio of scalable, automated management solutions for Security & Compliance,
Identity & Access, and Performance & Availability and our practical, focused approach to solving IT
challenges help customers realize greater strategic value, demonstrable business improvement and cost
savings over alternative approaches.