
Address the Insider Threat of Privileged Users

Co-written by Dr. Eric Cole and NetIQ Corporation

Organizations typically grant IT administrators far more access than is required to make simple changes
to their production servers and applications. To protect sensitive data, comply with regulations, and
ensure the integrity of their IT infrastructure, organizations need to maintain tighter control over that
access.

This white paper is divided into two sections. First, Dr. Eric Cole discusses the
business issues around insiders, especially IT administrators. Second, NetIQ
discusses how to reduce or eliminate many of the issues that Dr. Cole
describes.
This document could include technical inaccuracies or typographical errors. Changes are periodically
made to the information herein. These changes may be incorporated in new editions of this document.
NetIQ Corporation may make improvements in or changes to the software described in this document at
any time.

Copyright © 2010 NetIQ Corporation. All rights reserved.

ActiveAudit, ActiveView, Aegis, AppManager, Change Administrator, Change Guardian, Compliance Suite, the cube logo design,
Directory and Resource Administrator, Directory Security Administrator, Domain Migration Administrator, Exchange Administrator,
File Security Administrator, Group Policy Administrator, Group Policy Guardian, Group Policy Suite, IntelliPolicy, Knowledge Scripts,
NetConnect, NetIQ, the NetIQ logo, PSAudit, PSDetect, PSPasswordManager, PSSecure, Secure Configuration Manager, Security
Administration Suite, Security Manager, Server Consolidator, VigilEnt, and Vivinet are trademarks or registered trademarks of NetIQ
Corporation or its subsidiaries in the USA. All other company and product names mentioned are used only for identification
purposes and may be trademarks or registered trademarks of their respective companies.

WHITE PAPER: Address the Insider Threat of Privileged Users


Table of Contents
About Dr. Eric Cole (page 1)
Introduction (page 1)
The Importance of Understanding the Insider Threat by Dr. Eric Cole (page 1)
  Key Aspects of Insider Threat (page 2)
  Insider vs. External Threat (page 3)
  Why the Insider Threat Has Been Ignored (page 3)
  Current Solutions Do Not Scale (page 3)
  The Threat Is Real (page 4)
  Key Areas of Attention (page 6)
    Policies and Procedures (page 6)
    Audits (page 6)
    Access Controls (page 6)
NetIQ and the Insider Threat (page 7)
Conclusion (page 8)
About NetIQ (page 8)

About Dr. Eric Cole
Dr. Eric Cole has been working with international banks, Fortune 500 companies, and governmental
agencies such as the CIA for more than 15 years to improve their security. In addition to being a hands-
on expert, he is also a respected teacher, presenting at security conferences, working to explain security
concerns to mass media through outlets like CBS News, 60 Minutes, and CNN, and by writing articles
and books including Hackers Beware, Hiding in Plain Sight, and the Network Security Bible. Dr. Cole's
book, Insider Threat: Protecting the Enterprise from Sabotage, Spying, and Theft, reminds us that
insiders (trusted employees and contractors) can do more damage more quickly to an organization than
any outside hacker.

Introduction
Worms! Viruses! Spyware! Mass media coverage (hysterics?) about external security threats has caused
many of us to temporarily forget the most important rule-of-thumb about security – that 80 percent of the
threat to any organization comes from inside. Trusted employees, IT staff, contractors, and outsourcers
all have access to critical systems and are inside the primary lines of organizational defense. Whether the
primary security concern is data integrity, financial compliance, or privacy protection, administrators must
ensure that the insider threat is comprehended and contained.

Most organizations deal with insider threats by defining application roles, restricting access to data, and
identifying strict audit rules. Often forgotten are their computer administrators. IT administrators are
granted eminent powers over servers, Active Directory, and applications as part of their jobs. Until
recently, a solution did not exist to limit this power, outside of partial solutions like logs, but administrators
by definition have been able to evade those solutions.

The Importance of Understanding the Insider Threat by Dr. Eric Cole [1]
Organizations often think that once they hire an employee or a contractor, that person is now a part of a
trusted group of people. Although an organization might allow an employee privileged access, why should
they trust that person? Many organizations do not perform background checks or reference checks. As
long as the hiring manager likes them, they will hire them. Many people might not be who you think they
are. It can be an expensive, if not a fatal mistake for a company to improperly validate their background.
Because many organizations, in essence, hire complete strangers who are really unknown and give them
access to sensitive data, the insider threat is something that all organizations must worry about.

If a competitor or similar entity wants to cause damage to your organization – steal critical secrets or put
you out of business – here is a good example of how they could succeed, if granted access. They would
locate a job opening, prep someone to ace the interview, have that person get hired, and they are inside
your organization. The fact that it is that easy should alarm you.

Many companies have jobs open for several weeks and it could take a couple of weeks to set up an
interview. That gives a competitor focused on your company a four-week period to prep someone to ace
an interview. This is a current practice of foreign governments. They know that a key requirement for that
person is to pass the polygraph. Their candidate is put through intensive training so that he or she can
pass the polygraph. This points out a key disadvantage that organizations have. The attacker is aware of
your hiring process and all they have to do is prep someone so they ace that part of the process.

[1] Pages one through six are excerpts from the book Insider Threat by Dr. Eric Cole.

Insider threat is occurring all the time, but since it is happening within an organization, it is a private
attack. Public attacks like defacing a Web site are hard for a company to deny. Private attacks are much
easier to conceal.

Because these attacks are being perpetrated by trusted insiders, you need to understand the damage
they can cause, how to build proper measures to prevent the attack, how to minimize the damage, and, at
a minimum, how to detect the attacks in a timely manner. Many of the measures companies deploy today
are ineffective against an insider threat. When companies discuss securing their enterprise, they are
concerned with the external attack, forgetting about the damage that an insider can cause.

The United States Secret Service is conducting a series of studies on the insider threat. Why? Because
billions of dollars are being lost. You will never be able to completely remove the insider threat because
companies need to be able to function. If you fire all your employees, you might have prevented the
insider attack, but you will also go out of business. The key is to strike a balance between the access your
employees need and the access your employees currently have.

Key Aspects of Insider Threat

The key aspect to remember when dealing with threatening insiders is that in most cases, they will exploit
the weakest link that gives them the greatest chance of access, while minimizing the chances that they
get caught. Why try to break through a firewall and gain access to a system with a private address, when
you can find someone behind the firewall with full access to the system? It has been emphasized many
times, but taking advantage of access is a driving force in the insider attack.

Most people, when they think of attackers, think of someone with a huge amount of technical
sophistication that can walk through virtual cyber walls and gain access to anything that they want.
However, insiders take advantage of the fact that they already have access, so many of the attack
methods tend to be less technically sophisticated. In some cases, if an insider has partial access, they will
sometimes use additional techniques to increase their access. However, since they are typically not
dealing with any security devices, most of the methods tend to be fairly straightforward.

It is also important to remember that to launch an effective attack, attackers need knowledge of the
organization they are trying to attack. External attackers could spend weeks, if not longer, trying to
acquire the information they need to launch a successful attack. In some cases, if they cannot gain
enough knowledge, they might decide to go against a different target.

In the case of the insider, he has full knowledge of your operations. He knows what is checked and what
is not checked and can even test the system. For example, when he is trying to access his private share,
he could click on someone else’s and see if anyone notices. If he does this multiple times and nothing
ever happens, he has now gained valuable knowledge that either access is not being logged or not being
watched. Because he has access to your operations, he either has detailed knowledge of how things
operate or he can gain it quickly by testing the system.
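The probing described above (an insider opening other people's private shares to see whether anyone notices) is only invisible if nobody is watching the access log. The following is an added detection example, not code from the white paper or from NetIQ; the log format, the share-to-owner mapping and the log lines are all constructed for illustration.

```python
"""Detect an insider "testing the system" by opening other people's private
shares.  Added example, not from the white paper or from NetIQ: the log
format, the share-to-owner mapping and the log lines are all constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed: which user each private share belongs to.
SHARE_OWNER: Dict[str, str] = {
    "fs01/users/alice": "alice",
    "fs01/users/bob": "bob",
    "fs01/users/carol": "carol",
}

# Constructed file-server access log, hypothetical format:
# <ISO timestamp> <user> <share> <ALLOWED|DENIED>
SAMPLE_LOG = """\
2010-03-01T09:01:10 alice fs01/users/alice ALLOWED
2010-03-01T09:02:44 bob   fs01/users/alice ALLOWED
2010-03-01T09:03:02 bob   fs01/users/bob   ALLOWED
2010-03-01T09:05:19 bob   fs01/users/carol ALLOWED
2010-03-01T09:40:00 bob   fs01/users/alice DENIED
2010-03-02T11:15:00 carol fs01/users/bob   DENIED
2010-03-04T08:00:00 carol fs01/public      ALLOWED
"""


def parse_log(text: str) -> List[dict]:
    """Parse the constructed log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, share, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "share": share, "outcome": outcome})
    return events


def detect_share_probing(events: List[dict], share_owner: Dict[str, str],
                         threshold: int = 3,
                         window: timedelta = timedelta(hours=24)) -> List[dict]:
    """Flag users who touch someone else's private share `threshold` or more
    times within any `window`.  ALLOWED hits are counted separately from
    DENIED ones: a denied probe shows someone looking, an allowed one shows
    that the ACL itself is wider than least privilege requires."""
    by_user: Dict[str, List[dict]] = defaultdict(list)
    for ev in events:
        owner = share_owner.get(ev["share"])
        if owner is None or owner == ev["user"]:
            continue  # own share, or not a private share: nothing to flag
        by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in sorted(by_user.items()):
        evs.sort(key=lambda e: e["ts"])
        # Sliding window over the sorted timestamps: largest burst of probes.
        best, j = 0, 0
        for i in range(len(evs)):
            while j < len(evs) and evs[j]["ts"] - evs[i]["ts"] <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            alerts.append({
                "user": user,
                "probes_in_window": best,
                "allowed": sum(e["outcome"] == "ALLOWED" for e in evs),
                "denied": sum(e["outcome"] == "DENIED" for e in evs),
                "shares": sorted({e["share"] for e in evs}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_share_probing(parse_log(SAMPLE_LOG), SHARE_OWNER):
        print(alert)
```

Every ALLOWED entry in an alert is also an access-control finding: the share permitted a user who is not its owner, so the ACL needs tightening regardless of whether the user was probing.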

Insider vs. External Threat
Instead of arguing over whether an insider threat versus an external threat causes the most damage, the
short answer is: They both can cause damage and they both have to be addressed.

The problem to date is that most security efforts have been focused on the external threat. For most
organizations, more energy and effort have been placed on the external threat rather than the internal
threat. The reason is simple: It is easier to stop, easier to control, and it is more visible. If you have
system “x” you can state that it should not be accessible from the Internet and have measures in place to
prevent it. Then if someone accesses it externally, it sets off a flag. The problem with the insider threat is
that people are supposed to access server “x” but only for legitimate purposes. Now you have to measure
intent when someone accesses data, which is almost impossible to do.

In addition, the outsider threat is more understood. We understand the means and methods that are
utilized to attack systems because we have case studies and history to back it up. With insider threat we
know it happens and it is damaging, but we have less factual data to base conclusions on.

Companies that are going to survive and thrive are going to need to turn their focus to the insider and
take preventative action against these types of threats. Otherwise, by the time the threat occurs, there will
not be much of their company left to save.

Why the Insider Threat Has Been Ignored

At this point you might be saying that if the insider threat is so damaging, why has it been ignored and
why haven’t people been focused on it earlier? There are many reasons for this. First, it is not an easy
problem. It is very hard to understand and almost impossible to grasp. Both the Central Intelligence
Agency (CIA) and the Federal Bureau of Investigation (FBI) knew of the potential damages of insider
threat and took many measures to prevent it. However, over the past ten years they have still been
severely impacted by it.

There are three key reasons that the insider threat has been ignored:

1. Organizations do not know it is happening.
2. It is easy to be in denial.
3. Organizations fear bad publicity.

Current Solutions Do Not Scale

Most security devices that are deployed at organizations are meant to stop the external attack. Firewalls,
intrusion detection systems (IDS), and intrusion prevention systems (IPS) are based on some attack
vector that they are trying to prevent. Firewalls block access to certain ports, which stops an attacker but
does not stop an insider. If an insider needs access to certain information to do his job, a firewall will allow it.
If that person uploads data to an external site or e-mails it to an unauthorized party, a firewall can do
almost nothing to prevent it. IDS and IPS work off known signatures of attack. Most external
attacks have known signatures. Most internal attacks do not. In addition, most security devices are
deployed at the perimeter. Once you get past the perimeter there are minimal internal protection
measures.

As we have discussed, limiting access and implementing policies and procedures are key to preventing
the insider threat. It should not be surprising that most organizations do a terrible job at controlling access
and an even worse job at having clear, consistent policies. While companies claim they are doing this,
they are not doing it well.

Security measures that are in place are mainly for the perimeter and do not scale to the insider. Measures
that will protect against the insider are hard to implement at a large organization and do not scale very
well.

The Threat Is Real

Insider threat is no longer a fictitious concept that people write about and that you see in movies. It is real
and it is happening consistently, and those who do not take it seriously may be hurt by its results.

Think of the damage that viruses and worms cause to organizations. These are attacks that start on the
Internet and manage to get through organizations’ firewalls, perimeters, and security devices and cause
severe loss. If an external worm can penetrate an organization with ease, what can someone who is
behind the firewall and the security perimeter do? The short answer is: Almost anything they want.
Although people can argue over the validity and strength of firewalls, IDS, and perimeter security, at least
there are some measures in place.

When it comes to insiders, there is little stopping them because they are a trusted entity. What is even
worse than not preventing them is not trying to detect their actions. This means that not only is nothing
stopping an insider but there is nothing in place that is watching or recording their actions to even detect
that something is happening.

As we talked about earlier, many organizations would rather live in denial than fix the problem.
Unfortunately with a real threat, denial will only cause more harm. The insider threat is like a tumor. If you
realize there is a problem and address it, you will have short-term suffering but a good chance of
recovery. If you ignore it, it will keep getting worse, and while you might have short-term enjoyment, it will
most likely kill you.

You might be saying that you acknowledge that the threat is real but that your company is not vulnerable.
The reality is that almost every organization is vulnerable because almost every organization has
minimal, if any, controls in place and does not carefully control access to data.

Some organizations might have some basic access controls in place, but that is not good enough. If even
one person has more access than they need to do their job, that is too much access. Giving everyone the
least access they need to do their job is critical, plus putting auditing measures in place to track behavior,
even if you know that access is strictly controlled. What stops someone who has legitimate access to a
file from e-mailing it to someone who should not have access? Not only do you have to strictly control
access, you must also monitor it. Too much access is what leads to ultimate compromise and too little
monitoring leads to someone not being caught or controlled. Both play a critical role in your insider threat
arsenal.

More and more organizations are starting to recognize that insider threat is important. The problem is that
it is after the fact. I know of a multitude of companies that have been victims to insider threat. I do not
know of any that have successfully stopped an insider threat initially. All of our case studies, histories,
and knowledge of insider threat are after the problem occurs and a company becomes compromised.

The real problem is that we are not finding out about the problem because the insiders are not being
caught. At least if we caught the insider after the fact we could stop that person from doing it again.
Unfortunately, we know it is happening but we do not know who did it. This creates a double-edged
sword. Most executives do not believe what they cannot see, so they initially do not take insider threat
seriously. Then, after it happens and there is critical damage, they ask why they weren’t warned or told it
was a problem so they could have fixed it.

In 2005, it is estimated that more than 10 million identities were stolen, with a loss of more than $50
million resulting from it. What more proof do we want that this is a real threat? You might ask what stolen
identities have to do with insider threat. The answer is: there is a direct correlation. How is personal
information taken to steal someone’s identity? It is taken through an insider who has access to that
information for the company they work for. Credit card fraud and identity theft are both caused by insiders
stealing information they should not have access to.

The Bali nightclub bomber wrote a manifesto from jail in 2004 urging terrorists to take terrorism to
cyberspace. Why? Because he knew that was a weak link that could easily be exploited. Organizations
and countries have critical infrastructures all stored in computers. If that information is compromised, it
could have the same impact as an actual bomb.

The book Unrestricted Warfare, by Qiao Liang and Wang Xiangsui (Beijing: PLA Literature and Arts
Publishing House, February 1999), which can be downloaded at
http://www.terrorism.com/documents/TRC-Analysis/unrestricted.pdf, talks about how cyber
weapons will become the weapons of the future. The key fact is that this levels the playing field across all
countries. Who can compete with the nuclear arsenal of the U.S.? However, with cyber weapons, all the
barriers to entry and monitoring are gone. Just think if you put together two or three of the cyber weapons
together in a coordinated fashion, you would have the cyber version of the perfect storm.

Insider threat needs to be moved up in importance and discussed in boardrooms prior to attacks, not after
significant monetary loss. Proactive measures need to be taken to stop insider attacks from occurring, not
reactive measures to clean up the mess.

What is scary is there is really minimal skill needed to launch these attacks. You really do not need to
know anything if you have access. You just drag and drop information you should not be sending outside
the company and you e-mail it to a competitor or a Windows Hotmail account. Years of company
Intellectual Property (IP) can be extracted in minutes. Even if you do not have access, there are tools you
can download and run to get access. If you can install Microsoft Office, you can install and run these
tools. Unfortunately, they are really that easy to use. These tools are publicly available, free for the taking.

The sale of stolen IP makes the stolen car industry look “small time.” It is happening constantly and is
such a normal occurrence that people do not even realize it. An unprotected computer is an insider threat
even if the user of the system is the most ethical employee on the planet. The computer and account have
trusted access, not the person, and if someone can compromise the system because the person went to
lunch and left his system unlocked, that is a huge source of insider threat and potential loss for a
company.

We can predict with high reliability snowstorms and severe weather before they occur. This early warning
system enables people to prepare and take action to help minimize the damage. The reason we can
predict weather is because we look for indicators using radar and other advanced techniques. We need to
develop cyber indicators. Some initial indicators that could show a company is vulnerable are: no or weak
policies, weak passwords, and no list of critical assets. If we can better identify and track these cyber
indicators, we will have a better chance of reacting to the problem.

Key Areas of Attention
While there is a lot for an organization to focus on with regards to insider threat, there are some critical
areas they need to concentrate on. These areas have been alluded to earlier in the paper, but they are
critical enough to have their own section.

Policies and Procedures

Many companies, from a cyber perspective, lack clear control and direction in terms of protecting and
controlling access to their critical assets. While companies are focusing on long-term strategic plans for
their organizations, they need to address the critical IP and put together clear guidelines for what is
expected of their insiders. As we move forward, the lack of solid policies is going to manifest itself more
and more in companies. Companies that are serious about the insider threat are going to realize that the
old style of inefficient policies is no longer going to work. Therefore, instead of trying to re-work existing
policies, companies are going to realize that they are going to have to rewrite their policies from scratch.

It is critical with any organization that everyone is on the same page with regards to protection of
information. Just because you have a policy does not mean people will follow it; however, without the
policy as the starting point, there is no way you can perform consistent enforcement across an
organization. While it is difficult, and executives never want to put things in writing, it is critical that a clear,
concise policy with appropriate repercussions be put in place. With new and existing regulations, policies
will play a key role, since organizations are required to clearly document their stance on security and how
they are going to achieve it. Written policies are a perfect way to capture this information.

Audits
If an organization is going to maintain a proper level of security and prevent the insider threat from
performing serious harm, they must know what is happening. The best way to know who is accessing
what is through regular and thorough audits. Just because an organization is secure today does not mean
they will be secure tomorrow. Only through regular audits can a company keep their arms around the
problem and make sure security is properly maintained. By themselves, audits are a good thing, but with
all of the new regulations, audits are becoming a necessity. At a fundamental level, how can
organizations know they are compliant with a given regulation if they are not validating it on a regular
basis? The key problem with audits is they are very difficult to perform and almost impossible to do
manually. Key software products and tools are needed to help organizations not only produce detailed
reports but also analyze them in a time efficient manner.

Access Controls
Access is the gateway through which the insider threat is manifested. Typically, in most organizations, access
control is poorly implemented and poorly understood. Moving forward, companies are going to have to
change this. Those that have been burnt in the past by insider threat, or those that want to make sure they
do not get burnt moving forward, will have to take the time to properly control access to critical data. This
is a multi-staged process, involving identifying critical IP, determining who should have access to it, and
controlling and tracking that access.
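The three stages just described (identify critical IP, decide who should have access, then control and track that access) combine with the earlier point that least privilege must be paired with monitoring, and with the Audits section's call for tool-assisted analysis. The following access review is an added example, not code from the white paper or from NetIQ; the assets, roles, ACLs and usage data are constructed for illustration.

```python
"""Access review for the three-stage process above (identify critical IP,
decide who should have access, control and track that access).  Added
example, not from the white paper or from NetIQ: the assets, roles, ACLs
and usage data are constructed for illustration."""
from typing import Dict, List, Set, Tuple

# Stage 1 (constructed): critical assets and the roles that justify access.
CRITICAL_ASSETS: Dict[str, Set[str]] = {
    "payroll-db": {"payroll-analyst", "dba"},
    "source-repo": {"developer"},
    "customer-pii": {"support-lead"},
}

# Stage 2 (constructed): roles each person actually holds.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"payroll-analyst"},
    "bob": {"developer"},
    "dave": {"helpdesk"},
    "ops-admin": {"dba"},
}

# Stage 3, control (constructed): what the ACLs grant today.
GRANTED: Dict[str, Set[str]] = {
    "payroll-db": {"alice", "ops-admin", "dave"},
    "source-repo": {"bob", "dave"},
    "customer-pii": {"alice"},
}

# Stage 3, track (constructed): users seen using each asset in the audit period.
OBSERVED_USE: Dict[str, Set[str]] = {
    "payroll-db": {"alice"},
    "source-repo": {"bob", "dave"},
    "customer-pii": set(),
}

Finding = Tuple[str, str]  # (asset, user)


def authorized_users(asset: str, assets: Dict[str, Set[str]],
                     user_roles: Dict[str, Set[str]]) -> Set[str]:
    """Users holding at least one role that justifies access to `asset`."""
    allowed_roles = assets[asset]
    return {u for u, roles in user_roles.items() if roles & allowed_roles}


def review_access(assets, user_roles, granted, observed) -> Dict[str, List[Finding]]:
    """Compare granted access against role-justified access and observed use.

    excess        - granted but no role justifies it (violates least privilege)
    excess_in_use - excess access that has actually been exercised: investigate
    dormant       - justified and granted but unused in the audit period:
                    candidate for removal, since unused access is pure risk
    """
    findings: Dict[str, List[Finding]] = {"excess": [], "excess_in_use": [], "dormant": []}
    for asset in assets:
        ok = authorized_users(asset, assets, user_roles)
        for user in granted.get(asset, set()):
            used = user in observed.get(asset, set())
            if user not in ok:
                findings["excess"].append((asset, user))
                if used:
                    findings["excess_in_use"].append((asset, user))
            elif not used:
                findings["dormant"].append((asset, user))
    return {k: sorted(v) for k, v in findings.items()}


def least_privilege_acl(assets, user_roles, granted) -> Dict[str, Set[str]]:
    """Proposed ACL: keep only the grants that some role justifies."""
    return {asset: granted.get(asset, set()) & authorized_users(asset, assets, user_roles)
            for asset in assets}


if __name__ == "__main__":
    for kind, items in review_access(CRITICAL_ASSETS, USER_ROLES, GRANTED, OBSERVED_USE).items():
        print(kind, items)
    print(least_privilege_acl(CRITICAL_ASSETS, USER_ROLES, GRANTED))
```

Run on a schedule, the review turns the "regular and thorough audit" into a repeatable report: the excess list is what to revoke, the excess-in-use list is what to investigate, and the dormant list is where access has quietly outlived its need.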

NetIQ and the Insider Threat
NetIQ security products provide the ability to monitor and control privileged activity as well as remove the
need to grant powerful, general-purpose accounts to IT operators that are traditionally required for them
to do their jobs. In delivering these capabilities, NetIQ helps enterprise and mid-market customers
address the following issues and needs:

• Monitoring privileged users – Administrators and users with extensive privileged access to
critical resources represent a significant vulnerability. Their activities must be managed and
monitored in such a way as to protect the systems they are accessing without reducing their
ability to do their job.

• Excessive native and escalated account privileges – Administrators are faced with granting
escalated privileges so that operators or contractors can perform tasks, many of which are
relatively minor compared with the level of access they are granted. The potential then exists for
these accounts to be abused or compromised and for their activity to be concealed.

• Meeting audit requirements – Today the process of auditing changes and other activities can
result in a time-intensive manual effort that still proves to be inadequate to meet current
regulatory requirements for demonstrating separation of duties.

• Managing an increasing number of servers and applications with fewer administrators –
For large IT organizations, there is an ever increasing tendency to increase the number of servers
and applications, while seeking to maintain or reduce the amount of administrative overhead.

NetIQ delivers two product families in its security portfolio to address these needs: NetIQ® Directory and
Resource Administrator™ and NetIQ® Change Guardian™.

NetIQ Directory and Resource Administrator mediates access to Microsoft Active Directory, limiting
the user to particular actions for specific views of the overall directory. As part of NetIQ’s identity and
access management offering, it supports user provisioning and other automated tasks and processes.
It also eases directory consolidation efforts and helps enforce security policies and segregation of duties.
Moreover, NetIQ® Identity Integration Suite seamlessly integrates your Unix, Linux, Macintosh, VMware
ESX and other platforms with Active Directory so that you can manage and secure access to these critical
systems using the same authentication, authorization, and Microsoft Group Policy services currently
deployed for your Microsoft Windows systems.

NetIQ Change Guardian products provide real-time monitoring and notification of changes across your
distributed environment, providing detailed insight into files, directories, file shares, registry keys (on
Windows), system processes, database activity (on Oracle, Microsoft, Sybase and other databases) and
more. They also deliver enhanced audit information, providing greater fidelity and clarity than native log
events can, and record pre- and post-change information for improved incident analysis.

NetIQ provides other products to address data protection and regulatory compliance needs. To learn
more, visit NetIQ.com.

Conclusion
Addressing the potential for insider threats is a vital, yet often overlooked security imperative for virtually
all organizations worldwide. With the increased dependence on technology to support key business
processes and activities, companies are vulnerable to a “trusted” insider causing irreparable harm to their
business.

While the majority of security resources are spent preventing the anonymous hacker from causing harm,
organizations need to be aware of the even greater threat of the trusted insider. Studies have shown that
insiders can do far more harm than external hackers as a result of their unfettered access to critical
systems and the general lack of oversight and accountability. An intrusion detection system may
immediately notify IT security of a hacker infiltration, but the tools to notify and address unauthorized
changes made by insiders are relatively new to the market. Most worrying of all, organizations typically do
not realize that damage has been done by an insider until it’s too late.

NetIQ offers a set of products designed to control, manage and audit changes within your IT
infrastructure. These products assure that any changes made to your IT environment are managed to
prevent any disruption of services or introduction of security vulnerabilities.

These solutions address the insider threat by tightly controlling and provisioning access to servers and
applications, and monitoring for unplanned and unauthorized changes – increasing compliance and
assuring operational integrity across your critical assets.

About NetIQ
NetIQ is an enterprise software company with relentless focus on customer success. Customers and
partners choose NetIQ to cost-effectively tackle information protection challenges and IT operations
complexities. Our portfolio of scalable, automated management solutions for Security & Compliance,
Identity & Access, and Performance & Availability and our practical, focused approach to solving IT
challenges help customers realize greater strategic value, demonstrable business improvement and cost
savings over alternative approaches.

For more information, visit NetIQ.com.
