Controlling Internal Abuse Through The Process Of Security
Security Management
Keith Palmgren
02/07/2005
For five years, the Computer Security Institute (CSI) and the FBI have conducted an annual survey of the types of attacks companies experience. Invariably, dishonest and disgruntled employees top the list at about 80% as the most likely source of attack. Further, these insider attacks typically fall into the most expensive categories. According to the 2000 CSI/FBI survey, these categories amounted to over $200 million in losses in 1999 (unauthorized insider access – $22.5 million, theft of proprietary data – $66.7 million, financial fraud – $55.9 million, insider network abuse – $27.9 million, sabotage – $27.1 million). While outsiders undoubtedly caused some of these losses, the vast majority comes from dishonest or disgruntled employees. As Richard Power, CSI’s Editorial Director, points out on page 44 of his book “Tangled Web” (Que publishing, September 2000), the CSI/FBI survey dollar loss amounts are likely conservative.
More information on the CSI/FBI survey is available HERE.
Summaries and links on computer sabotage cases are in the sidebar “Summary of internal abuse cases”.
Given the facts above, why is it that it is so easy to find information about protecting your network from outside attack, and so difficult to find anything about protecting yourself from this internal threat? At least in part, the answer is that stopping the internal threat is so much more difficult than building a formidable perimeter. Some would even say you can’t protect your network from allowed users and I understand the sentiment. You can’t control what you allow, and you allow users to have access. Trust is inherent when you grant access. Take heart. There are steps you can take that will make it much more difficult for an internal user to cause damage. You can also reduce the damage they can cause. Finally, you can increase the likelihood that you can recover from what damage does occur. Succeeding in these goals requires a comprehensive Process of Security.
Security is not a product, nor is it a technology. Security is a process. The Process of Security consists of many parts including policy, procedure, and training. It contains preventive control measures and a healthy dose of awareness. It includes disaster recovery and business continuity. Various products and technologies support all of these parts of the process. Most importantly, the Process of Security is a state-of-mind that must permeate a corporation and its culture to be effective. This is true because of the most fundamental issues a Process of Security must address to stem the internal threat – those of human nature and trust. When you work with someone, it is common for him or her to become your friend. It goes against human nature to think the worst of your friend. After all, friends just don’t intentionally damage or destroy the work and livelihood of friends do they? Unfortunately, the answer is that yes, sometimes they do. Today's business environment demands that supervisors prepare for the worst from their co-workers, superiors, and subordinates – many of whom they consider friends. While trust is necessary to have any real working relationship, preparing for the unfortunate day that someone betrays that trust is just as necessary. It is a fine line and a difficult one to walk.
Next let's look at the most basic requirement for a successful Security Process – comprehensive security policies and procedures. It is still amazing how many companies don’t have any formal security policies. Many of those that do have them don’t have policies that are as comprehensive as they need to be. The purpose of security policies is to establish the requirements on which you build the rest of the security process. Procedures are the specific steps required to carry out those policies. A set of security policies and procedures contains many, many elements. The portions that specifically address the internal threat establish the following as a minimum:
- Separation of duties: Any single person responsible for systems or network administration, security, and backups holds the keys to the corporate kingdom. No one should have that much power without a series of checks and balances in place. Even the CEO of a company is accountable to somebody, namely the board of directors and company investors. Preferably, policy would set up a separate security department reporting directly to the CIO or higher, providing management, oversight, and monitoring of the security process. At the least, responsibility for critical security events such as system administration and control of backup media should be split between separate, specified groups.
- Backup controls: A strict sign-out procedure for all backups is a minimum requirement. Except in the most critical emergency, no single person should have access to backup tapes without supervisory knowledge. In addition, verify the content of backups regularly. Perform backups of critical systems daily and all systems at least weekly. For especially critical backups (such as those of production software), impose a procedure to verify the backups are good and then place them into secure off-site storage.
- User account controls: All accounts on the system should have a password, with regular password changes required. Only accounts that absolutely require supervisory access should have those rights. Supervisory level accounts should never be any user's normal login account. Instead, use a special account specifically for supervisory access, then tightly control and monitor its use.
- Special controls for special events: Eventually, special events occur in every company. Examples might include mergers and acquisitions. Another excellent example is terminating personnel. A recently terminated employee is perhaps the most dangerous. Note that in the sabotage section of the “Summary of internal abuse cases” sidebar, all the employees who perpetrated the sabotage were recently fired employees. It is important to handle termination of any employee carefully, from both Human Resources and Security Department standpoints. This requires that the HR department and those with security responsibility work closely together. See the sidebar “Dealing with termination” for specific issues to consider when it becomes necessary to fire employees.
- User Training: The CEO, CIO, MIS Director, or systems/network administrators do not implement security – users implement security. Every time a user chooses a new password, decides not to give that password to a co-worker (or place it in the Rolodex under “P” for password), or locks a terminal before getting up from their desk, users are implementing security. None of these will happen the way they should unless users understand why they are important. These steps often cause inconvenience for the user. Again, human nature rears its head. People simply are not going to take the less convenient route unless there is a good reason that they fully understand for doing so. Obtaining a viable security posture absolutely requires user buy-in. This cannot happen if you simply tell users “do this” and “don’t do that.” They have to understand why they are and are not to do things. That requires training. Most people will be happy to take proper security steps if they understand why they need to do so. Face it: a typical user has no understanding that password crackers specifically search for names because the most common password is the name of a significant other (occasionally followed by the number one). Once they see that demonstrated in training, the lightbulb goes on over their head and password selection improves dramatically. All users should receive training at new-hire, with refresher training at least yearly after that. In addition, special training covering new security responsibilities needs to occur at promotion time (again, this highlights the need for close coordination between HR and security staffs). Formal classroom training is only the beginning. Security staff should always be available and willing (even eager) to explain security issues to anyone who asks. Day-to-day interaction is where you win or lose this particular battle. I cannot overemphasize this – you will not obtain a viable Process of Security unless you train your users!
- Preventative control and awareness: Much of the above accomplishes preventative control. Separation of duties, backup controls, training and similar measures are all examples of preventative steps. But how do you decide how far to go with these? What security measures do you really need and when is there too much security? Common sense is the best single defense for this, but awareness of the issues is what you base that common sense on. Just how much damage can a given user inflict and what steps can we take to limit that damage? You have to be aware of the potential damage and then look at preventative measures in an honest, intelligent light. Security staff should spend a reasonably significant amount of their time understanding new threats and the defenses for them. They should also spend time understanding the problems of the user community to avoid excessive security measures. Remember that too much security leads to too much inconvenience and that leads to users ignoring security measures. Understanding the day-to-day functions of the user community and designing security that makes sense in that environment is critical.
- Business Continuity and Disaster Recovery: All the security measures in the world will not guarantee the worst won’t happen. In fact, Murphy’s Law guarantees that it will. You need to have a plan in place before the inevitable occurs. Business continuity and disaster recovery plans fill this need. Think these plans out well in advance and test them thoroughly. Build the plan to meet the demands of “Murphy’s Law Times 2” (Whatever can go wrong will go wrong AND it will go wrong in the worst possible way). These plans need to address natural disasters such as fires and floods. They should also address recovery from hostile action by disgruntled employees. Building the plan is only the first step. You must test the plan regularly. These tests will show flaws in the plan and point out needed changes. For example, you will need to update your fire response plan when, during testing, you find the fire extinguishers are no longer where they were last time you ran the test.
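The separation-of-duties and user-account-control points above can be turned into a routine audit rather than left as good intentions. The Python script below is an added example, not part of the original article: it parses constructed /etc/passwd, /etc/shadow and /etc/group records and reports accounts with no password, password rotation disabled or overdue, UID 0 on an ordinary login name, and anyone who sits in both an administrative group and a backup-media group. The group names `sudo` and `backup`, the 90-day rotation limit, the "today" value and the sample records are all assumptions made for the example.

```python
"""Audit user-account controls and separation of duties.

Added example (not from the original article). It checks constructed
passwd(5), shadow(5) and group(5) records against the policy points above:
every account has a password, passwords are rotated, root-level access is
not a normal login account, and no one holds both administrative and
backup-media duties.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample records; the field layouts follow the real file formats.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:0:1002:Bob:/home/bob:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/bin/bash
backupsvc:x:1004:1004:Backup service:/var/backups:/bin/sh
"""
SHADOW = """\
root:$6$rootsalt$hash:19900:0:90:7:::
alice:$6$alicesalt$hash:19900:0:90:7:::
bob:$6$bobsalt$hash:19900:0:99999:7:::
carol::19950:0:90:7:::
backupsvc:$6$svcsalt$hash:19500:0:90:7:::
"""
GROUP = """\
sudo:x:27:alice,bob
backup:x:34:alice,backupsvc
"""
TODAY = 19960               # constructed "today": days since 1970-01-01, as shadow(5) counts
MAX_AGE_DAYS = 90           # policy: regular password changes (assumed limit)
ADMIN_GROUPS = {"sudo"}     # groups that confer supervisory rights (assumption)
BACKUP_GROUPS = {"backup"}  # groups that control backup media (assumption)


def parse_colon_file(text: str) -> List[List[str]]:
    """Split colon-separated records, skipping blank lines and comments."""
    return [line.split(":") for line in text.splitlines()
            if line.strip() and not line.startswith("#")]


def group_members(group_text: str) -> Dict[str, Set[str]]:
    """Map group name -> set of member user names (field 4 of group(5))."""
    members: Dict[str, Set[str]] = {}
    for fields in parse_colon_file(group_text):
        members[fields[0]] = {u for u in fields[3].split(",") if u}
    return members


def audit(passwd_text: str, shadow_text: str, group_text: str,
          today: int = TODAY) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs, one per policy violation found."""
    findings: List[Tuple[str, str]] = []
    uid_of = {f[0]: int(f[2]) for f in parse_colon_file(passwd_text)}
    groups = group_members(group_text)

    # Supervisory (UID 0) access belongs on a dedicated account, never a normal login.
    for user, uid in uid_of.items():
        if uid == 0 and user != "root":
            findings.append((user, "normal login account has UID 0"))

    for fields in parse_colon_file(shadow_text):
        user, hashed, last_change, max_days = fields[0], fields[1], fields[2], fields[4]
        if hashed == "":
            findings.append((user, "no password set"))
        if hashed.startswith(("!", "*")):
            continue  # locked or disabled accounts are exempt from rotation checks
        if max_days == "" or int(max_days) >= 99999:
            findings.append((user, "password expiry disabled"))
        if last_change and today - int(last_change) > MAX_AGE_DAYS:
            findings.append((user, "password older than %d days" % MAX_AGE_DAYS))

    # Separation of duties: administration and backup-media control in one person.
    admins = set().union(*(groups.get(g, set()) for g in ADMIN_GROUPS))
    backup_ops = set().union(*(groups.get(g, set()) for g in BACKUP_GROUPS))
    for user in sorted(admins & backup_ops):
        findings.append((user, "holds both admin and backup duties"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(PASSWD, SHADOW, GROUP):
        print(f"{user}: {finding}")
```

On a real host the three texts would be read from the live files (or from a configuration-management export) and the findings fed to a ticketing or monitoring system; the point of the script is that each policy sentence above maps to one mechanical check that can run on a schedule.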
There is no question that every company should take the steps above. There is also no question that these steps alone will not prevent insider abuse. You cannot prevent it absolutely – it just isn’t possible. What you are trying to accomplish is to make the insider abuse as difficult as possible to carry out. You want to limit the amount of damage any single person can do. Finally, you want to establish a path for quick recovery once abuse does occur. Success requires addressing the difficult issue of human nature and trust – finding the balance between corporate safety and paranoia. Being aware of the damage a network administrator could potentially do is the first step. Being willing to prepare for the worst from your friends is the second and most difficult step.
Implementing all of these measures is not a short-term project. It will take months or even years. After implementation, constant updating, modification, and monitoring is required to maintain the program. It is a full-time job for at least one person in almost every company and a job for a dedicated team in larger companies.
Sidebar 1: Dealing with termination
Any time a user leaves the company, swift action to prevent possible damage by that person is necessary. This is especially true if the person left the company under less than friendly circumstances. Further, if that person held a position of high trust such as a systems or network administrator position, these actions become much more critical. Some of the procedures to have prepared before the event include:
- Establish a strong rapport between the Human Resources and Security staffs. The HR staff should always inform the security staff of promotions or similar changes in responsibility so they can schedule training for that person. A touchier issue involves disciplinary action and terminations. There is valid reason to keep details of disciplinary actions private. At the same time, there is a valid business reason for the security staff to be aware of these events. Disciplinary actions often point to signs of disgruntled employees. Under no circumstances should the security staff be unaware of a planned employee termination. They need to know in advance to prepare all the following steps.
- Any time termination involves a person in a position of trust such as a systems administrator, have the replacement administrator chosen and ready to assume their duties immediately. The replacement should be intricately involved in searching for and disabling any malicious plans of the predecessor.
- Lock all accounts the person had access to. Don’t delete the accounts immediately since there may be important information in the home directories.
- Change all passwords on every account. This is especially critical if the person leaving was an administrator, since that person is likely to know many people's passwords. It is important to do so regardless of who is involved, since you never know whether the person may have co-workers' passwords.
- Perform a fresh backup and store it securely. This backup is not a replacement or substitution for normal backups. Its purpose is to provide a snapshot of systems. This snapshot will be critical as evidence if sabotage does occur. It also serves the purpose of a normal backup in case the terminated individual somehow managed to damage or destroy normal backups.
- Perform a general security scan of the system for any known back doors etc. Many “script kiddie” programs are available on the Internet that allow unauthorized access once installed. Administrators can install these with ease, but a determined user can also get them in place. Most good scanning software will identify such programs.
You may well need to consider outside consulting help for one or more of these steps. They all need to be accomplished immediately and will typically require more than one person to complete them in a timely manner.
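The snapshot backup in the sidebar is only useful as evidence if you can later prove it has not changed, and the backup-controls policy earlier in the article asks for regular verification of backup content; both need the same mechanism. The Python script below is an added example, not part of the original article: it records the size and SHA-256 of every file in a tree into a manifest at snapshot time, and a later verification pass lists exactly which files were modified, removed or added. The directory layout, file contents and the idea of logging the manifest digest in the sign-out record are assumptions made for the example.

```python
"""Build and verify an integrity manifest for a backup snapshot.

Added example (not from the original article). A manifest written when the
snapshot is taken lets a later check prove the copy is intact and show
precisely which files changed. The sample tree and contents are constructed.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, Dict[str, object]]:
    """Record relative path, size and SHA-256 for every regular file under root."""
    manifest: Dict[str, Dict[str, object]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {"size": os.path.getsize(full), "sha256": sha256_file(full)}
    return manifest


def manifest_digest(manifest: Dict[str, Dict[str, object]]) -> str:
    """Hash of the canonical manifest. Record this outside the backup media
    (for example in the tape sign-out log) so the manifest cannot be swapped
    along with the data it describes."""
    canonical = json.dumps(manifest, sort_keys=True).encode()
    return hashlib.sha256(canonical).hexdigest()


def verify(root: str, manifest: Dict[str, Dict[str, object]]) -> Dict[str, List[str]]:
    """Compare the current tree against the manifest; all-empty lists mean intact."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def _write(path: str, text: str) -> None:
    with open(path, "w") as f:
        f.write(text)


def demo() -> Dict[str, object]:
    """Constructed scenario: snapshot a small tree, tamper with it, re-verify."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "ctl"))
        _write(os.path.join(root, "ctl", "line1.prg"), "G01 X10 Y10\n")
        _write(os.path.join(root, "payroll.csv"), "emp,salary\n1001,50000\n")
        manifest = build_manifest(root)
        before = verify(root, manifest)
        # Tampering after the snapshot: one file edited, one removed, one added.
        _write(os.path.join(root, "payroll.csv"), "emp,salary\n1001,50000\n9999,999999\n")
        os.remove(os.path.join(root, "ctl", "line1.prg"))
        _write(os.path.join(root, "notes.txt"), "added after the snapshot\n")
        after = verify(root, manifest)
    return {"before": before, "after": after, "digest": manifest_digest(manifest)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the manifest is written next to the backup set and its digest is copied into the sign-out record kept by a different person, which is what makes the later comparison meaningful under the separation-of-duties rule: the administrator who could alter the backup is not the one who holds the reference digest.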
Sidebar 2: Summary of internal abuse cases
Sabotage
In what may be the most expensive and best-publicized incident of computer sabotage in American history, Timothy Lloyd, a former network administrator for Omega Engineering Corp of Bridgeport, New Jersey, planted a computer time bomb that wiped out over 1000 manufacturing control programs. The incident, according to Network World, resulted in an estimated $10 million in damages to Omega Engineering and eventually led to the lay-off of 80 Omega workers. Sharon Gaudin, a feature writer for Network World, followed the case from the beginning and published several detailed accounts. Links to her Network World articles are:
http://www.nwfusion.com/research/2000/0626feat.html
http://www.nwfusion.com/archive/2000/102660_07-24-2000.html
http://www.nwfusion.com/research/2000/0626featside4.html
http://www.nwfusion.com/research/2000/0626featside2.html
http://www.nwfusion.com/research/2000/0626featside1.html
http://www.nwfusion.com/research/2000/0626featside3.html
In November 1997, a former temp worker at Forbes Inc., publisher of Forbes Magazine, was charged with breaking into the computer and destroying budget and salary information. The incident left five of eight servers inoperable for a period of time and cost Forbes Inc. over $100,000. See this link at the ZDNet News Channel for more information:
http://www.zdnet.com/zdnn/content/reut/1125/245337.html
In 1998, Shakuntla Devi Singla received 5 months in jail after she used another employee’s user ID and password to log into Coast Guard computers and destroy information. It took 115 Coast Guard employees more than 1,800 hours to recover the data at a cost of $40,000. Singla holds the distinction of being the first woman in the United States convicted on hacking charges. See the story here:
http://www.cnn.com/TECH/computing/9807/22/coastguard.idg/
http://www.gcn.com/archives/gcn/1998/October26/54a.htm
In 1999, Thomas Varlotta was charged with stealing the only copy of software used to direct jetliners at O’Hare International Airport. He faces up to 25 years in prison. See the story here:
http://news.airwise.com/stories/99/10/940530321.html
“Netspionage”
Harold Worden, a Kodak employee caused Kodak over $26,000 in damages when he provided trade secrets to competitors. The C-J Online story is here:
http://www.cjonline.com/stories/082997/kodak.html
Copyright
http://www.netip.com/
NetIP, Inc. is a small company totally devoted to Knowledge Transfer. The President of the company, Keith Palmgren, divides his time between writing articles and teaching classes on Information Protection, Network Security, and Computer Security.