The world has changed. The Internet has allowed organizations to be more connected with employees, contractors and business partners than ever before. The modern-day business processes of remote access and increased communication leave organizations more vulnerable to attack. Many organizations have hardened defenses against outside hackers but have ignored the threat posed by their own employees and business partners. The insider threat has grown exponentially.
Whether corporations, governments, private entities, health care providers or others, insider threat is an increasing problem for every organization. In the past, insider threats mostly targeted payment functions by a lone trusted employee. But today, organizations are collecting more day-to-day information without realizing the liability this information may pose. With the monumental increase in storage, the risk of data exposure or the holding of information for ransom has significantly increased.
We tend to trust the fellow employees, contractors and business partners we work closely with because we share the same mission and goals. We expect everybody in the organization to be trustworthy. We don’t expect fellow employees to deliberately commit disloyal acts that harm our organization. We expect betrayal from enemies, not from our peers. Motivations have expanded from simple greed to feelings of injustice, revenge, entitlement, attention or validation, or to the desire to hide poor performance.
According to IBM X-Force Research’s 2016 Cyber Security Intelligence Index, insider threats account for more than 60 percent of all intrusions. The attacks are becoming more and more sophisticated because insiders have intimate knowledge of their organization’s controls and weaknesses. Improper activities performed by rogue employees or contractors can be difficult to detect and often circumvent the controls designed to catch them. Most violations are not discovered until long after the incident took place. Disaffected insiders can completely shut down operations or can simply impede an organization from accomplishing its mission. Insiders can cause financial loss or public exposure of sensitive information that places customers or business partners at risk.
In the case of government agencies, insider attacks can place citizens or the nation as a whole at risk. The two most famous insiders are Edward Snowden and Chelsea Manning. They caused havoc for U.S. foreign and domestic policy and strained relationships with our allies. Nonetheless, our awareness of tech-savvy insider threats is in its infancy.
It is also apparent from the Office of Personnel Management’s (OPM) breach of 21.5 million people’s background and personal information that a compromise of an operational system can have grave consequences. Rep. Jim Langevin (D-R.I.) stated, “One of the things I was really upset about with the OPM breach is the director of the agency clearly didn’t understand the value of the data they were charged with protecting.”
In 2011, President Barack Obama issued an executive order for all agencies to develop an insider threat program for classified systems. Of course, classified systems need the strongest protections, but there are no executive orders or regulations that require insider threat programs for non-classified systems. Many non-classified e-mail, document and business systems store valuable information that should have strong protection. Many e-mail, document and business system configurations have not been hardened since the systems were installed and have not been re-evaluated against the new insider threats that exist in today’s world.
Of course, classified systems need protecting, but non-classified systems such as e-mail, document, business and operational systems deserve similar protection. Agencies must clearly understand the value of the data they are charged with protecting. They must re-evaluate the risk to these systems to determine how they can be misused or exploited.
Five steps toward improving your organization’s Internet security
As a start, agencies must clearly document and consistently enforce policies and controls, enforce separation of duties and least privilege, and implement access restrictions and monitoring capabilities for privileged users.
Security is a dynamic discipline that changes quickly to address new threats. The security boundary has expanded beyond your physical walls to teleworkers and to third-party providers. The demand for Internet access is increasing, as employees and contractors need access to Gmail, Facebook, Instagram, job-posting, Craigslist and shopping sites, etc. Agencies must stay vigilant, patch promptly, decommission unsupported software, segment networks, and whitelist and blacklist software.
There are some fundamental controls that can be implemented to help reduce the risk of insider threats:
Know the value of the assets you are trying to protect. Just because a system is labeled non-classified doesn’t mean it should not be rigorously protected. Consider the value of the information and functions of e-mail, document and business systems, and consider how that information and those functions could be misused to harm the organization financially and ruin its credibility and integrity. Some of this information may not be stored in mission-critical systems but in unclassified administrative systems, common business systems or systems managed by a third-party cloud service provider.
Take a hard look at regular and privileged user access. Agencies need privileged users and functions for account management and for network, system, database and Web administration. These privileged accounts and functions should be given only to users with compelling operational needs and should be routinely scrutinized. Privileged users should be employees of the organization, not an outside vendor or service provider. Agencies should consider restricting access privileges by account, by type of account, or a combination of both. Other attributes required for authorizing access include two-factor authentication and restrictions on time-of-day, day-of-week and point-of-origin. Examine the security and access required by service accounts, including those that maintain and monitor third-party products and software and Internet of Things (IoT) devices. Oftentimes, service accounts are overlooked and considered outside the responsibility of the organization’s security function. Service accounts often have unknown access to the Internet, excessive access rights and weak security.
The security of cloud service providers must be reviewed. Agencies can outsource services but not the responsibility for keeping their information safe. Most agencies have clauses in their cloud service contracts to ensure their information is stored within the United States. However, the access rights and locations of the individuals managing the cloud data and its security are often overlooked. In addition, identifying these individuals and their access rights can be complicated and obscured by the cloud provider’s business combination. An organization may contract with a software-as-a-service (SaaS) provider who in turn contracts with sub-vendors for infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS). Each of these sub-vendors may in turn have other vendors that have access to your information. Thus, it may be difficult to determine the access rights of the individuals who can modify, delete or expose your information. The Federal Risk and Authorization Management Program (FedRAMP) is important but may apply only to the PaaS layer. FedRAMP usually applies to the middleware, where the cloud operating system sits. Applications such as Oracle Financials or CGI Momentum may not be covered. Several federal agencies have vendors that maintain the middleware while Oracle Financials or CGI’s Momentum are maintained by another vendor. From an auditor’s perspective (from personal experience), the cloud operating environment is covered by FedRAMP, so the auditor may not need to look at the patch level or network vulnerabilities of the cloud operating system, but the auditor must check patch levels and vulnerabilities for Oracle or Momentum. Most people believe that when they go to a commercial cloud provider they are dealing with one vendor, when in fact they are dealing with several vendors in a business combination, and therefore with increased risk.
Know the information leaving your network. Implement data exfiltration checks to ensure large files are reviewed before they are sent, and develop pre-authorization procedures for routine large file transfers. If OPM had implemented an exfiltration check, its data breach might have been avoided.
Conduct thorough background investigations. Conduct background checks on all employees who will have access to your organization’s systems or information. Examine the cloud service provider’s hiring practices to determine whether it conducts thorough background investigations of operations staff, technical staff, janitorial staff, etc. In addition, the organization should ensure that the service provider performs periodic credit checks and reinvestigations to confirm that changes in an employee’s life situation have not created additional unacceptable risks.
Monitor user activity on non-classified systems — detect, monitor and analyze anomalous user behavior for indicators of misuse. Understand employees’ and contractors’ Internet behaviors and investigate behavior outside normal activity. Agencies should centralize audit logs, and review, process and monitor the audit logs of service accounts and of third-party and cloud service providers. These audit log systems should gather and integrate logs from all network systems and devices. Log systems must be robust enough to capture pertinent information and agile enough to detect suspicious or disruptive behavior. In addition, there must be event-reporting systems that define which events need to be elevated to higher levels of management, what actions are required and how quickly they must be taken.
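As an added example (not part of the original article), the following Python screens constructed audit-log lines for the controls discussed under privileged access, exfiltration checks and monitoring: time-of-day, day-of-week and point-of-origin restrictions on privileged accounts, large outbound transfers that lack a pre-authorization ticket, and service accounts reaching external hosts, each tagged with an escalation level for event reporting. Account names, network ranges, thresholds and the log format are assumptions.

```python
from datetime import datetime

# Constructed policy for this example; account names, networks and thresholds are assumptions.
PRIVILEGED_ACCOUNTS = {"dbadmin", "netadmin"}
SERVICE_ACCOUNTS = {"svc_backup", "svc_monitor"}
ALLOWED_HOURS = range(7, 19)          # time-of-day restriction: 07:00-18:59
ALLOWED_WEEKDAYS = range(0, 5)        # day-of-week restriction: Monday-Friday
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024
PREAUTHORIZED_TICKETS = {"CHG-1042"}  # routine large transfers approved in advance

def is_internal(host):
    """Point-of-origin test, simplified to the 10/8 range and the .internal zone."""
    return host.startswith("10.") or host.endswith(".internal")

def parse(line):
    """Constructed log format: timestamp|user|action|source|destination|bytes|ticket."""
    ts, user, action, src, dst, size, ticket = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user, "action": action,
            "src": src, "dst": dst, "bytes": int(size), "ticket": ticket}

def check(ev):
    """Return (level, message) findings for one event; the level drives escalation."""
    findings, user, ts = [], ev["user"], ev["ts"]
    if user in PRIVILEGED_ACCOUNTS:
        if ts.hour not in ALLOWED_HOURS or ts.weekday() not in ALLOWED_WEEKDAYS:
            findings.append(("HIGH", f"{user}: privileged {ev['action']} outside allowed window at {ts}"))
        if not is_internal(ev["src"]):
            findings.append(("HIGH", f"{user}: privileged {ev['action']} from unapproved origin {ev['src']}"))
    if user in SERVICE_ACCOUNTS and not is_internal(ev["dst"]):
        findings.append(("MEDIUM", f"{user}: service account reached external host {ev['dst']}"))
    if (ev["action"] == "upload" and ev["bytes"] >= LARGE_TRANSFER_BYTES
            and ev["ticket"] not in PREAUTHORIZED_TICKETS):
        findings.append(("HIGH", f"{user}: {ev['bytes']} bytes to {ev['dst']} without pre-authorization"))
    return findings

def screen(lines):
    """Run every rule over a batch of centralized log lines."""
    return [f for line in lines for f in check(parse(line))]

# Constructed sample log lines (RFC 5737 documentation addresses stand in for external hosts).
SAMPLE_LOG = [
    "2016-06-14T10:15:00|jsmith|upload|10.1.2.3|fileshare.internal|20480|-",
    "2016-06-14T02:40:00|dbadmin|export|10.1.2.9|db01.internal|0|-",
    "2016-06-14T11:05:00|netadmin|config_change|203.0.113.7|fw01.internal|0|-",
    "2016-06-14T13:30:00|svc_backup|connect|10.1.5.5|198.51.100.20|4096|-",
    "2016-06-14T15:00:00|acarter|upload|10.1.2.20|203.0.113.50|734003200|-",
    "2016-06-14T15:10:00|backupop|upload|10.1.2.21|203.0.113.50|2147483648|CHG-1042",
]
```

Running `screen(SAMPLE_LOG)` yields four findings (the off-hours privileged export, the privileged change from an external origin, the service account reaching an external host and the unapproved 700 MB upload), while the pre-authorized transfer and the small internal upload pass.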
Implement an insider threat awareness training program for employees, contractors, third parties and cloud service providers. Make sure these awareness programs address the possible abuse of e-mail, document and business systems, as well as the consequences of abuse. The training should encourage employees and contractors to report suspicious behavior to appropriate personnel for further investigation.
This increase in insider threats must be met with an increase in the vigilance of our security. If you have not re-evaluated the protection of your e-mail, document and business systems in the last two years, you are at greater risk.
George Fallon, CPA, CISA, CGFM, is a retired partner from CliftonLarsonAllen with 30 years of experience in IT auditing of large, complex agencies.