Todd Wasserman

How to Prevent Insider Attacks

Many companies focus all of their security efforts on keeping out hackers and other network intruders. But from my perspective, the threat posed by an insider attack is actually greater than that of external hackers and viruses.

If you consider the full attack path of an external hacker, the first step is to gain internal access. Organizations expend an extraordinary amount of resources on protecting their perimeter specifically to counter this threat. For the malicious insiders, though, these countermeasures don't apply, since these people are already on the inside and they enjoy a certain implicit trust.

We rarely encounter internal networks that have the same monitoring and controls as the organization's perimeter. To create an effective security policy, you first need to understand your attack surface.

1. Ask the right security questions

Measures such as security awareness training, phishing prevention and the like don't have a meaningful impact in cases where the attack is coming from the inside, because the deliberate insider is going to go out of his way to avoid detection. So ask yourself: Is your network flat, or is it logically and physically segregated? If flat, the insider can use his access to propagate from machine to machine, from HR to finance to executives' laptops. Are your users local administrators on their own machines? If so, it's easy for them to obtain similar access on other machines, particularly if passwords are shared.

2. Know what your data is worth and who wants it

In the case of both internal and external attacks, make sure you know where all your sensitive information is located, and monitor or block unauthorized access or movement. Not all data should be treated equally. Classify your information so you can design and implement the proper controls for different types of data.

Also, know what your assets are and what value they have in the marketplace, including the black market. Try to identify who might be after those assets and monitor forums, chat rooms and social networking sites for suspicious activity about your organization. Have an established escalation procedure for dealing with incidents, and run drills to make sure that procedure is operating effectively.

3. Set preventive measures for insider attacks

There are simple methods to prevent employees from copying sensitive data to a USB stick or an MP3 player. Endpoints should be configured to disable all removable devices. Mobile devices -- like laptops, smartphones or PDAs -- should have full disk encryption, and your company should have the ability to erase them remotely if they are lost or stolen.

4. Recognize suspicious behavior

It's a mistake to rely just on preventive measures. Instead, supplement them with monitoring and auditing so attacks can be detected and truly stopped by removing the attacker from the organization. Although it's difficult to prevent a malicious attack from a motivated insider, there are ways to spot bad behavior before it becomes a big problem. Each employee has logical patterns of information usage, and the organization should look for abnormal usage and investigate when this occurs. For example, if an employee looks at 50 customer accounts each day and then one day looks at 100 or more, there is a potential issue that should be investigated. You always need to understand if unusual behavior is warranted or malicious.
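As an added illustration of the baseline-versus-deviation check described above (this is example code written for this page, not code from the original article), the Python script below counts how many distinct customer accounts each user views per day, builds a per-user baseline from that user's earlier days, and flags a day whose count is at least twice the baseline. The log line format, the user names and the account numbers are all constructed for the example; the `ratio` and `min_history` thresholds are assumptions that a real deployment would tune.

```python
"""Baseline-and-deviation check over constructed access-log lines.

Assumed log format (constructed for this example, not from any real product):
    <date> <time> user=<name> action=view_account account=<id>
"""
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} "
    r"user=(?P<user>\S+) action=view_account account=(?P<account>\d+)$"
)


def build_sample_log():
    """Construct sample lines: alice views 3 distinct accounts per day for four
    days and 8 on the fifth; bob views 2 per day throughout (constructed data)."""
    plan = {"alice": [3, 3, 3, 3, 8], "bob": [2, 2, 2, 2, 2]}
    lines = []
    for user, counts in plan.items():
        for day, n in enumerate(counts, start=1):
            for i in range(n):
                lines.append(f"2024-03-{day:02d} 09:{i:02d}:00 user={user} "
                             f"action=view_account account={1000 + i}")
    return lines


def daily_distinct_accounts(lines):
    """Return ({user: {date: set(account_ids)}}, number_of_unparsable_lines).

    Distinct accounts are counted rather than raw events, so a user re-opening
    the same record many times does not look like a mass lookup."""
    per_user = defaultdict(lambda: defaultdict(set))
    skipped = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            skipped += 1          # malformed lines are counted, not silently dropped
            continue
        per_user[m["user"]][m["date"]].add(m["account"])
    return per_user, skipped


@dataclass
class Finding:
    user: str
    date: str
    count: int
    baseline: float


def find_deviations(per_user, ratio=2.0, min_history=3):
    """Flag each (user, day) whose distinct-account count is at least `ratio`
    times the median of that user's earlier days.

    Days before `min_history` earlier days exist are skipped: with no baseline
    there is nothing to compare against, and a brand-new account should be
    reviewed by other means. The flagged day is still appended to the history,
    which keeps the logic simple; a stricter variant would exclude flagged days
    so that repeated spikes cannot raise the baseline."""
    findings = []
    for user, by_date in per_user.items():
        history = []
        for date in sorted(by_date):
            count = len(by_date[date])
            if len(history) >= min_history:
                baseline = statistics.median(history)
                if baseline > 0 and count >= ratio * baseline:
                    findings.append(Finding(user, date, count, baseline))
            history.append(count)
    return findings


if __name__ == "__main__":
    per_user, skipped = daily_distinct_accounts(build_sample_log())
    for f in find_deviations(per_user):
        print(f"{f.user} on {f.date}: {f.count} accounts vs baseline {f.baseline}")
    if skipped:
        print(f"{skipped} unparsable line(s) ignored")
```

On the constructed data this reports only alice's fifth day (8 accounts against a baseline of 3); bob's steady pattern is never flagged. As the article says, a finding is a reason to investigate, not a verdict: the analyst still has to establish whether the unusual volume was warranted, for example by a legitimate bulk task, or malicious.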

5. Manage incident response

Incident response is a very tricky and precise job. Even a small mistake can lead to major pieces of evidence being lost or some other evidence being tainted in a way that makes it inadmissible in court. If your security team is not trained and certified in incident response, you should have a relationship with an organization that is and call them as soon as you identify a problem. They'll likely want to get on the ground immediately.

6. Keep your IT workers happy

The best defense against internal attacks has more to do with human relations and organizational effectiveness than with technology. In the simplest terms, the best way to avoid insider attacks is to make sure employees are satisfied. Every company should have a support system for those who feel they've been wronged by the company, so issues can be addressed before retaliation occurs.

Security is not just a technology issue. No matter what the size of an organization is, everyone is part of the security team. Each employee has the opportunity to improve or erode your company's security each day. Lead by example and make your employees feel included in the efforts to protect the company and its customers.