Insider Attacks: The Doom of Information Security
Methods to thwart insider attacks: products, techniques and policies
Anton Chuvakin, SecurityWatch research, 07/10/2001

DISCLAIMER: Security is a rapidly changing field of human endeavor. The threats we face literally change every day; moreover, many security professionals consider the rate of change to be accelerating. On top of that, to stay in touch with such an ever-changing reality, one has to evolve with the space as well. Thus, even though I hope that this document will be useful to my readers, please keep in mind that it was possibly written years ago. Also, keep in mind that some of the URLs might have gone 404; please Google around.

Summary: this report introduces the internal threat to information security. We consider insider attacks within the overall framework of information security and their difference from perimeter attacks, look at the developed solutions (technical, legal and psychological) and their inadequacies, and outline proposals for the most effective countermeasures. We also study current trends in insider attacks. The next article in the series will provide guidelines for increasing the level of security against internal attacks for companies.

Overview

So, you have a firewall in place, right? Oh, even an Intrusion Detection System. Your security policy is nicely written and posted all over the company. You accept the fact that nobody is totally safe, but you think you can manage risks successfully. In this case, it is time to think about the following issues. Can your engineers access payroll records if they really want to? Would a janitor be able to copy the business plans from your CEO's computer onto a diskette and sell them to competitors? Can your system administrator encrypt the access control data and hold the company hostage after being fired? Can your ex-employees get into your company LAN one year after being let go?
If you have indeed thought about those issues and found a way to resolve them, you are definitely ahead of the pack in the information security race. Insider threats account for up to 80% of information security related incidents according to recent surveys. The Computer Security Institute (CSI) and FBI 1998-2001 surveys show that computer-related crimes and abuse committed by employees have been on a steep rise for at least the last 4 years. The same surveys also show that most information security losses are due to the theft of proprietary information, a task most likely performed by insiders. One of the earlier surveys demonstrated that the average damage from an outside intrusion was $60,000, while the losses caused by the average insider attack exceeded $2.7 million. Companies have been known to go bankrupt due to the theft of their source code or to lose business due to mayhem caused by ex-employees (http://www.computerworld.com/itresources/rcstory/0,4167,STO61983_KEY73,00.html?&_ref=1131579460). The recent FBI spy case (Robert Hanssen, discussed below) also presents a vivid demonstration of the scary power of a well-entrenched insider.

Comparisons of information security to castle defense are always popular. One easily pictures sturdy stone walls rising steeply above a deep moat full of water, heavy ironclad gates, and bastions with archers and ballistas. Other metaphors from siegecraft abound in information security as well: firewalls, attacks and intruders are just some examples. It is well known from military history that to take over a castle, attackers need a much larger force than the one hiding in the fortress. Even with overwhelming superiority, the attack is not a walk in the park. The defenders, located at an elevated position on the walls and towers, can usually choose from a variety of methods to repel an attack. It is also easy to see that one is coming: from a tall tower one can detect enemy troop movements at a great distance.
Now, just imagine the effect of somebody opening the castle gate under the cover of darkness to let the invading army in. The tables are instantly turned: the larger force rushes in and usually overwhelms the defenders. There is also an element of surprise, which gives a crucial advantage in warfare. Such is the effect of insider attacks! And it is typically too late to sort out who let the enemy in when your town turns into a burning inferno, that is, when competitors already know your business plans and new product designs, or your company is sued for millions of dollars by partners who lost money due to a hacker invasion of your network.

Insider attacks also cast a shadow on the company's PR image. Common wisdom holds that if a company had to sue its own employees, lost revenue due to employee crimes or had to yield to extortion by former employees, something must be wrong in its environment. Thus, insider attacks are underreported more often than successful perimeter breaches. This makes the study of internal attacks a complicated issue with many blank spots in the picture. The enhanced role of human factors, as will be shown below, is another aspect that contributes to this complexity.

Types of threats

So, what is the dreaded "threat from within"? Internal risks cover a wide variety of human and computer factors that threaten the IT environment. Let's study the human threats first. An "insider" is typically an employee, contractor, business partner or anybody who has any level of legitimate access to company computing resources. What are the typical insider goals and objectives? Insiders can violate any of the three "letters" of the famous information security triad, CIA: Confidentiality, Integrity and Availability.
Examples include theft or disclosure of proprietary information (violates confidentiality), unauthorized modification of company data (breaks data integrity) and denial of service attacks or destruction of company information assets (undermines availability). Insiders can be driven by the widest range of reasons, both rational (money, status, power) and irrational (revenge, frustration, emotional pain, other personal problems). Later, we will investigate the possibility of early detection of violations based on psychological profiles and character traits conducive to the above emotional states.

We should note that security against internal threats cannot be reduced to physical security, which serves a slightly different purpose. For example, shredding confidential documents before trashing them is a physical security measure aimed against both malicious insiders and outside attackers curious enough to sift through company garbage. Physical security measures are of utmost importance in the enterprise security policy, but cannot be considered a sole remedy against insiders.

We can, however arbitrary it might sound, classify insiders by their intent into malicious and non-malicious insiders. Malicious insiders might want to eavesdrop on private communication, steal or damage data, use information in violation of company policy or deny access to other authorized users. They can be motivated by greed, need for recognition, sabotage (both for hire and to improve their standing at the expense of others), the desire to make themselves irreplaceable (by creating problems only they can fix), revenge or another intense negative emotional state. Unstable emotional states in IT employees are a new popular subject among psychologists, and this research might eventually shed some light on how insider threats originate. The disgruntled employee is a favorite character in the insider threat game.
His or her game is to "undo" the "wrongs" done to them by the company or a particular employee by causing damage to them, or even to extract financial benefits at the expense of those parties.

Non-malicious insiders are users making mistakes that compromise security. Users motivated by their desire to "explore" the company network or to "improve" how things work with blatant disregard for security regulations are also in this category. Having no malicious intent, they can still present a serious danger to the enterprise, since they can open a way for outside attackers, erroneously destroy information or otherwise degrade the integrity and availability of computing resources. Another category of non-malicious insider is one operating under the control of a malicious outsider, such as a hacker using Social Engineering, blackmail or the threat of violence.

Infamous Social Engineering techniques such as direct request, persuasion, threat and other forms of deception are the easiest way to get inside information about a company. Hackers are known to use Social Engineering to evaluate the target, get initial information about the protective measures and then possibly launch a full-blown Social Engineering attack by enlisting insiders to do their bidding. The famous hacker Kevin Mitnick used to boast that he only rarely had to resort to technical means of attack, since usually people just gave him the required data. Descriptions of the known Social Engineering attack methods are beyond the scope of this document. At the very least, you should recognize that Social Engineering is a way to easily convert a much harder outside attack into an easy inside one, effectively opening the castle door for the invaders. One cost-effective way to lower the damage from Social Engineering attacks is a well-designed security awareness program that includes a description of Social Engineering techniques and the signs that an attack is taking place.
Thus, violations committed by insiders can be loosely divided into three categories:

1. Mistakes, honest but no less deadly for security
2. Crimes of opportunity, which are probably preventable by awareness
3. Malicious premeditated crimes, the hardest to stop, but the rarest

Different methods are used to handle each of those threats.

Managing Internal Threats

Several groups of methods have been proposed to manage the risk of internal threats. We classify them into technological, administrative, legal and psychological methods, and will provide more details about their application, advantages and disadvantages. It should be noted that their overall efficiency, even combined, is far below that of the existing techniques for perimeter defense.

Overall, to facilitate protection from insider threats you should employ the principle of defense in depth. It means that having a firewall should not stop you from buying an IDS, having the IDS should not make you avoid host hardening, and having done that should not make you remove the alarm system from your server room. Some people ask questions such as why they need personal firewalls on all PCs if they have an enterprise firewall from a leading manufacturer that is believed to be reliable. Defense in depth is the allocation of trust over several protection mechanisms, so that when the firewall fails or is penetrated, the computers inside will still be able to resist the hazard.

Defense in depth and the application of all appropriate security measures might lead to sacrificing a part of usability and productivity. Thus, before applying any new security procedure, a cost and benefit analysis should be performed to determine the need. Defending a local summer camp web server with an enterprise-strength firewall and a managed security monitoring service is obviously ridiculous.
However, determining the need to spend $10,000 on security in a case where a potential loss of $1 million might happen with a 1% probability can only be done through careful cost analysis (the expected loss, $1 million times 1%, is exactly $10,000, so the naive expected-value comparison alone does not settle the question).

Technical methods

Technical methods appear to be the least efficient for fighting insider threats. In recent years, several products were marketed as counter-insider solutions. Sophisticated intrusion detection or anomaly detection systems, personal firewalls and end-to-end encryption software were supposed to thwart or significantly mitigate the threat from within.

Encryption, for example, was once presented as the final solution to the insider threat. In fact, it only stops insiders from listening on the network wire. Moreover, one should keep in mind that any encryption scheme is only as secure as its endpoints. If one can read another person's email by sitting at his PC, how is your fancy 128-bit network protection making email more secure?

Intrusion and anomaly detection systems are promising tools for distinguishing attack attempts from normal network traffic even when no vulnerability is exploited (as is often the case for insider attacks). Unfortunately, current anomaly detection research (directed mostly towards statistical profiling and mathematical methods to fish for various anomalies in network traffic and host access patterns) does not yet allow for reliable detection. The systems sometimes produce a flood of false positives, that is, they take a normal behavior pattern for an intrusion. These systems will help address a big portion of insider network-based attacks when they mature.

Access controls based on a well-written security policy, with clear marking of resources and of the entities authorized to access them, will go further and will at least stop your secretaries from perusing the payroll database at their leisure.
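As an added example (not part of the original article), the following Python script shows the statistical profiling that the anomaly detection paragraph above describes, and why it floods the analyst with false positives when tuned too tightly. It builds a per-user baseline from a constructed history of daily sensitive-file read counts and flags the latest day when it deviates from that baseline by more than k standard deviations. The user names and counts are invented for illustration.

```python
"""Statistical anomaly detection over per-user activity counts.

Added example, not from the original article.  A baseline (mean and standard
deviation) is computed for each user from a constructed history of daily
sensitive-file reads, and the latest day is flagged when its z-score exceeds
a threshold k.  Lowering k catches more but also flags ordinary variance.
"""
from statistics import mean, pstdev

# Constructed history (invented data): daily sensitive-file reads per user,
# oldest first.  'jdoe' has a genuine spike on the last day; 'asmith' is a
# noisy but legitimate heavy user whose last day is within her usual range;
# 'rkim' is perfectly regular.
HISTORY = {
    "jdoe":   [12, 15, 11, 14, 13, 12, 16, 14, 13, 12, 240],
    "asmith": [40, 55, 30, 60, 35, 65, 45, 50, 70, 38, 72],
    "rkim":   [5, 4, 6, 5, 5, 4, 6, 5, 5, 6, 5],
}


def baseline(samples):
    """Mean and standard deviation of the training window.  The deviation is
    floored at 1.0 so a perfectly regular user is not flagged for a single
    extra read (division by a near-zero sigma)."""
    return mean(samples), max(pstdev(samples), 1.0)


def zscore(value, samples):
    """How many standard deviations 'value' sits above the baseline."""
    mu, sigma = baseline(samples)
    return (value - mu) / sigma


def detect(history, k):
    """Score each user's most recent day against the preceding days and
    return a sorted list of (user, z) for those exceeding the threshold k."""
    flagged = []
    for user, counts in history.items():
        *train, latest = counts
        z = zscore(latest, train)
        if z > k:
            flagged.append((user, round(z, 2)))
    return sorted(flagged)


def false_positives(history, k, known_bad):
    """Users flagged at threshold k that are not in the known-bad set; on
    labelled data this is the analyst's wasted effort at that threshold."""
    return [user for user, _ in detect(history, k) if user not in known_bad]


if __name__ == "__main__":
    for k in (3.0, 1.5):
        print(f"k={k}: flagged={detect(HISTORY, k)} "
              f"false positives={false_positives(HISTORY, k, {'jdoe'})}")
```

With k=3 only jdoe's jump is flagged; with k=1.5 the merely noisy asmith is flagged as well, which is exactly the false positive the text warns about. Real products profile many more features than a single count, but the threshold trade-off is the same.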
The next level in access control facilities would be the military-style scheme with information classification and clearances, supported by mandatory access controls. However, it has been suggested that the differences between business and military security requirements are too vast to fit into the logically simpler military scheme. For instance, classifying corporate information into various security classes proves to be an unfeasible task. Overall, creating and maintaining such an environment is very expensive, might require special hardware or software (some of it might not even be off-the-shelf) and dedicated administrative staff with rare and highly advanced skills. All other personnel will also have to be retrained for the use of the new IT infrastructure. The impact on usability and productivity is likely to be disastrous as well.

Some degree of "need to know" will definitely help to combat internal risks in the corporate environment. It might simply mean giving each employee just enough privileges to do his or her job, but no more. Keeping track of privileges might require extra effort by your security administrators, but it will most certainly pay off in case of an attempted intrusion.

It is evident that the company firewall that separates the internal networks from the hostile Internet offers absolutely no protection against internal threats. However, information flow might be compartmentalized using a set of internal firewalls to cut the company LAN into comparatively independent subnetworks. This measure is a commonly suggested security feature that also helps against outside hackers who have already entrenched themselves in the company network, and against the spread of certain kinds of malware such as worms. Moreover, if your engineers spend time hacking at the internal firewalls instead of working productively, you have more serious troubles than can be cured by a firewall.
When using firewalls to partition your LAN, always remember that the "Titanic" was also divided into 16 separate watertight compartments that were supposed to make it "unsinkable"...

Another avenue of technology-based protection is employee monitoring. The companies that sell content filtering and personnel monitoring equipment are quick to claim that if you record every keystroke, store all email traffic and network access logs and utilize video surveillance, you can be reasonably sure you are safe. The first objection that comes to mind is: what about the people who scan the logs, man the displays and read your email? Who is watching the watchers? Another set of even more trusted elite employees? OK, so who is watching over their shoulders? Some reports also indicate that many highly invasive measures, while legal, can poison the atmosphere, lower employee morale and create a climate of unneeded paranoia. If you are required to submit to fingerprint scanning before you are allowed to touch the office trashcan, even good employees might rebel and leave the company. There is a fine balance between trusting your employees, which cultivates company loyalty, and trusting them too much, which allows for abuse and other violations. Here we are not talking about nuclear facilities, missile bases or shadowy NSA compounds, but about a business environment that nevertheless has its own secrets.

Security monitoring is useful to combat a certain narrow range of threats such as Internet access abuse or harassing email messages, but hardly goes beyond that. To control costs, a selective monitoring program might be introduced as part of a general information security awareness program. It will serve to enhance security in the organization and to guide employees towards acceptable practices in case of problems.
The security department can "offer help" in accessing company resources upon detecting an unauthorized access attempt, by contacting the employee with the proper procedure for access to the resource. A sample follows: "Hello! John? This is the security department. We have noticed that you tried to get into the accounting database from your computer. To do that you just have to fill out form ABC-123 at the Accounting Department and get a temporary access code. Thanks for your cooperation!"

Keeping a detailed audit trail is considered an important part of security monitoring, and it is indispensable for tracking insider violations. All critical systems should record an audit trail of user actions, network accesses and sensitive file accesses. Guidelines for system auditing are freely available and should be followed. The art and science of system auditing calls for an effective configuration of audit controls, which is highly non-trivial: otherwise the information flow will be huge and thus unmanageable, and nobody will pay any attention to the audit data. Reliable audit data will not stop an enemy, but will greatly assist in determining his or her identity, which is usually well concealed in insider attacks.

Unfortunately, however many protection and monitoring mechanisms are in place, the risk of disclosure by authorized employees is essentially indefensible by technical methods. If you have a valid reason to access the company's new product plans, or if you are the chief designer of those plans, no technical control will stop you from selling them to the highest bidder. To lessen this exposure we should look beyond the software.

Legal and administrative methods

Legal prevention mechanisms should be viewed as a part of the enterprise security awareness program. Personnel should be aware of the applicable national and local laws, company regulations and the procedures for their application in their working environment.
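The audit-trail paragraph above and the "offer help" call before it are illustrated by this added Python example, which is not from the original article. It parses a few constructed audit log lines in a hypothetical key=value format, applies a hypothetical table of sensitive resources and the accounts authorized to use them, and separates denied attempts by unauthorized users (candidates for the friendly phone call) from successful accesses by unauthorized users (which mean the access control itself is broken and need immediate attention). Everything else in the audit trail is dropped, which is the selective configuration the text asks for. The resource names, user names and log format are all assumptions.

```python
"""Audit-trail triage for unauthorized access to sensitive resources.

Added example, not from the original article.  Log format, resource names,
user names and the authorization table are all assumptions made for the
example.
"""
import re
from collections import defaultdict

# Hypothetical audit record format: space-separated key=value fields.
AUDIT_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+"
    r"action=(?P<action>\S+)\s+target=(?P<target>\S+)\s+result=(?P<result>\S+)$"
)

# Hypothetical policy: sensitive resource -> accounts allowed to use it.
# Anything not listed here is not sensitive and is ignored, which keeps the
# volume of audit data the security department has to read manageable.
SENSITIVE = {
    "accounting-db": {"asmith", "rkim"},
    "payroll-share": {"hr_admin"},
}

# Constructed sample log (invented data), including one unparseable line.
SAMPLE_LOG = """\
2001-07-10T09:15:02 user=jdoe src=10.1.4.22 action=login target=fileserver result=success
2001-07-10T09:17:45 user=jdoe src=10.1.4.22 action=open target=accounting-db result=denied
2001-07-10T09:18:10 user=jdoe src=10.1.4.22 action=open target=accounting-db result=denied
2001-07-10T09:20:33 user=asmith src=10.1.7.5 action=open target=accounting-db result=success
2001-07-10T10:02:19 user=jdoe src=10.1.4.22 action=open target=payroll-share result=success
2001-07-10T10:05:00 user=rkim src=10.1.9.14 action=open target=engineering-share result=success
this line is garbage and must not crash the parser
"""


def parse_line(line):
    """Return the record as a dict, or None for a line that does not match."""
    m = AUDIT_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text, policy=SENSITIVE):
    """Split unauthorized activity on sensitive resources into two buckets.

    denied:    {(user, target): count} -- attempts the control stopped; these
               are the people who get the "fill out form ABC-123" call.
    succeeded: {user: [(timestamp, target), ...]} -- accesses by someone the
               policy does not authorize that nevertheless succeeded, i.e. the
               access control itself is misconfigured.
    """
    denied = defaultdict(int)
    succeeded = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["target"] not in policy:
            continue                      # unparseable or not sensitive
        if ev["user"] in policy[ev["target"]]:
            continue                      # authorized, nothing to see
        if ev["result"] == "denied":
            denied[(ev["user"], ev["target"])] += 1
        else:
            succeeded[ev["user"]].append((ev["ts"], ev["target"]))
    return dict(denied), dict(succeeded)


def outreach_list(denied):
    """Unique (user, target) pairs for the security department to contact."""
    return sorted(denied)


if __name__ == "__main__":
    denied, succeeded = triage(SAMPLE_LOG)
    print("call these users about proper access procedures:", outreach_list(denied))
    print("investigate immediately (unauthorized but succeeded):", succeeded)
```

On the sample data jdoe's two denied attempts on the accounting database produce one outreach entry, while his successful read of the payroll share, which the policy says he should never have had, is the finding that matters: the audit trail has just exposed a permission error that no amount of monitoring of denied events would show.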
Ideally, the implications of a potential violation should be clearly stated. Examples include "disclosure of this information is punished by a $100,000 fine and a jail sentence of up to 5 years", "employees who violate this rule are subject to immediate termination" and so on. Legal means include various non-disclosure clauses, legal warnings and the general fear of prosecution. A non-disclosure agreement is a valid way to keep company secrets private. Your company's legal department should prepare this document, since there are many possible loopholes that might arise in case of a lawsuit.

A legal disclaimer should be shown before access to a resource is granted. Resources might include company computer systems or intranet web pages "for internal use only". The more often it is shown to a user, the more likely that he or she will remember it when about to abuse a company resource. Here is a sample disclaimer shown before the sign-on process:

"The information that you are about to access is Company confidential and part of a proprietary database. By your actions (which may be monitored) of logging in to this database, you acknowledge that you are a XYZ, Inc employee or authorized sub-contractor with an authorized account on this XYZ, Inc provided system, that such information is Company confidential and part of a proprietary database, that you will not share such information with anyone who does not have the right to view it, and that the treatment of this information is governed by the applicable employee policy acknowledged by you, which provides, in part, that confidential information will not be shared with others who do not have access privileges to this system. Violation of your confidentiality obligations will result in disciplinary action, up to and including termination, and may subject the offender to criminal liability."

Development of such controls is to be conducted as a joint effort of the IT and legal departments.
The information security policy also plays a huge role in administrative protection from insider threats, since it outlines the acceptable use of information systems in the company. An important issue related to the information security policy is its wide dissemination. Every employee should know about the authorized use of company computing resources and the company's expectations of its employees. Regular training might be required to keep employees current about policy changes. The training should be designed not only to make employees know about the policy, but to make them comply with its regulations.

Separation of duties is yet another administrative control. This is similar to the military two-person procedure, where more than one person is needed to launch ballistic missiles. If a single person is responsible for making backups, storing them, verifying them and delivering them to off-site storage, it creates a catastrophic single "point of failure". If that administrator develops emotional instability or just a strong dislike for his or her supervisor, disastrous consequences are soon to follow. Any technology that has the potential to "make or break" the company should not be controlled by a single person.

Proper termination of employment and of all access rights is also an easy administrative method that costs little but saves a lot in case leaving employees harbor any sort of negative feeling towards the company and are prepared to act on it. Former administrators causing chaos in their former networks have been reported several times in recent years. This measure is extremely simple, very effective and, unfortunately, most often forgotten by companies!

To conclude, most legal protection mechanisms work to stop "crime of opportunity"-type offenses and not malicious premeditated crimes.
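As an added example (not part of the original article), this Python script performs two of the administrative checks from the paragraphs above in a form that can be run on a schedule: it reconciles a constructed HR roster against a constructed directory dump to find enabled accounts belonging to terminated employees and accounts that no employee owns, and it checks the backup roles for separation-of-duties violations. The roster format, group names and role set are assumptions made for illustration.

```python
"""Access-rights hygiene checks: stale accounts of departed staff, orphan
accounts and separation-of-duties violations.

Added example, not from the original article.  The roster, the directory
dump, the group names and the role sets are assumptions made for the example.
"""
from datetime import date

# Date the report is run (constructed, matches the article's date).
REPORT_DATE = date(2001, 7, 10)

# Constructed HR roster (invented): login -> (status, termination date or None)
HR_ROSTER = {
    "jdoe":   ("active", None),
    "asmith": ("active", None),
    "bgone":  ("terminated", date(2001, 6, 1)),
    "rkim":   ("active", None),
}

# Constructed directory dump (invented): login -> (enabled, set of groups)
DIRECTORY = {
    "jdoe":    (True, {"engineering"}),
    "asmith":  (True, {"accounting", "backup_operator",
                       "backup_verifier", "offsite_custodian"}),
    "bgone":   (True, {"engineering", "vpn_users"}),   # left 1 June, still on
    "rkim":    (True, {"engineering", "backup_verifier"}),
    "svc_old": (True, {"domain_admins"}),              # nobody in HR owns it
}

# Separation of duties: no single enabled account may hold every role in a
# set.  This set is the backup chain from the text: making, verifying and
# storing the backups off-site.
SOD_SETS = [
    {"backup_operator", "backup_verifier", "offsite_custodian"},
]


def stale_accounts(roster, directory, today):
    """Enabled accounts whose owner HR lists as terminated, mapped to the
    number of days the account has outlived its owner's employment."""
    stale = {}
    for login, (enabled, _groups) in directory.items():
        status, term_date = roster.get(login, (None, None))
        if enabled and status == "terminated":
            stale[login] = (today - term_date).days
    return stale


def orphan_accounts(roster, directory):
    """Accounts with no HR record at all: service accounts nobody owns, or
    logins created outside the normal provisioning process."""
    return sorted(login for login in directory if login not in roster)


def sod_violations(directory, sod_sets):
    """Enabled accounts holding every role of some separation-of-duties set."""
    found = []
    for login, (enabled, groups) in directory.items():
        for required in sod_sets:
            if enabled and required <= groups:
                found.append((login, tuple(sorted(required))))
    return sorted(found)


if __name__ == "__main__":
    print("disable now:", stale_accounts(HR_ROSTER, DIRECTORY, REPORT_DATE))
    print("find an owner or remove:", orphan_accounts(HR_ROSTER, DIRECTORY))
    print("split these duties:", sod_violations(DIRECTORY, SOD_SETS))
```

The termination check is deliberately driven by the HR record rather than by the account's last login: a departed administrator who has not logged in for a month is still a live risk, and the days-since-termination figure tells you how long the deprovisioning process has been failing. The orphan check catches the other common gap, accounts that survive because no employee record ever pointed at them.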
A mole specially planted to discover company secrets, an insider hoping for a big financial gain or a person under intense emotional pressure or blinded by his or her desire for revenge is usually more risk-tolerant and thus likely to ignore legal warnings. Fighting those categories will require more sophisticated (which almost always means more expensive) methods.

Psychological methods

The idea of using psychological profiling, similar to that used to track serial killers and terrorists, for computer crimes committed by insiders only recently came to light, when the first systematic data on insider attacks became available. The personnel security audit, as suggested by Dr Eric Shaw and Dr Jerrold Post of Political Psychology Associates in http://www.infosecuritymag.com/articles/july00/features2.shtml (with specific details at http://www.infosecuritymag.com/articles/july00/features2b.shtml), is a way to approach internal threats by studying the potential perpetrators using profiling techniques, pre-employment screening, detection and tracking of risky character traits, security awareness training and effective intervention by human resources specialists. Another component of this program is setting up online (possibly anonymous) contact points for personnel professionals to interact with IT employees in order to detect early danger signs.

Dr Post and others outline three major obstacles to the widespread use of these techniques: high costs, complex technical challenges and the isolated position of most information security groups within corporate bureaucracies. Almost no company can afford an infosec-trained psychologist, particularly considering the fact that there are not many of them around. Even routine background checks are only done by the most security-conscious organizations, such as the military and intelligence agencies. This lack of expertise is compounded by the introverted nature of many IT employees.
This means that untrained observers do not see many of the danger signs until the damage is already done. However, some of the more common-sense ways to observe employee behavior (such as noticing a change in their office social habits) can be practiced by managers. Dr Post has also developed a classification of insider types (available at http://www.infosecuritymag.com/articles/july00/features2a.shtml) by their motivation, purpose and typical actions. A general list of personality traits that make an individual more prone to becoming an insider threat was also proposed (http://www.securitymanagement.com/library/000762.html). Those are:

1. Frustrations
2. Computer dependency
3. Ethical flexibility
4. Reduced loyalty
5. Entitlement
6. Lack of empathy

Having any or all of these characteristics, which are common among IT professionals, does not compel one to attack one's company, to blackmail, extort, steal or destroy. However, people possessing these traits under certain conditions of emotional stress are much more likely to cause problems. Combined with intense stress and lack of supervisor interaction, those traits have often led to security compromises, including breaches of national security. Unfortunately, accurate identification of those signs, and especially the actions required upon their detection, require a high level of proficiency in the fields of psychology and information security. Even with highly trained personnel professionals present (such as in intelligence services), the precise identification of future intruders is not always possible. This fact is demonstrated by most of the recent spying cases, such as the recent FBI Robert Hanssen case. It is interesting to note that Hanssen's job was closely related to information technology, and one of his alleged crimes involves unauthorized accesses to FBI databases.
Another risk factor is that such employees, even if detected and let go before they explode, are in a perfect position to launch Social Engineering attacks by abusing the trust of their former coworkers. This risk can be managed by maintaining a high degree of security awareness among employees.

Conclusion

The insider threat will remain a primary information security risk for the foreseeable future. The number of diverse factors (technical, administrative, psychological) contributing to the problem makes it one of the toughest challenges in information security. In addition, combined with the high potential financial and reputation loss suggested by the recent surveys, it deserves more attention than it is currently given. Our analysis suggests that only by making use of a well-balanced prevention program that includes technical (protective hardware and software, online communication monitoring), administrative (legal disclaimers, awareness programs, proper termination handling) and psychological (employee screening and profiling, training managers in identifying internal threats) measures can one hope to mitigate the risks. This program should be based on the organization's security policy, designed using a comprehensive resource and threat assessment. Another important aspect is the need for strict security policy enforcement: every employee should know what things are prohibited and why no exceptions are tolerated. Having a security policy is a huge step in the right direction for a company; however, such a policy should be willingly followed by all employees, from janitor to CEO. Only in this case will the internal threat become just another factor in information security management rather than an unstoppable force that can destroy the company.

ABOUT THE AUTHOR: This is an updated author bio, added to the paper at the time of reposting in 2011. Dr. Anton Chuvakin (www.chuvakin.org) is a recognized security expert in the field of log management and PCI DSS compliance.
Anton leads his security consulting practice, www.securitywarriorconsulting.com, focusing on logging, SIEM, security strategy and compliance for security vendors and Fortune 500 organizations. He is the author of the books "Security Warrior" and "PCI Compliance" (www.pcicompliancebook.info) and a contributor to "Know Your Enemy II" and "Information Security Management Handbook", and is now working on a book about system logs. Anton has published dozens of papers on log management, correlation, data analysis, PCI DSS and security management (see the list at www.info-secure.org). His blog, www.securitywarrior.org, is one of the most popular in the industry. In addition, Anton teaches classes (including his own SANS class on log management) and presents at many security conferences across the world; he recently addressed audiences in the United States, UK, Singapore, Spain, Russia and other countries. He works on emerging security standards and serves on the advisory boards of several security start-ups. Dr. Anton Chuvakin was formerly Director of PCI Compliance Solutions at Qualys. Previously, Anton worked at LogLogic as Chief Logging Evangelist, tasked with educating the world about the importance of logging for security, compliance and operations. Before LogLogic, Anton was employed by a security vendor in a strategic product management role. Anton earned his Ph.D. degree from Stony Brook University.