Reading through the trade press, DLP vendor marketing collateral and various forums on information security, the conventional wisdom is that the key threat to an organization is trusted insiders. This is arguable – since it depends on your organization, the size of the business and type of operation. However -
This is certainly true at a national security level where trusted insiders that committed espionage have caused considerable damage. MITRE Corporation – Detecting Insider Threat Behavior
There are three core and interrelated problem in modern data security:
- Systems are focussed on rule-breaking (IDS, DLP, firewalls, procedures) – yet malicious insider can engage in data theft and espionage without breaking one of the IDS/IPS/DLP rules.
- The rules are static (standards such as ISO 27001 or PCI DSS 1.x) or slow-moving at best (yearly IT Governance audit)
- Ignore collusion between insiders and malicious outsiders whether for espionage purposes (a handler who manipulates an employee) or for criminal purposes (stealing customer data for resale).
You may say – fine, let’s spend more time observing employee behavior and educate supervisors for tell-tale signs of change that may indicate impending involvement in a crime.
However – malicious outsiders (criminals, competitors, terrorists…) that may exploit employees in order to obtain confidential data is just another vulnerability in a whole line of business vulnerabilities. Any vulnerability must be considered within the context of a threat model – the organization has assets that are damaged by threats that exploit vulnerabilities that are mitigated by countermeasures. The organization needs to think literally outside the box and at least attempt to identify new threats and vulnerabilities.
The issue is not that employees can be bought or manipulated, the issue is that government and other hierarchical organizations use a fixed system of security controls. In reducing the organization’s security to passive executives of defense rules in their procedures and firewalls, we ignore the extreme ways in which attack patterns change over time. Any control policy that is presumed optimal today is likely to be obsolete tomorrow. It is a fair assumption that an organization that doesn’t change data security procedures frequently – will provide an insider with enough means, opportunity and social connectivity to game the system and once he or she has motivation – you have a crime.
Learning about change and changing your security systems must be at the heart of day-to-day security management.