One of the biggest problems facing organizations is lack of rigorous definitions for trusted insider threats, data loss and how to estimate potential damage from a data loss event. With a lack of rigorous definitions for data loss and trusted insider threats, it’s hard to benchmark with other companies and difficult to select a good set of data security countermeasures.
Referring to work done by Bishop – “Defining the trusted insider threat”
An insider can be defined with regard to two primitive actions:
- Violation of a security policy using legitimate access, and
- Violation of an access control policy by obtaining unauthorized access.
Bishop bases his definition on the notion “...that a security policy is represented by the access control rules employed by an organization.”
It is enough to take a glancing view at the ISO 27001 information security management standard to realize that a security policy is much more than a set of access control rules. Security policy includes people policies and procedures,good hiring practices, acceptable usage policies backed up by top management committment to data governance,audit, robust outbound data security monitoring (or what is often called “DLP Light”) and incident response. Information security management is based on asset valuation, measuring performance with security metrics and implementing the right, cost-effective portfolio of security countermeasures.
A definition of trusted insider threats that is based on access control is therefore necassarily limited.
I would offer a more general definition of a trusted insider threat:
Any attack launched from inside the network by an employee, contractor or visitor that damages or leaks valuable assets by exploiting means (multiple accounts) and opportunity (multiple channels).
Using this definition, we can see that trusted insider threats is a matter of asset value and threat surface – not just access control:
- For example, employees in an organization that crunches numbers of weather statistics have nothing to gain by leaking crunched data – since the assets have no intrinsic value.
- For example, employee tendency to click on Microsoft Office documents can turn them into a trusted insider threat regardless of the access controls the organization deploys – as RSA learned recently.
RSA was hacked in the beginning of March 2011 when an employee was spear phished and opened an infected spreadsheet. As soon as the spreadsheet was opened, an advanced persistent threat (APT) — a backdoor Trojan — called Poison Ivy was installed. The attackers then gained free access into RSA’s internal network, with the objective of disclosing data related to RSA’s two-factor authenticators.
RSA is a big company with a big threat surface, lots of assets to attack and lots of employees to exploit.
The attack is similar to APTs used in the China vs. Google attacks from last year. Uri Rivner, the head of new technologies at RSA is quick to point out that that other big companies are being attacked, too:
“The number of enterprises hit by APTs grows by the month; and the range of APT targets includes just about every industry.Unofficial tallies number dozens of mega corporations attacked […] These companies deploy any imaginable combination of state-of-the-art perimeter and end-point security controls, and use all imaginable combinations of security operations and security controls. Yet still the determined attackers find their way in.”
Mitigating the trusted insider threat requires first of all defining whether or not there IS a threat and if so – finding the right security countermeasures to mitigate the risk. One wonders whether or not RSA eats their own dog food and had deployed a data loss prevention system. Apparently not.