Security Minded - from Kai the Security Guy

Some thoughts on security (and other stuff) from a Microsoft security professional

Dripping Data: Understanding and Reducing Insider Threat (Part III)


Today I'm going to discuss exactly who these "insiders" are. As I mentioned earlier, the book "Insider Threat: Protecting the Enterprise from Sabotage, Spying and Theft" by Eric Cole and Sandra Ring has some terrific analysis and classification. Here's the breakdown:

"We Love Bob!"

"Hey everyone....it's Bob! Hi Bob!!" (please no reminders from our college days). Let's talk about our good ol' Bob, from the Accounting Department. Been here as long as I can remember. Here's what I know about Bob. He's been a full-time employee of the company for several years. He's always done a good job for us. Since he's a trusted employee, we provide Bob with a security badge and of course, any keys he needs to get into the filing cabinets to do his job. We've even set up a domain account so Bob can log on to check his email, run reports off the sales database, etc. Bob is what we classify as a Pure Insider. Here is what we know about Bob:

  • He has access.
  • He has credentials.
  • He may have motive (we'll discuss that later).

....but is Bob an Elevated Pure Insider? Let's see....does he have just enough access and credentials to do his job, or does he have more than enough? It's okay to admit that you've given Bob more access, because your past experience has probably been that his manager is going to come in the server room screaming about this issue at a later date, and you're just trying to avoid the hassle. You've also known Bob for a long time. 9 out of 10 times the answer is:

"Of course we did. We love Bob. Bob would never harm us. Bob is good."

The question is simple: Does Bob love you? Now that is something we cannot be sure of.

 

"Have A Nice Evening Mr. Johnson!"

I've got to admit that I don't really know the names of the cleaning crews that come and clean our offices. It's not that I'm rude or uninterested, but usually I'm gone by the time they get there. Maybe you are an exception, and you've invested the time to meet and say hello to your cleaning staff. Eric Cole and Sandra Ring place the cleaning staff in a category known as Insider Associate. That's someone who has limited physical access to the facility, based on their role. I bet some of them have more access to the building than you do. After all, these service people have a need to get into the CEO office....do you? Before I start getting flame mails from all the cleaning services on the planet, let's also include others who may fall into this category.....the plant services people, the soda machine guys, that nice contractor lady, etc.

Think about it. Really take a moment and ponder what it is you leave in unlocked desks and server rooms every night before you go home. Do you have a yellow Labrador dog that sheds daily in your office? No? Then explain why your office needs to be vacuumed every night? Here's some advice that more companies are following: Only unlock your office when you need it to be vacuumed. Keep it locked otherwise. "What about my trash, Kai?" Simple. Place the trash outside the office door before you leave each night. Heaven forbid we empty our own trash. (Not only a good security practice, but it's a Wal-Mart corporate principle...even Sam Walton emptied his own trash. That Sam was all about creating value.) What about all that crap on your desk? "No no. Not my desk. I know where every scrap of paper is." Do you really? How would you know if I took just one paper? First thing you'd think is "Oh crap....where did I put it?!" Bottom line: Messy desk = Easy target.

 

Meet Mary: Bob's Wife

Everyone knows Mary. That's Bob's wife. She's always the one to say hello on her way to Bob's office. No one ever asks sweet Mrs. Bob where her badge is. "I know the way!" she says as she smiles and waves. When Bob is on a long call, Mary wanders around the office saying hello to all of Bob's co-workers. We all know someone like Mary. Think about this: If Bob has access, and Bob is married to Mary, then Mary probably has Bob's access as well. What is it that Mary can simply pick up off a messy desk?

Mary is what we call an Insider Affiliate.

If Bob goes on a business trip, takes his wife and his laptop, and VPNs into the corporate network.....and Mary asks to check her Hotmail account, what are the chances that Bob says, "Sorry sweetheart....my wife of 20 years...I need to practice good information security practices. You need to go downstairs and use the hotel business center, okay?" (Not if he plans to make it to his 21-year anniversary, he doesn't.) Be aware that it's potential threats like these that you can only hope to minimize.....it's very tough to handle these.

 

"Some Guy....said he was looking for the Post Office or something..."

The next class of insider is the Outside Affiliate. These are just people that happen to wander in, by, or through your premises. Normally they don't draw suspicion, but if they are stopped, they usually just explain it away rather quickly with an "Oops....wrong building." type answer. All they are doing is using open access to get resources. I certainly hope that your physical security teams are doing things like separating the public/"customer areas" and the private or "employee only" areas of the building. It's very important! Sorta like domain isolation for humans.

 

NEXT TIME: Insider Threat continues with: "Why Do They Do It?"
