6 Tips for Guarding Against Rogue IT Admins
One of the biggest threats that organizations face is losing sensitive data -- such as payment card or personally identifiable information about customers or employees -- to theft from their own employees. The threat is greatest from systems and network administrators, who have privileged access to vast amounts of corporate data and are responsible for most compromised records in insider cases.
"Today, I worry about insider threats more than hackers because that's where we are weakest," says Jason Benedict, CISO of Fordham University. "We have firewalls. We have intrusion protection. We have antivirus. We've mitigated the external risk rather successfully. The hole in the university is the insider threat. I don't think we've ever had an insider become malicious and take information and sell it. But we often see …people browsing information that they are not privileged to see. People with high-level privileges have been known to browse employee salary rates because they can."
Heather Wyson, vice president of the fraud program at the BITS Financial Services Roundtable, says there has been an increase in insider incidents among U.S. financial services firms.
"You have intentional breaches like theft of financial or propriety information and placement of logic bombs and malware, but you also have the unintentional breaches caused by insiders such as employees accidentally opening an infected file, installing unauthorized software or threats from social media," Wyson says. "We've seen an increase in the intentional and the unintentional" insider-related security breaches.
We spoke with CISOs and IT security experts about what practical steps IT departments can take to minimize the insider threat. Here's their advice:
1. Restrict and monitor users with special privileges.
Nearly half – 48% -- of all data breaches come from insiders, according to Verizon's 2010 Data Breach Investigations Report. And the insiders that you need to watch closest are those with special privileges. Verizon recommends that CIOs use pre-employment screening to eliminate potential employees who have violated usage policies in the past. BITS offers its members a fraud-prevention service where they can share information about former employees who were found guilty of crimes but not prosecuted. Also, employees should not be given more privileges than they need for their current job, and duties should be separated so that too much access and power isn't concentrated in one employee. ''Privileged use should be logged and generate message to management," Verizon recommends. "Unplanned privileged use should generate alarms and be investigated."
2. Keep user access and privileges current, particularly during times of job changes or layoffs.
Verizon found that 24% of the insider incidents involved employees who had recently undergone a job change. Half of them had been fired, while others had resigned or assigned a new role within the company. Breaches were caused when employees' accounts were not disabled quickly enough or the employee was allowed to finish the workday after being terminated. That's why Verizon recommends that companies have "termination plans that are timely and encompass all areas of access."
Benedict says Fordham is able to de-activate a user and take all of their access privileges within five hours.
3. Monitor employees found guilty of minor online misconduct.
Verizon has found that "employees engaged in minor online misconduct often graduate to bigger crimes, such as embezzlement or stealing of intellectual property." CIOs should keep an eye on employees found guilty of online policy violations and other inappropriate behavior such as pornography or illegal content on their systems as a reasonable indicator of a future breach. Verizon has found that employees who commit data theft were often cited in the past for minor forms of misuse -- what it calls "the broken window theory of cybercrime."
4. Use software to analyze your log files and alert you when anomalies occur.
When Verizon investigates a security breach, evidence is found in the log files in 86% of its cases. The company cites three major anomalies to watch for in log data: an abnormal increase in log data; abnormally long lines within logs; and an abnormal decrease or absence altogether of log data. Verizon says it has seen log entries increase by 500% following a breach, and it has seen log entries disappear altogether after an attacker disabled logging. SQL injections and other attacks leave longer lines than standard activity. Too many IT departments set up event monitoring and analysis tools and forget about them, instead of regularly monitoring their output. Verizon recommends that you configure these tools to look for obvious problems -- what it calls the haystack rather than the needle. It's as easy as a simple script that counts log lines and sends an alert can be effective, Verizon says. Benedict says Fordham's security staff reviews audit logs manually on a regular bases to identify anomalies.
5. Consider deploying data-loss prevention technology.
Increasingly, CIOs are worried about intellectual property leaving their corporate networks, and they are installing software to monitor and filter outbound network traffic. Unisys, for example, has a pilot project underway of data loss prevention technology to protect against loss of the company's intellectual property, says CISO Patricia Titus. Benedict says that Fordham is planning to invest $500,000 in DLP software as soon as his budget will allow. Verizon recommends that all organizations filter outbound network traffic, as well as inbound network traffic. "By monitoring, understanding and controlling outbound network traffic, an organization will greatly increase its chances of mitigating malicious activity," Verizon notes.
6. Educate your employees about the insider threat.
CISOs recommend regular training for all employees -- especially IT staff -- about security threats and how to identify co-workers who might be engaging in malicious behavior such as stealing valuable data. Titus says a CISO's greatest ally in the battle against internal agents is other employees. Wyson recommends that companies offer a hotline so that employees can anonymously report fraud that they know or think is occurring. Benedict not only runs annual security awareness training courses but provides handouts, flyers and pamphlets to employees about the latest IT security threats. Fordham also is embracing social media services, including Facebook, Twitter and blogs, to continuously educate the university's staff about security threats.
Read more about wide area network in Network World's Wide Area Network section.