Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Why we can't stop malicious insiders

Taylor Armerding | June 18, 2013
Snowden case shows that organizations can limit, but not eliminate, the damage done by inside attacks

"While there may be a lower frequency of inside jobs, the impact that an authorized insider can wreak is typically far greater, and can happen over a longer period, than that of an outsider," he said. "Having an employee go rogue —especially one in a privileged position —can turn catastrophic very quickly."

But it is simply not possible to stop all insider attacks or breaches, experts say.

"Nothing is perfect," said Bruce Schneier, chief security technology officer at BT and author/security guru. "Because something bad happened doesn't mean something went wrong."

Schneier noted that there are thousands of other people like Snowden — government contractors who have top-secret security clearances. Indeed, The Daily Beast's Laura Colarusso reported that a required report from the president to Congress showed that as of October 2012, about 1.4 million people had top-secret security clearances, and more than 480,000 of them were government contractors.

"It's amazing that it works as well as it does," Schneier said."If it wasn't working, there would be a leak like this once a month. The reality is that most people are trustworthy most of the time."

Still, there is a role for technology in combating insider threats, malicious and otherwise. McGraw, Sweet and Schneier all say every organization should "compartmentalize," so nobody has privileges everywhere.

"You don't give anyone a key to every room in the office," Schneier said. "You limit the trust you put in people."

"How would it feel to walk in the front door of your bank — the firewall — and see all the money, documents, etc. piled in the middle of the room?'" asked Sweet. "Assets need to be compartmentalized, like a bank has tellers behind high counters, safe deposit boxes and vaults."

"In accounting, you have double-entry bookkeeping," McGraw said. "You have debits and credits in different books, and you have to balance the books. You have processes set up in banks so one person doesn't have all the power, so you limit the damage that any one person can do."

McGraw, who has been an outspoken evangelist for "building security in" to cyber infrastructure, rather than trying to "bolt it on after the fact," said those designing systems for security should ask themselves what would happen, "if any part of a system was controlled by a bad guy."

Sweet said cloud and virtualization technologies, especially dynamically automated control systems, "make dynamic compartmentalization of internal resources a hands-off process. Companies and agencies need to start using these technologies. They can 'see' when something bad is going on, even if it's for an authorized user."

The Snowden case is also a reminder that security, on any level, can be improved by rigorous background checks and personality profiling. McGraw said heavier screening of developers and architects is worthwhile, since, "the worst kind of insider would be a rogue developer, who have the ability to create systems that will do anything they want."

 

Previous Page  1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.