Regardless of industry, insiders pose one of the greatest threats to an organization's security. Insiders are risky, especially ones with axes to grind.
Researchers in the CERT Program at Carnegie Mellon University's Software Engineering Institute have studied insider threats for the past decade, focusing on the threats posed by so-called malicious insiders. Now CERT is offering new insights into a second category: unintentional breaches, those that happen by accident.
This week, during RSA Conference 2012 in San Francisco, Dawn Cappelli of the CERT Program at the Carnegie Mellon Software Engineering Institute said most organizations still fail to adequately address insider threats, even though most agree insider fraud is a growing area of concern. [See this video interview with Cappelli from RSA.]
"About 50 percent of all companies out there experience at least one malicious insider attack," said Cappelli, who co-authored The CERT Guide to Insider Threats with two other CERT researchers. "And an internal attack has more of an impact than an external attack."
When companies break down their breaches, about one-third are directly linked to insiders, and more likely have some insider link that the organization simply has not identified. "A lot of the attacks we've seen this year, with cyberattacks, were unintentional," Cappelli says.
CERT is focused on helping companies and organizations with what it calls pattern analysis, which ultimately provides a more scientific way of identifying potential threats before they lead to breaches.
Top 10 Tips
Here are Cappelli's top 10 tips for fighting the insider threat:
- Repeat Offenders and Offenses. Learn from past incidents. Most organizations get hit more than once because they fail to address their weaknesses.
- Focus on the Crown Jewels. You can't protect everything, so identify what information is most important and focus on protecting and securing that information first.
- Use Existing Technology. Don't rush out to buy new systems; just learn to use your existing technologies differently. The same fraud-detection systems used to detect and prevent external attacks can be used to monitor internal behavior.
- Mitigate Threats from Business Partners. Anyone with access to your systems and databases poses risk.
- Recognize Concerning Behavior or Patterns. Incidents don't happen in isolation. If you pay attention to the signs, you can often prevent a breach.
- Recruited Employees. Many internal threats come from employees who were planted by an outsider, or who are disgruntled and have been recruited to commit fraud.
- Watch Behavior During Resignation or Termination. How much access and information does the departing individual have, and what can you do to secure it?
- Be Mindful of Employee Privacy Concerns. Bring your general counsel into the discussion. You want to monitor behavior, but you don't want to violate employee privacy policies and laws.
- Cross-Department Involvement. Make the fight against internal fraud an organizational initiative. "Create an insider threat program," Cappelli said. "It's a very complex issue. It involves management and HR, and even the janitor, who could plant malicious code on your network."
- Get Buy-In from the Top. Executives have to understand the threats so they can support your initiatives to mitigate the risks.
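Three of the tips above (use the logs and systems you already have, watch behavior during resignation or termination, and treat every account with access, including partner accounts, as a risk) can be turned into a simple detection pass over existing access logs. The script below is an added illustration, not CERT's or Cappelli's code or any product's logic. It assumes a constructed HR roster (notice and termination dates), a constructed file-server access log, and an illustrative threshold of three times a user's own prior daily volume; all field names, dates and the threshold are assumptions chosen for the example.

```python
"""Insider-risk signals from existing access logs (added example, not CERT's code).

Signals raised:
  post_termination_access - an account used after its HR termination date
  notice_period_spike     - daily volume during the notice period far above the
                            user's own pre-notice baseline
  unknown_account         - an account (e.g. a business partner) with no HR record
"""
from datetime import date
from statistics import mean

# Constructed HR roster (illustrative field names). None means still employed.
ROSTER = {
    "alice": {"notice": None,             "term": None},
    "bob":   {"notice": date(2012, 2, 1), "term": date(2012, 2, 15)},
    "carol": {"notice": None,             "term": date(2012, 1, 31)},
}

# Constructed file-server access log: date user path bytes_read
ACCESS_LOG = """\
2012-01-03 alice /share/finance/q4.xlsx 120000
2012-01-10 bob /share/eng/design.pdf 80000
2012-01-12 carol /share/sales/pipeline.csv 40000
2012-01-17 bob /share/eng/roadmap.docx 60000
2012-01-24 bob /share/eng/bom.xlsx 70000
2012-01-30 alice /share/finance/budget.xlsx 110000
2012-02-01 vendor-svc /share/finance/q4.xlsx 120000
2012-02-02 bob /share/eng/source.zip 500000
2012-02-03 bob /share/eng/customers.csv 450000
2012-02-03 carol /share/sales/pipeline.csv 45000
2012-02-06 alice /share/finance/q1.xlsx 130000
"""

SPIKE_FACTOR = 3.0  # assumption: notice-period daily volume above 3x baseline is worth a look


def parse_log(text):
    """Parse the constructed log into (date, user, path, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        d, user, path, nbytes = line.split()
        events.append((date.fromisoformat(d), user, path, int(nbytes)))
    return events


def daily_bytes(events):
    """Total bytes read per calendar day for one user's events."""
    per_day = {}
    for d, _, _, n in events:
        per_day[d] = per_day.get(d, 0) + n
    return per_day


def find_signals(roster, events):
    """Return a list of (user, signal, detail) tuples for analyst review."""
    signals = []
    by_user = {}
    for ev in events:
        by_user.setdefault(ev[1], []).append(ev)

    for user, evs in by_user.items():
        hr = roster.get(user)
        if hr is None:
            # Anyone with access poses risk; an account HR does not know about needs an owner.
            signals.append((user, "unknown_account", "no HR record for this account"))
            continue
        notice, term = hr["notice"], hr["term"]

        # 1. Any access after the termination date means the account was not disabled.
        for d, _, path, _ in evs:
            if term and d > term:
                signals.append((user, "post_termination_access", f"{d} {path}"))

        # 2. Volume between notice and departure versus the user's own earlier baseline.
        if notice:
            per_day = daily_bytes(evs)
            before = [n for d, n in per_day.items() if d < notice]
            during = [n for d, n in per_day.items() if notice <= d <= (term or date.max)]
            if before and during:
                base, cur = mean(before), mean(during)
                if cur > SPIKE_FACTOR * base:
                    signals.append((user, "notice_period_spike", f"{cur / base:.1f}x baseline"))
    return signals


if __name__ == "__main__":
    for user, signal, detail in find_signals(ROSTER, parse_log(ACCESS_LOG)):
        print(f"{user:<10} {signal:<24} {detail}")
```

On the constructed data this flags bob's notice-period downloads at roughly 6.8 times his earlier daily volume, carol's access three days after her termination date (the account was never disabled), and the vendor-svc account that has no HR record at all. Each signal is a prompt for a human to look, in consultation with HR and counsel, not a verdict; the point of the example is that the inputs are logs and an HR roster most organizations already hold.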