Insider Risks: What Have We Learned?
Organizations Still Not Taking Threat Seriously
News about the existence of a new government leaker exposing national security documents rekindled conversations about the insider threat. Yet, even a year after the Edward Snowden disclosures first brought great attention to the problem, many organizations still haven't heeded the lessons about the risks posed by insiders (see: Report: New Government Leaker Confirmed).
"I think a lot of people unfortunately viewed Edward Snowden as an anomaly," says Eric Cole, a SANS Institute fellow and IT security author. "This was just one person that did harm; this is not a real threat. Unfortunately, there are a lot of Snowdens out there. There are a lot of people that are doing this."
In June 2013, Snowden leaked information on a classified National Security Agency program known as Prism, which, according to the leaked documents, allowed the government to obtain audio and video chats, photographs, e-mails, documents and connection logs from the central servers of nine leading U.S. Internet companies (see: NSA's Prism: Balancing Security, Privacy).
In the wake of those revelations, insider threat experts spread the word: To address these inherent risks, organizations must inventory where their most critical data is being stored and begin implementing basic security controls to detect and respond to insider incidents.
A year later, organizations still neglect to invest in insider threat programs or to apply obvious security measures, experts say - even though most face a clear risk, such as non-malicious leaks from a lost or stolen laptop.
"Not only in security but even in the real world, the biggest motivator for change is pain," Cole says. "Organizations need to suffer pain before they do things."
'Death by 1,000 Cuts'
Even security leaders that do see the need for an insider threat program often can't get funding for one, says Ira Winkler, information security expert and former intelligence and computer systems analyst at the National Security Agency. "Security managers are given the budgets they deserve, not the budgets that they need," he says. "They only get the budgets that they know how to cost-justify from a business perspective."
The problem, Winkler says, is that when organizations look at a situation such as the Snowden leaks, they see it as an event that doesn't pertain to their specific company or industry. Unless security managers make a strong case that it does, the event has no significant effect on their own organization's priorities, explains Winkler, now the president and co-founder of Secure Mentem, which offers security awareness-related services.
Yet, the reality is that most organizations experience losses related to insiders, Winkler says, pointing to non-malicious security incidents as examples, including lost laptops and inadvertently leaking information on the Internet. "Frankly, non-malicious acts, when you look at them in the aggregate, are more devastating than the malicious actors," he says. "Companies are suffering deaths by a thousand cuts with regards to the insiders. Snowden is clearly a gash, but it's death by a thousand cuts which is impacting organizations."
Obvious Steps Make a Difference
When it comes to mitigating the insider threat, the obvious measures can help prevent data loss, yet they are often the most overlooked. The same measures that stop the little losses - access controls and audits among them - would have stopped Snowden, Winkler says.
Organizations should be paying attention to the "little things" that are the biggest indications of a problem, Winkler says. "I've investigated a lot of malicious crime," he says. "In every case, there were dozens of small incidents that should have been detected and put together."
Among the obvious clues:
- Somebody asking for data for which they should not have been asking;
- People asking for access they shouldn't receive;
- Attempts to violate their defined access privileges;
- Requests to bring in mass storage devices.
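Winkler's point is that each of these clues is easy to dismiss on its own and that the signal is in putting them together per person. The script below is an added example, not code from the article or from any of the experts quoted; it maps constructed audit events onto the four indicator categories listed above and flags a user only when several distinct categories appear within a review window. The event names, log format, 30-day window and the threshold of three distinct categories are assumptions chosen for illustration.

```python
"""Correlate low-level insider-risk indicators per user.

Added example, not from the article. Event types, the log tuple format,
the review window and the flagging threshold are assumptions; a real
deployment would map its own IAM / SIEM event types onto the categories.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events: (timestamp, user, event_type, detail).
SAMPLE_EVENTS = [
    ("2014-08-01T09:02:00", "alice", "DATA_REQUEST_DENIED", "hr/salaries.xlsx"),
    ("2014-08-01T09:15:00", "bob", "ACCESS_DENIED", "share://finance/q2"),
    ("2014-08-03T14:20:00", "alice", "ACCESS_REQUEST_REJECTED", "group:finance-admins"),
    ("2014-08-05T11:41:00", "alice", "ACCESS_DENIED", "share://finance/q2"),
    ("2014-08-05T11:42:00", "alice", "ACCESS_DENIED", "share://finance/q3"),
    ("2014-08-06T16:05:00", "alice", "USB_DEVICE_REQUEST", "2TB external drive"),
    ("2014-08-07T08:30:00", "carol", "USB_DEVICE_REQUEST", "vendor demo key"),
    ("2014-06-01T10:00:00", "bob", "ACCESS_DENIED", "share://legal"),  # stale
]

# Assumed event types mapped onto the four indicator categories in the article.
INDICATOR = {
    "DATA_REQUEST_DENIED": "asked for data outside their role",
    "ACCESS_REQUEST_REJECTED": "requested access they should not receive",
    "ACCESS_DENIED": "attempted to exceed defined privileges",
    "USB_DEVICE_REQUEST": "requested a mass storage device",
}


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def correlate(events, window=timedelta(days=30), now=None, min_distinct=3):
    """Group indicator events per user inside `window` and return the users
    whose events span at least `min_distinct` distinct indicator categories.

    Result: {user: {"indicators": {category: [(ts, detail), ...]}, "count": n}}
    """
    if now is None:
        now = max(parse_ts(ts) for ts, *_ in events)  # assume "now" is the newest event
    per_user = defaultdict(lambda: defaultdict(list))
    for ts, user, etype, detail in events:
        if etype not in INDICATOR:
            continue  # not one of the indicators we track
        if now - parse_ts(ts) > window:
            continue  # stale events age out of the picture
        per_user[user][INDICATOR[etype]].append((ts, detail))

    flagged = {}
    for user, categories in per_user.items():
        # Threshold on distinct categories, not raw counts: one user generating
        # many innocent permission denials should not outrank a user who is
        # quietly touching every category once.
        if len(categories) >= min_distinct:
            flagged[user] = {
                "indicators": dict(categories),
                "count": sum(len(v) for v in categories.values()),
            }
    return flagged


if __name__ == "__main__":
    for user, info in correlate(SAMPLE_EVENTS).items():
        print(f"{user}: {info['count']} events across {len(info['indicators'])} indicator types")
        for category, hits in info["indicators"].items():
            print(f"  - {category}: {hits}")
```

On the constructed data only alice is flagged: her four events of different kinds are each unremarkable alone, while bob's two denials and carol's single USB request stay below the threshold. The window matters as much as the threshold; drop it and every user accumulates enough noise over a career to be flagged.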
A Call to Action
If there is, indeed, a second government leaker in the wake of the Snowden case, that could be the trigger point for organizations to start taking the insider threat more seriously, says Cole at SANS Institute. "If [organizations] step back and look at how their organization is structured, I think they're going to realize that they're more exposed than they realize."
Cole says organizations working to mitigate insider risks - whether they have a formal insider threat program or not - must immediately:
- Inventory critical data: This important step can assist in locating where sensitive data is stored and allow organizations to place proper controls and protections around that data, Cole says. "[In identifying the location of critical data], we have never, ever had an organization that got that correct."
- Better manage access controls: In most insider threat cases, including Snowden, there's a gap between the information an employee needed to do their job and the information they had access to, Cole explains. "In most cases in the work I've done, usually about 70 percent of the information that an insider had access to they did not need to do their job."
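Cole's 70 percent figure is the kind of number an organization can measure for itself by comparing what identity management has granted against what access logs show was actually used. The script below is an added example, not code from the article or from SANS; the entitlement table, the access-log lines and the flag threshold of half the grants going unused are constructed assumptions.

```python
"""Measure the gap between granted and exercised access per user.

Added example, not from the article. Entitlements, access-log lines and
the review threshold are constructed for illustration.
"""
from collections import defaultdict

# Constructed: what the identity system says each user may reach.
ENTITLEMENTS = {
    "alice": {"share://hr", "share://finance", "share://eng", "db:customers", "db:payroll"},
    "bob": {"share://eng", "db:customers"},
    "carol": {"share://eng", "share://finance", "db:customers", "db:payroll"},
}

# Constructed access-log lines ("user resource") covering the review window.
ACCESS_LOG = [
    "alice share://hr",
    "alice share://hr",
    "alice db:payroll",
    "bob share://eng",
    "bob db:customers",
    "carol share://eng",
]


def used_resources(log_lines):
    """Collapse access-log lines into {user: set(resources actually touched)}."""
    used = defaultdict(set)
    for line in log_lines:
        user, resource = line.split(maxsplit=1)
        used[user].add(resource)
    return used


def access_gap(entitlements, used, flag_ratio=0.5):
    """For each user, list grants never exercised and mark the account for
    access review when the unused share reaches `flag_ratio`."""
    report = {}
    for user, granted in entitlements.items():
        unused = granted - used.get(user, set())
        ratio = len(unused) / len(granted) if granted else 0.0
        report[user] = {
            "granted": len(granted),
            "unused": sorted(unused),
            "unused_ratio": ratio,
            "review": ratio >= flag_ratio,
        }
    return report


if __name__ == "__main__":
    for user, row in access_gap(ENTITLEMENTS, used_resources(ACCESS_LOG)).items():
        flag = "REVIEW" if row["review"] else "ok"
        print(f"{user}: {len(row['unused'])}/{row['granted']} grants unused -> {flag}: {row['unused']}")
```

Two caveats a practitioner would raise before acting on the output: the usage side is only as complete as the logging that feeds it (a database that does not log reads makes every grant look unused), and a grant exercised once a year, at period close for instance, will show as unused in a 90-day window. The report is the starting point for a conversation with the resource owner, not an automatic revocation list.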
Robert Bigman, former CISO at the CIA, on mitigating insider threats.
New Leaker Revelations
CNN recently reported that proof of the new leaker comes from documents that were cited in a news story published Aug. 5 by The Intercept, a news publication launched by journalist Glenn Greenwald, who also published the leaks by Snowden.
The Intercept article provides details into President Obama's supposed secret terrorist tracking system. The article says documents used for the story, which were obtained from a source in the intelligence community, "reveal that the Obama Administration has presided over an unprecedented expansion of the terrorist screening system."
The leaked documents cited in the article by The Intercept were allegedly prepared by the National Counterterrorism Center, the publication says. According to CNN, the documents were dated August 2013, which is the timeframe after Snowden headed to Russia to avoid U.S. criminal charges.