WELCOME TO THE CONTINUITY CENTRAL ARCHIVE SITE

Please note that this is a page from a previous version of Continuity Central and is no longer being updated.


Reducing threats from within the organization

By Dr. Jim Kennedy, NMCE, CRISC, CEH, CHS-IV, MRP, CBRM

Thanks to the diligent work of IT and information security organizations, corporations and government agencies are beginning to see real progress in protecting their operations against external threats. The bad news is that we now face a more difficult challenge: protecting our information assets from insider threats.

Insider attacks (data leakage, intellectual property theft, and data corruption and/or loss) account for as much as 80 percent of all computer and Internet related incidents and crimes. Some 70 percent of corporate attacks that cause at least $20,000 of damage, and of threats that could affect national security, are the direct result of malicious trusted insiders.

In fact, the US Secret Service National Threat Assessment Center has indicated that: “The greatest information security threat facing your organization is in your office right now. It has the ability to bypass the physical and logical controls you have put into place to protect the perimeter of your network and has already obtained credentials to access a significant portion of your infrastructure.”

There are several private sector cases and, more disturbingly, many governmental cases (Federal, State, and Local) that bear this out:

In 2008 in San Francisco, California, a disgruntled network administrator locked the city government out of its own network by refusing to hand over the administrative passwords. At the Federal level we all know about Bradley Manning and, the most famous of all, Edward Snowden, who both leaked classified information. In all of these cases the people creating the threat were trusted users.

In February 2008 a Dallas-based healthcare organization notified about 37,000 patients that their personal and financial information had been compromised. A former data processor from that organization was later apprehended and pleaded guilty to fraudulent possession and use of stolen personal identification.

In March 2007 the spouse of a US salesperson loaded unauthorized personal software onto a major pharmaceutical company’s laptop in order to access a peer-to-peer file sharing network. That software gave other users of the network access to address information, home and/or cell phone numbers, social security numbers, and in some instances bonus data for over 17,000 present and former employees.

In another case a scientist admitted he stole $400 million in intellectual property from his former company.

In 2007 healthcare workers at a NJ hospital sold patient medical and treatment information about George Clooney, who had been involved in a motorcycle accident, to a tabloid newspaper.

So we can see that information security breaches caused by insiders occur regularly, in firms and governmental organizations of all sizes and types all across America. In fact, from 2000 to 2013 the number of reported incidents in which insiders were found to be the source of information security breaches or leaks grew sharply.

Interesting statistics

Below are some interesting statistics which show that the people who cause these breaches do not require special access or advanced training. All they need is a desire, time, and ordinary access to the data. They also show that the breaches turn out to be expensive for the enterprise:

  • Only 17 percent of the insider events studied were carried out by insiders with administrator access (a low percentage, but the impacts of those events were very large);
  • 87 percent of attacks used very simple user commands that required no advanced knowledge (people with authorization and/or clearance to information losing and/or abusing it);
  • 30 percent of the incidents took place at the home of the insider using remote access to the enterprise’s network;
  • Most insider events were triggered by a negative event in the workplace (a personal event such as a lack of promotion or firing; a political event or events in the case of governmental leakages);
  • Many perpetrators had previous disciplinary issues;
  • Public corporations suffering breaches over a three-year period reported total costs averaging about $180 per lost customer record; the average total cost per company was $4.8 million per breach, and individual breaches ranged from $226,000 to $22 million.

So who are these insiders?

Some are individuals who have malicious intent to cause harm or embarrassment to their companies or governments and others are just inattentive, bored, or complacent employees with no malicious intent at all.

Malicious perpetrators:

  • IT expert with a hacker mentality or mind set.
  • Terminated or demoted employee.
  • Dissatisfied or disgruntled employee (contractor, administrator, worker with classified access), perhaps unhappy with the government’s or corporation’s policies and/or direction.
  • Fraudster motivated by financial gain.
  • Employee who wants unauthorized access to information for personal enjoyment or gain.

Non-malicious individuals (employees or contractors):

  • Senior level management who feel they do not need to comply with security policies and/or initiatives (perhaps finding them restrictive), often resulting in high-impact breaches.
  • Technically knowledgeable employee who simply finds it enjoyable to get around security measures.
  • Employee who simply fails to pay attention to proper IT usage and information security policies and procedures.
  • Untrained employee or new hire who has not yet received adequate training.

What are the threats that enterprises face?

Threats can be placed into five basic areas:

  • The malicious/disgruntled employee who has recently been demoted or terminated and now wants to damage the IT infrastructure or critical information because of a grievance against management or the enterprise.
  • Government contractor who has become disillusioned with government policies.
  • Unintentional exposures or breaches caused by employees who put the IT infrastructure and critical information at risk by installing unauthorized software, opening virus-infected e-mail attachments, being taken in by social engineering attacks, spilling coffee into a server, releasing sensitive information to friends or relatives, etc.
  • Corporate espionage, where hackers, thieves or spies recruit and sometimes pay employees to steal critical data or damage critical IT resources or information. Sometimes short-term, low-profile contractors are used.
  • Dishonest insiders who abuse employee privileges for their own personal gain or satisfaction.

So what practices can be employed to help reduce the problem? They include:

1. Implement strict password and account management policies and practices.

2. Enforce separation of duties, least privilege, and one-over-one signoff for assigning access to sensitive information or data. Rotation of assignments also helps.

3. Use extra caution in selection and training of system administration personnel.

4. Provide periodic security awareness training for all employees.

5. Log, monitor, and audit employee and especially systems administrators’ on-line actions.

6. Rotate systems administrators across systems on a regular basis.

7. Conduct enterprise-wide risk assessments regularly, and internal and external penetration tests at least once a year.

8. Actively defend against malicious code (use people, process, and technology to accomplish).

9. Deactivate systems access as soon as possible following termination of employees and contractors.

10. When an administrator leaves or is terminated, review the administrative credentials they held and change all passwords they might have had access to (systems, network, and databases) during their time with the organization, especially any shared or service-account passwords that do not change when the individual’s own account is disabled.

11. Ensure that secure backup and recovery processes for critical data are in place and functioning as required.

12. Monitor and respond rapidly to all suspicious actions on systems and suspicious behavior by employees, administrators, and systems support personnel.

13. Conduct background checks of all personnel who work inside the enterprise (employees and contractors).
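As an added illustration of practices 5, 9 and 12 above (this is example code written for this edition, not the author’s or any vendor’s tooling), the Python script below reconciles an HR termination list against a directory export and a set of authentication and command log lines. It flags accounts still enabled after termination, any activity on a terminated user’s account, and privileged commands issued over remote access outside business hours. The user names, dates, account states, log format and the 08:00 to 18:00 business-hours window are all constructed assumptions for the example; a real deployment would read them from the HR system, the directory and the log platform.

```python
"""Added example, not from the article: reconcile an HR termination list with
a directory export and auth/command logs to surface the gaps that practices
5, 9 and 12 target. All users, dates and log lines are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Optional, Tuple

# Constructed HR roster: user -> termination date (ISO), or None if still employed.
HR_ROSTER: Dict[str, Optional[str]] = {
    "alice": None,
    "bob": "2014-04-10",    # terminated; account should have been disabled
    "carol": "2014-04-15",  # terminated; account should have been disabled
    "dave": None,
}

# Constructed directory export: user -> (account enabled, has admin rights).
ACCOUNTS: Dict[str, Tuple[bool, bool]] = {
    "alice": (True, False),
    "bob": (True, True),      # still enabled after termination: practice 9 gap
    "carol": (False, False),  # correctly disabled
    "dave": (True, True),
}

# Constructed syslog-like lines: "<ISO timestamp> user=<u> src=<lan|vpn> action=<text>".
SAMPLE_LOG = """\
2014-04-11T09:12:03 user=alice src=lan action=login
2014-04-12T23:41:10 user=bob src=vpn action=login
2014-04-12T23:43:55 user=bob src=vpn action=sudo:useradd backdoor
2014-04-14T10:05:00 user=dave src=lan action=sudo:tail /var/log/auth.log
2014-04-16T02:15:30 user=dave src=vpn action=sudo:pg_dump customers
2014-04-16T11:00:00 user=carol src=vpn action=login
2014-04-16T11:00:00 malformed line that must be skipped, not crash the parser
"""

# Assumed business-hours window for the off-hours check.
BUSINESS_HOURS = (time(8, 0), time(18, 0))


@dataclass
class Event:
    ts: datetime
    user: str
    src: str
    action: str


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format; lines that do not fit are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)  # the action field may contain spaces
        if len(parts) != 4:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue
        fields = dict(kv.split("=", 1) for kv in parts[1:] if "=" in kv)
        if set(fields) != {"user", "src", "action"}:
            continue
        events.append(Event(ts, fields["user"], fields["src"], fields["action"]))
    return events


def orphaned_accounts(roster: Dict[str, Optional[str]],
                      accounts: Dict[str, Tuple[bool, bool]]) -> List[str]:
    """Practice 9: accounts still enabled for people HR lists as terminated."""
    return sorted(u for u, (enabled, _) in accounts.items()
                  if enabled and roster.get(u) is not None)


def post_termination_activity(roster: Dict[str, Optional[str]],
                              events: List[Event]) -> List[Event]:
    """Practice 12: any activity on an account on or after its termination date.
    Same-day activity is flagged too; clearing a false positive is cheaper than
    missing a last-day data pull. A hit on an account the directory shows as
    disabled means some system is not honouring the directory state."""
    hits = []
    for e in events:
        term = roster.get(e.user)
        if term and e.ts.date() >= datetime.strptime(term, "%Y-%m-%d").date():
            hits.append(e)
    return hits


def offhours_remote_admin(events: List[Event],
                          accounts: Dict[str, Tuple[bool, bool]]) -> List[Event]:
    """Practice 5: privileged commands by admins over remote access outside
    business hours, the combination the statistics above single out."""
    start, end = BUSINESS_HOURS
    return [e for e in events
            if accounts.get(e.user, (False, False))[1]
            and e.src == "vpn"
            and e.action.startswith("sudo:")
            and not (start <= e.ts.time() < end)]


def run_checks(roster=HR_ROSTER, accounts=ACCOUNTS, log=SAMPLE_LOG) -> Dict[str, list]:
    """Run all three checks; findings are returned as plain tuples for reporting."""
    events = parse_log(log)

    def rows(hits: List[Event]) -> list:
        return [(e.ts.isoformat(), e.user, e.src, e.action) for e in hits]

    return {
        "orphaned_accounts": orphaned_accounts(roster, accounts),
        "post_termination_activity": rows(post_termination_activity(roster, events)),
        "offhours_remote_admin": rows(offhours_remote_admin(events, accounts)),
    }


if __name__ == "__main__":
    for check, findings in run_checks().items():
        print(f"{check}:")
        for finding in findings:
            print("   ", finding)
```

Run as-is it prints three finding lists: bob’s account still enabled, three log events on terminated accounts (including carol logging in over the VPN on an account the directory says is disabled, which is a reconciliation problem in its own right), and two off-hours privileged commands over remote access. The third check is deliberately narrow because the combination of administrator rights, remote access and an unusual hour is the one most worth a same-day conversation with the user rather than a ticket in a queue.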

Don’t let familiarity cloud good judgment

It is very uncomfortable to think that a colleague or friend might be capable of committing a cyber-crime or an information/system security breach. They work and interact with us at work, and sometimes at home, every day. However, as security and business continuity professionals we must examine clearly and objectively all risks that can adversely affect our organizations. We cannot allow familiarity or complacency to be the reason for our failure to protect critical, sensitive, personal, or national security information.

The author
Dr. Jim Kennedy, NMCE, CRISC, CEH, CHS-IV, MRP, CBRM has a PhD in Technology and Operations Management and is the Lead and Principal Consultant for Recovery-Solutions. Dr. Kennedy has over 35 years' experience in the information/cyber security, business continuity and disaster recovery fields and has been published nationally and internationally on those topics. He is the co-author of three books, ‘Blackbook of Corporate Security,’ ‘Disaster Recovery Planning: An Introduction,’ and ‘Security in a Web 2.0+ World – a standards based approach,’ and author of the e-book, ‘Business Continuity & Disaster Recovery – Conquering the Catastrophic’. Dr. Kennedy can be reached at Recovery-Solutions@xcellnt.com

•Date: 23rd April 2014 • US/World •Type: Article • Topic: ISM
