By Travis Greene, NetIQ, the security portfolio of Micro Focus
In 1992 during the preparation for Bill Clinton’s first presidential campaign, political strategist James Carville, in an effort to focus the messaging, hung a sign in the campaign headquarters that read, in part: The economy, stupid.
The phrase focused America’s attention on economic policies, helping Clinton win the White House. In popular culture, it lives on as a meme used to describe observations that focus attention on what should be obvious.
In enterprise security, it's often the insiders, stupid. (No offense intended!) Many recent highly publicized breaches indicate a need to better secure insider access, particularly that of privileged users and contractors.
Insider Credentials and Other Issues
Typically we think of the insider threat as coming from malicious or careless employees. That is part of the story, but the following examples demonstrate that insider credentials are also ripe for abuse by outsiders, whether the credentials are weak or stolen through carefully designed spear-phishing attacks or malware.
Ashley Madison hack. Noel Biderman, the CEO of Avid Life Media, which runs the website, stated that, "We’re on the doorstep of [confirming] who we believe is the culprit, and unfortunately that may have triggered this mass publication. I’ve got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services."
U.S. Office of Personnel Management (OPM) breach. Department of Homeland Security Assistant Secretary for Cybersecurity, Dr. Andy Ozment testified before Congress that attackers had gained valid user credentials to the systems that they attacked, likely through social engineering, allowing undetected access for months.
Anthem breach. The attack was detected when a database administrator noticed a suspicious query running using his logon information. He had not initiated that query and upon notifying Anthem’s information security department, it was determined that the credentials of other database administrators had also been compromised.
Morgan Stanley data theft. Data on 350,000 wealth management clients was stolen by an insider, including account names and numbers. In January 2015, Morgan Stanley fired the employee responsible for the theft.
DuPont intellectual property theft. In March 2014, DuPont announced that its proprietary formula to cleanly manufacture the white pigment used in paper and plastics was stolen and sold to a competing Chinese company in the $14 billion market. A contractor working for DuPont sold the formula for $28 million in contracts. The contractor was found guilty of 22 counts of economic espionage, trade-secret theft, witness tampering and making false statements.
Of particular concern is that attacks using insider credentials can go undetected for weeks or months at a time, since security monitoring is looking for outsider intrusions, not the everyday work habits of insiders doing their jobs with legitimate credentials.
Survey Says: Lack of Controls a Problem
Recent surveys back up this assertion that insiders, or outsiders posing as insiders with stolen credentials, are today’s biggest threat.
The 2015 Verizon Data Breach Investigations Report states, "the common denominator across the top four [incident classification] patterns – accounting for nearly 90 percent of all incidents – is people." It goes on to say that 95 percent of [Web app] attacks involve harvesting credentials stolen from customer devices, then logging into web applications with them.
The 2015 Global State of Information Security Survey, published by PwC, states that "many companies do not have an insider-threat program in place, and are therefore not prepared to prevent, detect and respond to internal threats," while 72 percent of security incidents at financial services organizations and 62 percent of security incidents at industrial product organizations involved a current or former employee.
The 2015 Cyberthreat Defense Report, published by the CyberEdge Group, found that, "only 23 percent of respondents are confident their organizations have made adequate investments to monitor the activities of privileged users."
Couple this insider threat with the vulnerability that comes from a lack of controls, and the insider risk for organizations is remarkably high.
How to Mitigate Insider Risk
Mitigating insider risk is buttressed by three complementary disciplines:
Minimize Rights. Also known as enforcing the principle of least privilege. Identity and access management (IAM) is the standard approach to provisioning the right amount of access for employees, contractors and partners. This is coupled with access governance to catch the "access creep" that happens as employees change roles or as projects come to an end. The end goal is to reduce the rights that insiders hold, minimizing the risk of abuse and enforcing separation of duties.
Enforce Access Controls. As users interact with applications, systems or data, the way they authenticate must be contextually controlled. Simple credentials (username and password) may be appropriate for low-risk authentications, but as the risk context increases there may be a need to step-up authentication. And when doing a step-up authentication, it makes more sense to use a second factor rather than ask for another piece of information, which is probably something an attacker could find on social media. Ultimately, we want to minimize the risk that insider credentials are being abused by outsiders.
Monitor User Activity. It isn’t enough to control access because, as we have seen, legitimate insiders will abuse their privileges and we have to assume that well-funded, creative attackers will eventually gain insider credentials. We must also monitor user activity and identify abnormal patterns to raise alerts that have the potential to indicate an attack. This can be done by using analytics in conjunction with traditional SIEM, integrated with identity and access management to tie patterns to users. The goal of this discipline is to raise only the most significant alerts that indicate insider abuse to minimize the reaction time and reduce the breach damage.
The degree to which these disciplines are applied must also take the threat into consideration. For example, privileged users require more rigorous user activity monitoring than users who do not have such broad access. Insider risk will be reduced just by advertising the fact that you are monitoring, and are therefore capable of prosecuting abuse. But for privileged users, additional minimization of rights, such as delegated administration and password vaulting, may be necessary.
You can also think of these disciplines as a closed loop that can move in either direction. Policies built in IAM can dictate the level of authentication required. User activity monitoring that indicates potential for abuse can initiate step-up authentication, or drive IAM to de-provision privileges if the risk is significant enough.
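The closed loop described above, as an added illustration (not NetIQ or Micro Focus code): a baseline of normal activity is learned from history, new events are scored for unseen actions, off-hours work and privileged access, and the resulting risk drives the next logon decision (password, step-up, or de-provision). The event sample, the scoring weights, the thresholds and the privileged-role flag are all constructed assumptions.

```python
"""Toy closed loop: IAM policy -> step-up authentication -> user activity
monitoring -> back into IAM. Illustration only; weights and thresholds are assumed."""
from collections import defaultdict

# Constructed history of normal, authenticated activity: (user, resource, action, hour)
HISTORY = [
    ("dba1", "customer_db", "SELECT", 10),
    ("dba1", "customer_db", "SELECT", 14),
    ("analyst", "reports", "READ", 9),
    ("analyst", "reports", "READ", 15),
]
# Constructed new events to evaluate against that baseline
NEW = [
    ("dba1", "customer_db", "BULK_EXPORT", 3),   # unseen action, off hours, privileged
    ("analyst", "reports", "READ", 16),          # routine
    ("analyst", "hr_db", "READ", 10),            # unseen resource during business hours
]
PRIVILEGED = {"dba1"}             # assumed IAM role flag for privileged accounts
BUSINESS_HOURS = range(8, 19)
STEP_UP, DEPROVISION = 40, 80     # assumed risk thresholds

def build_profiles(history):
    """Baseline of (resource, action) pairs each user normally performs."""
    profiles = defaultdict(set)
    for user, resource, action, _ in history:
        profiles[user].add((resource, action))
    return profiles

def score_event(profiles, event):
    """Risk points for activity outside the baseline, off hours, and broad access."""
    user, resource, action, hour = event
    score = 0
    if (resource, action) not in profiles[user]:
        score += 40
    if hour not in BUSINESS_HOURS:
        score += 30
    if user in PRIVILEGED:
        score = int(score * 1.5)  # privileged users get more rigorous monitoring
    return score

def monitor(history, new_events):
    """Highest risk score observed per user across the new events."""
    profiles = build_profiles(history)
    risk = {}
    for ev in new_events:
        risk[ev[0]] = max(risk.get(ev[0], 0), score_event(profiles, ev))
    return risk

def auth_policy(user, risk):
    """Close the loop: monitoring output decides how the next logon is handled."""
    r = risk.get(user, 0)
    if r >= DEPROVISION:
        return "deny: de-provision privileges and review in IAM"
    if r >= STEP_UP:
        return "step-up: require a second factor"
    return "password"
```

Running `auth_policy(u, monitor(HISTORY, NEW))` for each user shows the administrator's off-hours bulk export pushed to de-provisioning while the analyst's first visit to a new database only triggers step-up.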
There are plenty of candidates running for president of the United States this year. There are plenty of security challenges to consider as well. Deciding where to make limited investments logically focuses on addressing the biggest challenges. Insiders, and their credentials, deserve serious focus from IT security teams, and national policy makers should recognize that insider risk is a bigger problem than bombastic politicians would have us believe.
Travis Greene is an Identity Solutions strategist at NetIQ, the security portfolio of Micro Focus. After a 10-year career as a U.S. Naval Officer, he started in IT as a data center manager for a hosting company. In early 2002, Travis joined a managed service provider as the leader of the service level and continuous improvement team. Today, he conducts research with NetIQ customers, industry analysts and partners to understand current identity and access management challenges, with a focus on provisioning, governance and user activity monitoring solutions. Travis is expert certified in ITIL and holds a BS in computer science from the US Naval Academy.