Among the many issues raised by the ongoing Edward Snowden affair, one of the lesser discussed angles is the risk of insider threats to organizations. While not every enterprise houses highly classified or sensitive documents, every organization has data it needs to keep secure, for competitive, legal or regulatory reasons.
Data loss always involves two components: the human and the technological. The human factor falls into two camps: accidental data loss and intentional data loss.
Careless Data Loss
It is a safe bet that most enterprise data loss is accidental. Even well-intentioned workers can lose important business data by several means:
- Email addressed or copied to erroneous parties. Speaking from personal experience, I once received a misdirected message from a law firm sharing a private partners-only attachment. Someone had simply mistyped a recipient’s e-mail address.
- Malware that gives attackers access to the company network or business files on a personal machine.
- Mobile devices containing sensitive files, like smartphones or particularly USB thumb drives, which are easily lost or stolen.
Deliberate Data Loss, aka Theft
Edward Snowden is said to have “liberated” the documents he has leaked (plus allegedly more) via a USB thumb drive. Snowden has described his motivation in political terms and cast himself as a whistle-blower. But regardless where you stand on his particular actions, Snowden is a textbook example of an intentional insider threat: someone with deep access in an organization who, for whatever reason, chooses to take sensitive data outside the organization.
By one estimate, some 11 percent of employees have reported knowledge of an insider (sometimes themselves) stealing company data for personal gain.
Defending against both careless and deliberate data loss requires a multi-layered implementation of technological controls.
Data Loss Prevention Policies
Organizations should have policies emphasizing data loss prevention. One such example is sometimes called a “least privilege” or “need to know” policy. To draw an analogy to network firewalls, it is recommended practice for firewalls to allow outgoing connections only to applications which are known to need them. Likewise, employees and contractors should ideally be limited to accessing the least number of files needed for their work. Restrictions can be put in place by file type and/or user privilege level, such as using a group access policy.
Some policies are more psychological — for example, health insurer Cigna’s system for requiring employees to provide a reason for copying files. From an educational point of view, this requirement can cause employees to think about company policy and consider the necessity of their action, possibly reducing carelessness. The policy also provides the company with a log of each such transaction, and forces someone with bad intentions to explicitly lie.
Careless data loss, particularly through mobile devices, can be significantly mitigated with system-wide use of data encryption. Drive-level encryption is built-in, although optional, in Windows and Mac OS X. Requiring the use of encrypted portable drives will thwart data loss in case of loss or theft.
At an OS-level, a variety of vendors market data loss prevention (DLP) products which can encrypt files on the fly — that is to say, when they are copied to other devices. These encrypted files will require company-provided keys to unlock.
Data encryption is a strong defense against careless data loss, but it is not particularly useful again deliberate data theft. Insiders who have access to sensitive data will necessarily have the credentials to decrypt it. Against this type of threat, the best technical defenses must address the ability for data to be removed from the organization.
‘In Motion’ DLP
Sophisticated data loss prevention suites — of which there are many — monitor, analyze and potentially stop files containing sensitive data from moving out of the business network by means such as email and other forms of file transport. Some of these packages operate at the application layer, monitoring specific programs like Microsoft Outlook and Office or particular network activities like email communications. Some critics cite their heavy resource consumption as a potential drawback — think of an anti-virus scanner on steroids.
Vendors like Cisco with a focus on network boundaries market DLP suites that monitor activity at the network edge. Naturally, this software is designed to integrate with their own network devices, but it promises the advantage of adding no load to individual workstations while standing between a company’s internal network and the outside world.
Big Data Risks in Tiny Packages
Fact is, despite the complex suites for monitoring employee activity, most data loss — both accidental and intentional — is vectored through the unassuming, easily hidden USB thumb drive.
Not only are thumb drives a threat for introducing malware into the company network, but they are simply the easiest way for data to leave the network — and the premises entirely. So what can a company do to manage the risk of insiders (or careless users) taking data by USB drive?
- Most radical: superglue. This gooey defense will definitely shut down USB drives as a leak vector, but it shuts down USB drives for any legitimate use, as well. It is said that you will find glued ports at the most secretive organizations, but most companies actually need to use USB drives for legitimate purposes.
- USB drive whitelisting. Employing whitelisting software, you can restrict USB access to only known, company-issued USB drives. While this may not prevent someone from purposefully copying sensitive data, it can aid in tracing who was in possession of said device when a leak occurred.
- Similarly, a variety of “device lock” products can prevent access to a USB drive unless it is plugged into an authorized machine.
Hole that Can’t Be Plugged
The Edward Snowden situation highlights a lot of strategies that companies can use to defend against deliberate or accidental insider threats. But there is one reality for which there is no defense: the “suicidal” insider.
For any organization, Edward Snowdens are the worst case scenario — an insider with deep privileged access, high-level technical skills, and no desire to protect their identity. Because Snowden did not try to avoid being fingered for his actions, there is little that could have stopped him. But considering his unenviable circumstances in the weeks after the leak, it is the rare insider who will take their actions quite so far.
Aaron Weiss is a technology writer and frequent contributor to eSecurity Planet and Wi-Fi Planet.