The purpose of this chapter is to introduce the insider threat and discuss methods for preventing, detecting, and responding to the threat. Trusted insiders present one of the most significant risks to an organization. They possess elevated privileges when compared to external users, have knowledge about technical and non-technical control measures, and potentially can bypass security measures designed to prevent, detect, or react to unauthorized access. In this chapter, we define the insider threat and summarize various case studies of insider attacks in order to highlight the severity of the problem. We then discuss best practices for preventing, detecting, and mitigating insider attacks, including the application of risk management principles specific to the insider threat. Finally, we provide a survey of ongoing research into detecting irregular activities that are potentially harmful to an organization.
Organizations have long relied on security controls (e.g., combinations of policies, processes, and technologies) to reduce their exposure to harmful acts by individuals within, and outside, their perimeter to an acceptable level. As organizations have embedded more information technology into their core processes, risk mitigation has shifted from a primarily physical control issue to an electronic one. While many organizations spend a significant amount of resources on mitigating risks originating from outside the organizational perimeter, few explicitly consider the threats originating from trusted insiders. This is despite the fact that insider activities can result in significant losses in revenue, intellectual property, and reputation if the organization fails to prevent, detect, and mitigate insider threats.
Damage from insider activity, regardless of the intent, can be very significant, and perhaps even crippling. Insiders may disrupt internal network operations, corrupt databases and file servers, or deny the use of information systems and their data to authorized users. Staggering amounts of information can be stolen, lost, deleted, or corrupted literally at the press of a button. For example, an individual who mistakenly thought she was going to be fired deleted files from a computer system valued at $2.5 million (Kamm, 2008). Malicious insiders may even collude with outside parties to receive technical assistance or to help identify useful information (USDOJ/OIG, 2003). The fallout from such activities may in turn result in significant losses in corporate revenue and reputation. Unfortunately, when addressing security risks, many focus on the problem of perimeter security where we have seen tremendous advances in security technology, with countless dollars invested in perimeter security, encryption, antivirus systems, and content filtering, all of which aim to keep outsiders from harming the organization. Ironically, most security professionals would agree the insider poses the greatest risk to information systems and is the most difficult to detect (Denning, 1987; Insider Threat IPT, 2000; CSO, 2007).
Figure 1 illustrates the various factors involved in mitigating the insider threat. The figure is not all-inclusive but addresses the main points covered in this chapter. First, we have a notional organization with information systems (IS) and services that are of high, medium, and low value to the organization. The organization employs security mechanisms to protect and monitor IS usage, such as firewalls, intrusion detection and prevention systems, and auditing and authentication systems. The organization has vulnerabilities that arise from gaps in security policies and inherent flaws in the IS and security mechanisms. Finally, the organization has people—insiders—who represent potential threats to the organization by virtue of the access and trust granted to them. Some insiders are benign while others act with malicious intent and motivation. Insider behavior produces observables which should be monitored by the organization to ensure compliance with established policies.
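As an added illustration of the Figure 1 model (example code written for this edition, not from the chapter or any product it cites): a small policy-compliance check that scores constructed audit-log observables against the access each insider was granted, weighted by the value of the asset touched. The asset names, insiders, log entries, and scoring rule are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List

# Constructed sample data (assumed, not from the chapter).
# Asset value classes from Figure 1, and a weight for each class.
ASSET_VALUE = {"hr_db": "high", "finance_share": "high", "wiki": "medium", "cafeteria_menu": "low"}
VALUE_WEIGHT = {"high": 3, "medium": 2, "low": 1}

# Access granted to each insider by policy: the "trust" extended to them.
GRANTED = {
    "alice": {"wiki", "cafeteria_menu"},
    "bob": {"hr_db", "wiki", "cafeteria_menu"},
}

# Constructed audit-log observables: (insider, asset, action, hour_of_day).
OBSERVABLES = [
    ("alice", "wiki", "read", 10),
    ("alice", "hr_db", "read", 23),          # not granted, off hours
    ("bob", "hr_db", "read", 11),            # granted, business hours
    ("bob", "finance_share", "export", 2),   # not granted, bulk action, off hours
]


@dataclass
class Finding:
    insider: str
    asset: str
    reasons: List[str]
    score: int


def review_observables(observables, granted, asset_value, business_hours=range(8, 19)):
    """Compare each observable with policy and return findings, highest score first.

    Each deviation from policy adds one reason; the score multiplies the number of
    reasons by the weight of the asset's value class, so the same deviation on a
    high-value system ranks above one on a low-value system.
    """
    findings = []
    for insider, asset, action, hour in observables:
        reasons = []
        if asset not in granted.get(insider, set()):
            reasons.append("access outside granted set")
        if hour not in business_hours:
            reasons.append("outside business hours")
        if action == "export":
            reasons.append("bulk export action")
        if reasons:
            score = VALUE_WEIGHT[asset_value[asset]] * len(reasons)
            findings.append(Finding(insider, asset, reasons, score))
    return sorted(findings, key=lambda f: f.score, reverse=True)
```

Policy-conformant reads during business hours produce no finding; the two deviations are ranked so that the ungranted off-hours export from a high-value share is reviewed first.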
Defining the insider threat problem