[ISN] Book Review: Insider Threat

[InfoSec News]

http://books.slashdot.org/books/06/01/06/1421243.shtml

[ http://www.amazon.com/exec/obidos/ASIN/1597490482/c4iorg  - WK]

Author: Eric Cole and Sandra Ring  
Pages: 397 
Publisher: Syngress 
Rating: 9 
Reviewer: Ben Rothke 
ISBN: 1597490482  
Summary: Excellent overview of the insider threat to networks and
information systems

The retail and gambling sectors have long understood the danger of the
insider threat and have built their security frameworks to protect
against both the insider and the outsider. Shoplifters are a huge bane
to the retail industry, exceeded only by thefts from internal
employees behind the registers. The cameras and guards in casinos are
looking at both those in front of and behind the gambling tables.  
Casinos understand quite well that when an employee is spending 40
hours a week at their location dealing with hundreds of thousands of
dollars; over time, they will learn where the vulnerabilities and
weaknesses are. For a minority of these insiders, they will commit
fraud, which is invariably much worse than any activity an outsider
could alone carry out.

Insider Threat is mainly a book of real-life events that detail how
the insider threat is a problem that affects every organization in
every industry. In story after story, the book details how trusted
employees will find weaknesses in systems in order to carry out
financial or political attacks against their employers. It is the
responsibility to the organization to ensure that their infrastructure
is designed to detect these insiders and their systems resilient
enough to defend against them. This is clearly not a trivial task.

The authors note that the crux of the problem is that many
organizations tend to think that once they hire an employee or
contractor, that the person is now part of a trusted group of
dedicated and loyal employees. Given that many organizations don't
perform background checks on their prospective employees, they are
placing a significant level of trust in people they barely know. While
the vast majority of employees can be trusted and are honest, the
danger of the insider threat is that it is the proverbial bad apple
that can take down the entire tree. The book details numerous stories
of how a single bad employee has caused a company to go out of
business.

Part of the problem with the insider threat is that since companies
are oblivious to it, they do not have a framework in place to
determine when it is happening, and to deal with it when it occurs.  
With that, when the insider attack does occur, which it invariably
will, companies have to scramble to recover. Many times, they are
simply unable to recover, as the book details in the cases of Omega
Engineering and Barings Bank.

The premise of Insider Threat is that companies that don't have a
proactive plan to deal with insider threats will ultimately be a
victim of insider threats. The 10 chapters in the book expand on this
and provide analysis to each scenario described.

Chapter 1 defines what exactly insider threats are and provides a
number of ways to prevent insider threats. The authors note that there
is no silver bullet solution or single thing that can be done to
prevent and insider threat. The only way to do this is via a
comprehensive program that must be developed within the framework of
the information security group. Fortunately, all of these things are
part of a basic information security program including fundamental
topics like security awareness, separation and rotation of duties,
least privilege to systems, logging and auditing, and more.

The irony of all of the solutions suggested in chapter one is that not
a single one of them is rocket science. All of them are security 101
and don't require any sort of expensive software or hardware. Part of
this bitter irony is that companies are oblivious to these insider
threats and will spend huge amounts of money to protect against the
proverbial evil hacker, being oblivious to the nefarious accounts
receivable clerk in the back office that is draining the coffers.

One example the book provides is that many companies feel they are
safe because they encrypt data. An excellent idea detailed in chapter
two is to set up a sniffer and examine the traffic on the internal
network to ensure that the data is indeed encrypted. The reliance on
encryption will not work if it is not setup or configured correctly.  
The only way to know with certainty is to test it and see how it is
transmitted over the wire. Many companies will be surprised that data
that should be unreadable is being transmitted in the clear.

Some of the suggestions that authors propose will likely ruffle some
feathers. Ideas such as restricting Internet, email, IM and web access
to a limited number of users may sound absurd to some. But unless
there is a compelling business need for a user to have these
technologies, they should be prohibited. Not only will the insider
threat threshold be lowered, productivity will likely increase also.

The author's also suggest prohibiting iPods or similar devices in a
corporate environment. The same device that can store gigabytes of
music can also be used to illicitly transfer gigabytes of corporate
data.

Insider Threat provides verifiable stories from every industry and
sector, be it commercial or government. The challenge of dealing with
the insider threat is that it requires most organizations to
completely rethink the way they relate to security. It is a challenge
that many organizations would prefer to remain obvious to, given the
uncomfortable nature of the insider threat. But given that the threats
are only getting worse, ignoring them is inviting peril.

The only lacking of the book is that even though it provides a number
of countermeasures and suggestions, they are someone scattered and
written in an unstructured way. It is hoped that the authors will
write a follow-up book that details a thorough methodology and
framework for dealing with the insider threat.

Overall, Insider Threat is an important work that should be required
reading for every information security professional and technology
manager. The issue of the insider threat is real and only getter
worse. Those that choose to ignore it are only inviting disaster.  
Those companies that will put office supplies and coffee under
double-lock and key, while doing nothing to contain the insider threat
are simply misguided and putting their organization at risk.

Insider Threat is a wake-up call that should revive anyone who doubts
the insider threat.

-=-

Ben Rothke, CISSP is a New York City based security consultant and the
author of Computer Security 20 Things Every Employee Should Know
(McGraw-Hill 2006) and can be reached at ben @ rothke.com