George Santayana once famously observed; “Those who cannot remember the past are condemned to repeat it.”. But when it comes to IT security, a better way of thinking might be; “those who fail to understand the impact of the past on their thinking may find themselves somewhat exposed”…
Up until now, the primary basis for almost all security strategies has been the “moat and castle” model. A strong perimeter is established that divides the environment into a “trusted” interior and “untrusted exterior”, with security focused on establishing the perimeter, enforcing access control and securing data as it flows exterior to perimeter.
This is a tried and trusted remedy for a hostile world, and has at its base a survival trait that has served us well for millions of years, right back to the time when prehistoric man first started to walk upright and cluster together into groups for defense against a very hostile world: The Tribe.
The trusted tribe
The instinct towards tribes is well established in our psyche, and while a well founded and successful survival strategy in the past, this way of thinking can create real blind spots when it finds its way into IT security planning.
The tribal instinct is very strong; if you are a member of my tribe, you can be trusted. If not, you should be viewed with suspicion. Or in other words “folks who work for my enterprise are trusted, while folks outside are not.”.
This is human nature at its most basic … and may explain one of the more puzzling aspects of IT security.
The insider vs. the outsider
Not only is a disproportionate amount of IT security spending focused on protecting the perimeter from outside attack, it is not uncommon for senior managers to get visibly upset with even the notion that you need to protect against insiders, or that insiders ca not be trusted.
In many ways this is understandable. Instinct operates at the gut level, outside of conscious thought, and the tribal instinct is one of our strongest.
And yet, since the very first IT survey on cyber-attacks, one fact has remained a constant – a greater percentage of cyber attacks originate from the inside than the outside, by a factor of 2:1. And by virtue of their knowledge of the organization’s systems and/or databases, insiders will often pose a greater threat and be capable of greater harm than “outsiders”.
The reluctance to defend against insiders is one of the largest security “blind spots” that exists today.
However, with identity theft the number one growth crime worldwide and the skyrocketing value of personal data being held by organizations, the issue is starting to gain more visibility.
The Insider Threat Study (ITS)
In an effort to better understand this problem, the US Secret Service National Threat Assessment Center (NTAC) and CERT examined the nature of insider attacks, who are causing them and why. The intent of the study was to identify if there was a specific profile that would fit an internal attacker, which could in turn help organizations to defend against them.
The Insider Threat Study (ITS), focused on the people who have internal access to information systems and have perpetrated harm using them. The study did not include incidents where the primary motivation was financial gain or theft of information or property.
Although the study found that most insiders who committed acts of sabotage were former technical employees, there was no identifiable demographic “profile” of a malicious insider … they could be anyone. The attacks were almost always premeditated and the results were more than simply a nuisance. Most organizations involved identified financial losses, negative impacts to their business operations and damage to their reputations as a result of the attacks.
While most involved organizations identified financial losses and damage to their reputations as results of the attacks, the study found that seventy-five percent of the organizations experienced some form of impact on their business operations, including: severed communications due to shut-down networks, routers, servers, or dial-up access; lost sales due to blocked sales applications or deleted sales records; blocked customer contact due to modified customer passwords; damaged or destroyed critical information assets, such as proprietary software, data, computing systems and storage media necessary for the organization’s ability to contract work, produce product or develop new product; damaged supervisory integrity, including exposed personal or private communications, embarrassing to a supervisor.
While the insiders tended to be technical people, most of the attacks were made using relatively unsophisticated methods exploiting systemic vulnerabilities. The trust implicit in “trusted environment” worked against the organization, making it easier for the attacker to complete their sabotage.
There is no real profile of an inside attacker. It could be anyone. And one thing is very clear. IT managers need to understand that we all have a “blind spot” when it comes to trusting “insiders”, and acknowledge that this is affecting the creation of IT security strategies, potentially leaving an organization exposed.