Posted by: David Schneier
assessment, Audit, breach, insider threat, Regulatory Compliance, risk assessment, Security
I was reading an article last week about how there’s been a recent increase in the number of reported security breaches caused by internal resources. The insider threat is not a new one as corporate espionage is as old as civilization but it certainly is getting more press lately as patterns are shifting and criminal activity is adapting with the times.
But what was really eye opening for me was the conversation I had later that day while onsite at a client. I was sharing some of the details of the story with an associate, and the person sitting across the aisle was one of those freaky smart network people: the sort who speaks IP as well as English, who can read a network topology as though it’s the morning paper and who is often consumed with getting every component plugged into his (HIS) network configured and secured perfectly, much like Claude Monet wanted to get the tone and dimensions of every flower just right on the canvas. When he heard what we were talking about, he perked up and joined in on the conversation.
I was sharing my amazement at how technology has made it so much easier to collect sensitive information in unobtrusive ways. One of my favorites was the availability of an audio recording device embedded within a network cable. It has a transmitter built into it that broadcasts up to 160 feet away, so someone can record boardroom conversations with relative ease. And of course it not only looks like a network cable, it is a network cable and functions normally, so there’d be no reason to be suspicious. I’ve long advocated for outside-the-box thinking regarding how foreign devices can (and do) circumvent the very best security controls, and here was a great example as to why. So the network guy chimed in that there are so many ways to gain access to sensitive information without detection. He described how there are many vulnerabilities that none of the frameworks or regulations come close to addressing (I’m not offering examples; no need to give anyone any ideas). But what struck me was how impassioned and concerned he was in discussing this subject. And it occurred to me that he couldn’t just turn this off; that this was something he had on his mind somewhere close to all of the time. And so I asked him if he ever shared this during any of the various risk assessment activities conducted during the year, and he couldn’t recall being included or asked.
How do you support activities focused on protecting your infrastructure without including your experts in the dialogue? How do you know where the risks really are if you’re not asking the people who are charged with the responsibility of mitigating them?
I’m a bit biased based on my own personal experience. I came into the audit and compliance domain in the mid-90s in a somewhat less than flattering way. I had been an application project manager with a well-earned reputation of breaking just about every change management control in place. When I had something that needed to get moved into production, I lacked the patience to work through the required processes and figured out how to get around almost all of them. The architect of many of those controls was himself an auditor (and still one of the very best I’ve worked with) and he and I forged a healthy respect for one another along the way. When Y2K rose to prominence and the client was concerned about maintaining their remediated production environment, I was recruited by the same person to help guard the gate, sort of like hiring the bank robber to protect the bank. But it turned out to be a great idea as I sniffed out a number of undocumented backdoors and workarounds that were being used and ultimately led to my then new and now current career path. And it also proved to be an important lesson that’s served me well all these years: If you want to find out what you need to be worried about, ask the people who have the necessary skills to make you worry.
If you want to identify as many vulnerabilities and potential exposures to your infrastructure from the insider threat as possible, start by engaging the people who can speak IP like a second language, who can read a network topology like it’s a treasure map and who know they can easily download an entire database without detection or insert devices in the data center that capture non-tokenized, unencrypted data streams as they travel through the pipelines. I’ve always found that for the most part these people are eager to share what they know because it’s their best chance to effect any sort of change. While conducting an IT general controls audit recently, I had someone coax me into asking a question about the physical design of their data center because there was a structural issue that deeply concerned him and he was desperate to see it show up on my report.
Times are tough, people are desperate and there’s no telling what some people are capable of or willing to do in order to survive. Make sure you’re doing what you can to protect yourself and your customers’ sensitive information, and make sure you’re including the right people in the conversation. The best defense against the insider threat may very well be the people sitting alongside them.