
Article: Controlling Internal Abuse Through The Process Of Security

Keith Palmgren, CISSP
WebMaster@NetIP.com
For five years,
the Computer Security Institute (CSI) and the FBI have conducted an annual
survey of the types of attacks companies experience. Invariably, dishonest and
disgruntled employees top the list at about 80% as the most likely source of
attack. Further, these insider attacks typically fall into the most expensive
categories. According to the 2000 CSI/FBI survey, these categories amounted to
over $200 million in losses in 1999 (unauthorized insider access – $22.5
million, theft of proprietary data – $66.7 million, financial fraud – $55.9
million, insider network abuse – $27.9 million, sabotage – $27.1 million).
While outsiders undoubtedly caused some of these losses, the vast majority comes
from dishonest or disgruntled employees. As Richard Power, CSI’s Editorial
Director, points out on page 44 of his book “Tangled Web” (Que Publishing,
September 2000), the CSI/FBI survey dollar loss amounts are likely conservative.
More information on the CSI/FBI survey is available HERE. Summaries and links
on computer sabotage cases are in the sidebar, “Summary of internal abuse
cases”.
Given the facts above, why is it that it is so easy to find
information about protecting your network from outside attack, and so difficult
to find anything about protecting yourself from this internal threat? At least
in part, the answer is that stopping the internal threat is so much more
difficult than building a formidable perimeter. Some would even say you can’t
protect your network from allowed users and I understand the sentiment. You
can’t control what you allow, and you allow users to have access. Trust is
inherent when you grant access. Take heart. There are steps you can take that
will make it much more difficult for an internal user to cause damage. You can
also reduce the damage they can cause. Finally, you can increase the likelihood
that you can recover from what damage does occur. Succeeding in these goals
requires a comprehensive Process of Security.
Security is not a product, nor is it a technology.
Security is a process. The Process of Security consists of many parts including
policy, procedure, and training. It contains preventive control measures and a
healthy dose of awareness. It includes disaster recovery and business
continuity. Various products and technologies support all of these parts of the
process. Most importantly, the Process of Security is a state of mind that must
permeate a corporation and its culture to be effective. This is true because of
the most fundamental issues a Process of Security must address to stem the
internal threat – those of human nature and trust. When you work with someone,
it is common for him or her to become your friend. It goes against human nature
to think the worst of your friend. After all, friends just don’t intentionally
damage or destroy the work and livelihood of friends, do they? Unfortunately,
the answer is that yes, sometimes they do. Today's business environment demands
that supervisors prepare for the worst from their co-workers, superiors, and
subordinates – many of whom they consider friends. While trust is necessary to
have any real working relationship, preparing for the unfortunate day that
someone betrays that trust is just as necessary. It is a fine line and a
difficult one to walk.
Next let's look at the most basic requirement for a successful Security Process
– comprehensive security policies and procedures. It is still amazing how many
companies don’t have any formal security policies. Many of those that do have
them don’t have policies that are as comprehensive as they need to be. The
purpose of security policies is to establish the requirements on which you build
the rest of the security process. Procedures are the specific steps required to
carry out those policies. A set of security policies and procedures contains
many, many elements. The portions that specifically address the internal threat
establish the following as a minimum:
- Separation of duties: Any single person responsible for systems or network
administration, security, and backups holds the keys to the corporate kingdom.
No one should have that much power without a series of checks and balances in
place. Even the CEO of a company is accountable to somebody, namely the board
of directors and company investors. Preferably, policy would set up a separate
security department reporting directly to the CIO or higher, providing
management, oversight, and monitoring of the security process. At the least,
responsibility for critical security events such as system administration and
control of backup media should be split to separate, specified groups.
- Backup controls: A strict sign-out procedure for all backups is a minimum
requirement. Except in the most critical emergency, no single person should
have access to backup tapes without supervisory knowledge. In addition, verify
the content of backups regularly. Perform backups of critical systems daily and
all systems at least weekly. For especially critical backups (such as those of
production software), impose a procedure to verify the backups are good and
then place them into secure off-site storage.
- User account controls: All accounts on the system should have a password,
with regular password changes required. Only accounts that absolutely require
supervisory access should have those rights. Supervisory level accounts should
never be any user’s normal login account. Instead, use a special account
specifically for supervisory access, then tightly control and monitor its use.
- Special controls for special events: Eventually, special
events occur in every company. Examples might include mergers and
acquisitions. Another excellent example is terminating personnel. A recently
terminated employee is perhaps the most dangerous. Note that in the sabotage
section of the “Summary of internal abuse cases” sidebar, all the
employees who perpetrated the sabotage were recently fired employees. It is
important to handle termination of any employee carefully, from both Human
Resources and Security Department standpoints. This requires the HR
department and those with security responsibility work closely together. See
the sidebar “Dealing with termination” for specific issues to consider
when it becomes necessary to fire employees.
- User Training: The CEO, CIO, MIS Director, or systems/network administrators
do not implement security – users implement security. Every time a user chooses
a new password, decides not to give that password to a co-worker (or place it in
the Rolodex under “P” for password), or locks a terminal before getting up from
their desk, users are implementing security. None of these will happen the
way they should unless users understand why they are important. These steps
often cause inconvenience for the user. Again, human nature rears its head.
People simply are not going to take the less convenient route unless there is
a good reason that they fully understand for doing so. Obtaining a viable
security posture absolutely requires user buy-in. This cannot happen if you
simply tell users “do this” and “don’t do that.” They have to understand why
they are and are not to do things. That requires training. Most people will
be happy to take proper security steps if they understand why they need to do
so. Face it; a typical user has no understanding that password crackers
specifically search for names because the most common password is the name of
a significant other (occasionally followed by the number one). Once they see
that demonstrated in training, the lightbulb goes on over their head and
password selection improves dramatically. All users should receive training
at new-hire, with refresher training at least yearly after that. In addition,
special training covering new security responsibilities needs to occur at
promotion time (again, this highlights the need for close coordination between
HR and security staffs). Formal classroom training is only the beginning.
Security staff should always be available and willing (even eager) to explain
security issues to anyone who asks. Day-to-day interaction is where you win
or lose this particular battle. I cannot overemphasize this – you will not
obtain a viable Process of Security unless you train your users!
- Preventative control and awareness: Much of the above
accomplishes preventative control. Separation of duties, backup controls,
training and similar measures are all examples of preventative steps. But how
do you decide how far to go with these? What security measures do you really
need and when is there too much security? Common sense is the best single
defense for this, but awareness of the issues is what you base that common
sense on. Just how much damage can a given user inflict and what steps can we
take to limit that damage? You have to be aware of the potential damage and
then look at preventative measures in an honest, intelligent light. Security
staff should spend a reasonably significant amount of their time understanding
new threats and the defenses for them. They should also spend time
understanding the problems of the user community to avoid excessive security
measures. Remember that too much security leads to too much inconvenience and
that leads to users ignoring security measures. Understanding the day-to-day
functions of the user community and designing security that makes sense in
that environment is critical.
- Business Continuity and Disaster Recovery: All the
security measures in the world will not guarantee the worst won’t happen. In
fact, Murphy’s Law guarantees that it will. You need to have a plan in place
before the inevitable occurs. Business continuity and disaster recovery plans
fill this need. Think these plans out well in advance and test them
thoroughly. Build the plan to meet the demands of “Murphy’s Law Times 2”
(Whatever can go wrong will go wrong AND it will go wrong in the worst
possible way). These plans need to address natural disasters such as fires
and floods. They should also address recovery from hostile action by
disgruntled employees. Building the plan is only the first step. You must
test the plan regularly. These tests will show flaws in the plan and point
out needed changes. For example, you will need to update your fire response
plan when, during testing, you find the fire extinguishers are no longer where
they were the last time you ran the test.
There is no
question that every company should take the steps above. There is also no
question that these steps alone will not prevent insider abuse. You cannot
prevent it absolutely – it just isn’t possible. What you are trying to
accomplish is to make the insider abuse as difficult as possible to carry out.
You want to limit the amount of damage any single person can do. Finally, you
want to establish a path for quick recovery once abuse does occur. Success
requires addressing the difficult issue of human nature and trust – finding the
balance between corporate safety and paranoia. Being aware of the damage a
network administrator could potentially do is the first step. Being willing to
prepare for the worst from your friends is the second and most difficult step.
Implementing all of these measures is not a short-term project. It will take
months or even years. After implementation, constant updating, modification,
and monitoring are required to maintain the program. It is a full-time job for
at least one person in almost every company and a job for a dedicated team in
larger companies.

Sidebar 1: Dealing with termination.
Any time a user leaves the company, swift action to prevent
possible damage by that person is necessary. This is especially true if the
person left the company under less than friendly circumstances. Further, if
that person held a position of high trust such as a systems or network
administrator position, these actions become much more critical. Some of the
procedures to have prepared before the event include:
- Establish a strong rapport between the Human Resources and
Security staffs. The HR staff should always inform the security staff of
promotions or similar changes in responsibility so they can schedule training
for that person. A touchier issue involves disciplinary action and
terminations. There is valid reason to keep details of disciplinary actions
private. At the same time, there is a valid business reason for the security
staff to be aware of these events. Disciplinary actions often point to signs of
disgruntled employees. Under no circumstances should the security staff be
unaware of a planned employee termination. They need to know in advance to
prepare all the following steps.
- Any time termination involves a person in a position of trust
such as a systems administrator, have the replacement administrator chosen and
ready to assume their duties immediately. The replacement should be intimately
involved in searching for and disabling any malicious plans of the predecessor.
- Lock all accounts the person had access to. Don’t delete the
accounts immediately since there may be important information in the home
directories.
- Change all passwords on every account. This is especially
critical if the person leaving was an administrator, since that person is likely
to know many people’s passwords. It is important to do so regardless of who is
involved, since you never know whether the person may have co-workers’ passwords.
- Perform a fresh backup and store it securely. This backup is
not a replacement or substitution for normal backups. Its purpose is to provide
a snapshot of systems. This snapshot will be critical as evidence if sabotage
does occur. It also serves the purpose of a normal backup in case the
terminated individual somehow managed to damage or destroy normal backups.
- Perform a general security scan of the system for any known
back doors etc. Many “script kiddie” programs are available on the Internet
that allow unauthorized access once installed. Administrators can install these
with ease, but a determined user can also get them in place. Most good scanning
software will identify such programs.
You may well need to consider outside consulting help for one or more of these
steps. They all need to be accomplished immediately and will typically require
more than one person to complete them in a timely manner.

Sidebar 2: Summary of internal abuse cases.
Sabotage
In what may be the most expensive and best-publicized
incident of computer sabotage in American history, Timothy Lloyd, a former
network administrator for Omega Engineering Corp of Bridgeport, New Jersey,
planted a computer time bomb that wiped out over 1000 manufacturing control
programs. The incident, according to Network World, resulted in an estimated
$10 million in damages to Omega Engineering and eventually led to the lay-off of
80 Omega workers. Sharon Gaudin, a feature writer for Network World followed
the case from the beginning and published several detailed accounts. Links to
her Network World articles are:
http://www.nwfusion.com/research/2000/0626feat.html
http://www.nwfusion.com/archive/2000/102660_07-24-2000.html
http://www.nwfusion.com/research/2000/0626featside4.html
http://www.nwfusion.com/research/2000/0626featside2.html
http://www.nwfusion.com/research/2000/0626featside1.html
http://www.nwfusion.com/research/2000/0626featside3.html
In November 1997, a former temp worker at Forbes Inc.,
publisher of Forbes Magazine, was charged with breaking into the computer and
destroying budget and salary information. The incident left five of eight
servers inoperable for a period of time and cost Forbes Inc., over $100,000.
See this link at the ZDNet News Channel for more information:
http://www.zdnet.com/zdnn/content/reut/1125/245337.html
In 1998, Shakuntla Devi Singla received 5 months in jail
after she used another employee’s user ID and password to log into Coast Guard
computers and destroy information. It took 115 Coast Guard employees more than
1,800 hours to recover the data at a cost of $40,000. Singla holds the
distinction of being the first woman in the United States convicted on hacking
charges. See the story here:
http://www.cnn.com/TECH/computing/9807/22/coastguard.idg/
In 1999, Thomas Varlotta was charged with stealing the only
copy of software used to direct jetliners at O’Hare International Airport. He
faces up to 25 years in prison. See the story here:
http://news.airwise.com/stories/99/10/940530321.html
“Netspionage”
Harold Worden, a Kodak employee caused Kodak over $26,000
in damages when he provided trade secrets to competitors. The C-J Online story
is here:
http://www.cjonline.com/stories/082997/kodak.html
The information on this page is Copyright, 2001 by NetIP, Inc. and Keith
Palmgren, CISSP.