The inside job

In the manner of a displeased schoolmaster, Britain’s Information Commissioner last month served up a blistering denunciation of UK business practices in his annual report. With some incredulity, the Data Protection watchdog marvelled at a slew of recent security breaches in which a “roll call of banks, retailers, government departments, public bodies and other organisations” had exposed private customer information to the public – and possibly criminal – gaze. This “horrifying” spectacle, he fumed, underlined more starkly than ever the importance of enforcing strict security controls. Failure to do so, he warned UK businesses, could result in more stringent reprisals under a hardening legislative framework.

For all its admirable gusto, however, the Commissioner’s report did little to convey the true magnitude of the problem. Indeed, if data loss monitoring service Privacy Rights Clearinghouse is to be believed, the global business community is not merely leaking, it is haemorrhaging information – often without realising the fact. Between 2004 and spring 2007, reports the service, data breaches grew by 1700%, with the known number of records lost or exposed growing by a staggering 50 million between December 2006 and April 2007. Following an in-depth survey of such incidents, security specialist McAfee was able to put this surge in its broader context: of the 1,400 enterprises it surveyed globally in April 2007, a paltry 6% were able to say categorically that they had not experienced any kind of data loss within the past two years.

Even more remarkable, however, were McAfee’s insights into the primary origins of this profuse leakage: more than 60% of respondents said that such breaches were chiefly the work of individuals operating within the firewall – the staff, sub-contractors, partners and others that represent the so-called ‘insider threat’. This was not the most profound revelation, however. Participants in the research were also willing to point to the nature and intent of these insider-led leaks: although the majority of such incidents were judged to result from ignorance or negligence of security processes, in a murky 23% of cases the activity was deemed by respondents to be purely ‘malicious’.

Rarely before has the insider phenomenon been so readily acknowledged by the collective global business community, signalling, as Stephen Bonner, global head of Information Risk Management at Barclays Capital, notes, a growing awareness of “both its role and prevalence” in data breaches.

Be it through malfeasance or mishap, insiders, it is clear, represent a massive security liability.

Implausible denial

Historically, few enterprises have been either equipped or inclined to address this thorny issue. Instead, they have tended – for reasons that are as much cultural and political as they are technical – to focus their energies and resources on fortifying the organisation against known threats that linger beyond the firewall – chiefly malware, viruses and hackers. This corporate myopia has led the vast majority of organisations not only to overlook the risks of insider breaches, but to wilfully ignore or suppress them when they occur, says David Lacey, former head of IT security at both the Royal Mail and Shell.

One key example of this behavioural phenomenon was the oil industry, he reveals. During the 1980s, oil conglomerates became saturated with information brokers – both planted and bribed – who systematically leaked data which was used to manipulate contract bids.

Other examples of institutionalised ignorance abound on a smaller scale too. In one extreme case, recalls a CSO at a financial services firm, the CEO of his former company wilfully ignored serious transgressions. When a hoard of illegal pornography was found on a manager’s computer, the CEO in question chose to ignore the situation.

But the era of plausible denial is slowly drawing to a close. For one thing, observes Dawn Cappelli, senior technical researcher with the Carnegie Mellon Engineering Institute’s Computer Emergency Response Team (CERT) and one of the world’s leading authorities on the subject, the blossoming of US disclosure laws has flushed out a large number of insider-related data breaches that, historically, would not have seen the light of day. Of equal if not more influence, however, is a growing appreciation of the biting financial and operational costs of such data breaches: according to the FBI Computer Crime and Security Survey of 2006, this figure averaged out last year at a bruising $4.6 million per organisation.

High as these numbers seem, they are dwarfed by those relating to the intentional appropriation of data assets such as proprietary information. Just ask the ex-employees of Colorado-based distributed computing developer Ellery Systems. According to its former CEO, Geoffrey Shaw, the US Department of Defense-funded company was driven into bankruptcy after one of its programmers passed the firm’s entire proprietary source code – representing $1 million in R&D and billions in market value – onto Chinese rival Beijing Machinery in 1994. Today, a third of organisations believe that a data breach on a similarly grand scale could potentially spell the end for them as well. Consequently, the insider risk can no longer be ignored.

Device denied

Perhaps not surprisingly for a man immersed in the world of risk assessment, Matt Potashnick, IT director for online insurer, is unsentimental about user freedoms. “Because they hold certain positions people have the attitude that they are entitled to access certain data when in fact they’re not. We have a company policy where we have restricted access, and that’s the policy.” If users want more access, he adds phlegmatically, “they have to go through the board”.

With a strong financial services background, Potashnick is acutely aware of the risks that rogue devices – be they PDAs, iPods or the ubiquitous USB memory stick – present to the corporate network, whether plugged in out of innocence or for more dubious reasons. Concerned that devices might sneak in under the radar as the network continued to expand with the business, Potashnick went to the marketplace to find a device management solution that would be both simple to install and simple to control – settling on DeviceWall from network security provider Centennial Software.

Since its roll-out, which took less than an hour, DeviceWall has allowed full visibility on user network activity, and it’s not always a pretty picture, says Potashnick. “You’d be surprised from the audit trail the number of things that people try and plug in. I’m sure other companies [considering device management] would have a bit of a shock.” Such activity can be carefully regulated, however, meaning the IT team is able to make allowances, or not, for particular users – an important feature which ensures disabled users who might require USB access are not discriminated against. “It gives us great flexibility across our whole infrastructure, but from a very small footprint,” adds Potashnick.

Perhaps unsurprisingly, however, not all the users have embraced its restrictions. “People were kicking and screaming to start with, but now that’s passed,” says Potashnick. “You have to provide a clear explanation and so they appreciate why you’re blocking them.”

Now and again some individuals protest against restricted access, he adds. “They are generally the people you need to worry about.”

Malfeasance and mishap

Protecting the organisation against different kinds of ‘malicious’ data breaches is peculiarly challenging, however, not least of all for political reasons. “But the bottom line”, asserts Chris Simpson, former head of Scotland Yard’s e-crime unit, “is that the vast majority of cases the unit has dealt with relate to internal colleagues or former employees”, and such incidents, in appearance at least, are growing in number. Survey data collected by Cappelli and her team, working with the US Secret Service, found that in 2006 theft of both proprietary data and IP rose, and were reported by 36% and 30% of respondents respectively.

Discerning the reasons for this worrying trend is not easy, says Cappelli. A thriving black marketplace for both competitive and personal information; the proliferation of removable mass storage devices; the emergence of new communication channels enabling large file transfer; and what Lacey describes as the “collapse of information management”: these all offer, however, the necessary ‘motive, means, and opportunity’ traditionally thought to account for crime.

Certainly two of these elements were present in the case of Fidelity National Information Services, reported only last month. Using a removable mass storage device, a senior-level database administrator at the US financial services data processing company walked out the door with 2.3 million customer records which, allegedly, he had planned to sell on to direct marketing agencies.

Few will be surprised to learn that such episodes are driven by greed. But the fact that the perpetrators in question frequently hold previous criminal convictions, says Barclays’ Bonner, is somewhat disconcerting. Employee background checks are “essential” for this reason, he stresses, but many businesses lack the necessary resources and expertise to perform this task adequately.

Not only do they wrongly regard CV screening as a junior task, says Barry Clark, former superintendent at Scotland Yard and managing director of vetting service Cataphract, but they seldom pursue a candidate’s true reasons for leaving a previous employer. “Make sure they answer the questions that you want answered, not just the ones they want to answer,” he advises.

Intensive screening, however, is unlikely to identify those who might be corrupted or come to feel in time, rightly or wrongly, aggrieved by their employer. Moreover, screening will do nothing to guard against what one CIO of a chemicals manufacturer frequently experiences: the “unconscious incompetence” of the average end user. Nor will it avert the chance episode in which a hapless employee might stumble upon data which is then turned to malicious or commercial use. These potentialities are largely invisible, says Lacey. “That’s why you need technology to provide that visibility. Nobody’s going to tell you what’s going on; employees don’t know or care the CIO exists, so you have to set up intelligence.”

This can take several forms, many of which are now well-established: network monitoring, email monitoring, log management, USB tracking, firewall blocking and access management have all become standard requirements for any large organisation, says John Walker, head of operational security for a global online financial services information provider and visiting professor at Nottingham Trent School of Computing and Informatics. Labouring over security product selection, contends Walker, is unlikely to bring any added benefits however, as in the majority of cases, “the technology generally works”.

Instead, IT departments should devote their efforts to the effective application of that technology, he stresses. “You have to actually read the logs and access reports, for example. And you mustn’t just look for what you want to see.” Spotting irregularities and pursuing them when highlighted is imperative, he adds. “If you have one user who brings in viruses or a hacking tool, it might well be accidental. But if it happens a few times, you have to monitor and profile them.” This is particularly important following a person’s resignation, although more than half of organisations consistently fail to do so.

In the struggle to stem data breaches, however, the spotlight should not fall only on employee behaviour. Establishing protection around the data itself – a strategy that has long been the clarion call of security association the Jericho Forum – is also crucial. Many organisations habitually fail to both identify and classify that most precious of assets.

“They have no idea what it is, where it is, or what its value is,” says Greg Day, security analyst at McAfee. Locating and prioritising an organisation’s data might be laborious, but failing to do so prohibits the implementation of basic controls, and renders any existing controls largely redundant.

Only when confidential data and valuable IP have been appropriately organised can the IT department build safeguards around them that are context-appropriate. This could mean encrypting financial data as it leaves the network, but blocking the movement of source code or client lists altogether. Once “an organisation is aware of the data that it holds and aware of the available access to it, then it should understand the level of risk,” says Matt Potashnick, IT director at online insurer, who has recently implemented a data access control system.

However, no technology can account for poor management, poor communication skills, institutionalised chaos, or indifference to risk. Such failings are far too common in large organisations, says Cappelli, as the daily struggle to juggle competing priorities leads not only to the erosion of processes and controls, but to the general neglect of employee relations.

When it comes to security, “managers just need to be good managers and pay attention to their people,” she emphasises. Mastering this will not solve everything, but it will afford companies improved visibility into the working practices of their staff and greater insight into which of them might be tempted to compromise corporate security.
