Monday, December 19, 2005

Insiders - insights, trends and possible solutions

A recent research of the content monitoring market, and the U.S 2004’s "Annual Report to Congress on Foreign Economic Collection and Industrial Espionage" I've recently read, prompted me to post an updated opinion on this largely unsolved issue.

I have been keeping an eye on the insider problem for quite some time, in fact, I have featured a short article entitled “Insiders at the workplace - trends and practical risk mitigation approaches” in Issue 18 of the monthly security newsletter you can freely subscribe yourself to!

Insider as a definition can be as contradictive as the word “cheater” is :-) Does an individual become an insider even when thinking about it, or turns into such prior to initiating an action defined as insider’s one? The same way, can someone be defined as a “cheater” just for thinking about what’s perceived as cheating, compared to actually doing anything?! :-) When does one become the other, and is this moment of any importance to tackling the problem?

The biggest trade-off as far as the insider’s problem is concerned is between dealing with the problem while ensuring productivity, and that the company’s work environment isn’t damaged -- exactly the opposite. And while productivity is extremely important, the direct, or most often indirect and long-term loss of intellectual property theft is currently resulting in a couple of billion dollar unmaterialized revenues for nations/enterprises across the globe.

Going through 2004's “Annual Report to Congress on Foreign Economic Collection and Industrial Espionage”, a major trend needs to be highlighted as I greatly believe it’s a global one, namely, private enterprises efforts to obtain access to sensitive technologies in unethical way, outpaces a foreign government’s efforts to do the same. Corporations spy more on one another than governments do, but is this truly accurate? I don’t think so! The use of freelancers, among them ex-intelligence officers or experienced detective agencies to conduct national funded economic espionage is a growing trend, and the lines in this area are so blur, we should therefore try to grasp the big picture when it comes to national competitiveness -- both companies and nations directly/indirectly benefit from possible economic/industrial espionage, and you can’t deny it!

Yet another important fact to keep in mind, is the unusually high success of the oldest, and most common sense social engineering attack -- asking!! In certain cases a social engineer will inevitably establish contact with customer-service obsessed personnel taking care of you all your requests! A certain organization’s members may experience troubles differentiating sensitive and secret information, not taking the first one as serious as they should. Even worse -- U.S Secret Service and CERT’s “Insider threat Study : Illicit Cyber Activity in the Banking and Finance sector” reveal that,”83% of the insider threat cases took place physically from within the insider’s organization, and another 70% in all cases, the incidents took place during normal working hours”! No secretaries or CEO’s logging in at 3:00AM, and in this case, the lack of detected security incidents posed by insiders, means they are already happening!

Though, I have always looked at the insider’s issue, from both negative and positive point of view. Can an insider be of any use for the good of a free speech organization or a government? Yes, it can if you take into account the U.S government’s efforts to locate democratically minded individuals living in countries with restrictive regimes, or active Internet censorship efforts.
Now given, you are truly interested in the democratization of this particular region, and not another successful PSYOPS operation, being able to locate, establish, and actually, maintain contact with these individuals will prove crucial in case of a objective picture of what exactly is going on there! Ignoring the local, totally biased news streaming for certain regions, and focusing on locating insiders within rogue states has been a common practice for years.

Is there a market for protecting from intellectual property theft and sensitive information leakage? If so, how does it ensures today’s digital workplace, and road warriors’s flexibility is not sacrificed for the sake of protecting the company’s resources? Mind you, the current solutions scratch only the surface of the issue -- creating digital signatures of data and trying to spot it leaving the network. While a commonly accepted approach, it’s like one way authentication(passwords) when it comes to access control-- the first line of defense, but among the many other!

The insiders’ problem is far more broader one and given the today’s complexity and connectivity, a possible insider’s actions will most often constitute of normal daily activities. But what is the market up to anyway?

Currently, the content monitoring market is steadily growing fueled by the need of ensuring information marked as sensitive, or intellectual property doesn’t leave the company’s premises, or is alerted when someone attempts to transfer it, due to negligance or on purposely!

The main players are : Vontu, Tablus, Reconnex, and Vericept.
Whereas these solutions are a great concept,they all mainly rely on content analysis,and sensitive information signatures,monitoring multiple exit point)(email,web,chats,forums,p2p,ftp, even telnet), namely, reactive protection, while sophisticated insider’s actions may remain hidden due to covert channels or 0day vulnerabilities in the vendor’s product for instance!

Something else to consider, is should a IP(intellectual property) trap be considered as a benchmark for insider tensions?! In other words, should you consider an employee that has been on purposely sent a link containing company information he/she isn’t supposed to have access to, but has clicked to obtain it? Stanford thinks – yes! The University suspended potential candidates for obtaining info on their admission process only by following a link..you are either a one or zero, right?

Honeypots targeting insiders have also been discussed a long time ago by Lance Spitzner, from the Honeynet Project. Another proactive protection would be to look for patterns defined as malicious behavioral based mostly.
From an organization’s point of view, take into consideration the following :
- Clearly communicate the consequences, both individual and career, in case an insider is somehow identified, based on the company’s perception of the problem
- Ensure the momentum of negative attitude towards the organization is minimized to the minimum to ensure the lack of to-be-developed post-effect negative sentiments
- Do no fell victim of the common misunderstanding that technology is the key to the solution. Insiders are the people your technology resources empower to do their daily tasks, technology is as often happens, the faciliator of certain actions
- Does system identification accountability have any actual effect? My point, does as user’s loss of accounting data, resulting in successful attack is anyhow prosecuted/tolerated. If it isn’t, this puts any employee in extremely favorable “it wasn’t my fault” position, where the data could be shared, on purposely exposed, sold, pretended to be stolen etc.
- Building active awareness towards the company’s efforts and commitment to fighting the problem will inevitably discourage the less motivated wannabe insiders, or at least make them try harder!

From a nation’s point of view, the following issues should be taken into consideration :
- In today’s increasingly transparent and based on digital flow of information marketplace, open source intelligence capabilities played a leading role in the development of cost-effective competitive intelligence solutions. Even though, nations or their companies are very interested in exploiting today’s globalized world.
- Ensuring the adequate security level of the private and academic sectors’ infastructure(where research turns into products and services, or exactly the opposite) through legislations, or further incentives, will improve the national competitiveness, while preserving the current R&D innovations, as secret as necessary.
- Outsourcing should be considered as a important factor contributing to information leakage, and the individuals involved, or the company’s screening practices, should be carefully examined.
- A fascinating publication that I recently read is “Quantifying National Information Leakage” describing the implications of the Internet’s distributed nature, namely to what extend, U.S Internet traffick is leaking around the world, where it “passes by”. A nation’s habit or lack of efficient alternative of plain-text communications can prove tricky if successfully exploited. Of course, this doesn’t include conspiracy scenarios of major certificate authorities breached into.

The insiders’ problem will remain an active topic for discussion for years to come given its complexity and severity of implications. Insiders’s metrics are a key indicator for patterns tracking, whereas their creativity shouldn’t be understimated at any cost!

In case you are interested in various recommended reading, statistics, and other people’s point of view, try this research :