Fighting the Insider Threat
Tom Field: Hi, this is Tom Field with Information Security Media Group. I am here today to talk about the insider threat with Jerry Murphy, Senior Vice President and Director of Research with the Robert Frances Group.
Jerry, good morning to you.
Jerry Murphy: Hey Tom, how are you doing?
Field: Very well, thanks.
Jerry, the last several days we have all seen the shocking story of the French bank fraud and what happened with the bank over there. What is the most significant aspect of that crime to you?
Murphy: Well, Tom, I think for me the thing that is significant is that so much was compromised for so long. And, I think, you know, there is a real exposure that companies have to trust. This was not a case of somebody, you know, a criminal sneaking in and stealing account information or breaking in with malware or something like this. This is somebody who was a known authorized user of systems that was not doing some things that they should have been doing, and it really shows you that there is a huge risk. There is a difference between what the external threat is for people breaking in and what is the real risk to your systems and your company reputation even from the people you trust. And we can't underestimate the analysis of risk in that context.
Field: I mean this phrase gets overused, but in this case I think it is appropriate -- it really is a wake-up call.
Field: Jerry, what are the most common forms of insider threat that you see in financial institutions today?
Murphy: Well, Tom, those types of threats generally come in two broad areas. There is the unintentional threat of data -- that is, people not intending to expose data to harm's way, but accidentally doing it, and that generally can happen in a couple different ways.
One way is there is a policy that your company has for protecting information, and I am not aware of it, either through lack of education or maybe not appropriate checks on the systems. A very typical way this would happen is, I have information that is sensitive company information, and it is on my database, and maybe I'm even encrypting it in my database. Then what happens is I am authorized to access that information, I am trying to do my job, and then I take this information and then to make things easier for myself I put this stuff in a non-protected place. So, I send some information in an email to a client, so this client has authorized the information, but maybe my company policy is that I shouldn't send this information in an email because now it is no longer encrypted. So, I am doing my job, but maybe I am violating policy and didn't know it.
Or, there is a system protection, I actually found a case where one system protects data, another system protects data, but now when I integrate the two systems the way that they share information with one another is not protected. So, there is an unintentional loss of data. I'm not necessarily aware of the policy, and I'm doing my job, but I accidentally do things that are not proper from a security perspective.
And of course, the other major form is the malicious, intentional loss of data. I am authorized to use this data, but I am using it in a non-authorized way. Maybe I am a database administrator who should be maintaining files, but I take the information that I have access to and I sell it to somebody else for money. Maybe that is just for pure greed, maybe it is revenge. You know, I found out I lost my job or didn't get a promotion. And another way is sometimes this happens through coercion. We are finding more and more there are organized crime syndicates that are using social engineering. So, I am a good person, you should normally trust me, but now somebody says, 'If you don't steal this information for me, I am going to harm a member of your family' -- something of this nature. So, we are finding that this coercion happens as well.
So, those are the two broad ways that we are seeing this leakage of data from inside the enterprise.
Field: Now you see a lot of institutions facing a lot of these threats. What do you find is most misunderstood about the insider threat?
Murphy: I think the thing that is really misunderstood is the total concept of risk. And by that I mean you look at the probability of something occurring, and you multiply that by the exposure to the company if that threat occurs. And because people see a lot of the external threat -- and in fact 80% of these attacks on the enterprise are from external agents -- and so I think there is a misperceived notion that the biggest threat to my company are external hackers trying to get in to get access to information. And while there is more of that going on, there are two things you have got to consider.
The probability of an attack occurring externally is relatively low, and if there is an attack the probability that the information gotten can be exploited is itself not as high as somebody who is authorized to have this system and uses it maliciously. So, if I am accessing a system, the reality may be that I can trust 90% of the people in my company or more, and hopefully that is the case. But for that small percentage of people who do have malicious intent, the probability of them succeeding in taking information is very high, and if I am maliciously taking information the probability that that will have financial impact to my company is itself very high. I think people really misunderstand where the real total magnitude of total threat to the business is, and when you look at it from that perspective, most people realize that that internal threat is much more severe than it might be if I just looked at the probability of it happening in any given instance.
Field: Sure. Now how do you see financial institutions responding to these threats?
Murphy: Well, I see them responding in a number of different ways. The first way I see things happening is there is increasing recognition that I need to have a functional separation of duties. And by that I mean if you look at a database administrator, typically they are the person that is responsible not only for maintaining my data storage, but people have looked to them as being the person for looking at my log files and checking for any bad activity.
But if we believe my proposition that if that person who has the trust also may be the threat, I don't want to have the person responsible for maintaining my data storage being the same person that is monitoring for malicious activity. So, people are starting to separate, you know, checking on security for data as a different role from the person maintaining security. People are starting to have organizational separation there, and they are starting to put in tools that will, for example, prevent the database administrator from actually being able to look at the database transaction logs.
So, there is that that is happening, and there is starting to be an increased recognition that I need to have more training because most people do want to do the right thing, but when people start to realize there is this unintentional exposure of data, people realize that they need to increase my training and awareness as well.
So, those are areas, and also an increase of auditing. I mean, in the financial institutions auditing has been for a long time because there has been a lot of external governance compliance regulations that financial institutions have to adhere to, but what I am seeing is a shift from auditing from a compliance perspective to changing the focus of my auditing to being more aware of security threats and data leakage.
Field: So, that is how they are responding. Jerry, where do you continue to see institutions fall short in their response to the insider threat?
Murphy: The biggest place I see people fall short today is in two main areas. The first one I would say is in training. What we find is if you have the right policies in place and if people follow the policies, even without a tool, you are going to dramatically increase your security posture. So I think people need to spend more time one, making sure they have the right policies and processes in place; and two, doing a better job educating people on what those are, giving more incentives to people for being more proactive on looking at security. And then, lastly, I think people need to do a better job of doing what I would call proactive behavior analysis.
The reality is, unfortunately, people that are trying to violate security things tend to be ahead of the technology curve from the people in the security community who are trying to prevent things. So instead of waiting for identifying a threat after the fact, we need to do a better job getting in front of actually looking at behavior, identifying anomalous behavior and proactively checking the behavior. So, those are the areas where I think there needs to be more work to improve on.
Field: Okay, now you are doing a webinar on this topic of defending against the insider threat. What is going to be the key takeaway of your presentation?
Murphy: Well I think the key takeaways are essentially going to be three parts -- and they are all things that I have touched on. The first part is identify where the true risk to the business is, recognizing that even though the probability of an individual person most will see as doing something is low, if they decide to do it, the probability of them succeeding is very high and because of that -- that's the risk that you really need to focus on. So that is probably going to be the biggest takeaway.
And then the second one is going to be, regardless of all the great technological advances that are occurring in the security space -- and there are a number of them and I will touch on -- really, if you have the proper processes and policies in place and incent people to follow those policies, that is going to actually be a much better investment of your money than the dollars you spend on specific security tools. Not saying that you don't need them, but if you have -- what you find is if people had the proper patches in place and people were following the proper security procedures and I was verifying that, you are going to get far better protection than the fact that I put a particular tool in place.
So, those are probably going to be the main takeaway messages. And then increasing the training and letting people know what the specific vulnerabilities are and some of the short-term actions people can take to mitigate some of those specific threats.
Field: Excellent. The timing couldn't be better. Jerry, just to close with a comment on the French bank fraud again. Looking at what we have learned over the past week, what do you see as the key lesson to financial institutions to really take to heart from what they have read?
Murphy: Well, I would go back to Ronald Reagan and some of the things he said when he was dealing with the Cold War, dealing with Russia, and I come back to that key term he used, which was "Trust but verify." We want to assume our employees are good employees and are doing the right thing. But one, even if they think they are doing the right thing they may not be; and two, unfortunately, they all may not be. So I do have to give people trust, but I have to recognize that even when there are people I should be able to trust, there are reasons I should still verify people's behavior to protect my business.
Field: Well said, Jerry. I appreciate your time. I appreciate your insights today.
Murphy: Sure thing, Tom. I enjoyed it.
Field: That's been Jerry Murphy with the Robert Frances Group. For Information Security Media Group I am Tom Field. Thank you very much.