Richard W. Walker, Contributor
Published: 18 May 2011/May 31 2011
“There is no patch for people.” That one-liner, made at a recent symposium in Washington on the Wikileaks insider threat, is no joke. It succinctly captures the hurdles facing federal managers when it comes to information security risks posed by their own users. And those hurdles are getting higher, as the Wikileaks case illustrates. Nor is Wikileaks just an isolated case: public data breaches by insiders in both the private and public sectors are on the rise.
While system breaches caused by the unwitting insider -- the employee who opens up an email message and falls for a phishing scam, for example -- are still a concern, it’s the malicious insider who represents the greatest risk. And, that risk means government cybersecurity managers will have to shift their efforts more towards actively combating that threat.
Particularly worrisome these days is the trusted insider “gone wrong”—the system administrator or IT executive whose actions turn malicious, for instance.
“You have a lot of folks that…pretty much have the keys to the castle,” said a security expert at the Homeland Security Department who asked to remain anonymous. “The enterprise admins have the ability to scour the entire network. That’s a hurdle that everyone has, especially with the move to managed services. You don’t know who the people who are managing your systems are anymore.”
Ken Ammon, chief strategy officer at Xceedium Inc., agreed that the ever-growing size, sophistication and complexity of systems have amplified the insider threat. “If you flash back 15 years ago, people who were considered privileged users -- those who had the ability to get to any platform or to any information within the infrastructure -- were a smaller group,” he said. “They tended to be the higher-assured employee or to be more fixtures than transients. Now you flash forward 15 years and the number of people and resources it takes to keep the systems running and number of people you give elevated rights or privileges to have dramatically increased.”
The advent of cloud computing also has expanded the insider threat, and even blurred the distinction between insiders and outsiders, Ammon added. “It has spread to vendors and contractors you have no control over,” he said. “You have a security boundary that has evolved and eroded from this inside-outside issue.”
Threat mitigation The increasing visibility of the insider threat is shifting the focus from security policies and user training -- which likely have negligible impact on the determined malicious insider -- to technologies and tools designed to mitigate the threat. Testifying recently at a Senate Homeland Security and Governmental Affairs Committee on “Information Sharing in the Era of Wikileaks,” Corin Stone, the information sharing executive for the Office of the Director of National Intelligence, said the government must develop a comprehensive insider threat capability, of which technology is a vital part.
The Intelligence Community’s strategy involves three interlocking elements, Stone said:
- Ensuring the right people have access to the networks and information they need to perform their duties, but not to information they don’t need.
- Technically limiting the ability to misappropriate, manipulate or transfer data, especially in large quantities, such as by disabling or prohibiting the use of removable media on classified networks.
- Auditing and monitoring user activity on classified computer systems to identify anomalous activity and follow up accordingly.
“In general, the idea that you can depend on written policy or that you have policy as a control for security is something that has to be retired,” Ammon said. “You have to modify that and put some technology in place. The days of … trusting someone to follow policy are gone, so you have to build in technical controls.”
Wikileaks and a number of less-publicized breaches have put the spotlight on insider threats to government cybersecurity. To help blunt the potential threat posed by trusted users, federal government managers should deploy technology to, in effect, look over the shoulders of their users, security experts say. That includes tools that provide end-user monitoring, full disk encryption, and end-to-end document security and tracking.
"A lot of the tools that exist in most [organizational] networks are focused on the advanced persistent threat, hackers penetrating through firewalls and those kinds of things,” said a former Defense Department security specialist who requested anonymity. “So most of the sensors are sitting at the network level. We need to focus a lot more on the user and the user's behavior, and we should be doing that where the user sits rather than at the network level.”
That’s where end-user monitoring software comes in. “You have to instrument yourself well enough to be able to effectively monitor what people do,” the DOD security specialist said. “Given the idea that everything of value is already in cyberspace, it makes sense that we should have some tools that can monitor cyberspace in a way to let us know that somebody's misusing access to [secure sensitive information], our crown jewels.”
As for the privacy aspects of user-level security, agencies have a legal right to monitor what users do on government-owned and -operated computers and networks.
Beyond monitoring: role-based access controls The Homeland Security Department’s insider strategy begins with role-based access control (RBAC), which restricts a user’s network access to a defined job function and permissions to perform certain operations that are assigned to specific roles. This approach is aimed largely at privileged users -- for example, database administrators -- who, without RBAC, would have the ability to roam around the agency’s information systems, according to a DHS security expert who asked not to be identified.
DHS auditors use Xceedium Inc.'s GateKeeper, an appliance that lets agency auditors enforce and control role-based access to critical systems, monitor the actions of privileged users and view comprehensive reports on user activity inside the network.
“It actually monitors and manages what the administrator has access to while they’re doing it,” the DHS security expert said. “It takes a snapshot of what they’re doing.”
Full disk encryption is crucial Another security technology that can help mitigate insider risk is full disk encryption, which protects data at rest on laptops, desktops and removable media. “To protect against insiders, you have to protect your data first,” said Gary McCracken, vice president for technology partnerships at WinMagic Inc., whose SecureDoc full disk encryption software is used by DHS, the Energy Department and the Treasury Department, among other federal agencies.
“If the [Wikileaks] data was encrypted while at rest on the perpetrator’s workstation, it would have been very improbable that [Bradley Manning] could have successfully exfiltrated that data,” said the former DOD security specialist.
Document tracking: search and destroy leaked docs End-to-end document tracking and control is another user-level security technology that can keep insiders from getting at critical information, according to security experts. It secures sensitive documents by embedding the security into each document so wherever it goes, it can be controlled, tracked and even wiped out at any point in time.
“It’s a very persistent form of security,” said Adi Ruppin, vice president of business development and marketing for Watchdox, which provides secure document sharing as Software as a Service to government agencies. “It never stops protecting the document until the document is destroyed.”
Watchdox furnishes a detailed audit trail that allows every interaction with a document to be logged, along with its time, user identity and geographic location.
Underlying the deployment of user-level security tools such as user monitoring, full disk encryption and document tracking is the notion of “zero trust.” You can’t trust anyone, not even your most senior or long-standing staff members.
Insider risk requires “a new look at how you’re securing your information and access,” said Ken Ammon, chief strategy officer at Xceedium. “We’re moving down this path of supporting a model called zero trust, where you don’t really trust anyone — a partner, a provider or an employee — to do what’s said in a [security] policy. You have to have an infrastructure that can enforce that policy, report on alerts and support response and investigation, if necessary.”
About the author: Richard W. Walker is a freelance writer based in the Washington, D.C., area who has been covering issues and trends in government technology for more than 10 years.