Helping Stop Insider Threats at Your Agency

Level 12

By Joe Kim, SolarWinds EVP, Engineering & Global CTO

Last year, in SolarWinds’ annual cybersecurity survey of federal IT managers, respondents listed “careless and untrained insiders” as a top cybersecurity threat, tying “foreign governments” at 48 percent. External threats may be more sensational, but for many federal network administrators, the biggest threat may be sitting right next to them.

To combat internal threats in your IT environment, focus your attention on implementing a combination of tools, procedures, and good old-fashioned information sharing.

Technology

Our survey respondents identified tools pertaining to identity and access management, intrusion prevention and detection, and security information and log and event management software as “top-tier” tools to prevent both internal and external threats. Each of these can help network administrators automatically identify potential problems and trace intrusions back to their source, whether that source is a foreign attacker or simply a careless employee who left an unattended USB drive on their desk.

Training

Some 16 percent of the survey respondents cited “lack of end-user security training” as a significant cause of increased agency vulnerability. The dangers, costs and threats posed by accidental misuse of agency information, mistakes and employee error shouldn’t be underestimated. Agency employees need to be acutely aware of the risks that carelessness can bring.

Policies

While a majority of agencies (55 percent) feel that they are just as vulnerable to attacks today as they were a year ago, the survey indicates that more feel they are less vulnerable (28 percent) than more vulnerable (16 percent), hence the need to make policies a focal point to prevent network risks. These policies can serve as blueprints that outline agencies’ overall approaches to security, but should also contain specific details regarding authorized users and the use of acceptable devices. That’s especially key in this new age of bring-your-own-anything.

Finally, remember that security starts with you and your IT colleagues. As you’re training others in your organization, take time to educate yourself. Read up on the latest trends and threats. Talk to your peers. Visit online forums. And see how experts and bloggers (like yours truly) are noting how the right combination of technology, training, and policies can effectively combat cybersecurity threats.

Find the full article on GovLoop.

19 Comments
MVP

“careless and untrained insiders” are the same threat to non federal agencies....

Level 20

RMF is supposed to fix all of this going forward.  It's going to be a big undertaking... that much is for sure!  We don't allow bring your own anything at this point.

MVP

I would add "Reminders"

Most companies/agencies/etc. have training - but users (including all of us) forget things that aren't at the forefront. So periodic reminders about security, best practices and policies are helpful. If it can be done in a fun way, i.e. a quiz, or "did you know" posts, or "here's a Nerf gun, shoot violators" - maybe not that last one - but it would be fun.

Level 21

It seems that all of these articles written targeting federal agencies are just as appropriate for any other company or agency. 

I'll agree with the intent of the article, and with the respondents above, and go one step further toward picking a nit.

When I read the line "identified tools pertaining to identity and access management, intrusion prevention and detection, and security information and log and event management software as “top-tier” tools to prevent both internal and external threats", I balked at the concept that logs and event management software can "prevent" threats.

Yes, it's only semantics, but semantics ARE important.  We don't want decision-makers to think log files and event management software can ever prevent threats.  Those are forensic tools, not prevention tools.  They can tell you where you were hacked or accessed, and you can use those historical records to determine the extent of your exposure and vulnerabilities.  Which then enables you to close those holes, and thus reduce your FUTURE vulnerabilities.

It's a small point.  But perhaps an important one . . .

MVP

exactly...

I would have to agree with rschroeder here, very good point.

I'm also shocked that only 16% realised the importance of end user training. Hopefully this was an anonymous survey as I think I spy 84% of businesses surveyed that may be at risk of a phishing or social engineering attack.

Level 12

Not shocked at the training numbers. My experience both within a Municipal Govt and previously at a large international Corporation revealed dismal investment in training of all levels of Staff, and coupled that with weakened Policies that either are not enforced (nor have any teeth, Management not willing to enforce, etc...) or are written in a language that is either not clear or vague, ensuring that the internal risks far exceed external ones (or at least are much harder to prevent).

I think most of us are aware that internal threats many times are more realistic on our environments and much much harder to patrol or prevent, whereas for external threats we have much more control through better tools, research and security alerts to work to harden our defenses against such attacks.

I also concur with rschroeder on the importance of forensics tools not for prevention of imminent threats but rather to be combined with other relevant data to secure reoccurrences of past/present security breaches.

Good Article though shidoshi1000, bringing some key points to bear... as well as seeing how similar the numbers are from a federal stance to a local Municipal operation.

MVP

Nice article

MVP

Agreed on the training front.

When I worked for the State of Florida I worked for an agency that had a main office and 12 "area" offices. I was in one of the area offices and provided IT support to 250 or so individuals. I had a "policy" that if I got the same or very similar requests 3 times in a couple of weeks that I would make a presentation/tip/how to guide for that request. Each week I would email everyone in the office that I supported a "tip of the week." This became such a big hit with my people that they started sending it to other offices and eventually all of the other 11 offices requested that I send it to them. I did, but of course when the "mother ship" heard about this they immediately put their foot down and required that I send the "tip of the week" to them and they would send it out - of course putting their staff name on it and taking credit.

All that to say a "tip of the week" can go a long way to maintaining awareness and you can address the most recent concerns, incidents, violations, or humorous events in a friendly "hey did you know" manner.

Level 12

"Tip of the week" Great idea.... will try to float it here then do a weekly post on our intranet

Similarly, when I started working here in 2003, I tracked those undesired Help Desk calls that woke me in the middle of the night.  If they turned out to be something the Help Desk could better triage before calling me--perhaps even fix themselves, or assign to a different team--I created a Knowledge Base article that defined all the steps they should follow.

I got buy-in from my boss and the manager of the Help Desk, and it wasn't long before I stopped getting calls in the middle of the night.

Level 13

While you were sleeping

They came and took it all away

The lanes and the meadows

The places where you used to play

It was an inside job

By the well-connected

Your little protest

Summarily rejected

It was an inside job

Like it always is

Chalk it up to business as usual

While we are dreaming

This little island disappears

While you are looking the other way

They'll take your right to own your own ideas

And it's an inside job

Favors collected

Your trusted servants

Have left you unprotected

It was an inside job

Like it always is

Just chalk it up

To business as usual

You think that you're so smart

But you don't have a f___ing clue

What those men up in the towers

Are doing to me and you

And they'll keep doin' it and doin' it

And doin' it and doin' it

And doin' it and doin' it

And doin' it and doin' it

Until we all wake up

Wake up, wake up, wake up, wake up

Thanks Don Henley

I have to believe that stopping insider threats starts long before anyone is employed at an agency.  It has to be inculcated from birth, to be trustworthy and suspicious simultaneously, and that's a conflict that could result in damaged minds and ethics at early ages.  But what alternative is there?

What "big picture" fix would you apply with your magic wand, to eliminate security risks at the root, instead of at the symptom level?

Level 12

I think the only thing guaranteed to eliminate Security risks - Remove the Humans.... drastic yes, but issue resolved... unless it becomes Bot vs. Bot.

Seriously though I think it is truly back to Education, Policy, and enforcement.

“Most neuroses and some psychoses can be traced to the unnecessary and unhealthy habit of daily wallowing in the troubles and sins of five billion strangers.”

  ― Robert A. Heinlein, Stranger in a Strange Land

There's something to that.  Remove humans and you remove the future, effectively eliminating history (which is human-centric from my point of view).

Heinlein also wrote: "A generation which ignores history has no past and no future."

Could there be something about hackers that comes from an inner problem?

Heinlein:  "If you don't like yourself, you can't like other people."

Maybe the issue is that problems are created without adequate knowledge of vulnerabilities.  And that we need a group of people trained to observe code creation, and to prevent vulnerabilities from being built.

Heinlein didn't much care for groups of people making decisions: "A committee is a life form with six or more legs and no brain."

Stranger in a Strange Land, Time Enough For Love, Friday, The Door Into Summer, Methuselah's Children . . .  He wrote so many fascinating and interesting books, with comments that make one really start thinking.  He was my favorite author for most of my life.

Level 12

Heinlein is one of my favourites too, along with most of the other Classic Sci-Fi/Sci-Fact authors like Philip K. Dick, Asimov, Herbert, Clarke, Bradbury, and Orwell, to name but a few. Frequently go back and reread their works. Always on the lookout for the next generation of soon-to-be Classic Authors... like John Scalzi (Old Man's War).

Nice.  I read a new science fiction author's work probably every two weeks via Kindle.  Like you, I enjoy the classics / Grand Masters, etc. 

Alfred Bester goes under-appreciated, in my estimation.  The same goes for Cordwainer Smith.

MVP

Currently reading a sci-fi Kindle book called Cyberstorm (Matthew Mather).  It deals with an immense worldwide cyber attack that effectively shuts everything down from the perspective of a family in New York during a massive snow storm.  Apparently 20th Century Fox is developing it for film.

About the Author
Joseph is a software executive with a track record of successfully running strategic and execution-focused organizations with multi-million dollar budgets and globally distributed teams. He has demonstrated the ability to bring together disparate organizations through his leadership, vision and technical expertise to deliver on common business objectives. As an expert in process and technology standards and various industry verticals, Joseph brings a unique 360-degree perspective to help the business create successful strategies and connect the “Big Picture” to execution. Currently, Joseph serves as the EVP, Engineering and Global CTO for SolarWinds and is responsible for the technology strategy, direction and execution for SolarWinds products and systems. Working directly for the CEO and partnering across the executive staff in product strategy, marketing and sales, he and his team are tasked to provide overall technology strategy, product architecture, platform advancement and engineering execution for the Core IT, Cloud and MSP business units. Joseph is also responsible for leading the internal business application and information technology activities to ensure that all SolarWinds functions, such as HR, Marketing, Finance, Sales, Product, Support, Renewals, etc., are aligned from a systems perspective, and that the company uses its own products to continuously improve their functionality and performance, which ensures success and expansion for both SolarWinds and its customers.