cancel
Showing results for 
Search instead for 
Did you mean: 
Create Post

How to Prevent an Insider Accident from Becoming a Security Catastrophe

Level 11

The incorrect use of personal devices or the inadvertent corruption of mission-critical data by a government employee can turn out to be more than simple accidents. These activities can escalate into threats that can result in national security concerns.

These types of accidents happen more frequently than one might expect — and they’ve got government IT professionals worried, because one of the biggest concern continues to be threats from within.

In last year's cybersecurity survey, my company SolarWinds discovered that administrators are especially cognizant of the potential for fellow colleagues to make havoc — inducing mistakes. Yes, it’s true: government technology professionals are just as concerned about the person next to them making a mistake as they are of an external Anonymous-style group or a rogue hacker.

So, what are agencies doing to tackle internal mistakes? Primarily, they’re bolstering federal security policies with their own security policies for end users. This involves gathering intelligence and providing information and training to employees about possible entry points for attacks.

While this is a good initial approach, it’s not nearly enough.

The issue is the sheer volume of devices and data that are creating the mistakes in the first place. Unauthorized and unsecure devices could be compromising the network at any given time, without users even realizing it. Phishing attacks, accidental deletion or modification of critical data, and more have all become much more likely to occur.

Any monitoring of potential security issues should include the use of technology that allows IT administrators to pinpoint threats as they arise, so they may be addressed immediately and without damage.

Thankfully, there are a variety of best practices and tools that address these concerns and nicely complement the policies and training already in place, including:

  • Monitoring connections and devices on the network and maintaining logs of user activity to track user activities.
  • Identifying what is or was on the network by monitoring network performance for anomalies, tracking devices, offering network configuration and change management, managing IT assets, and monitoring IP addresses.
  • Implementing tools identified as critical to preventing accidental insider threats, such as those for identity and access management, internal threat detection and intelligence, intrusion detection and prevention, SIEM or log management, and Network Admission Control.

Our survey respondents called out each of these tools as useful in preventing insider threats. Together and separately, they can assist in isolating and targeting network anomalies. They can help IT professionals correlate a problem directly to a particular user. The software, combined with the policies and training, can help administrators attack issue before it goes from simple mistake to “Houston, we have a problem.”

The fact is, data that’s accidentally lost can easily become data that’s intentionally stolen. As such, you can’t afford to ignore accidental threats, because even the smallest error can turn into a very large problem.

Find the full article on Defense Systems.

Interested in this year’s cyber security survey? Go here.

15 Comments
MVP
MVP

Very good and relevant writeup !

I cringe at what some people do that they don't think is a big deal...when it actually is.

Ever vigilant! The inherent powers that one adopts when he/she becomes an IT Systems or Data Administrator is quite powerful. A whooole lot of trust goes along with that. Very few places have the proper "Checks & Balances" in place to monitor and control this type of access. The only real deterrent in place is "your job", which doesn't seem to hold much weight against the actions of a disgruntled and maliciously intended employee.

The cheaper, easier route appears to be to invest in technology that allows you to quickly: restore, rollback, and/or failover. At any moment a frustrated employee can metamorphosise into a malicious employee. It is scary to imagine the damage once can inflict with a key couple of clicks and keystrokes.

The linked article sums up nicely from its initial content:

"A fender-bender at a stop sign is 'an accident.'

The incorrect use of personal devices, or the inadvertent corruption of mission critical information can turn out to be more than simple accidents . . . they can escalate into threats that can result in national security concerns."

It's not hard to imagine some very bad things happening as the result of compromised security.  I'm not thinking about little things, like losing your life's savings.  Think bigger.  All financial institutions shut down for months or longer.  Air traffic control systems going unavailable for a year or more.  North America going without electricity for LONG periods--or random ones.

What should we NOT do as we move forward in our jobs?

  1. Facilitate communications that cannot be secured (wireless)
  2. Use solutions that are proven to be weak/vulnerable (MD5, SHA1, http, telnet, etc.)
  3. Ask users to reference down time procedures that are online (these should be printed and posted where folks can find and reference them during a network outage)
  4. Believe that what's secure today (SHA 2, CAPWAP tunnels, VPN tunnels, wireless encryption protocols, etc.) will remain secure into the future (even in the face of cheaper and more powerful computing solutions being created daily)

Playing the guy who says "no"--no matter how kindly and tactfully--can be a career-limiting decision.

But perhaps NOT if Management mandates it, and supports and trains everyone to be on the same page, and shows us all how to do it properly.

But who among us does not believe Networking is a house of cords?

We try our best to follow the guidelines and security best-practices.  But it's all for nothing if we, our peers, our clients, or our supervisors and C-level people, remain ignorant of the risks of doing things the most convenient or inexpensive way.

Can we do business without wireless?  Apparently the Center For Disease Control can.  I'm told they forbid it on their networks because they believe it's inherently insecure.

Can we do without VPN tunnels?  They're mighty convenient, but White House Security staff have explained that the government has influenced the manufacturers and the RFCs to make VPN's easier to decrypt/break--all in the name of national security, of course.

Can we continue using insecure protocols and practices in our ignorance, simply for the cost savings or convenience?  Only until we're shut down by hackers.  Or worse.

I found a cartoon online that suggests our minds might just be potentially overwhelmed by the legal documentation required to secure our world:

pastedImage_0.png

And my thoughts don't even begin to address the issue of an insider betraying a company's trust . . .

Level 14

Very good write up.  I attended a training session once that announced the 2 out of every 25 people were potential insider threats.

I'm a little more pessimistic than that.  Through their own ignorance, I'd worry that 25 out of every 25 people were potential insider threats.

MVP
MVP

Yes unfortunately there will always be that rogue employee. Gotta keep an eye on everything.

MVP
MVP

Agreed. So many times I've heard "Let's just do X" and my response is "Uhhhhh... please don't".

Level 11

Your not being a pessimist.  I would say you sound paranoid, but considering I agree with your assessment I would call it Trust but Verify.

Level 14

I don't disagree with that.  My logs back it up.

Level 15

I'm a little more pessimistic than that.  Through their own ignorance, I'd worry that 25 out of every 25 people were potential insider threats.  ²

MVP
MVP

I've been working a lot of LEM engagements lately and it's always fun when you get it set up and start showing people what it tells them about their systems and we almost invariably run into some account that none of the admins even knew what it does that logs into half their servers 50,000 times per day.  When people aren't watching their logs its surprising how much slips through the cracks.

Level 11

Definitely true.  NO ONE is above reproach.  It may be a little harder to catch a big fish but it is worth it.

Level 14

I had a lead engineer about a decade ago, that fought tooth and nail against adding firewalls and IDS's to the classified network.  He claimed that there had never been any incidents on that network, so why secure it?  After some pressure from above, he relented.  After the installation, he started reviewing the logs.  Needless to say, he became a believer very quickly.

Level 21

mesverrum​ I have had the same experience looking at logs on my own network and having to point out things I find to other teams.

Level 20

The big publicised security breaches by insiders like manning, snowden, and others have really caused many of us addition grief.

About the Author
I grew up in Forest Lake, Minnesota in the 1960's, enjoying fishing, hunting, photography, bird watching, church, theater, music, mini-boggan, snowmobiling, neighborhood friends, and life in general. I've seen a bit, have had my eyes opened more than once, and tend not to make the same mistakes twice. Reinventing the wheel is not my preference, and if I can benefit from someone else's experience, that's good all the way around. If someone can benefit from my experience, it's why I share on Thwack.