Information Security Risks – Insiders

When speaking about information security, two categories of threats facing a business must be distinguished: external and internal attacks. External attacks are in one way or another connected with illegal access to confidential data, and their source lies outside the corporate network of the enterprise or organization. Today there are effective countermeasures that allow a business to protect itself from such intrusions: firewalls, anti-virus software, traffic filters, anti-spyware, automated security scanners, penetration testing and ethical hacking services, and so on. The IT market meets these needs by offering a range of hardware and software solutions that reliably protect the corporate network and its data from external threats.

Meanwhile, according to "The Insider Threat Benchmark Report – Strategies for Data Protection", a study by the American analytical company Aberdeen Group in which 88 large American corporations were surveyed, the role of another danger keeps growing. Its source is not cracking experts working for competitors, hacker intruders or random viruses, but people inside the organization. Here we come to the term "insider", which most sources use without explanation, as if it were self-evident. To clear this up without forcing the reader to dig through reference materials, we can use the definition offered by Wikipedia: an insider is "a member of any group of people who has access to information unavailable to the general public. The term is used in contexts involving confidential, hidden or otherwise restricted information or knowledge: an insider is a group member who possesses information available only within that group".

Thus, with reference to business, an insider is an employee of the company who has entirely legitimate access to confidential information. It may be a manager, an analyst or a technical specialist with the relevant authority. Let us stress once again: insiders are already inside the organization, they are part of it, so as a rule it is much easier for them to reach the information they are interested in than for any external intruder. According to the American study, modern business is seriously worried about the danger coming from insiders and is actively looking for ways to repel it. Companies that ignore it, or try to save money on the implementation of new protection systems, often pay for their carelessness with serious losses. Examples are not hard to find: in IT circles the litigation over Paul Shin Devine, a supply chain manager at Apple, still resonates. In the civil suit it filed against the former employee, the company argues that Devine had been selling confidential information to Asian suppliers for six years and had received more than one million dollars from them in total. According to the study, the vast majority of respondents realize the scale of the threat and are looking for ways to avoid the financial losses connected with it. The conclusions drawn by Aberdeen Group agree with the results of another study, the "Computer Crime and Security Survey" conducted by the FBI. According to it, 68% of respondents consider internal threats the greatest danger to business. Furthermore, 19% of respondents, almost every fifth company, stated that insiders were responsible for more than 60% of the total loss caused by information threats, and 7% of respondents attribute 80% or more of their total loss to insiders.

These results can be set against another finding of the FBI survey: against the background of overall growth in damage from information security threats, the share of losses from external threats such as viruses, worms and hacker attacks has decreased considerably in recent years, both in the number of attacks and in their success rate. This further emphasizes the increased significance of the insider problem.

Experts from the InfoWatch analytical center consider this shift of the center of gravity in the threat landscape quite explicable. Virus attacks and unauthorized intrusions into corporate networks are fading into insignificance: the number of incidents is decreasing, or at least not increasing, and the scale of losses is falling steadily year by year. This is because effective mechanisms for resisting such threats have already been developed. According to the "Computer Crime and Security Survey", 98% of respondents use firewalls, 97% use anti-virus software, 79% use anti-spyware, 70% use access control lists and 69% use intrusion detection and alerting systems. These are some of the most popular information security technologies used today to prevent and counter external attacks.

The situation with protection against internal threats, which according to the data are moving into the leading position in terms of financial damage caused, is considerably more difficult. First of all, respondents find it hard to determine the exact volume of losses from a leak of personal data or commercial secrets. This is because such incidents, beyond the direct financial damage, can have a number of negative consequences that show up only in the long term: damage to public opinion and goodwill, a shrinking customer base, and a possible gain in advantage by competitors. All of this can go on for weeks and months, and calculating the profit lost because of an information leak can take more than a year. Hence the losses caused by an internal threat to information security, as a rule, defy exact estimation.

At present there is no single solution that guarantees reliable protection of corporate information from insiders; instead a whole set of measures is applied, varying in each specific case. Therefore, organizations and enterprises that wish to insure themselves against leaks of confidential information should approach the problem with all seriousness. Saving on security measures is not justified, since in the near future it can lead to very unpleasant consequences. According to world experience, the loss of 20% of corporate secrets leads to the company's bankruptcy in 60% of cases. The best option that can be recommended is to turn to professionals who specialize in insider protection systems and take into account the features of the business, corporate policy and office workflow in each specific case.

In practice it often proves impossible to determine clearly whether financial losses were caused by an external or an internal threat. An example is the number of cases in which Trojan software was created specifically for a certain organization and planted by insiders.

All of the above confirms once again that information security must be approached comprehensively, addressing external and internal threats at the same time. A detailed analysis of the statistics collected in the American and domestic studies shows that business is not fully protected from internal threats: the mechanisms either are not worked out or are rarely put into practice, so the incident with the Apple manager cited above can repeat (and does repeat!) in other organizations. The variety of means and techniques used by insiders makes it impossible to develop a single panacea that would reliably protect corporate secrets in all cases. However, the main approaches to the problem have been outlined and are applied successfully. The most important of them is comprehensive active monitoring of employees' activities. It includes an automatic, configurable outgoing mail filter, hidden resident programs that record keyboard input or save screenshots at a specified frequency, recording of telephone conversations, and so on. Although these technical means cannot rule out an internal threat, they are quite capable of detecting the moments when the intervention of a person, either a security officer or another authorized employee, is necessary. For example, automatic mail filtering saves the trouble of looking through all employees' outgoing mail and lets an authorized person inspect messages only when it is really necessary.

Various employee activity monitoring systems are already available on the market. Of course, using them does not mean that you can dispense with working with the staff: you should explain to employees why security regulations must be observed, notify them of their responsibility and require them to follow the existing guidelines for handling confidential information. However, reliable protection of corporate information against internal theft is impossible without the competent application of hardware and software tools. As said above, the main method of protection against insiders today is comprehensive active monitoring, among whose main tasks the following can be singled out:

These tasks are solved effectively by resident programs that run covertly, so that the employee on whose computer they are installed does not suspect their existence and, accordingly, does not know that their activities are under control. Let us take a closer look at each of the tasks.

Outgoing mail filtering, performed automatically, allows you, on the one hand, to avoid a thorough examination of all employees' correspondence (with a large number of employees this becomes almost impossible) and, on the other hand, to involve the company's security officer only in cases that look really suspicious. However, the applicability of this protective method is limited by the fact that the information sent can be encrypted or placed in a password-protected archive.

Keyboard input logging, in other words, registration of the keys pressed by the user, allows you to partially reconstruct the sequence of actions the user performed during a session, including reproducing typed text with sufficient reliability; an obvious advantage of this method is the possibility of obtaining the passwords used by the employee. However, bear in mind that there are various ways for information to leak: an insider can display information and photograph it, print a document or dictate it over the telephone, or simply memorize confidential information. In such cases keyboard input logging is of little use, and other protection technologies are needed.

Hidden audio recording makes it possible to listen to employees' spoken communication, including telephone conversations made during working hours. This method also has some limitations; for example, the meaning of a telephone conversation becomes clear only if its context is known.

Screenshots saved at a given interval produce a sequence of frames from which you can determine how the employee's work session went and what programs, documents or network resources they used. The advantage of this method is that the inspector, as it were, looks through the eyes of the monitored employee and retraces their actions; at the same time this is also its disadvantage, since the exact meaning of some actions can be unclear to an outside observer, for example the contents of copied documents if they were never explicitly opened.

As we can see, all of the above protection technologies have strengths and weaknesses, and none of them on its own can guarantee reliable protection of corporate secrets. The key to success is the competent combined application of these technologies, so that they complement and strengthen each other and mutually compensate for their shortcomings.

A Real-Life Example

The N pension fund provides non-state pension insurance for a certain category of the population. Competition in this sector is rather fierce; nevertheless, thanks to a carefully thought-out strategy, the N fund operates successfully and the number of its depositors is growing. At a certain point, at the initiative of its IT department, an e-mail monitoring system was implemented in the organization. Building a base of "suspicious" content and setting up the filters took some time, after which the system began to operate automatically. Some time later, an officer of the economic security department received a message generated by the automatic filter about suspicious content in some outgoing letters of employee X. Several letters had password-protected archives attached. The department management decided to involve security officers in the investigation, and as a result special software for hidden monitoring of user activity was installed on the suspect's computer. Eventually, the password used for archiving was found in the keyboard input log, and the contents of the next archive were viewed. The archive turned out to contain secret corporate information: depositors' personal data and the status of their pension accounts. The fact of X's economic crime was evident. However, the customer was unknown: the letters were sent to an address on one of the free e-mail services. A detailed analysis of the screen contents collected over one working day established that X had sent an SMS through a telecommunications provider's website. The text of the SMS contained the password that, as had already been determined, was used to archive the information. It thus became obvious that the SMS was addressed to the recipient of the stolen information. The telephone number allowed the subscriber to be identified: it was an employee of another non-state pension fund, a direct competitor of fund N. The insider was exposed and dismissed, and access to personal information was restricted. However, the fund decided not to make the matter public and not to sue the offender, quite reasonably fearing damage to its reputation.
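As an added example (not code from the article or from any product it mentions), here is a simplified outgoing-mail filter of the kind described in the filtering paragraph above and relied on in the fund N case: it flags a message for a security officer when its subject or body matches a "suspicious content" list, or when an attached ZIP archive is password-protected, which the archive headers reveal without knowing the password. The term list, addresses and sample messages are all constructed.

```python
"""Outgoing-mail filter: flags a message when its text matches a "suspicious
content" list or when an attached ZIP archive carries the encryption flag.
Added illustration; the term list and sample messages are constructed."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Constructed "suspicious content base"; a real deployment maintains its own list.
SUSPICIOUS_TERMS = ("depositor", "pension account", "confidential")


def zip_is_encrypted(data: bytes) -> bool:
    """True if any ZIP entry sets bit 0 (encrypted) of its general-purpose flags.
    Only the headers are read, so no password is needed for this decision."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def inspect_message(raw: bytes) -> dict:
    """Return a verdict for one raw RFC 5322 message: matched terms and
    any attachment that is a password-protected archive."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    body = msg.get_body(preferencelist=("plain",))
    text = ((msg["Subject"] or "") + "\n" + (body.get_content() if body else "")).lower()
    hits = sorted(term for term in SUSPICIOUS_TERMS if term in text)
    if hits:
        findings.append("terms: " + ", ".join(hits))
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        name = part.get_filename() or "<unnamed>"
        # Check the content, not the declared MIME type or extension, which the sender controls.
        if payload.startswith(b"PK") and zip_is_encrypted(payload):
            findings.append("password-protected archive: " + name)
    return {"from": str(msg["From"]), "to": str(msg["To"]),
            "flagged": bool(findings), "findings": findings}


def make_encrypted_zip(name: str, content: bytes) -> bytes:
    """Constructed fixture: the stdlib cannot write encrypted archives, so the
    encryption bit is set by hand in the local header (offset 6) and in the
    central directory entry (offset 8); the filter only looks at that bit."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    data[6] |= 0x1
    data[data.find(b"PK\x01\x02") + 8] |= 0x1
    return bytes(data)


def build_sample(subject: str, body: str, with_archive: bool) -> bytes:
    """Constructed outgoing message, optionally carrying the flagged archive."""
    msg = EmailMessage()
    msg["From"] = "x@fund-n.example"
    msg["To"] = "recipient@freemail.example"
    msg["Subject"] = subject
    msg.set_content(body)
    if with_archive:
        msg.add_attachment(make_encrypted_zip("report.txt", b"..."), maintype="application",
                           subtype="zip", filename="report.zip")
    return msg.as_bytes()
```

Calling `inspect_message(build_sample("files", "As agreed, the archive is attached.", True))` returns a flagged verdict whose only finding is the password-protected attachment, which is exactly the signal that prompted the investigation in the case above.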

Similar cases are frequent and can occur in practically any organization; moreover, different categories of employees can play the role of insider: ill-wishers who expect to be dismissed or bear a grudge against the company for other reasons; "stool pigeons" deliberately planted by a competing organization; and there have even been cases where loyal and diligent employees acted as insiders without suspecting that their actions could harm the company and play into competitors' hands. As the example shows, prevailing over such internal threats, preventing them and minimizing the damage requires, among other things, modern and reliable means of protection.

It must be noted that implementing such a system, despite all its advantages, as a rule runs into certain difficulties. Besides the objective complications (any means that restricts employees' actions complicates the working process to some extent), a subjective factor has to be considered. Besides the natural and inevitable resistance of some employees to new measures, management sometimes also faces an ethical and/or legal aspect. To overcome such problems successfully, so that monitoring cannot be equated with espionage and intrusion into employees' private lives, the organization's security policy must state clearly that all information and data circulating in the corporate network is the intellectual property of the organization. It is useful (and in some countries mandatory and fixed in legislation) to warn users that the organization's information systems are under observation and that, if necessary, the sequence of any employee's actions can be reproduced. Sometimes the staff's mere awareness of this fact is enough to raise the level of corporate discipline and prevent some leak incidents. On the other hand, examination of employees' personal and official correspondence or other data by the security service or another monitoring unit must be prohibited unless it is directly warranted by signs of a threat or by the course of an official investigation.

Up to now we have mainly discussed the use of active monitoring tools to protect a business against internal attacks, that is, to detect and stop leaks of corporate information. This is indeed the main domain of such systems. However, they can also be applied effectively in a number of other situations not directly related to the struggle against insiders. Here are some examples.

The management of an outsourcing call center began to receive regular complaints from clients about the quality of service and the competence of the operators staffing the "hot line" supporting bank card holders. The telephone exchange used at the call center had already been equipped with a hardware and software system that logged all incoming calls and recorded the subsequent conversations between operator and caller. Analysis of the conversation records for a two-month period revealed the reason for the complaints: the "hot line" operators were not sufficiently aware of the many new services provided to card holders. A two-day training was held, during which the operators familiarized themselves with the new banking programs, after which the flow of complaints ceased.

This example shows how tools intended for monitoring can be used when a conflict arises between clients and staff: to detect the cause of the conflict and resolve it properly. It should be noted that today most organizations already record employees' telephone conversations, while conversations with clients held in offices and meeting rooms, over the Internet, and so on are often not recorded in any way. In such cases it may be reasonable to use software or hardware monitoring tools.

Two periodicals simultaneously published similar material and filed counter-suits against each other for the protection of intellectual property. As a rule, a fact of plagiarism is very difficult to prove in court; in this case, however, it could be done, because only one side was able to provide the intermediate materials accumulated while working on the article. This was possible thanks to the comprehensive monitoring system used in its editorial office. The following materials were presented:

The arbitration court, having studied the presented evidence, considered it sufficient to recognize that side's copyright. The opponent, having no similar materials, was found guilty of plagiarism and ordered to pay monetary compensation.

This example illustrates one more possible field of application of monitoring tools: protection of intellectual property. As discussed above, both in domestic and in global judicial practice, copyright protection cases are considered difficult; the main weak point of the relevant legislation is that the same ideas often occur independently and simultaneously to different people. In such a case, intellectual property rights belong to the first to declare them; if that has not been done, attributing authorship becomes rather difficult. Any intermediate results, preliminary sketches, drafts and so on, everything that was automatically collected by the monitoring system in the example above, can be a significant advantage.

In one of the secondary schools of city N there was an incident: an unknown malefactor deleted all the students' Computer Science assignments stored on the school server. The investigation brought no results, and the incident repeated a month later. Then a resident program, a keystroke logger, was installed on all workstations in the computer class. After a while information was deleted from the server again; this time a systematic study of the keyboard input logs made it possible to identify the culprit. One of the students turned out to have cracked the teacher's account password and used it to gain access to the server file system from his workstation. The culprit was exposed, and the "sabotage" ceased.

A similar incident can take place at a school or in any other organization with a corporate network. The danger of insiders lies not only in possible leaks but also in deliberate distortion or destruction of useful information. In such a case the use of monitoring tools, first, can make it possible to identify the culprit and, second, the high risk of exposure itself can deter potential malefactors from repeating actions like those described above.

The parents of thirteen-year-old Sergey M. recently began to notice oddities in their son's behavior. The teenager, who was usually sociable and open, became silent and withdrawn, stopped meeting friends and began to neglect his studies. At first, however, his parents were not too worried, attributing the changes to his awkward age. Sergey changed his style of dress; in the evenings he began to leave home or lock himself in his room, holding long conversations with someone; even his eating habits changed. Finally, his parents found an esoteric brochure among his things. Attempts at a heart-to-heart talk with their son failed: the teenager kept silent and did not engage with his parents. Then, in Sergey's absence, a resident program for recording sound through the microphone and periodically copying the screen contents was installed on his computer. A first quick review of the material collected over a few days confirmed the parents' fears: Sergey had become the victim of sect recruiters.

In this case the child was returned to the family with the help of a competent psychologist. However, it was the specialized software that helped determine the reason for the rupture in his relations with parents and peers and choose the right line of behavior. This demonstrates a possible field of application of monitoring tools within the family, as an effective way for parents to look into their children's inner world without making them feel intrusive surveillance or control of their every step. Thus, competent and timely use of monitoring technologies can help protect children from rash acts and in some cases prevent dire consequences.

To sum up, software and hardware monitoring tools are increasingly in demand both among business owners and team leaders and among private individuals. In turn, the IT market meets today's requirements by offering a considerable variety of ready-made solutions that allow the scope of employee activity monitoring to be expanded considerably and the probability of damage to the enterprise from internal attacks to be minimized.