New study emphasizes the risk posed by insider threats

Published 19 February 2009

Many information security programs focus on preventing unauthorized outsiders from accessing an information system; insiders, however, often are in a better position to cause just as much damage because they are trusted by their organization

A U.S. Defense Department-sponsored organization has issued a report that illustrates how vulnerable an operational information technology system can be to threats from the inside of an organization. The Information Assurance Technology Analysis Center (IATAC) published The Insider Threat to Information Systems: A State of the Art Report to help define what constitutes an insider attack and how government, industry, and academia are addressing these threats. The report also presents best practices government and industry can use to mitigate potential attacks.

IATAC is one of ten information analysis centers managed by the Defense Technical Information Center, which serves the Defense Department community as a central resource for department- and government-funded scientific, technical, engineering, and business research. IATAC provides the Defense Department with emerging scientific and technical data in support of information assurance and information operations.

Gene Tyler, IATAC’s director, shares that IATAC publishes approximately one state-of-the-art report (SOAR) each year. “Because IATAC handles information assurance and cybersecurity-type issues, our steering commission suggested insider threats would be a good topic to research” for a new SOAR, he says.

Tyler notes that contributors assigned to a particular SOAR are chosen “because they have the best knowledge” of the topic. “We connect with organizations that have a vested interest in the topic, creating a collaborative effort across government, academia and industry,” he says.

Signal Connections’ Katie Packard writes that the SOAR on insider threats explains that many information security programs focus on preventing unauthorized outsiders from accessing an information system. Insiders, however, often are in a better position to cause just as much damage because they are trusted by their organization, it states. Contributors to the report defined an insider as a person within an organization who has privileged access to the organization’s information, information systems or facilities. This can include a former employee or someone who formerly held such privileges. An insider attack is defined as an abuse of these privileges that interferes with resources or impedes the organization’s mission.

Report authors also looked at how organizations are responding to the potential for insider incidents. Insider threat solutions have often relied on intrusion detection system technologies turned inward, but, the authors found, more organizations are adopting products that focus on host-level activities, including behavior profiling to help distinguish accidental misuse from truly malicious activity.

For example, the national security sector has concentrated on threats made possible by malicious code, unauthorized access to data, exfiltration of sensitive data, and alterations to system activity and system topography. The national security sector uses traditional counterintelligence and information assurance programs to safeguard against such threats, but it also has been working to adopt new technologies to monitor, detect, prevent and recover from insider incidents. These new prevention methods include a multipart technical solution that features host and network anomaly detection capabilities and a correlation engine that analyzes the anomaly data.
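As an added illustration (not code from the IATAC report or the article), the correlation step described above in miniature: constructed host and network anomaly events are joined per host inside a time window, so that a bulk read of sensitive files followed by a large outbound transfer is scored as possible exfiltration, while a bulk read with no network counterpart is only queued for review, the accidental-versus-malicious distinction the report's authors mention. All event fields, host names, destinations and the 30-minute window are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Anomaly:
    ts: datetime   # when the sensor raised the anomaly
    host: str      # endpoint the anomaly concerns (join key across sensor types)
    kind: str      # sensor-assigned anomaly type
    detail: str    # free-text context carried into the finding

# Constructed sample data: host sensors report per-user behaviour anomalies,
# network sensors report per-host traffic anomalies. None of this is real telemetry.
HOST_ANOMALIES = [
    Anomaly(datetime(2009, 2, 18, 22, 5), "ws-17", "bulk_file_read", "user=jdoe files=1340 share=fs01/contracts"),
    Anomaly(datetime(2009, 2, 18, 22, 1), "ws-17", "off_hours_login", "user=jdoe"),
    Anomaly(datetime(2009, 2, 18, 14, 30), "ws-42", "bulk_file_read", "user=asmith files=900 share=fs01/hr"),
]
NETWORK_ANOMALIES = [
    Anomaly(datetime(2009, 2, 18, 22, 19), "ws-17", "large_outbound", "dst=203.0.113.9 bytes=2147483648"),
    Anomaly(datetime(2009, 2, 18, 9, 0), "ws-08", "large_outbound", "dst=198.51.100.5 bytes=734003200"),
]

WINDOW = timedelta(minutes=30)  # assumed correlation window


def correlate(host_events, net_events, window=WINDOW):
    """Return (host, severity, reason) findings from joined host and network anomalies.

    A bulk read followed by a large outbound transfer from the same host within
    the window is the exfiltration pattern; an off-hours login raises severity.
    A bulk read with no network counterpart is queued for review rather than
    alerted on, since it may be accidental or legitimate misuse.
    """
    findings, matched_hosts = [], set()
    for net in net_events:
        related = [h for h in host_events
                   if h.host == net.host and timedelta(0) <= net.ts - h.ts <= window]
        kinds = {h.kind for h in related}
        if net.kind == "large_outbound" and "bulk_file_read" in kinds:
            matched_hosts.add(net.host)
            sev = "high" if "off_hours_login" in kinds else "medium"
            findings.append((net.host, sev, "bulk read then large outbound: " + ", ".join(sorted(kinds))))
        elif net.kind == "large_outbound":
            findings.append((net.host, "low", "large outbound with no host anomaly in window: " + net.detail))
    for h in host_events:
        if h.kind == "bulk_file_read" and h.host not in matched_hosts:
            findings.append((h.host, "review", "bulk read without network anomaly: " + h.detail))
    return findings


if __name__ == "__main__":
    for finding in correlate(HOST_ANOMALIES, NETWORK_ANOMALIES):
        print(finding)
```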

Packard writes that the report’s authors recommend a series of best practices for organizations to adopt to help prevent insider attacks. “We always want organizations to have good policies and procedures and to adhere to them,” Tyler shares. “Make sure you have password changes; make sure you audit capabilities. That way, you’re checking at all levels to make sure there isn’t a problem.”

Prevention, however, does not come just from one source. “No information assurance professional will ever say one prevention solution is the best. It’s always a combination of defense in depth and defense in breadth. Be ever on guard,” Tyler cautions.

If you are interested in obtaining a copy of the report, you may do so by contacting IATAC directly.