In its 2011 Data Breach Investigations Report, Verizon Business reported that 17% of the data breaches it investigated in 2010 involved internal agents. That is 31 percentage points lower than in 2009, but the drop is mostly an artifact of the exploding share of breaches attributed to external agents (up 22 points), which is no surprise. The bottom line is that the absolute number of insider breaches has not changed much over the last couple of years, so this is a phenomenon you still have to watch closely.
Not all insider breaches are deliberate, although according to Verizon the deliberate ones account for 93% of them. The rest are caused by clumsy, thoughtless or untrained employees making mistakes and acting inappropriately. Let me give you a quick example.

Consider an employee who works from home from time to time on his company laptop. Company policy requires him to connect to the corporate network through an SSL VPN session, which gives him confidentiality and integrity on the wire. Establishing that secured connection is the only way for him to reach company resources remotely, so he actually has no choice. Furthermore, a host checker scans his laptop before the VPN session is established, notably to make sure nothing malicious is present, and keeps checking that nothing infects the machine while the session is up.

A while later our employee is done with his work and wants to quickly book tickets for a concert. Being a conscientious person, and because this is private use, he terminates the SSL VPN session and browses the Web directly from his laptop. And then guess what? Just his luck! His machine gets infected. No host checker is running in the background anymore, there is no visible evidence that anything went wrong, and the result is an infected host that nobody is aware of.

The next morning our employee returns to the office, walks straight past the most proven firewalls and detection systems, and naturally plugs his laptop back into the network. Because no local access control mechanism is in place, the malicious code starts spreading across the entire organization as soon as the laptop is switched on, causing major damage.
Can we really blame this employee? Did he adopt a risky posture? Did he act carelessly? Probably not. We could make him aware of this risk and give him some extra training, but that is more or less it. No, the reality is that it is the IT organization's responsibility to put in place a system that mitigates this type of risk.
Another interesting element highlighted in the Verizon report is that you don't need superuser privileges to deliberately steal data or to cause major problems on the network.
So what's the challenge here? Traditional security assumed that the threats enterprises needed to protect against came from somewhere outside their network. As a result, security deployments focused mainly on perimeter-based protection. This is where the model weakens: the insider threat opens up a whole new attack vector that completely bypasses the perimeter strategy, however strong it may be, as my little example above demonstrates.
Another factor that must be taken seriously is the proliferation of smartphones and tablets we are now seeing. By nature these devices are meant to be used first and mainly on public networks, but they are increasingly used on the internal network as well (the BYOD effect). This multiplies the risk of bringing malicious code into your organization.
Whatever the cause of the insider threat, good employees unknowingly doing bad things or bad employees exhibiting bad behavior, and regardless of the motivation behind an employee committing the threat, the results can be devastating to your organization. The remedy consists of putting in place a comprehensive solution to address and mitigate these insider threats, notably by:
The good news is that Juniper Networks has done the heavy lifting when it comes to securing your business against the insider threat. We can deliver this comprehensive security approach with our Adaptive Threat Management and Network Security Access Control solutions. The key features and benefits are:
This ensures identity-aware networking across the board, for both local and remote users, whether employees, partners, contractors or guests, just to name a few, using any kind of device and connecting from anywhere.
Just a suggestion: try to apply my little example to your own organization and see what the result is. If you come to the conclusion that your existing security defenses cannot effectively stop such an insider threat, it is a matter of urgency to take some quick action. Otherwise you expose yourself and your organization to major risk.
Imagine your company’s name being inserted in this headline: “Data Breach at (name) results in 3 day business outage costing millions”
And this is not going to decrease over time with the big BYOD wave surging these days. Finally, don't expect your users to always behave appropriately; they are only human.