Looking Out for Insider Threats DC

Stacey McDaniel

If the topic of protecting against insider threats makes many a government IT worker shudder, it's for good reason. Besides the millions of people employed by government agencies, the number of federal civil servants is on the rise, as is the number of people working for government-funded contractors and organizations that receive government grants. Add to that the number of postal workers and military personnel, and the "true size" of the federal government is around 14.6 million employees, according to Paul C. Light, government professor at New York University.

That's a lot of insiders.

IT threats from employees or contractors are a real problem -- and one of the most difficult problems managers must face because of the trusted position that insiders have. Various research estimates that up to 80% of security threats come from someone inside the organization. All it takes is one person to cause irreparable damage to an agency's data, systems, operations and reputation. The federal government's dependence on interconnected networks and communications systems significantly increases the risk of harm that could result from malicious inside activity. Therefore, it's critical that government agencies educate their employees to watch out for tell-tale characteristics of an attacker, and to employ security solutions designed to detect and deter these threats.

Identifying behaviors
Being able to recognize certain behaviors or traits commonly exhibited by employees preparing for an IT attack can help thwart a potential problem. The findings of a survey conducted by the U.S. Secret Service in 2006 show that internal compromises of computers and networks aren't an impulsive undertaking -- most are planned in advance. This means that educated employees and alert managers can often spot signs of potential attackers before a problem escalates.

Here are some of the other findings from the Secret Service study:

• 80% of insiders who launched attacks on their companies had exhibited negative behaviors before the incident.
• 92% had experienced a negative work-related event, such as a demotion, transfer, warning, or termination.
• At the time of the incident, 59% were former employees or contractors, while 41% were still on the company payroll.
• Of the former employees, 48% had been fired, 38% had resigned, and 7% had been laid off.
• 86% were employed in a technical position. Of those, 38% were system administrators.
• 21% were programmers, 14% were engineers, and 14% were IT specialists.
• 96% of the inside attackers were male.
• Just under one-third of the insiders had an arrest history.
• 57% of insiders were perceived by others to be disgruntled.
• The majority of insiders compromised computer accounts, created unauthorized backdoor accounts, or used shared accounts in their attacks.
• Remote access was used to carry out the majority of the attacks.
• The most frequently reported motive was revenge.

In June 2007, the Office of the National Counterintelligence Executive their own set own set of guidelines, intended to help government employees know how to identify, and then report, behavior that is indicative of a potential insider threat.

Security precautions
While securing the IT perimeter from external threats is essential, knowing and controlling who does what inside the perimeter is equally important. This requires network access control as well as endpoint and database security solutions.

Network Access Control makes sure that each endpoint connected to the networks is compliant with the agency's security and access policies. This stops unauthorized endpoints from gaining access and also prevents compromises from remote employees.

Endpoint Protection proactively analyzes application behaviors and network communications to detect and block attacks. Should a disgruntled insider try to run exploits like rootkits or spyware on an internal endpoint, this activity will be detected before it happens. Protection features also block read/write/execute commands from removable drives and prevent unauthorized applications from running on protected systems.

Database Security detects malicious database activity from legitimate users and provides an audit trail for all database activity. The solution's intelligent profiling technology automatically learns "normal" database usage patterns and alerts administrators when suspicious activity occurs.

The government is brimming with employees and contractors who have been given some form of access to the networks and communications systems on which our government operates. At the same time, insider threats are becoming more common, and they can be especially difficult to detect and thwart. Government IT systems hold information crucial to our national security, and can't afford the risk of an internal compromise. However, knowing the warning signs to look for and combining that knowledge with internal IT security measures are the best ways to keep the government's networks secure and national security intact.

Stacey McDaniel has been writing about high-tech issues for more than six years.