When former Transportation Security Administration employee Douglas Duchak was indicted last week for attempting to load malicious code onto agency servers, it should have served as a reminder that insider threats are not idle ones. Paying lip service to the seriousness of insider threats while doing nothing concrete to combat them does not help.
Recently, I had the chance to speak with PacketMotion VP Jonathan Gohstand about the threat posed by insiders, particularly the so-called "super-users" who hold administrative privileges on the network. PacketMotion provides software specifically designed to monitor the activity of users inside the network and help mitigate the risk of attack from the inside. The most common problem he sees is a failure to control internal user activity. He said:
[A]lthough organizations generally claim they are aware of the potential for insider threat, their actual spend on IT security reveals almost all of it goes to either protecting the edge of the network, or to fighting malware. Very little goes to monitoring and controlling internal user activity.
Two of the most important means of doing so, he says, are to avoid creating "super-user" accounts where they aren't necessary, and to "implement audit controls specific to privileged accounts, with an element of segregation of duties to make the control viable." All too often a single "admin" account is shared by the entire IT staff, which makes it impossible to go back and determine who did what when something goes wrong.
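To make the attribution problem concrete, here is an added example (my own illustration, not code from the article or from PacketMotion) that parses constructed Linux auth-log lines: sudo records carry the name of the person who invoked the command, so they can be attributed to an individual, while interactive logins to a shared "admin" account cannot, and the same shared account arriving from two different workstations is the usual sign that several people are using one credential. The host name, account names, addresses and log lines are all made up for the example, and the set of accounts treated as shared is a hypothetical policy list.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample auth-log lines (not taken from the article or any real host):
# sshd login records and sudo records in the usual syslog layout.
SAMPLE_AUTH_LOG = """\
Mar  1 09:12:03 web01 sshd[2011]: Accepted password for admin from 10.0.0.15 port 50212 ssh2
Mar  1 09:12:41 web01 sshd[2011]: pam_unix(sshd:session): session opened for user admin by (uid=0)
Mar  1 09:13:07 web01 sshd[2042]: Accepted password for admin from 10.0.0.22 port 50918 ssh2
Mar  1 09:14:55 web01 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  1 09:15:20 web01 sudo:      bob : TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/useradd deploy
Mar  1 09:16:02 web01 sudo:      bob : TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/passwd deploy
Mar  1 09:17:45 web01 sshd[2103]: Accepted publickey for alice from 10.0.0.31 port 51002 ssh2
Mar  1 09:18:10 web01 sudo:    alice : TTY=pts/3 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/cp /etc/shadow /tmp/s
"""

# Hypothetical policy list: accounts known to be shared by several people.
SHARED_ACCOUNTS = {"admin", "root"}

# sudo logs the invoking user, the target user and the command on one line.
SUDO_RE = re.compile(
    r"sudo:\s+(?P<actor>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)
# sshd logs the account that was logged into and the client address.
SSH_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?:password|publickey) for (?P<account>\S+) from (?P<src>\S+)"
)


@dataclass(frozen=True)
class PrivilegedAction:
    actor: str    # named person who invoked sudo
    target: str   # account the command ran as
    command: str


@dataclass(frozen=True)
class Login:
    account: str  # account that was logged into
    source: str   # client address


def parse_auth_log(text: str) -> Tuple[List[PrivilegedAction], List[Login]]:
    """Split the log into sudo actions (attributable) and interactive logins."""
    actions, logins = [], []
    for line in text.splitlines():
        m = SUDO_RE.search(line)
        if m:
            actions.append(PrivilegedAction(m["actor"], m["target"], m["cmd"].strip()))
            continue
        m = SSH_RE.search(line)
        if m:
            logins.append(Login(m["account"], m["src"]))
    return actions, logins


def actions_by_actor(actions: List[PrivilegedAction]) -> Dict[str, List[str]]:
    """Who ran what as root: the record a shared admin account never gives you."""
    out: Dict[str, List[str]] = defaultdict(list)
    for a in actions:
        out[a.actor].append(a.command)
    return dict(out)


def unattributable_logins(logins: List[Login], shared: Set[str]) -> List[Login]:
    """Sessions on a shared account: anything done inside them has no named owner."""
    return [lg for lg in logins if lg.account in shared]


def shared_account_use(logins: List[Login], shared: Set[str]) -> Dict[str, Set[str]]:
    """Shared accounts seen from more than one client address, the usual sign
    that several people are using the same credential."""
    sources: Dict[str, Set[str]] = defaultdict(set)
    for lg in logins:
        if lg.account in shared:
            sources[lg.account].add(lg.source)
    return {acct: srcs for acct, srcs in sources.items() if len(srcs) > 1}


if __name__ == "__main__":
    actions, logins = parse_auth_log(SAMPLE_AUTH_LOG)
    for actor, cmds in actions_by_actor(actions).items():
        print(f"{actor}: {len(cmds)} privileged command(s)")
        for c in cmds:
            print(f"    {c}")
    for lg in unattributable_logins(logins, SHARED_ACCOUNTS):
        print(f"unattributable session: {lg.account} from {lg.source}")
    for acct, srcs in shared_account_use(logins, SHARED_ACCOUNTS).items():
        print(f"shared credential in use: {acct} from {sorted(srcs)}")
```

On the sample data the report ties the copy of /etc/shadow to alice and the account creation to bob, while the two "admin" sessions from 10.0.0.15 and 10.0.0.22 are flagged as a shared credential with no individual owner. Moving from one shared administrator login to named accounts plus sudo is what turns the second kind of record into the first, which is the point Gohstand makes about audit controls for privileged accounts.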
The key is to focus on operational efficiency when designing the security architecture. It doesn't matter how good the tools are if the limited staff available can't realistically use them. The advantage for small and medium-sized businesses is that it is typically easier to identify the assets (servers, applications, etc.) that are truly mission critical, and then to implement a simple, consistent control model across that asset base.