ISNow – Insider Threat

The following introduction was originally published in the BCS Information Security Now Magazine, Autumn 2009 issue (Volume 4, Issue 1), which was on the topic of Insider Threats:

“The insider threat is not new. But when companies seek to make cost savings by divesting themselves of their biggest assets, especially during a recession when uncertainty amongst the workforce is likely to be heightened and financial pressures felt more acutely, the likelihood and impact of the threat may increase. Normal controls, such as separation of duty, audit and training, may well get left behind as the remaining employees each try to do more, due to necessity and self-preservation. A company making significant changes, however, should review their risk assessments, which may show that increased controls are required.

Taking away data
Research appears to bear out the view that staff will take information when they leave a business, and may also exploit that information in any future role. Indeed, senior management and IT staff seem more likely to take information in their possession, which may be more valuable and accessible due to their roles.

Logic bombs
Recent scandals in Formula 1 have demonstrated the value of competitor intelligence, however obtained, and secret arrangements being exposed. Also, in the last few years there have been a number of cases of logic bombs, left just in case the person lost their job, and passwords being changed on departure.

Robust contracts
When dealing with an insider threat, the whole gamut of people, process and technology controls should be considered, preferably in that order, to help mitigate the risk; including robust contracts, staff screening, training, awareness, information marking, handling, access based on business need, role and least privilege, separation of duties, logging/audit, data loss prevention and so on.”

A PDF version of the magazine is available online at:

http://www.bcs.org//upload/pdf/isnow-autumn09.pdf

ISNow – Insider Threat

The following article was originally published in the BCS Information Security Now Magazine, Winter 2007/2008 issue (Volume 2, Issue 2), which was on the topic of Emerging Threats:

“Last year provided plenty of news stories about lost laptops and CDs containing masses of personal data. Confidential data wasn’t exposed by corporate systems being compromised by outsiders (foreign or otherwise) but by insiders doing dumb things, like sending unencrypted data in unregistered post.

With all the focus on complex and emerging threats it is sometimes too easy to overlook the simple threats that are still with us. Take, for example, the insider threat – not even a malicious employee or contractor, but the naïve, careless or overly helpful ones that disregard the policies designed to protect your business.

With the continuing revelations related to how the HMRC has managed our personal information over the years, and the ongoing review into breaches of data protection, I will try to avoid adding too much to the mass of speculation as to the detail of what went wrong, and take a look at some of the broader issues.

Protection of data?
Recent data losses by the HMRC, including CDs (ironically sent for audit purposes) containing some 25 million records, secured only by a password, provide excellent examples of how not to process and protect personal data. If they were a business, would they still have our custom and revenue?

Unfortunately, these losses only highlight weaknesses in internal controls and the powers and sanctions available to the Information Commissioner’s Office (ICO).

They could be fined or have their ability to process personal information curtailed, but to what gain and who would ultimately pay? Prevention is better than cure.

I welcome the Poynter Review into this fiasco and hopefully the government responds positively and swiftly to its initial recommendations on the urgent measures needed to strengthen data security at the HMRC and any further recommendations given in the full report when it comes out in the spring.

Hopefully the lessons will be learned before the launch of the new database of every child in the country – ContactPoint. This will feature name, address, gender, date of birth and a unique number for every child, as well as information about parents, carers, schools, doctors and other relevant organisations.

One of the benefits (no pun intended) this fiasco may bring is the introduction of stronger legal remedy with respect to data protection breaches and new powers for the Information Commissioner’s Office, including an effective right of audit and the ability to conduct spot checks on government data security. We can but hope.

Oh Calamity!
As for the impact – well, the sky isn’t falling; fraudsters can’t suddenly empty your bank account (unless you use personal details for authentication); identity thieves can’t steal your identity (not that they ever truly could); your children are as safe as they were before. Breathe deeply, count to 10, and continue.

That’s not to say that mislaying such personal information isn’t a concern and potentially of value to would-be fraudsters, if they were to get hold of it, as it is likely that much of their legwork would have already been done, with a large volume of fairly accurate information presented in a ready-to-use form.

The information contained on the mislaid HMRC CDs included our children’s names and dates of birth, our addresses, National Insurance numbers and the bank or building society account details used for Child Benefit payment. Not in itself a total disaster, but combined with other data bad things could happen.

Imagine, for one instance, that it wasn’t a fraudster that got hold of this sort of information, but a paedophile.

They could identify children of a particular age and gender in a local area, and know things that could be of use in grooming, such as parents’ names, address and potentially figure out what schools they attend and so on.

I don’t for one moment suspect that this is something that has happened with the CDs lost last year, but the same information is held on the HMRC database and it has already been adequately demonstrated that this has not been effectively controlled, with overly broad outputs and information retained by contractors.

Policy, schmolicy
Simply having policies in place is clearly insufficient. It may be enough to placate a disinterested auditor, but unless the policies sit within an effective framework of governance, compliance, education, authorisation and controls, you will not be able to manage your risk in an acceptable or consistent manner and will be exposed.

If the information handled by a government department has an official classification, restricted or confidential, then there are clear rules governing its storage, access, transfer and destruction. The classification (its sensitivity) relates to the impact if the information is lost or compromised.

Unfortunately, as far as government is concerned, the impact of the loss of a single record of an ordinary citizen is zero. Multiplied by 25 million it still doesn’t add up to enough to encrypt it or send it by recorded delivery. Clearly this must change if we are to trust HMG with more critical data, such as our biometrics.

What has been amusing to watch is the security vendors popping out of the woodwork espousing how their product would encrypt / authenticate / secure / audit everything and all would be well. Technology doesn’t offer a silver bullet to systemic failures to properly enforce policies, procedures and controls.

Rather, users need a modicum of common sense, to realise that our policies are there for a reason, have an understanding of the implications of their actions and to admit, and learn from, any mistakes. Security education is an absolute must, and should include coverage of any legal obligations, such as data protection.

Your information is out there
In an amusing aside to a talk at a recent BCS Information Security Specialist Group seminar on industrial security, Ken Munro of SecureTest gave a worked example of how much information on an individual can be readily gleaned from freely available online sources. For his example, he chose one Richard Thomas.

Well, the job (Information Commissioner) was easy, and so too was date of birth, place of birth, address, mother’s maiden name, email address, education and career history, work and travel arrangements, where he banks and types of accounts, plus plenty of other background information including details on his family.

Our Information Commissioner is not alone in revealing information about himself online; Alex Allan, the new head of the Joint Intelligence Committee (JIC), reveals his home address, phone numbers, private interests and photos of himself, friends and family – he oversees MI5, MI6 and GCHQ – and he’s not alone.

All our information, to a greater or lesser extent, is available online. It could be in government or business populated information repositories – such as registers (births, marriages, deaths or electoral roll) and directories (telephone or business) – or it is information we have actively provided or put online ourselves.

What have you put online on social or business networking sites, photo galleries, blogs, websites, newsgroups, forums – directly or indirectly? What inferences can be made? This is on top of any private communications or photos that someone could forward or post online. You have only yourself to blame.

As future employers, and even educational establishments, make more use of online information, past comments or indiscretions may come back to haunt you even years hence. Seen in context, name, address, National Insurance number and bank details may seem like small change versus employment problems.”

A PDF version of the magazine is available online at:

http://www.bcs.org/upload/pdf/isnow-winter08.pdf