Security Notes
Detecting the Enemy Within
Gideon Samid / Gideon@AGSgo.com
In the overwhelming majority of cases, cyber-criminal activity is carried out, or at least involves, a trusted insider. But though most of our clients know this, they still don’t take action. The reason is obvious: Any hunt for that rotten apple is likely to spoil camaraderie in the office, which after all is built on trust among employees. The sentiment I hear quite a lot is: “I don’t want to cast a shadow of suspicion on 130 employees with data privileges … it’s too high a price!” To this, we say, “Fair enough! Let’s regard this as a constraint and work around it!”
There are several things to do: 1. deterrence; 2. entrapment; 3. reshuffling; 4. tagging; 5. community ranking. Taken together, they present an effective means to meet the challenge.
Deterrence: We find that it is quite helpful to develop a list of omissions and commissions that employees should be aware of as activities or defaults that might aid and abet a hacking attempt against the company. We then ask employees to initial every item on the list, and undersign the entire list. This may be an annual ritual. Such a list will flush out innocent-looking activities that might be exposing sensitive data (for example, forwarding outside the company an innocent e-mail, such as a joke, that nonetheless features a rich list of high-level co-recipients and their personal e-mail addresses).
Entrapment: This is effective but expensive. Security consultants may put up an enticing data file, known as a honeypot, hoping to lure a criminal mind. Some even advertise the honeypot as deterrence. The downside here is that innocent employees may be concerned that a normal act of curiosity will be interpreted as “falling into the trap,” and a sense of unease may prevail.
Reshuffling: This amounts to moving people around with respect to accessible data and coworkers. Keeping track of who had which data privilege when might help a future forensic effort to understand a security event.
Tagging: This comes in several flavors. For example, data reports may be slightly altered by a dedicated computer applet such that each recipient gets a “tagged” copy. If that tag shows up in the forensic analysis of a security event, then it points to its source. Also, there are several cryptographic protocols that track data movement and data custody. Cipher systems that require two keys for encryption and one key for decryption will help track the identity of the sender of a piece of data by having each employee use a secret second key and requiring all critical data movements to be encrypted.
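As an added illustration of the tagging idea (not the column's own applet), the following script gives every recipient a copy of a report that differs only in harmless rewordings, keeps the mapping as the forensic record, and reads the tag back from whatever surfaces later. The report text, the phrase substitutions and the recipient names are constructed assumptions.

```python
"""Per-recipient tagging of a distributed report.

Added example, not the column's own applet: the report text, the phrase
substitutions and the recipient names are all constructed."""

from typing import Dict, List, Optional, Tuple

# Constructed sample report, one sentence per entry.
MASTER_REPORT = [
    "Q3 revenue grew 12 percent over the prior quarter.",
    "Headcount in engineering is expected to rise in Q4.",
    "The board will review the acquisition proposal in November.",
    "Customer churn remained below the 3 percent target.",
    "A vendor audit is scheduled for the first week of December.",
]

# One meaning-preserving rewording per sentence. Each sentence thus carries
# one bit: 0 = master wording, 1 = alternative wording. Five sentences give
# 2**5 = 32 distinguishable copies; add substitutions for more recipients.
SUBSTITUTIONS = [
    ("12 percent", "12%"),
    ("is expected to rise", "is projected to rise"),
    ("will review", "is to review"),
    ("remained below", "stayed below"),
    ("is scheduled for", "is planned for"),
]


def capacity() -> int:
    """Number of distinct tagged copies this substitution table can produce."""
    return 2 ** len(SUBSTITUTIONS)


def tag_report(recipient_id: int) -> List[str]:
    """Return the copy whose wording pattern encodes recipient_id in binary."""
    if not 0 <= recipient_id < capacity():
        raise ValueError("recipient id exceeds tagging capacity")
    tagged = []
    for i, (sentence, (orig, alt)) in enumerate(zip(MASTER_REPORT, SUBSTITUTIONS)):
        bit = (recipient_id >> i) & 1
        tagged.append(sentence.replace(orig, alt) if bit else sentence)
    return tagged


def distribute(recipients: List[str]) -> Dict[str, List[str]]:
    """Give every recipient a distinct copy; the returned map is the forensic record."""
    if len(recipients) > capacity():
        raise ValueError("more recipients than distinguishable copies")
    return {name: tag_report(i) for i, name in enumerate(recipients)}


def recover_bits(leaked_text: str) -> List[Optional[int]]:
    """Read back one bit per substitution from whatever text surfaced.

    A sentence that is missing, or that the leaker reworded (neither wording
    present, or both present), yields None, so partial leaks still help."""
    bits: List[Optional[int]] = []
    for orig, alt in SUBSTITUTIONS:
        has_orig, has_alt = orig in leaked_text, alt in leaked_text
        if has_orig == has_alt:      # neither or both: no usable evidence
            bits.append(None)
        else:
            bits.append(1 if has_alt else 0)
    return bits


def identify(leaked_text: str, recipients: List[str]) -> Tuple[List[str], int]:
    """Return the recipients whose tag agrees with every recovered bit, plus
    the number of bits recovered. A complete copy narrows this to one name;
    a fragment may leave several candidates rather than a false certainty."""
    known = [(i, b) for i, b in enumerate(recover_bits(leaked_text)) if b is not None]
    candidates = [
        name for idx, name in enumerate(recipients)
        if all(((idx >> i) & 1) == b for i, b in known)
    ]
    return candidates, len(known)


if __name__ == "__main__":
    staff = ["alice", "bob", "carol", "dave"]      # constructed names
    copies = distribute(staff)
    leaked = "\n".join(copies["carol"])            # a full copy surfaces
    print(identify(leaked, staff))                 # (['carol'], 5)
    fragment = copies["dave"][0]                   # only one sentence surfaces
    print(identify(fragment, staff))               # (['bob', 'dave'], 1)
```

The point of returning a candidate list rather than a single name is the forensic caveat: when only a fragment of a report leaks, the tag may narrow the source to a few recipients, and the analyst should say so instead of accusing one person on partial evidence.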
Community Ranking: The idea is that the people who work with the “rotten apple” are the most likely to sense who it is. The problem is that asking team members to rat out a traitor is very Gestapo-like, and I have yet to see any boss opt for it. Instead we propose that every team member be told that his or her private passwords and work secrets should be entrusted to another employee in the company, so that in case of the member’s sudden incapacitation the company can retrieve the member’s files. Each team member is simply asked to identify which other team member he or she wishes to entrust with those secrets—just in case. In practice we work with some variations on this idea (elaborated on in my book The Unending CyberWar), but the principle is simple.
Asking who is more trustworthy than the rest yields a rank-ordered list of the team members according to trustworthiness. What to do with this list is another question. If the team is exposed to vital corporate secrets, then those on the bottom of the list may be considered for re-allocation or for closer scrutiny (e.g., tagging).
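The following added example (not from the column or the book it cites) turns a set of “whom would you entrust with your passwords” nominations into the rank-ordered list described above. The names are constructed. The plain nomination count is the ranking the column describes; the trust-weighted variant is an extension of my own, in which a nomination from a colleague who is widely trusted counts for more, and it is labelled as such in the code.

```python
"""Community ranking from trust nominations.

Added example, not the column's or the book's method: names are constructed,
and rank_weighted() is an extension beyond the plain count the column gives."""

from collections import Counter
from typing import Dict, List, Tuple

# Constructed nominations: each employee names one colleague to be entrusted
# with his or her passwords and work secrets.
NOMINATIONS = {
    "alice": "carol",
    "bob": "carol",
    "carol": "alice",
    "dave": "alice",
    "erin": "dave",
    "frank": "dave",
    "grace": "carol",
}


def problems(nominations: Dict[str, str]) -> List[str]:
    """Everyone must name exactly one other current team member."""
    found = []
    for who, trustee in nominations.items():
        if trustee == who:
            found.append(f"{who} nominated themselves")
        elif trustee not in nominations:
            found.append(f"{who} nominated {trustee}, who is not on the team")
    return found


def rank_by_count(nominations: Dict[str, str]) -> List[Tuple[str, int]]:
    """The column's ranking: order the team by how many colleagues chose them.
    Ties are broken alphabetically so the output is deterministic."""
    if problems(nominations):
        raise ValueError("; ".join(problems(nominations)))
    counts = Counter(nominations.values())
    return sorted(((p, counts.get(p, 0)) for p in nominations),
                  key=lambda t: (-t[1], t[0]))


def rank_weighted(nominations: Dict[str, str]) -> List[Tuple[str, int]]:
    """Extension (assumption, not the column's method): each nomination is
    worth 1 plus the nominator's own nomination count, so being chosen by
    people who are themselves trusted counts for more."""
    if problems(nominations):
        raise ValueError("; ".join(problems(nominations)))
    counts = Counter(nominations.values())
    weighted: Dict[str, int] = {p: 0 for p in nominations}
    for who, trustee in nominations.items():
        weighted[trustee] += 1 + counts.get(who, 0)
    return sorted(weighted.items(), key=lambda t: (-t[1], t[0]))


def scrutiny_candidates(ranking: List[Tuple[str, int]]) -> List[str]:
    """Bottom of the list: everyone sharing the lowest score, returned as a
    group because the ranking cannot distinguish among them."""
    lowest = ranking[-1][1]
    return [p for p, s in ranking if s == lowest]


if __name__ == "__main__":
    print(rank_by_count(NOMINATIONS))
    print(rank_weighted(NOMINATIONS))
    print(scrutiny_candidates(rank_by_count(NOMINATIONS)))
```

On the constructed data the two rankings disagree at the top: carol collects the most nominations, but alice is chosen by the two most trusted people and moves ahead under the weighted score. Either way the bottom group is the same four people nobody nominated, and they are reported together, since a list that breaks their tie alphabetically would imply a distinction the data does not contain.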
Procedures aside, unfaithful employees hit in the soft places: the heart, the faith, the sense of wholesomeness. You cut a check for your people, you regard them as colleagues who share a goal and work together. It’s very painful to admit that even one in a thousand is flagrantly abusing you, working against your interests, betraying you and the rest of the team. For most executives, this heartache is the reason they prefer to ignore the statistics and hope against hope that in their shop—in their professional family—it’s different!
The challenge of the enemy within is the most sensitive aspect of cyber security. Once we internalize this fact, we are on our way to a solution.