Dan GriffinHappy New Year and welcome to the sixth edition of the JW Secure Informer, our bi-monthly newsletter. This is an opportunity to share what’s on our radar, specifically with respect to enterprise network security, but also regarding IT and business more generally.

The Informer is intended to be useful content and good for a quick read. So if it’s just clutter in your inbox, we’ve failed, and I hope you’ll let us know.

2010: The Year of the Insider Threat

Two high-profile news stories in 2010 served as a reminder of the tough challenges faced by IT managers, specifically regarding insider threats. That is, the potential damage that can be caused, intentionally or unintentionally, by people with privileged access to data and systems.

The first insider threat story of note from 2010 is WikiLeaks. At first blush, the type of threat represented by WikiLeaks is this: people can take sensitive information from inside an organization, publish it to a forum designed for that purpose, and make a big splash. But more generally, the threat is of any sort of unauthorized disclosure (e.g. classified data; software source code; a customer list; etc.), and it’s important to note that it can happen maliciously or accidentally.

Mitigation of the unauthorized disclosure risk can be a major effort. Organizations must undertake the time-consuming and frequently ambiguous process of:

  1. Locating and classifying data
  2. Determining who has access to that data, who should have access, how, and when
  3. Instituting the necessary access controls for enforcement
  4. Auditing access and archiving logs

Even so, discretionary access controls don’t protect the organization against rogue insiders who are authorized to access certain information but not to disclose it externally. Some additional protection is afforded by commercial Data Loss Prevention (DLP) technologies, but it is infeasible to guard against every possible way that sensitive data can be exfiltrated or disclosed. The importance of the human element – including instituting periodic vetting of personnel in a manner commensurate with the risk – cannot be overlooked, and neither can the importance of being prepared in advance to respond to a disclosure incident when one occurs.

The second prominent insider threat story from 2010 is StuxNet. StuxNet makes an interesting contrast to the WikiLeaks story for two reasons. First, it reinforces the point that the insider can be innocent, albeit careless. While it’s admittedly unclear to what extent user carelessness played a role in the propagation of StuxNet, the takeaway for the rest of us is clear: a trusted user can, for example, introduce an infected USB key into the vulnerable internal LAN. User education is crucial.

But StuxNet also reminds us of the importance of two parallel efforts: secure configuration on the part of the IT organization and the disciplined employment of Security Development Lifecycle practices on the part of software vendors.