Security – are staff your enemy? It is OK to say `quite possibly’ and let paranoia play a sensible role
- Summary:
- The staff working in a company are the weakest point for hackers to attack, and the more privileged the person, the more chance there is of a damaging hit.
The answer is quite likely to be `quite a lot’, not least because there is good evidence to indicate that they (the bad guys) really are out to get you (all employees, but especially those that can be ranked by any business as a privileged user). The upshot of this is that all employees, indeed all businesses, will have to expect to be subject to far more intrusive activities concerning their collective and individual behaviour.
The reason is simple. As cloud services make connectivity between any combination of businesses, service providers, suppliers and consumers both far easier and more fluid, those who use the services available start to need increasing amounts of self-discipline on how they use them and what they set out to achieve with them.
Some background to this problem emerged at round-table discussion held towards the end of last year that had as its core-topic, `Are Your Employees Your Enemy?’. The answer that emerged from the debate was that it is quite likely that they are, even though they don’t mean to be.
The Round Table debate was hosted by Hungarian cyber security firm, Balabit, which focuses much of its attention on user behaviour analytics. This itself is an interesting side-step from the common `pure-tech-solutions’ approach that most security vendors offer. Those solutions can be excellent at curtailing a security breach once it is underway, and remediating the situation after the attack has occurred.
Staff are the way in for hackers
Most often, however, it is through the actions or inactions of users, be they individual consumers or the most highly privileged staff in a business, that the opportunity to inject the necessary malicious code arises. It is through their behaviour that such opportunities can be found by the hackers with malicious intent.
So monitoring the behaviour of as many staff as feasible, in as near real time as possible, is a logical first line of defence in trapping attacks because most attacks vectors have the common start point of gaining access to a network through the actions of a staff member.
Most large enterprises are reckoned to have more than 200 security products running at the same time, with many layered one on top of another. Yet despite this level of defence successful attacks still happen, which suggests that just having tools is not a suitable answer. It is Balabit’s position, therefore, that the trick is using behavioural monitoring.
Founded in Budapest is 2000, Balabit predates the more widely known Splunk in its exploitation of system logs as the basis for monitoring and identifying activity on a network that is potentially malicious, or at least falls outside of approved operations and activities. This is particularly the case where users have sufficient privilege levels on their access rights to have regular access to a company’s `crown jewels’ when it comes to data and information.
The obvious question was posed to debate by Dr Lee Hadlington, senior lecturer in Cognitive Psychology & Chartered Psychologist at De Montfort University: is any detected action by a staff member an accident or a malicious act? This, in itself, is now a significant analytical issue, for the combination of complexity and openness inherent with cloud-based systems makes tracking the results of such actions difficult.
Accidents are accidents and they do happen. They are also the most difficult to trap because they happen randomly and some can end up somewhere in the system by a route that could not have been predicted.
Part of this process moves both the business and the staff member on to some sensitive ground, because it now goes beyond examining the flow of a technology process. It also means getting to grips with the profile and psychology of both the individual staff member and the culture of the business itself, as Consultant in Human and Social Engineering, Jenny Radcliffe, pointed out.
If it is a malicious attack the first thing to try and identify is a possible motive that an individual (or small team) might have. The most obvious motive is personal gain, but even that can hard to identify for it can be more than just money. It can include trying to bring someone else `down’ because of a personal grudge, such as an individual being passed over for promotion. Individuals can also have deeper problems such as personality disorders or extroversion.
Hadlington noted that there could be other motivations, such as some form of personal `plan’, often associated with the notion of escape from the daily grind. One common motive he suggested is the dream to get out of a current job and buy a Public House, so the objective becomes one of accumulating just sufficient money to achieve that.
Continuously at the vet
The basic need these days is to have a continual level of vetting of staff, particularly for evidence that might prove to be a precursor to a malicious insider attack. This, of course, is where the situation can get a bit tricky, for it starts to involve actions that some staff are likely to consider intrusive. And as Radcliffe indicated, some of them can be, as they involve finding out if members of staff are in trouble in any way, for they will be the ones with exploitable weaknesses, such as having poor credit ratings, or County Court Judgements against them.Many staff will much prefer employers not to know such things, not least because of the fear that they may be penalised in some way by the company. This can become more apparent, and important, as staff take on more responsibility and gain more privileged access to company data.
So, as Radcliffe pointed out, one of the best benefits around is if the company management can itself be as open as possible about the need for openness and reduce the fear of retribution.
The need here is to make it a positive process so that staff want to go along with the vetting process. And there should be no punishment attached. Companies could also make it a positive benefit of employment that help, advice and support is available to those open about being in need of it. This comes down to one of the key problems in most businesses – the lack of communication between the parties.
Two preconceptions often affect this communications process however. One is that managements tend to believe that the staff absolutely share their view of what represents the company culture. It is quite common that they don’t, and to make matters worse, the management has no idea this is the case.
The other is that staff are obviously scared to be seen as a boat-rocker or trouble-maker, while managements are too scared to talk openly about insider threats. It could be taken as veiled threat or accusation, or perhaps as a sign of weakness and doubt. Either way, neither side will be sharing whatever knowledge they have on how serious such possibilities might be.
As well as communication issues, there are also practical ones to confront, not least being the concern that many managements do not know where their critical information and data assets are in their system, and sometimes are not even clear about what constitutes such assets. Most important of all, perhaps, is that most will not know how those assets are protected or whether any necessary patching is up to date.
The next highest priority is monitoring those assets as to how they are being used. Who is accessing them and what are they doing with them. The key capability here is being able to monitor such activity for anomalies. This does, of course, mean having a clear set of information as to who has authorised access, when they have that access, and what processes they are permitted to then perform.
Hadlington suggested that many businesses could profit from information held at The Centre for the
Protection of National Infrastructure which addresses many of these issues of personnel and people security.According to Balabit co-founder and CEO, Zoltán Györkő, such continuous monitoring of staff and their behaviour is the best way to reduce the risk of insider security threats. Building such `people-profiles’ needs to focus particularly on privileged users as they are the staff that provide hackers with the best opportunities.
A business needs to monitor changes in behaviour while they are working under specified levels of authentication or authorisation. Are they starting to do more than allowed? But managements also be aware that this can just as easily be a sign they have discovered a legitimate process shortcut as being part of a malicious action.
My Take
Underpinning this approach to security is the idea that paranoia is a very useful cyber security tool, just so long as it is used openly and with all parties knowing it is being used. It is people that are the weakpoint in all security processes, so if focused and controlled paranoia is used, in conjunction with the right monitoring tools, then many of the roads leading hackers to successful security breaches can be closed.
But it is about communications right across the workforce of a business rather than the pantechnicon-loads of technology that most businesses opt for.