Insider Threat: How to Minimize Risks from VendorsWith Greater Access Comes Greater Responsibility for Protecting Critical Systems, Data
At Central Bank, Lexington, KY, Chris Schum, IT Security Manager, Technology Services, says the bank uses port lockdown software to prevent data from 'walking off" with visitors. This measure also ensures that only those who need access to devices such as USB drives use them. "This software also has the added benefit of logging what files are put onto USB drives for review if necessary," Schum says.
The $1.8 billion asset bank also uses intrusion detection software to constantly monitor the network for anomalous activity that could signal an attempted attack.
The lessons Schum and his team have learned from implementing these systems include: "Even while you may believe you know exactly what's going on your network, there are a lot of surprises. Whether it be how many users have unsupported and unauthorized devices such as IPods and USB thumb drives or how insecurely some software transmits information across the internal network. Since we implemented them several years ago, these systems have been invaluable in helping us prevent, monitor and remediate security risks to our organization."
Central's approach is similar to that of many financial institutions grappling with the same challenge: How do you minimize the insider threat when you're also now maximizing the number of outsiders with access to critical systems and data?
Treat Outsiders as Insiders
When your financial institution uses third-party service providers, they should be treated with the same level of scrutiny that you give your regular employees, says Randy Trzeciak, Senior Member of the Technical Staff for the Threat and Incident Management Team in the CERT Program at Carnegie Mellon University's Software Engineering Institute. Trzeciak and his team study the insider threat and offer suggestions to minimize the risk.
Trzeciak's first recommendation: Include business partners, contractors and subcontractors as part of an institution's enterprise wide view of the insider threat. Handling the insider threat is a difficult one -- institutions need to balance trusting their employees and providing them access to achieve the institution's mission with also protecting critical assets from potential compromise by those same employees. Insiders' access, combined with their knowledge of the organization's vulnerabilities, gives them the ability and opportunity to carry out malicious activity if properly motivated.
This risk only expands with institutions' growing reliance on business partners with whom they contract and collaborate. It is important for organizations to take an enterprise-wide view of information security, first determining its critical assets, then defining a risk management strategy for protecting those assets from both insiders and outsiders.
"Anyone who is allowed access to your systems should be included in your risk assessment for insider threat," Trzeciak says. "Manage them as if they are current employees within your four walls."
An institution needs to know how it is handling and protecting data. "Make sure you are limiting access to only those people who need access, and prevent those who no longer need access from continued access once their work is completed," he advises.
A good place to start is applying the best practices from the Carnegie Mellon CERT Common Sense Guide. "By following them and extending those best practices out to the outside insiders, you'll know to do ask questions such as:
Taking into account electronic access protocols is another area that institutions should pay keen attention to, Trzeciak says. "When giving access to systems to vendors, are you giving only access rights to individuals, not a broad access, and are you removing access when that person either leaves or moves to another position at the vendor?"
At any time, an institution should be able to say "We know who has access to our data, and at what level they have access at. And you should be able to disable their access before they walk out the door," he says.
One area that Trzeciak and others have seen a problem is the creation of group accounts or shared accounts of a single privileged account. "We don't recommend that be the way. For security purposes, you should be able to monitor and see what each individual is accessing. This group account is one way the disgruntled ex-employee or contractor can gain access to systems."
Institutions in Action
Dan Veasey, CISO, Piedmont Credit Union, with $34 million in assets in Danille, VA, says his institution doesn't consider insider threats a huge problem currently, but still controls users by dual controls and logging of Internet and core system activity. He applies the same controls to external vendors with access to the credit union's systems.
His advice to other institutions on thwarting the insider threat is a simple one - "Know each of your employees and treat them well. People are much less likely to steal from people they like. I realize this is easier in a small shop like ours, but even big shops have lots of small shops within them."
One example that Central Bank's Schum points to is an instance where their IDS and web filter alerted us to connections to a Skype-type VoIP service. Upon further investigation the bank's information security response team revealed that someone -- not an employee -- was approved to use a conference rooms for a presentation, but was attempting to check something on this service while they waited for their client. In this instance, connectivity was actually prevented, but it highlights the need for proactive detection/prevention systems as an added protection measure. "While you may believe you know what's going on in your network, often times you do not," Schum says.
Schum's advice: "Every institution should do what is right for their specific business and not just rely on industry standards." One of the most common things he hears from the bank's vendors is "No other bank does it that way."
Schum ignores those vendors and their comments adding, "Putting it bluntly, that really is of no concern to us since what other banks do has no bearing on us or our customers. We feel that we understand our environment and its associated risks better than anyone. Simply maintaining the status quo will ultimately result in a loss of revenue, data and, most importantly, customer confidence."