Of all information security threats, the ‘insider’ security threat usually isn’t the image that first springs to people’s minds. Angry young men in darkened bedrooms, perhaps. Or, maybe, offices full of reclusive geniuses, hacking away at the behest of their government.
The costliest form of information security incident is none of these things. Rather, it involves those incidents, which are caused by regular, everyday staff members, acting maliciously, accidentally or obliviously to the damage they might cause by their actions, or lack thereof. In other words, causing or enabling the leak of information to people outside the organization, or even others inside the organization who shouldn’t have it.
A recent survey1 found that security incidents caused by malicious insiders cost companies an average of over $500,000 each year. Another survey2 found that every company experienced an average of six breaches like this in 2015 alone, with 75% of organizations experiencing at least one.
Forthcoming GDPR regulations3 from the EU are set to impose extremely harsh punitive fines on any company responsible for information, which contains details of its citizens, that is leaked to the public, whatever the reason. What if a staff member accidentally share a spreadsheet containing customer names and addresses? The fine could exceed €20 million. The regulators are not messing around. This qualifies, then, as a severe, even existential, risk to companies everywhere.
DEFINING THE ‘INSIDER’
For the purposes of this discussion, I am going to give a definition of the term ‘insider’. I will exclude administrators, who often have necessarily high levels of privileged access to information in order to do their job. I will also exclude ‘hackers’, who use subversive technical means to gain access to data. Rather, I am talking about regular, everyday staff members working in a business. And also, anyone to whom they have given or lost their access credentials.
WHY THE INSIDER THREAT IS DIFFERENT
Most other information security threats stem from gaps in the IT landscape. They tend to warrant predominantly technical responses at the network perimeter, such as firewalls, DMZs, intrusion detection etc. The insider security threat is different, and deserves to be thought of separately from external hacking-type threats.
It tends to occur at a granular level, one document at a time, rather than at the level of entire systems or networks. This means that effective solutions (and useful conversations about them) are much closer to the day-to-day business operations than they are to the IT teams responsible for technology. Our most vulnerable systems4 are those that store documents: our collaboration, cloud storage and file sharing systems.
There is a roughly equal split between accidental and malicious causes. As opposed to external hacking incidents, which are 100% malicious in nature, around half of all insider security incidents are accidents, even though the business impact of these incidents is no less severe. This makes every staff member a potential assailant, including your most competent and trustworthy people.
And insider incidents have a much higher likelihood of actually occurring, often going undetected for months. Our tendency to focus on stopping the ‘big incident’ overlooks the fact that the sum total impact of smaller incidents, which occur on a regular basis, can have a far greater negative impact on the business.
THE NATURE OF THE INSIDER SECURITY THREAT
Information Management is the professional discipline concerned with connecting people with the information they need to do their jobs. Insider security incidents occur when people are connected with information they shouldn’t have. So, we could think of insider security incidents as happening when Information Management fails. To understand the threat is to recognize the nature of Information Management; that is, how information is created, shared, stored and moved within organizations. There are four pillars: people, information, business environment and technology. So, when it comes to the nature of the insider threat, we can also frame it using these four pillars. Let’s list some aspects of a company’s typical reality in relation to each of the four pillars:
- Disgruntled staff
- Phishing threats and social engineering
- People constantly joining, moving and leaving
- External partners, customers and suppliers
- Poor security awareness or too busy to care
- 20% of staff are willing to sell their passwords for $1,0005
- Massive and exponentially growing volume of data
- Multiple formats, including documents, emails, images, databases and printouts
- Moving independently through different life cycle stages
- Of various sensitivities, classifications and purposes
- Constant business change – new customers, old partners, departments starting, offices closing, strategies and priorities shifting, organizational structures changing, mergers and acquisitions
- Working practices are increasingly flexible and collaborative
- Although the best intelligence about the information lies with the people in the business who are closest to the information, IT tends to be responsible for information security
- IT tends to operate at arm’s length from the rest of the business
- Sometimes we try to bridge the gap with workflow and business processes, with varying success
- Information scattered across multiple platforms of varying maturity and capability
- The rise of the cloud – offering powerful capabilities more cheaply, but also downsizing IT teams, skills and budgets
- The rise of mobile devices and workforces – everything is available everywhere, anytime
- Many security solutions and vendors competing for market share (and plenty of them with misleading claims to have the ‘silver bullet’ solution).
As with any risk, the insider threat can be stated as the likelihood of an incident, multiplied by the potential severity of an incident. So, any effective solution for minimizing the insider security threat needs to sit at the junction between all four areas at once, in order to reduce the likelihood and severity of any incident. Solutions that focus too narrowly on only one or two of these areas are only ever going to have limited overall effectiveness.
There is a wide variety of technology types relevant to insider security. Choosing which technologies are right for your business must begin with an analysis of your own specific circumstances, risks and priorities.
The following is a list of some of the relevant technology types. This is certainly not an exhaustive list, but should cover the main areas of interest for most organizations:
- Access Management – controlling and reporting on whom has access to what, and how that changes over time
- Data Loss Prevention – detecting, alerting and preventing documents and other forms of information containing sensitive details (such as credit card numbers, DOBs, social security numbers etc.) when moving across boundaries or between people in violation of business rules
- Behavioural Analytics – monitoring people’s interactions with systems and information, detecting, alerting and preventing anomalous behaviour; e.g., if a user tries to download an entire document library when they’ve not actually been involved with the information might trigger an alert for an administrator to investigate
- Data Classification – classifying information by some combination of criteria, such as sensitivity, audience or purpose, and then using those classifications to drive security behaviours in both people and technology
- Rights Management – extending and enforcing rights to interact with information in different ways, including when the information has left its host system; e.g., a person may only open a particular document if they have the rights to do so, even after the document was emailed to them outside the network.
Other technologies, such as authentication, identity management, lockboxes, CASBs, encryption, firewalls and intrusion detection, are also relevant in a general sense, but are more foundational and technical than this discussion is intended to cover.
HOW SHAREPOINT AND OFFICE 365 MEASURE UP
Some technology types relevant to the insider threat are quite well serviced through SharePoint, particularly Office 365, which is evolving rapidly. Mileage will vary for on-premises deployments of SharePoint, depending on which version of SharePoint you’re running, as well as which related technologies you’ve deployed alongside it.
- Rights Management – now generally available through Office 365; on-premises, requires Active Directory Rights Management Services (ADRMS)
- Data Loss Prevention – capabilities coming online6 in Office 365
- Behavioural Analytics – while this is not generally provided through Office 365 at present, the combination of the Audit and Graph APIs is now providing much of the big data, which are the basis for behavioural analytics – expect to see this space maturing over the next 12 to 18 months.
SHAREPOINT’S BIGGEST AND MOST DIFFICULT INSIDER SECURITY GAP
In my judgement, the biggest gap in SharePoint, in terms of the insider security threat, is, and has always been, its permissions model. Here, I am referring to on-premises SharePoint, SharePoint Online and OneDrive for Business in the collective sense, because their permissions models are effectively identical. SharePoint’s model for managing user permissions tends to be difficult to manage, especially at scale. Configuration errors, in which people have access to information they shouldn’t have, are commonplace. They are also extremely difficult to detect because doing so requires a close understanding of the people, business and technical perspectives of every individual piece of information (i.e., each of the four pillars above).
A recent survey7 (not SharePoint-specific, but certainly relevant) found that 71% of staff has access to more information than they should. Bringing this number down dramatically is very difficult. For years, Information Architects have prescribed governance processes to address this issue, but the success has always been limited. But minimizing this number is fundamental to minimizing the likelihood and severity of insider security incidents. If this number were theoretically zero (i.e., it is always the case that every person only has access to the information they need at any given moment, and nothing else), this would equate to a minimization of the insider attack surface and in turn a minimization of the risks.
HOW THIS GAP ARISES – 1. USER EXPERIENCE
Firstly, the SharePoint user experience is oriented towards information sharing, by making it easy to grant access for people to information. This is vital to facilitating collaboration and information reuse. Conversely, revoking access for people to information when it is no longer needed is much less prominent.
Take the following screenshot of a SharePoint document library as an example. There are two prominent links in the main user experience, suggesting that we expand access rights, which are circled in red. What if you want to revoke access to a document for a particular person? I count eight clicks: Context menu > … > Advanced > Shared with > Advanced > Select User > Remove User Permissions > OK. And that is only after a trigger has occurred for someone to go on this journey in the first place. In reality, however, this is just not going to happen in any normal course of events. The result is that people tend to accumulate access to information over time. Although the business circumstances, which made it appropriate for a person to have access to a piece of information, may have changed, people usually keep their access anyway. We call this phenomenon ‘privilege creep’.
HOW THIS GAP ARISES – 2. ‘WHO’ IS NOT MEANINGFULLY CONNECTED TO ‘WHY’
It is easy to grant a person access to a piece of information. It is much harder to know why this was done in the first place, unless you happen to be the person who made that decision. Even then, are you really going to remember why you gave someone access to a document at 2.00am around 18 months ago? Probably not.
How is this relevant? Well, unless we know why someone has access to something, we cannot easily reassess whether they should continue to have access to that something. It is very difficult to determine the appropriateness of access permissions in the future, especially as the information ages and people’s attention moves on. If we cannot assess that, then we cannot revoke people’s access when they no longer need it, unless we interrogate the institutional memory of those specifically involved. We certainly cannot do that automatically. Given that we may have thousands of staff, millions of documents and squillions of individual access control decisions along the way, however, the automatic approach is the only way it is ever going to work.
Indeed, SharePoint 2010 actually provided the basis for improving things in this area, when it enabled role-based access control through claims-based authentication. This allowed us, for example, to provide read permissions for a document to anyone in a given department. This was about why someone should have access, not who should have access. It was a great start.
Unfortunately, however, this functionality didn’t fully reach its potential. It required complex customization to be used in practice. It had scaling issues, was difficult to manage and, above all, could not be ‘just switched on’, unless you were a serious SharePoint expert. Even though this functionality remains in SharePoint 2016, perhaps the fatal blow was that it is not supported in Office 365.
HOW THIS GAP ARISES – 3. EMPOWERING IT, NOT THE BUSINESS
A number of vendors have tried to fill this need by providing tools, which empower IT teams to monitor, manage and audit people’s access to information, providing varying levels of aggregation across the security groups involved. But this highlights another fundamental problem – IT tends to operate at arm’s length from the rest of the business. Whoever is responsible for controlling who has access to what, as well as how that changes over time, must be in a good position to understand the context, sensitivity, purpose and nature of the information itself. This is only ever going to be those in the business who are closest to the information. It is never going to be the IT team, no matter how many business processes we create to try and bridge that gap in understanding.
Information security is one of the most defining business concerns of modern times. As practitioners of SharePoint, the biggest information management system in the world, it is our responsibility to put information security at the top of our list of concerns in everything we do.The insider threat is the most costly type of threat there is, as well as one of the most difficult to address. Given the nature of the threat lies at the junction between people, information, business environment and technology, any kind of effective solution will require a drastic shift in how we think about the problem. ■
2 http://www.pwc.co.uk/services/audit-assurance/ insights/2015-information-security-breaches-survey.html
3 https://en.wikipedia.org/wiki/General_Data_Protection_ Regulation
4 http://www.infosecbuddy.com/wp-content/uploads/2015/06/Insider-Threat-Report 2015.pdf
ABOUT THE AUTHOR
Peter Bradley has spent his career as a consultant, specializing in secure information management. His deep understanding of the nature of information flow and life cycle in organizations enables him to make a powerful and effective contribution to the information security discussion. In 2014, Peter founded Torsion Information Security. Torsion provides automated, intelligent and cross-platform information access control and reporting. Torsion helps control insider security risk, together with streamlining regulatory and standards compliance.
This article was initially published in the Cybersecurity Review and has been shared with the FIC Observatory as as part of their partnership with FIC2017.