- August 19, 2015
- Info notes
Shortly after the leak of data from Hacking Team, news agencies reported that former employees of the company were under investigation. The company CEO had previously filed a complaint against these people for revealing the company's trade secrets. In another case, early in August 2015, Australian court documents revealed that an employee of the Australian Department of Defence copied a document labelled "Secret" to a CD-ROM, and published it on a public forum.
While these investigations are not over yet, they are good examples of the Insider Threat.
By definition, insiders have access to information that can be considered sensitive in nature. Employees of the Human Resources (HR) department need to know personal information; those of the Marketing department have access to sales figures and product strategies; and intelligence analysts have access to classified information. This is standard practice: companies and organisations rely on their employees and hence give them the access they need in order to perform their tasks. It becomes a problem when insiders abuse the information they have access to: HR employees can abuse personal data to stalk other employees; marketers can leave the company with customer lists or sell designs of future products to the competition; analysts can become spies or whistle-blowers.
Information leak due to insiders can be intentional or not. The following list covers the most common causes:
- Money: a recent survey shows that a large proportion of polled employees would leak information for surprisingly small amounts of money (caveat: this survey was commissioned by a company that sells products whose purpose is to prevent data leakage);
- Ideology: when the goals of the organisation and the personal goals of the employee are in contradiction, the latter may choose to leak sensitive information in order to punish their employer, or to prevent the employer from achieving its goals;
- Carelessness: people privy to sensitive information can leak it unwillingly, by being overheard in public places, or on public online forums;
- Convenience: employees who wish to work from home, or need to collaborate with remote colleagues, sometimes copy sensitive data to external sites for later retrieval;
- Loss: laptops and removable media can be lost or stolen.
It should be recognised from the start that there is no silver bullet against the insider threat. By its very nature, it cannot be completely avoided. As always in such cases, the threat can only be addressed through a set of different measures, not only technical. Even with extensive resources, a residual risk will always remain.
Data Classification Policy and Acceptable Use Policy
The Acceptable Use Policy (AUP) and the Data Classification Policy are the foundation of leak prevention. Among other things, they inform all users of
- Who owns information;
- How information is classified;
- The technical measures in place to limit access to information;
- The processes that grant access to information;
- The allowed usage of information;
- The consequences of violations of the policies.
While it is not possible to limit access to the information people need to perform their duties, it is possible to restrict access to other kinds of information. For example, HR employees need not necessarily have access to product designs. The proper use of Role-Based Access Control (RBAC) technologies meets this requirement.
Fine-grained access controls require a lot of work from the information owners, who grant access to information: the finer-grained the access control, the more requests there are to deal with. The IT department implementing such controls will also have proportionately more work. Every organisation has to balance its business needs and the workload on IT and information owners against the level of control it wants over information.
An audit trail keeps a record of who accessed what information, and when. While it does not prevent any data leak, it can help mitigate the consequences of a leak by identifying its source. It serves as a source during forensic investigations, and as evidence in the case of disciplinary actions.
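The two preceding paragraphs, RBAC and the audit trail, fit together naturally in code. The following is an added example (not from the ENISA note): each role is granted only the information categories it needs, every access decision, granted or refused, is appended to an audit trail, and the trail is queried afterwards to narrow down who could have been the source of a leak. The roles, categories, user names and timestamps are constructed for the example.

```python
"""Role-based access control with an audit trail.

Added example, not from the ENISA note: each role is granted the information
categories it needs, every access decision is appended to an audit trail, and
the trail can be queried afterwards to narrow down the source of a leak.
All users, roles, categories and timestamps below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Hypothetical role -> information categories mapping (an assumption of this example)
ROLE_PERMISSIONS: Dict[str, set] = {
    "hr": {"personnel_records"},
    "marketing": {"sales_figures", "product_strategy"},
    "engineering": {"product_design"},
    "analyst": {"classified_reports"},
}


@dataclass(frozen=True)
class Document:
    name: str
    category: str


@dataclass(frozen=True)
class AuditRecord:
    timestamp: datetime
    user: str
    role: str
    document: str
    granted: bool


@dataclass
class AccessController:
    users: Dict[str, str]                       # user -> role
    trail: List[AuditRecord] = field(default_factory=list)

    def check_access(self, user: str, doc: Document,
                     when: Optional[datetime] = None) -> bool:
        """Grant access only if the user's role covers the document's category.

        Refused attempts are recorded too: a burst of refusals is itself a signal."""
        role = self.users.get(user)
        granted = role is not None and doc.category in ROLE_PERMISSIONS.get(role, set())
        self.trail.append(AuditRecord(when or datetime.now(timezone.utc),
                                      user, role or "unknown", doc.name, granted))
        return granted

    def who_accessed(self, document: str, before: datetime) -> List[str]:
        """Forensic query: users granted access to a document before a given time."""
        return sorted({r.user for r in self.trail
                       if r.document == document and r.granted and r.timestamp <= before})

    def denied_attempts(self, document: str) -> List[str]:
        """Users whose access to a document was refused."""
        return sorted({r.user for r in self.trail
                       if r.document == document and not r.granted})


# Constructed scenario: a product design leaks; the leak is discovered at noon.
LEAK_DISCOVERED = datetime(2015, 8, 1, 12, 0, tzinfo=timezone.utc)


def run_demo() -> AccessController:
    ctl = AccessController(users={"alice": "hr", "bob": "marketing", "carol": "engineering"})
    design = Document("widget-v2.pdf", "product_design")
    start = datetime(2015, 8, 1, 9, 0, tzinfo=timezone.utc)
    ctl.check_access("carol", design, start)                    # engineering: granted
    ctl.check_access("alice", design, start.replace(hour=10))   # HR: refused
    ctl.check_access("bob", design, start.replace(hour=11))     # marketing: refused
    ctl.check_access("carol", design, start.replace(hour=14))   # after discovery, outside the window
    return ctl


if __name__ == "__main__":
    ctl = run_demo()
    print("granted before discovery:", ctl.who_accessed("widget-v2.pdf", LEAK_DISCOVERED))
    print("refused:", ctl.denied_attempts("widget-v2.pdf"))
```

Two design points worth noting: the trail records refused attempts as well as granted ones, because an HR user repeatedly trying to open product designs is exactly the pattern an investigator wants to see; and the forensic query takes a time bound, so that accesses after the leak was discovered are not mistaken for its source.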
Removable Media Limitations
It is possible to limit the use of removable media, like USB keys: they can be completely disabled, or only certain authorised devices can be allowed (encrypted ones, for example). The decision to take such measures must be based on a trade-off between ease of use and security.
Data Loss Prevention systems
Mature organisations, with a well-established practice of information classification, can implement Data Loss Prevention (DLP) systems. These systems integrate with different systems (file servers, mail servers, operating systems etc.) in order to prevent information from getting out of allowed areas.
Typical capabilities of DLP systems include
- Prevention of copy-paste from certain documents;
- Prevention of file copying outside certain directories or on removable media;
- Stopping email attachments.
The drawbacks are financial costs on one side, and workload on the other. Indeed, they can only work if information has been properly classified and labelled, which requires a lot of preparatory work, and constant vigilance on the part of information owners to make sure every new document is properly labelled. Even then, they are not foolproof: no tool can prevent someone from taking pictures of their computer screen (though physical security measures could alleviate this particular risk). Considering these limitations, DLP systems are good tools to prevent common sources of accidental leaks, and some intentional ones.
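The DLP capabilities listed above, and the labelling problem just described, can be shown in a small policy check. The following is an added example, not code from the ENISA note or from any DLP product: each document carries a classification label, a policy states per label which channels (clipboard, removable media, external email, internal share) the document may leave through, and a second check looks for documents whose in-file marking is stricter than the label the DLP actually enforces, which is where unlabelled or mislabelled documents slip through. The labels, channels, paths and file contents are all constructed.

```python
"""Minimal Data Loss Prevention policy check.

Added example, not from the ENISA note or any DLP vendor: documents carry a
classification label, a policy states per label which channels a document may
leave through, and the check also reports the failure mode the note warns
about, documents whose owner never labelled them or labelled them too low.
All labels, channels, paths and document contents are constructed.
"""
import re
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Channel(Enum):
    INTERNAL_SHARE = "internal_share"      # file server the organisation controls
    CLIPBOARD = "clipboard"                # copy-paste out of the document
    REMOVABLE_MEDIA = "removable_media"    # USB key, CD-ROM
    EXTERNAL_EMAIL = "external_email"      # attachment to an outside domain


# Ordered from least to most sensitive (hypothetical scheme)
LABELS = ("public", "internal", "confidential", "secret")

# Hypothetical policy: per label, the channels a document may leave through
POLICY = {
    "public": set(Channel),
    "internal": {Channel.INTERNAL_SHARE, Channel.CLIPBOARD},
    "confidential": {Channel.INTERNAL_SHARE},
    "secret": set(),
}

# Applied when the owner never labelled a document: the weak spot of any DLP deployment
DEFAULT_LABEL = "internal"


@dataclass(frozen=True)
class Document:
    path: str
    label: Optional[str]   # None: never labelled by its owner


@dataclass(frozen=True)
class Decision:
    allowed: bool
    effective_label: str
    reason: str


def evaluate(doc: Document, channel: Channel) -> Decision:
    """Decide whether `doc` may leave through `channel` under POLICY."""
    label = doc.label if doc.label is not None else DEFAULT_LABEL
    note = " (unlabelled, default applied)" if doc.label is None else ""
    if label not in POLICY:
        return Decision(False, label, f"unknown label {label!r}: blocked")
    if channel in POLICY[label]:
        return Decision(True, label, f"{label}{note} may go to {channel.value}")
    return Decision(False, label, f"{label}{note} must not go to {channel.value}")


# Header marking such as "CLASSIFICATION: SECRET" on a line of its own
MARKING_RE = re.compile(r"^\s*CLASSIFICATION:\s*([A-Za-z]+)", re.IGNORECASE | re.MULTILINE)


def content_marking(text: str) -> Optional[str]:
    """Classification written inside the document itself, if any."""
    m = MARKING_RE.search(text)
    return m.group(1).lower() if m else None


def label_mismatches(docs: List[Tuple[Document, str]]) -> List[str]:
    """Paths whose in-document marking is stricter than the label the DLP enforces."""
    flagged = []
    for doc, text in docs:
        marking = content_marking(text)
        effective = doc.label if doc.label is not None else DEFAULT_LABEL
        if (marking in LABELS and effective in LABELS
                and LABELS.index(marking) > LABELS.index(effective)):
            flagged.append(doc.path)
    return flagged


# Constructed sample corpus: (document with its metadata label, file contents)
SAMPLE_DOCS = [
    (Document("/shares/press/release.txt", "public"), "CLASSIFICATION: PUBLIC\nLaunch next month."),
    (Document("/shares/eng/widget-v2.txt", "confidential"), "CLASSIFICATION: CONFIDENTIAL\nDesign notes."),
    (Document("/shares/eng/roadmap.txt", None), "CLASSIFICATION: SECRET\nUnreleased roadmap."),
    (Document("/shares/hr/salaries.txt", "internal"), "Salary table, no marking."),
]


if __name__ == "__main__":
    for doc, _ in SAMPLE_DOCS:
        for ch in Channel:
            print(doc.path, ch.value, evaluate(doc, ch).allowed)
    print("needs relabelling:", label_mismatches(SAMPLE_DOCS))
```

The unlabelled roadmap is the instructive case: the policy engine does exactly what it was told and lets it through the clipboard under the default "internal" label, even though the file itself is marked SECRET. Only the mismatch report, run regularly by the information owners, catches it, which is the "constant vigilance" the paragraph above refers to.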
Responsibility and Accountability
Since technical measures alone cannot completely prevent insiders from leaking information, organisations should strive to persuade their employees not to leak information. This starts with the recruitment process, which must ensure that candidates not only have the right competences for the job, but will also fit in their team, and share the goals of the company.
The AUP informs employees of the consequences of leaking information for themselves. For very sensitive information or positions, companies can go further by also informing their staff of the consequences of a leak for others. A famous example is the "Loose lips might sink ships" campaign during World War II: in a few words, it put a heavy burden of responsibility on anyone leaking information.
The insider threat is real and impossible to prevent completely. Extensive protection can be costly, either in direct financial costs, or in manpower. Nevertheless, a combination of technical and non-technical measures can mitigate the threat to a manageable residual risk.
About “Info Notes” from ENISA
With the “Info Notes” series ENISA aims at giving the interested reader some background and recommendations about NIS related topics. The background and recommendations are derived from past experiences and common sense, and should be taken as starting points for discussions on possible courses of action by relevant stakeholders. Feel free to get in touch with ENISA to discuss or inquire about the “Info Notes” series (firstname.lastname@example.org).