Managing Internal Threats


Infosec InstituteThe number of annual security incidents caused by insider threats continues to increase. In The CERT Guide to Insider Threats, Capelli et al writes, “Insider threats are an intriguing and complex problem. Some assert that they are the most significant threat faced by organizations today.” Disgruntled system administrators damage data and systems, skilled professionals steal intellectual property, and inferior employees use information to achieve political or financial objectives for their self-gain. Any of these can constitute a critical national defense breach or breach of public trust.

To defend against the damage or theft caused by insiders, an organization must hold every employee responsible for detecting and reporting both behavior and technical evidence indicating a possible employee defection from policy and compliance. In addition, technical controls can help monitor suspected offenders and the overall network for evidence of criminal behavior.

Behavior Monitoring

In a 2008 article I wrote for CBS Interactive/TechRepublic, I listed employee characteristics that warn of potential defection from organizational and social policy and norms, including:

  • Appearing intoxicated at the office
  • Actual or threatened use of force or violence
  • Pattern of disregard for rules and regulations
  • Attempts to enlist others in illegal or questionable activity
  • Pattern of lying and deception of co-workers or supervisors
  • Argumentative or insulting behavior toward work associates
  • Attempts to circumvent or defeat security or auditing systems

In general, any negative change in an employee’s behavior is concerning. Furthermore, actions taken by management can trigger a borderline defector to cross into criminal behavior. For example, an already disgruntled employee might feel justified in stealing and selling intellectual property after being passed over for promotion. Any potential-employees are candidates for additional monitoring.

Terminating an employee is one way to deal with a potential problem. However, we often value employees who are simply going through rough personal times. If terminating an employee is your preferred choice, keep in mind that you need to have attempted to resolve the issues with the employee or have clear evidence of a violation in policy; otherwise the termination can result in a lawsuit. It is often better to remediate than to terminate an employee.

First, we should ensure all employees understand organizational policies regarding the use of information resources and workplace behavior. Second, management should have a clear and fair process for a workplace infraction. The response should match the level of the offense. Furthermore, every employee, without exception, should understand the consequences of defection.

Finally, problem employees will usually not commit an infraction in front of management. This means we must train employees, as well as managers, to detect suspicious behavior and report it to someone higher-up. Since many employees would rather not become personally involved, an anonymous tip line is a possible solution. For example, a large organization for which I worked had a toll-free number any employee could call to report policy violations or any other concern or complaint. In addition, if you don’t want to set up a phone line, you could set up an anonymous website where you achieve the same result. Weekly, a compliance committee met to go over all reports, and there were many. Anything that appeared critical did not wait for the weekly meeting but was handled immediately.

Technical Monitoring

While behavior monitoring can alert us to many possible incidents, it often fails when dealing with network and server administrators who go rogue. We can easily miss behavior signals when an employee does his or her best to hide them. When behavior monitoring fails or is insufficient, technical monitoring should fill the gap.


For non-administrators, we can control how much information an employee can access (and what they can do with it) by enforcing need-to-know, least privilege, and separation of duties. Organizations enforce all three by properly managed authorization policies and processes.

The first two are closely related. Need-to-know restricts the information a user can access only to that required for daily task completion. Least privilege controls what a person can do with the information accessed. For example, need-to-know might allow me to see electronic information classified as top secret, but least privilege would prevent me from changing or deleting it unless my role in the organization requires it. Together, they strictly limit insider threat damage.

Separation of duties, when properly implemented, prevents any one person from performing all tasks associated with a critical process. To illustrate, separation of duties prevents a software developer from creating malware and placing it in a production environment. In other words, developers should not be able to place their work into production systems.

Next, organizations must control the movement of sensitive information. If not possible using direct means, such as data rights management, then you should use indirect means. One of the most effective indirect monitoring methods is NetFlow analysis. NetFlow, emerging as the IPFIX standard, collects network traffic flow information at various points across the network. Information gathered and aggregated to an analysis and management server provides insight into anomalous traffic flow. If, for example, an employee decides to copy a large number of documents to an Internet location, NetFlow statistics would alert security to unusual behavior at one or more points on the network. This near-real-time identification of technological infractions happening on the network enables the possibility for a quick and effective response: stopping the employee or mitigating their effects on the organization.

In addition to NetFlow, security information and event management (SIEM) provides additional information about anomalous server or network behavior. SIEM solutions gather logs from various devices and systems, aggregating them into a correlation server. An event correlation application then mines unusual patterns or patterns known to be related to malicious behavior. Questionable activity is reported to security via email, SMS, or a Web portal.

Finally, employment termination and job change processes must include immediate revocation of all rights and privileges to previously accessed information resources. During a job change, removing all access and then granting access for the new role is a good approach. Failure to adequately perform these tasks is a significant cause of many insider incidents, especially those caused by administrators.


While the previous controls also work for malicious activities by administrators, they tend to fall short. Administrators can alter logs or create backdoor accounts for use after hours or post-termination. Monitoring all employees and using separation of duties can help eliminate these vulnerabilities.

Administrator monitoring must extend to changes applied to special purpose files. One example includes log changes. Operating systems or other third-party solutions can track changes to logs, including who made the change and when. Security teams can identify unplanned changes and respond appropriately. This also applies to other files that might contain critical system management information and applications in the production environment.

In addition to file changes, any creation of a privileged account should raise a warning. For example, one security team ran a script every morning to determine if any accounts had been added to any Windows Active Directory administrator group. If so, the addition was reviewed against change management documentation to ensure it was approved. Any questionable account was removed and the offending employee was reported to his manager. A periodic audit of all privileged accounts, whether disabled or active, is another good way of identifying possible rogue IDs.

Sharing of administrator passwords also requires special attention. Each time a shared admin account is used, log it. Each time an administrator leaves the organization, change all shared passwords. If your budget allows it, consider implementing a privileged password management solution that logs who checks out shared account passwords and changes the passwords after use.

Finally, remember that every employee has the ability to be an insider threat. The most impactful threats are caused by those at the top – managers, administrators, programmers, and security experts. Insider threats are real, and they will eventually cause an incident in every organization. Proper preparation, training, and vigilance can prevent or alleviate related consequences.

Tom Olzak is a security researcher for InfoSec Institute. InfoSec Institute is a security certification company that provides popular ccent training.

Original post

Leave a Comment

Leave a comment

Leave a Reply