Insider threats: a new challenge for corporate information security services. Problems of protection from insiders

Recent information security studies, such as the annual CSI/FBI Computer Crime and Security Survey, show that companies' financial losses from most threats are decreasing year over year. There are, however, several risks from which losses are growing. One of them is the deliberate theft of confidential information, or violation of the rules for handling it, by employees whose access to commercial data is required to perform their official duties. Such employees are called insiders.

In the vast majority of cases, confidential information is stolen on removable media: CDs and DVDs, Zip disks and, above all, USB drives of every kind. It was their mass adoption that made insider theft a worldwide problem. The heads of most banks are well aware of what it would mean for a database of their clients' personal data, let alone of the transactions on their accounts, to fall into the hands of criminal groups, and they try to counter possible theft with the organizational measures available to them.

Organizational measures, however, are ineffective here. Today information can be carried between computers on a miniature flash drive, a mobile phone, an mp3 player or a digital camera. One can, of course, try to prohibit bringing all such devices into the office, but this, firstly, sours relations with employees and, secondly, is very hard to enforce: a bank is not a closed-regime facility. Nor does it help to disable every device on the computers that can write to external media (floppy and Zip drives, CD and DVD writers, and so on) together with the USB ports: the former are needed for work, and the latter have peripherals such as printers and scanners attached to them. Nothing stops a person from unplugging the printer for a minute, inserting a flash drive into the freed port and copying important information onto it. One can look for improvised protection; one bank, for example, poured epoxy resin over the junction of the USB port and the cable, permanently binding the cable to the computer. Fortunately, more modern, reliable and flexible means of control exist today.

The most effective means of minimizing the risks associated with insiders is specialized software that dynamically manages every device and computer port that could be used to copy information. It works as follows. Permissions to use the various ports and devices are set for each user group or for each user individually. The biggest advantage of such software is its flexibility: restrictions can be set for particular device types, for particular models, and for individual units. This makes it possible to implement very fine-grained access policies.

For example, some employees may be allowed to use any printer or scanner connected to a USB port, while any other device plugged into that port remains inaccessible. If the bank authenticates users with hardware tokens, the model of token in use can be specified in the settings; users are then able to use only the tokens purchased by the company, and all others are useless.

From the principle of operation described above it is clear what matters when choosing software that dynamically blocks writable devices and computer ports. First, coverage: the system must handle the full range of ports and input/output devices, otherwise the risk of theft of commercial information remains unacceptably high. Second, flexibility: rules must be expressible in terms of a wide range of device attributes (type, manufacturer and model, the unique serial number of each unit, and so on). Third, integration: the system must integrate with the bank's information system, in particular with Active Directory; otherwise the administrator or security officer has to maintain two databases of users and computers, which is not only inconvenient but also increases the risk of errors.
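The following Python script is an added example, not code from the article or from any product mentioned on this page. It shows what "by type, model and individual unit" means in practice on Windows: the Plug-and-Play instance path of a USB device carries the vendor and product numbers (VID/PID), and its last component is the serial number the device reports, or a Windows-generated identifier when the device has none. The device paths, vendor numbers, group names and rules below are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of Windows Plug-and-Play device instance paths, in the form
# shown by Device Manager and stored under HKLM\SYSTEM\CurrentControlSet\Enum:
#   USB\VID_<vendor>&PID_<product>\<instance id>
# The instance id is the serial number the device reports; a device without one
# gets a Windows-generated id of the form "<n>&<hex>&<n>&<n>", recognisable by
# the '&' in second position. Vendor/product numbers are illustrative only.
SAMPLE_DEVICES = {
    "issued_flash": "USB\\VID_0781&PID_5567\\4C530001230817114102",  # reports a serial
    "other_flash":  "USB\\VID_0781&PID_5567\\5&2a1b3c4d&0&2",         # same model, no serial
    "printer":      "USB\\VID_04B8&PID_0005\\7&1f0e2d3c&0&1",         # no serial
    "token":        "USB\\VID_096E&PID_0006\\0F1A2B3C",               # assumed token model
}

INSTANCE_PATH = re.compile(
    r"^USB\\VID_(?P<vid>[0-9A-Fa-f]{4})&PID_(?P<pid>[0-9A-Fa-f]{4})"
    r"(?:&MI_\d{2})?\\(?P<instance>[^\\]+)$"
)


@dataclass(frozen=True)
class Device:
    vid: str
    pid: str
    instance: str
    has_serial: bool   # False when the instance id was generated by Windows


def parse_instance_path(path: str) -> Device:
    """Split a USB instance path into vendor, product and instance parts."""
    m = INSTANCE_PATH.match(path)
    if m is None:
        raise ValueError(f"not a USB instance path: {path!r}")
    instance = m["instance"]
    generated = len(instance) > 1 and instance[1] == "&"
    return Device(m["vid"].upper(), m["pid"].upper(), instance, not generated)


@dataclass(frozen=True)
class Rule:
    """One allow rule; None means 'any' for that attribute.
    vid alone = any device of that vendor; vid+pid = one model;
    vid+pid+serial = one physical unit."""
    vid: Optional[str] = None
    pid: Optional[str] = None
    serial: Optional[str] = None

    def matches(self, dev: Device) -> bool:
        if self.vid is not None and self.vid != dev.vid:
            return False
        if self.pid is not None and self.pid != dev.pid:
            return False
        if self.serial is not None:
            # A per-unit rule is only meaningful for a device that really reports
            # a serial; a Windows-generated id is not a stable identity.
            return dev.has_serial and dev.instance == self.serial
        return True


# Per-group policy (constructed). The first matching rule allows the device;
# anything unmatched is denied, which is the default-deny the article relies on.
POLICY = {
    "Everyone": [
        Rule(vid="04B8"),                 # any device from the printer vendor
        Rule(vid="096E", pid="0006"),     # the company's token model only
    ],
    "Accounting": [
        Rule(vid="0781", pid="5567", serial="4C530001230817114102"),  # one issued drive
    ],
}


def decide(groups: List[str], path: str) -> str:
    """Return 'allow' or 'deny' for a user in `groups` plugging in the device at `path`."""
    dev = parse_instance_path(path)
    for group in groups:
        for rule in POLICY.get(group, []):
            if rule.matches(dev):
                return "allow"
    return "deny"


if __name__ == "__main__":
    for name, path in SAMPLE_DEVICES.items():
        print(f"{name:13} accounting={decide(['Everyone', 'Accounting'], path):5} "
              f"everyone={decide(['Everyone'], path)}")
```

The point of the `has_serial` check is the caveat a practitioner runs into: two flash drives of the same model look identical to a model-level rule, and a unit-level rule can only pin a drive that actually reports a serial number. A real product resolves group membership from Active Directory instead of the hard-coded `groups` list.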

I hope that the article, and especially its discussion, will help identify the various nuances of using software tools and will serve information security specialists as a starting point for developing a solution to the problem described.

nahna

For a long time the marketing division of the Infowatch company has been convincing all interested parties, IT specialists as well as the most advanced IT managers, that most of the damage from breaches of a company's information security is caused by insiders, employees who divulge trade secrets. The goal is clear: demand has to be created for the product being sold. And the arguments look quite solid and convincing.

Problem statement

Build a system that protects information from theft by staff on a LAN based on Active Directory (Windows 2000/2003), with user workstations running Windows XP and enterprise management and accounting built on 1C products.
Confidential information is stored in three ways:
  1. in the 1C database, accessed over the network via RDP (terminal access);
  2. in shared folders on file servers, accessed over the network;
  3. locally on the employee's PC.
The leakage channels are the Internet and removable media (flash drives, phones, players, etc.). Use of the Internet and of removable media cannot be prohibited, since both are needed for the performance of official duties.

What's on the market

I divided the systems under consideration into three classes:
  1. Systems based on content analyzers: Surf Control, MIME Sweeper, InfoWatch Traffic Monitor, Dozor Jet, etc.
  2. Systems based on static device blocking: DeviceLock, ZLock, InfoWatch Net Monitor.
  3. Systems based on dynamic device blocking: SecrecyKeeper, Strazh, Accord, SecretNet.

Systems based on context analyzers

Principle of operation:
The transmitted information is searched for keywords, and based on the result a decision is made whether to block the transmission.

In my opinion, InfoWatch Traffic Monitor (www.infowatch.ru) has the greatest capabilities among the products listed. It is built on the well-proven Kaspersky Antispam engine, which takes the peculiarities of the Russian language into account most fully. Unlike other products, InfoWatch Traffic Monitor considers not only the presence of certain strings in the data being checked but also a predetermined weight for each string. Thus the final decision takes into account not only the occurrence of certain words but also the combinations in which they occur, which makes the analyzer more flexible. The remaining features are standard for this type of product: analysis of archives and MS Office documents, and the ability to block the transfer of files of unknown format or of password-protected archives.

Disadvantages of the content-analysis systems considered:

  • Only two protocols are monitored, HTTP and SMTP (this is for InfoWatch Traffic Monitor; moreover, for HTTP only data sent in POST requests is checked, which leaves a leakage channel via data passed in GET requests);
  • Data-transfer devices (floppy disks, CDs, DVDs, USB drives, etc.) are not controlled (InfoWatch has a separate product for that: InfoWatch Net Monitor);
  • To bypass a content-analysis system it is enough to use the simplest text encoding (for example secret -> с1е1к1р1е1т, the Cyrillic word with a digit inserted between its letters), or steganography;
  • Content analysis cannot solve the following problem (I cannot think of a suitable formal description, so here is an example): there are two Excel files, the first with retail prices (public information), the second with wholesale prices for a specific client (private information), and the contents of the files differ only in the numbers. Content analysis cannot tell these files apart.
Conclusion:
Content analysis is suitable only for building traffic archives and countering accidental leaks; it does not solve the problem.
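The keyword scorer, the two bypasses (digit interleaving and the GET query string) and the retail/wholesale case from the list above, as an added Python example. It is not part of the original review and not code from any product named here; the term weights, threshold, sample memo, price lists and HTTP requests are constructed, and the gateway model inspects only POST bodies unless told otherwise, which is the gap the list describes for HTTP.

```python
import re
from urllib.parse import unquote_plus

# Weighted term list in the style of the analyzer described above: each term has
# a weight and a document is blocked when the summed weight reaches THRESHOLD.
# Terms, weights and all sample texts are constructed for this example.
TERMS = {
    "confidential": 3,
    "trade secret": 3,
    "wholesale": 2,
    "price list": 1,
    "client": 1,
}
THRESHOLD = 4


def score(text: str) -> int:
    """Sum the weights of the terms that occur in the text (case-insensitive)."""
    lowered = text.lower()
    return sum(weight for term, weight in TERMS.items() if term in lowered)


def verdict(text: str) -> str:
    return "block" if score(text) >= THRESHOLD else "pass"


# Bypass 1 from the list above: insert a filler digit between the letters of
# every word, so no dictionary term is present as a substring any more.
LETTERS = re.compile(r"[^\W\d_]+")


def interleave(text: str, filler: str = "1") -> str:
    return LETTERS.sub(lambda m: filler.join(m.group()), text)


def normalize(text: str) -> str:
    """Counter-measure for that one trick: drop digits before scoring.
    It does nothing against synonyms, transliteration or steganography."""
    return re.sub(r"\d", "", text)


# Bypass 2: a gateway that inspects only POST bodies never sees a GET query string.
def inspected_payload(request: str, inspect_get: bool = False) -> str:
    """Return the part of a raw HTTP request that the gateway would analyse."""
    request_line, _, rest = request.partition("\r\n")
    method, target, _ = request_line.split(" ", 2)
    body = rest.split("\r\n\r\n", 1)[1] if "\r\n\r\n" in rest else ""
    if method == "POST":
        return unquote_plus(body)
    if method == "GET" and inspect_get:
        return unquote_plus(target.partition("?")[2])
    return ""


def gateway_verdict(request: str, inspect_get: bool = False) -> str:
    return verdict(inspected_payload(request, inspect_get))


# Constructed samples.
MEMO = ("This memo is confidential and contains a trade secret: "
        "wholesale prices for our largest client.")
RETAIL = "Price list for client orders. Widget A: 1200. Widget B: 1500."
WHOLESALE = "Price list for client orders. Widget A: 900. Widget B: 1100."
DATA = "q=confidential+trade+secret+wholesale+client"
POST_REQ = ("POST /search HTTP/1.1\r\nHost: example.com\r\n"
            f"Content-Length: {len(DATA)}\r\n\r\n{DATA}")
GET_REQ = f"GET /search?{DATA} HTTP/1.1\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    print("memo:             ", verdict(MEMO))                          # block
    print("interleaved memo: ", verdict(interleave(MEMO)))              # pass
    print("normalized first: ", verdict(normalize(interleave(MEMO))))   # block
    # Retail vs wholesale list: same words, different numbers, same score.
    print("retail/wholesale: ", score(RETAIL), score(WHOLESALE))
    print("POST exfil:       ", gateway_verdict(POST_REQ))              # block
    print("GET exfil:        ", gateway_verdict(GET_REQ))               # pass
    print("GET, inspected:   ", gateway_verdict(GET_REQ, True))         # block
```

Two things to take from running it: every normalization step only closes the one trick it was written for, and the two price lists score identically because a term dictionary carries no notion of which numbers are sensitive, which is exactly the limitation the list above describes.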

Systems based on static device blocking

Principle of operation:
Users are assigned access rights to controlled devices, similar to access rights to files. In principle, almost the same effect can be achieved using standard Windows mechanisms.

Zlock (www.securit.ru): the product appeared relatively recently, so its functionality is minimal (I do not count frills), and it does not work particularly well; for example, the management console sometimes crashes when trying to save settings.

DeviceLock (www.smartline.ru) is a more interesting product; it has been on the market for quite a long time, so it works much more stably and has more varied functionality. For example, it can shadow-copy transferred information, which helps in investigating an incident but not in preventing it. Moreover, such an investigation will most likely be carried out only once the leak becomes known, i.e. a significant time after it occurred.

InfoWatch Net Monitor (www.infowatch.ru) consists of the modules DeviceMonitor (an analogue of Zlock), FileMonitor, OfficeMonitor, AdobeMonitor and PrintMonitor. DeviceMonitor is an analogue of Zlock with standard functionality and nothing special. FileMonitor controls access to files. OfficeMonitor and AdobeMonitor control how files are handled in the respective applications. At present it is hard to think of a useful rather than toy application for FileMonitor, OfficeMonitor and AdobeMonitor, but future versions are expected to perform content analysis of the data being processed; perhaps then these modules will show their potential. It is worth noting, though, that content analysis of file operations is not a trivial task, especially if the content-filtering base is the same as in Traffic Monitor, i.e. network-oriented.

The protection of the agent against a user with local administrator rights deserves separate mention.
ZLock and InfoWatch Net Monitor simply have no such protection, i.e. the user can stop the agent, copy the data and start the agent again.

DeviceLock has such protection, which is a definite plus. It is based on intercepting the system calls for registry, file-system and process management. Another advantage is that the protection also works in safe mode. There is also a minus, though: to disable the protection it is enough to restore the System Service Descriptor Table, which can be done by loading a simple driver.

Disadvantages of the static device-blocking systems considered:

  • Transfer of information to the network is not controlled.
  • They cannot distinguish classified from non-classified information; they work on an all-or-nothing principle.
  • Protection against unloading the agent is absent or easily bypassed.
Conclusion:
Implementing such systems is not advisable, because they do not solve the problem.

Systems based on dynamic device blocking

Principle of operation:
Access to transmission channels is blocked depending on the user's clearance level and the secrecy level of the information being worked with. To implement this principle these products use mandatory access control. This mechanism is not encountered very often, so I will dwell on it in more detail.

Mandatory access control, in contrast to discretionary access control (implemented in the security subsystem of Windows NT and later), means that the owner of a resource (for example, a file) cannot weaken the access requirements for that resource, but can only strengthen them within his own level. Only a user with special powers, an information security officer or administrator, can relax the requirements.

The main goal in developing products such as Strazh, Accord, SecretNet, DallasLock and some others was to make it possible to certify the information systems they are installed in for compliance with the requirements of the State Technical Commission (now FSTEC). Such certification is mandatory for information systems that process state secrets, which is what mainly created the demand for these products from state enterprises.

As a result, the set of functions in these products was determined by the requirements of the relevant documents, which in turn means that most of the implemented functionality either duplicates standard Windows functionality (wiping objects after deletion, wiping RAM) or implicitly relies on it (discretionary access control). The DallasLock developers went even further and implemented their system's mandatory access control on top of the Windows discretionary mechanism.

Practical use of such products is extremely inconvenient; for example, installing DallasLock requires repartitioning the hard drive, which moreover has to be done with third-party software. Very often these systems were removed or disabled after certification.

SecrecyKeeper (www.secrecykeeper.com) is another product implementing mandatory access control. According to the developers, SecrecyKeeper was designed specifically to solve one particular problem: preventing theft of information in a commercial organization. Therefore, again according to the developers, special attention was paid during development to simplicity and ease of use, both for system administrators and for ordinary users. How well this succeeded is for the consumer, i.e. us, to judge. In addition, SecrecyKeeper implements several mechanisms absent from the other systems mentioned, for example the ability to set a secrecy level for resources accessed remotely, and an agent-protection mechanism.
Control of information flow in SecrecyKeeper is built on the Information Secrecy Level, the User Clearance Levels and the Computer Security Level, each of which can take the values public, secret and top secret. The Information Secrecy Level classifies the information processed in the system into three categories:

public: non-secret information; there are no restrictions on working with it;

secret: secret information; restrictions on working with it depend on the User Clearance Levels;

top secret: top-secret information; restrictions on working with it depend on the User Clearance Levels.

The Information Secrecy Level can be set for a file, a network drive, and a computer port on which some service is running.

The User Clearance Levels determine how a user may move information, depending on its Secrecy Level. There are the following User Clearance Levels:

Access Level: limits the maximum Secrecy Level of information the employee may access;

Network Access Level: limits the maximum Secrecy Level of information the employee may transmit over the network;

Removable Media Access Level: limits the maximum Secrecy Level of information the employee may copy to external media;

Printer Access Level: limits the maximum Secrecy Level of information the employee may print.

The Computer Security Level determines the maximum Secrecy Level of information that may be stored and processed on a given computer.

Information with the public secrecy level may be accessed by an employee with any clearance. It may be transmitted over the network and copied to external media without restriction, and the history of work with public information is not tracked.

Information with the secret level may be accessed only by employees whose Access Level is secret or higher; transmitted over the network only by employees whose Network Access Level is secret or higher; copied to external media only by employees whose Removable Media Access Level is secret or higher; and printed only by employees whose Printer Access Level is secret or higher. The history of work with secret information (attempts to access it, transmit it over the network, copy it to external media or print it) is logged.

Information with the top secret level may be accessed only by employees whose Access Level is top secret; transmitted over the network only by employees whose Network Access Level is top secret; copied to external media only by employees whose Removable Media Access Level is top secret; and printed only by employees whose Printer Access Level is top secret. The history of work with top secret information (attempts to access, transmit, copy or print it) is logged in the same way.

Example: let an employee have an Access Level of top secret, a Network Access Level of secret, a Removable Media Access Level of public and a Printer Access Level of top secret. This employee can open a document of any secrecy level, can transmit over the network only information classified no higher than secret, can copy to external media (for example, to a floppy disk) only public information, and can print any information.

To manage the distribution of information across the enterprise, each computer assigned to an employee is given a Computer Security Level. It caps the maximum Secrecy Level of information that any employee may access from that computer, regardless of the employee's clearance levels. So if an employee has an Access Level of top secret but the computer he is currently working on has a Security Level of public, he cannot access information above the public level from that workstation.

Armed with the theory, let us try to use SecrecyKeeper to solve the problem. The information processed in the information system of the abstract enterprise under consideration (see the problem statement) can be described in simplified form by the following table:

The employees of the enterprise and the areas of their job responsibilities are described by the second table:

Let the enterprise use the following servers:
1C server
File server with the shares:
SecretDocs - contains secret documents
PublicDocs - contains publicly available documents

Note that ordinary access control is handled by the standard capabilities of the operating system and application software; no additional protection system is needed to stop, say, a manager from reading employees' personal data. What we are talking about here is specifically countering the dissemination of information to which the employee has legitimate access.

Let's move on to the actual configuration of SecrecyKeeper.
I will not describe the process of installing the management console and agents, everything is as simple as possible - see the documentation for the program.
Setting up the system consists of performing the following steps.

Step 1. Install agents on all PCs except the servers; this immediately stops those PCs from receiving information whose Secrecy Level is set above public.

Step 2. Assign Clearance Levels to employees according to the following table:

Employee            Access Level   Network Access Level   Removable Media Access Level   Printer Access Level
director            secret         secret                 secret                         secret
manager             secret         public                 public                         secret
personnel officer   secret         public                 public                         secret
accountant          secret         public                 secret                         secret
secretary           public         public                 public                         public

Step 3. Assign Computer Security Levels as follows:

Step 4. Configure Information Security Levels on the servers:

Step 5. Configure Information Security Levels on employee PCs for local files. This is the most time-consuming part, since it is necessary to clearly understand which employees work with what information and how critical this information is. If your organization has undergone an information security audit, its results can make the task much easier.

Step 6. If necessary, SecrecyKeeper allows you to limit the list of programs that users are allowed to run. This mechanism is implemented independently of the Windows Software Restriction Policy and can be used if, for example, it is necessary to impose restrictions on users with administrator rights.

Thus, with the help of SecrecyKeeper, it is possible to significantly reduce the risk of unauthorized dissemination of classified information - both leakage and theft.
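The access rules described above (the Information Secrecy Level, the four User Clearance Levels and the Computer Security Level), together with the clearance table from Step 2, encoded as an added Python example. This is not SecrecyKeeper's own code, only a model of the rules as the text states them; the one assumption added is that a user must be able to open information on the current computer before a channel limit (network, removable media, printer) is checked.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Secrecy / clearance levels, ordered so that comparison means dominance."""
    PUBLIC = 0
    SECRET = 1
    TOP_SECRET = 2


@dataclass(frozen=True)
class Clearance:
    """The four User Clearance Levels from the description above."""
    access: Level
    network: Level
    removable_media: Level
    printer: Level


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    audited: bool   # work with anything above public is logged


def can_access(user: Clearance, computer: Level, info: Level) -> Decision:
    """May the user open information of level `info` on a computer of level `computer`?"""
    audited = info > Level.PUBLIC
    if info > computer:
        return Decision(False, "computer security level too low", audited)
    if info > user.access:
        return Decision(False, "access level too low", audited)
    return Decision(True, "ok", audited)


def can_transfer(user: Clearance, computer: Level, info: Level, channel: str) -> Decision:
    """May the user push information of level `info` out through `channel`?
    Assumption (not stated in the text): the user must be able to open the
    information on this computer before the channel limit is consulted."""
    opened = can_access(user, computer, info)
    if not opened.allowed:
        return opened
    limit = getattr(user, channel)   # 'network', 'removable_media' or 'printer'
    if info > limit:
        return Decision(False, f"{channel} access level too low", opened.audited)
    return Decision(True, "ok", opened.audited)


# Clearance table from Step 2 above, encoded.
P, S, T = Level.PUBLIC, Level.SECRET, Level.TOP_SECRET
STAFF = {
    "director":          Clearance(access=S, network=S, removable_media=S, printer=S),
    "manager":           Clearance(access=S, network=P, removable_media=P, printer=S),
    "personnel officer": Clearance(access=S, network=P, removable_media=P, printer=S),
    "accountant":        Clearance(access=S, network=P, removable_media=S, printer=S),
    "secretary":         Clearance(access=P, network=P, removable_media=P, printer=P),
}

# The worked example from the description: top secret access, secret network,
# public removable media, top secret printer.
EXAMPLE_USER = Clearance(access=T, network=S, removable_media=P, printer=T)


if __name__ == "__main__":
    for info in Level:
        for channel in ("network", "removable_media", "printer"):
            d = can_transfer(EXAMPLE_USER, T, info, channel)
            print(f"{info.name:10} via {channel:15}: {'allow' if d.allowed else 'deny'} ({d.reason})")
    # Computer Security Level caps a top secret user on a public workstation.
    print("secret on public PC:", can_access(EXAMPLE_USER, P, S).reason)
    # From the clearance table: only the accountant (and the director) may carry secret data out on media.
    for name, clr in STAFF.items():
        print(f"{name:18} secret -> media:",
              "allow" if can_transfer(clr, S, S, "removable_media").allowed else "deny")
```

Running it reproduces the two examples in the text (the mixed-clearance employee, and the top secret user on a public workstation) and shows what the Step 2 table actually buys: every employee except the secretary can read secret data, but only the director and the accountant can carry it out on removable media, and only the director can send it over the network.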

Disadvantages:
- the difficulty of initially setting up secrecy levels for local files.

General conclusion:
The greatest capability for protecting information from insiders is provided by software that can dynamically regulate access to information-transfer channels depending on the secrecy level of the information being worked with and the employee's clearance level.


"Consultant", 2011, N 9

“He who owns the information owns the world” - this famous aphorism of Winston Churchill is more relevant than ever in modern society. Knowledge, ideas and technology come to the fore, and market leadership depends on how well a company can manage its intellectual capital.

In these conditions, the information security of an organization becomes particularly important.

Any leak of information to competitors or publication of information about internal processes instantly affects the positions that the company occupies in the market.

An information security system must provide protection against a variety of threats: technical, organizational and those caused by the human factor.

As practice shows, the main channel for information leakage is insiders.

Enemy in the rear

Typically, an insider is a company employee who causes damage to the company by disclosing confidential information.

However, if we consider the three main conditions, the provision of which is the goal of information security - confidentiality, integrity, availability - this definition can be expanded.

An insider can then be defined as an employee who has legitimate official access to confidential information of the enterprise and who causes the disclosure, distortion, damage or unavailability of that information.

Such a generalization is acceptable because in the modern world, violation of the integrity and availability of information often entails much more severe consequences for business than the disclosure of confidential information.

For many enterprises, the cessation of business processes, even for a short time, threatens significant financial losses, and disruption of functioning within a few days can cause such a strong blow that its consequences can be fatal.

Various organizations that study business risk regularly publish the results of their research. According to them, insiders have consistently ranked first among the causes of information security violations for many years.

Due to the steady increase in the total number of incidents, we can conclude that the relevance of the problem is increasing all the time.

Threat model

In order to build a reliable layered information security system that will help effectively combat the problem, it is necessary first of all to create a threat model.

You need to understand who insiders are and what motivates them, why they take certain actions.

There are different approaches to creating such models, but for practical purposes you can use the following classification, which includes all the main types of insiders.

Internal hacker

Such an employee, as a rule, has above-average engineering qualifications and understands the structure of enterprise resources, the architecture of computer systems and networks.

He hacks out of curiosity or sporting interest, exploring the limits of his own abilities.

Usually he is aware of the possible harm from his actions, so he rarely causes tangible damage.

The degree of danger is medium, since his actions may cause a temporary stop of some processes occurring in the company. Identification of activities is possible primarily through technical means.

Irresponsible and low qualified employee

May have any level of skill and work in any department of the enterprise.

He is dangerous because he does not tend to think about the consequences of his actions; he may work with the company's information resources by trial and error and unintentionally destroy or distort information.

Usually he does not remember the sequence of his actions, and when he discovers negative consequences, he may simply remain silent about them.

May reveal information constituting a trade secret in a personal conversation with a friend or even when communicating on Internet forums and social networks.

The degree of danger is very high, especially considering that this type of offender is more common than others. The consequences of his activities can be much more serious than those of a conscious attacker.

In order to prevent the consequences of his actions, it is necessary to take a whole range of different measures, both technical (authorization, mandatory division of work sessions by accounts) and organizational (constant management control over the process and result of the work).

Psychologically unstable person

Just like a representative of the previous type, he can work in any position and have very different qualifications. Dangerous due to a tendency to weakly motivated actions in conditions of psychological discomfort: in extreme situations, psychological pressure from other employees, or simply strong irritation.

In a state of agitation he may reveal confidential information, damage data and disrupt the normal work of other people.

The degree of danger is average, but this type of offender is not so common.

To prevent the negative consequences of his actions, it is most effective to use administrative measures - to identify such people at the interview stage, limit access to information and maintain a comfortable psychological climate in the team.

Insulted, offended employee

The widest group of potential violators of the information security regime.

Theoretically, the vast majority of employees are capable of committing acts unfriendly to the company.

This can happen when management shows disrespect for the employee's personality or professional qualities, and when this affects the level of pay.

Potentially, this type of insider poses a very high danger - both leaks and damage to information are possible, and the harm from them will be guaranteed to be noticeable for the business, since the employee causes it consciously and knows all the vulnerabilities well.

Both administrative and technical measures are needed to detect activities.

Dishonest employee

An employee who tries to add to his personal wealth at the expense of the property of the company he works for. The items appropriated may include media holding confidential information (hard drives, flash drives, corporate laptops).

In this case there is a risk of the information reaching people for whom it was not intended, with subsequent publication or transfer to competitors.

The danger is average, but this type is not uncommon.

Administrative measures are the primary means of detection.

Competitor's representative

As a rule, he is highly qualified and occupies a position that gives ample opportunity to obtain information, including confidential information. This is either an existing employee recruited or bought by competitors (the more common case), or an insider deliberately planted in the company.

The degree of danger is very high, since the harm is caused consciously and with a deep understanding of the value of the information, as well as the company’s vulnerabilities.

To identify activities, both administrative and technical measures are needed.

What is being stolen?

The insider problem cannot be understood without considering the nature of the stolen information.

According to statistics, the most sought-after items are personal data of clients and information about client companies and partners; they are stolen in more than half of the cases. Next come details of transactions and the terms of contracts and deliveries. Financial reports are also of great interest.

When forming a set of protective measures, each company inevitably faces the question: what specific information requires special protective measures, and what does not need them?

Of course, the basis for such decisions is the data obtained from risk analysis. However, an enterprise often has limited funds to spend on an information security system, and they may not be enough to minimize all risks.

Two approaches

Unfortunately, there is no ready answer to the question of what to protect first.

The problem can be approached from two sides.

Risk is a composite indicator that takes into account both the likelihood of a particular threat and the possible damage from it. Accordingly, when setting protection priorities one can focus on either component: protect first the information that is easiest to steal (for example, because a large number of employees have access to it), or protect first the information whose theft or unavailability would have the most severe consequences.

An important aspect of the insider problem is the channel through which information is transmitted. The more physical opportunities there are to move information outside the company without authorization, the more likely it is to happen.

Transmission mechanisms

Transmission mechanisms can be classified as follows:

  • oral transmission (personal conversation);
  • technical data transmission channels (telephone, fax, email, messaging systems, various social Internet services, etc.);
  • portable media and mobile devices (mobile phones, external hard drives, laptops, flash drives, etc.).

According to current research, the most common channels for leaking confidential data are (in descending order): email, mobile devices (including laptops), social networks and other Internet services (such as instant messaging systems), and so on.

Technical channels can be controlled with a wide range of products currently available on the security market, for example content filtering systems (dynamic blocking systems) and tools that restrict access to storage media and interfaces (CD, DVD, Bluetooth).

Administrative measures are applied alongside them: filtering Internet traffic, disabling the physical ports of workstations, and enforcing the administrative regime and physical security.

Technical means of protecting confidential information must be chosen systematically; only then will their implementation deliver the greatest benefit.

It must also be understood that the challenges facing each company are unique, and it is often simply impossible to reuse the solutions adopted by other organizations.

The fight against insider threats should not be conducted in isolation; it is an important component of the overall business process aimed at maintaining an information security regime.

It must be carried out by professionals and cover the full cycle of activities: developing an information security policy, defining its scope, analyzing risks, selecting countermeasures and implementing them, and auditing the information security system.

If an enterprise does not address information security across this whole cycle, the risk of financial losses from leaks and damage to information rises sharply.

Minimizing risks

Screening

  1. Thorough screening of applicants for any position in the company. It is recommended to collect as much information as possible about the candidate, including the content of his social network pages. A reference from a previous employer may also help.
  2. Candidates for IT engineering positions should be screened with particular care. Practice shows that more than half of all insiders are system administrators and programmers.
  3. At least a minimal psychological assessment of candidates must be carried out when hiring. It helps to identify applicants with unstable mental health.

Access rights

  1. A system for separating access to corporate resources. The enterprise must create regulatory documents that rank information by confidentiality level and clearly define the rights of access to it. Access to any resource must be personalized.
  2. Access rights to resources should be granted according to the principle of "minimum sufficiency" (least privilege). Access to the maintenance of technical equipment, even with administrator rights, should not automatically include the right to view the information itself.
  3. Monitoring of user actions that is as detailed as possible, with mandatory authentication and logging of the operations performed. The more carefully the logs are kept, the more control management has over the situation in the company. The same applies to what employees do when using their official Internet access.
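The three rules above can be expressed as a small policy engine. The following is an added example, not code from the article: a minimal reference monitor in which information is ranked by confidentiality level, every access is tied to a personal account, rights follow least privilege (a "maintain" right on a system does not imply a "read" right on its contents), and every decision, allowed or denied, is written to an audit log that can be queried afterwards. The levels, roles, accounts and resources are constructed for illustration.

```python
"""Added example, not code from the article: a minimal reference monitor that
applies the three access rules. Levels, roles, accounts and resources are
constructed for illustration."""

import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Confidentiality ranking, lowest to highest (assumed classification scheme).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

# Role -> set of (action, highest level permitted). "maintain" covers backup,
# patching and storage administration; "read" is access to the data itself.
ROLES = {
    "clerk":    {("read", "internal")},
    "analyst":  {("read", "confidential")},
    "sysadmin": {("maintain", "secret"), ("read", "public")},
    "cro":      {("read", "secret")},
}


@dataclass(frozen=True)
class Resource:
    name: str
    level: str


@dataclass(frozen=True)
class Account:
    user: str   # personal account; the policy has no shared logins
    role: str


@dataclass
class ReferenceMonitor:
    log: list = field(default_factory=list)

    def check(self, account: Account, action: str, resource: Resource, when=None) -> bool:
        """Allow the action only if the role holds that action at a level at
        least as high as the resource's; log the decision either way."""
        allowed = any(
            granted == action and LEVELS[resource.level] <= LEVELS[max_level]
            for granted, max_level in ROLES.get(account.role, ())
        )
        self.log.append({
            "ts": (when or datetime.now(timezone.utc)).isoformat(),
            "user": account.user, "role": account.role, "action": action,
            "resource": resource.name, "level": resource.level,
            "allowed": allowed,
        })
        return allowed

    def denied_reads(self) -> list:
        """Audit query: accounts that tried to read above their rights."""
        return [e for e in self.log if e["action"] == "read" and not e["allowed"]]

    def export_log(self) -> str:
        """One JSON object per line, ready for a SIEM or long-term archive."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.log)


if __name__ == "__main__":
    monitor = ReferenceMonitor()
    clients = Resource("clients_db", "secret")
    admin, risk, analyst = Account("ivanov", "sysadmin"), Account("petrova", "cro"), Account("sidorov", "analyst")
    monitor.check(admin, "maintain", clients)   # backup job: allowed
    monitor.check(admin, "read", clients)       # looking at the data: denied
    monitor.check(risk, "read", clients)        # allowed
    monitor.check(analyst, "read", clients)     # denied, above clearance
    print(monitor.export_log())
    print("denied reads:", [e["user"] for e in monitor.denied_reads()])
```

The point of separating "maintain" from "read" in the role table is that the backup operator's job still works while a denied read by the same account shows up in the log as exactly the kind of event the third rule is meant to surface.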

Communication standard

  1. The organization must adopt its own standard of communication that rules out all forms of inappropriate behaviour between employees (aggression, violence, excessive familiarity). This applies first of all to the relationship between manager and subordinate.

Under no circumstances should an employee feel that he is treated unfairly, undervalued, exploited or deceived.

Following this simple rule avoids the vast majority of situations that provoke employees into leaking information.

Confidentiality

A non-disclosure agreement should not be a mere formality. It must be signed by all employees who have access to important company information resources.

In addition, even at the interview stage, potential employees need to be explained how the company controls information security.

Control of equipment

This means controlling the technical equipment an employee uses for work.

For example, the use of a personal laptop is undesirable, because when the employee leaves it will most likely be impossible to establish what information is stored on it.

For the same reason, the use of mailboxes on external services is not advisable.

Internal regulations

The enterprise must enforce its internal regulations.

It must have information about the time employees spend at the workplace.

Control over the movement of material assets must also be ensured.

Compliance with all of the above rules reduces the risk of information being damaged or leaked by insiders, and therefore helps to prevent significant financial and reputational losses.

Managing partner

group of companies Hosting Community

Recently, the problem of protection against internal threats has become a real challenge to the understandable and established world of corporate information security. The press talks about insiders, researchers and analysts warn about possible losses and troubles, and news feeds are full of reports about yet another incident that led to the leakage of hundreds of thousands of customer records due to an error or carelessness of an employee. Let's try to figure out whether this problem is so serious, whether it needs to be dealt with, and what available tools and technologies exist to solve it.

First of all, it is worth determining that a threat to data confidentiality is internal if its source is an employee of the enterprise or some other person who has legal access to this data. Thus, when we talk about insider threats, we are talking about any possible actions of legitimate users, intentional or accidental, that could lead to the leakage of confidential information outside the enterprise's corporate network. To complete the picture, it is worth adding that such users are often called insiders, although this term has other meanings.

The relevance of the problem of internal threats is confirmed by the results of recent studies. In particular, in October 2008 the results of a joint study by Compuware and the Ponemon Institute were announced, according to which insiders are the most common cause of data leaks (75% of incidents in the United States), while hackers were only in fifth place. In the 2008 annual study by the Computer Security Institute (CSI), the figures for the number of insider threat incidents are as follows:

The number of incidents as a percentage means that of the total number of respondents, this type of incident occurred in the specified percentage of organizations. As can be seen from these figures, almost every organization has a risk of suffering from internal threats. For comparison, according to the same report, viruses affected 50% of surveyed organizations, and only 13% encountered hackers infiltrating their local network.

Thus, internal threats are a reality of today, and not a myth invented by analysts and vendors. So those who, in the old-fashioned way, believe that corporate information security is a firewall and antivirus, need to take a broader look at the problem as soon as possible.

The law "On Personal Data" adds to the pressure: under it, organizations and officials will have to answer for improper handling of personal data not only to their management, but also to their clients and to the law.

Intruder model

Traditionally, when considering threats and defenses against them, one should start with an analysis of the adversary model. As already mentioned, we will talk about insiders - employees of the organization and other users who have legal access to confidential information. As a rule, with these words, everyone thinks of an office employee working on a computer as part of a corporate network, who does not leave the organization’s office while working. However, such a representation is incomplete. It is necessary to expand it to include other types of persons with legal access to information who can leave the organization’s office. These could be business travelers with laptops, or those working both in the office and at home, couriers transporting media with information, primarily magnetic tapes with a backup copy, etc.

Such an expanded consideration of the intruder model, firstly, fits into the concept, since the threats posed by these intruders are also internal, and secondly, it allows us to analyze the problem more broadly, considering all possible options for combating these threats.

The following main types of internal violators can be distinguished:

  • Disloyal/resentful employee. Violators in this category may act purposefully, for example when changing jobs and wanting to take confidential information with them to interest a new employer, or emotionally, when they consider themselves wronged and want revenge. They are dangerous because they are the most motivated to harm the organization they currently work for. As a rule, the number of incidents involving disloyal employees is small, but it can grow in unfavourable economic conditions and during mass staff reductions.
  • An infiltrated, bribed or manipulated employee. Here we are talking about targeted actions, usually for the purpose of industrial espionage under intense competition. To collect confidential information, a competitor either plants its own person in the company, finds a less than loyal employee and bribes him, or uses social engineering to induce a loyal but careless employee to hand over confidential information. The number of incidents of this kind is usually even smaller than for the previous category, because in most segments of the Russian economy competition is not very developed or is conducted by other means.
  • Negligent employee. This type of violator is a loyal but inattentive or careless employee who may violate the enterprise's internal security policy through ignorance or forgetfulness. Such an employee might mistakenly send an email with a sensitive attachment to the wrong person, or take a flash drive with confidential information home to work on over the weekend and lose it. This type also includes employees who lose laptops and magnetic tapes. According to many experts, this type of insider is responsible for the majority of leaks of confidential information.

Thus, the motives, and consequently the course of action, of potential violators can differ significantly, and the approach to ensuring the organization's internal security should depend on this.

Technologies for protecting against insider threats

Despite the relative youth of this market segment, clients already have plenty to choose from depending on their goals and financial capabilities. It is worth noting that now there are practically no vendors on the market who specialize exclusively in internal threats. This situation has arisen not only due to the immaturity of this segment, but also due to the aggressive and sometimes chaotic policy of mergers and acquisitions carried out by manufacturers of traditional security products and other vendors interested in a presence in this segment. It is worth recalling the RSA Data Security company, which became a division of EMC in 2006, the purchase by NetApp of the startup Decru, which developed systems for protecting server storage and backup copies in 2005, the purchase by Symantec of the DLP vendor Vontu in 2007, etc.

Despite the fact that a large number of such transactions indicate good prospects for the development of this segment, they do not always benefit the quality of products that come under the wing of large corporations. Products begin to develop more slowly, and developers do not respond as quickly to market demands compared to a highly specialized company. This is a well-known disease of large companies, which, as we know, lose in mobility and efficiency to their smaller brothers. On the other hand, the quality of service and availability of products for customers in different parts of the world is improving due to the development of their service and sales network.

Let's consider the main technologies currently used to neutralize internal threats, their advantages and disadvantages.

Document control

Document control technology is embodied in modern rights management products, such as Microsoft Windows Rights Management Services, Adobe LiveCycle Rights Management ES and Oracle Information Rights Management.

The operating principle of these systems is to attach usage rules to each document and to enforce those rules in the applications that handle documents of that type. For example, you can create a Microsoft Word document and set rules for who can view it, who can edit and save changes, and who can print. In Windows RMS terms these rules are called a license and are stored with the file. The contents of the file are encrypted so that unauthorized users cannot read it.

Now, if any user tries to open such a protected file, the application contacts a special RMS server, which checks the user's permissions and, if this user is allowed access, passes the application the key to decrypt the file together with that user's rights. Based on this information, the application makes available to the user only those functions for which he has rights. For example, if a user is not allowed to print a file, the application's print function will be unavailable.

It follows that the information in such a file is safe even if the file leaves the corporate network, because it is encrypted. RMS functionality is already built into the Microsoft Office 2003 Professional Edition applications. To embed RMS functionality into applications from other developers, Microsoft offers a special SDK.

Adobe's document control system is built in a similar way, but is focused on documents in PDF format. Oracle IRM is installed on client computers as an agent and integrates with applications at runtime.

Document control is an important part of the overall concept of insider threat protection, but the inherent limitations of this technology must be taken into account. First, it works only for file formats handled by RMS-aware applications; arbitrary files and data held in databases are not covered. Second, usage rights are enforced by the client application, not by the server: once the server has released the key, both the key and the plaintext are in the application's memory. An attacker who uses the system's SDK to write a simple program that talks to the RMS server, receives the key and saves the document in clear text, and runs it under a user who has even the lowest level of access (viewing) to the document, bypasses the system entirely. Finally, deploying document control in an organization that has already accumulated many documents is laborious: the initial classification of documents and assignment of usage rights may require significant effort.
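The mechanism described in the preceding paragraphs, and the bypass just mentioned, can be shown in a few dozen lines. What follows is an added example and not code from the article or from Microsoft RMS, Adobe or Oracle: a toy rights-management protocol with a licence server, a compliant viewer that honours the licence, and a rogue client that makes the identical licence request and then ignores the rights. Assumptions: a single licence server keeps the per-document content key and policy in memory (a real system encrypts the key into a publishing licence stored with the file); the cipher is an HMAC-SHA256 keystream in counter mode so that the block runs with the standard library alone (a product would use AES); a document is a byte string.

```python
"""Added example, not code from the article or from any RMS product: a toy
rights-management protocol showing that usage rights are enforced in the
client, so the server cannot tell a compliant viewer from a rogue one."""

import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def crypt(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


class LicenseServer:
    """Holds content keys and per-user rights ('view', 'print', 'export')."""

    def __init__(self):
        self._keys = {}     # doc_id -> content key
        self._policy = {}   # doc_id -> {user: set of rights}

    def protect(self, doc_id: str, plaintext: bytes, policy: dict) -> dict:
        key, nonce = os.urandom(32), os.urandom(16)
        self._keys[doc_id] = key
        self._policy[doc_id] = {u: set(r) for u, r in policy.items()}
        return {"doc_id": doc_id, "nonce": nonce, "ciphertext": crypt(plaintext, key, nonce)}

    def issue_license(self, doc_id: str, user: str):
        """Returns (content key, rights) if the user holds any right at all.
        The key is released even for a view-only licence, because the
        application must decrypt the content in order to display it."""
        rights = self._policy.get(doc_id, {}).get(user)
        if not rights:
            return None
        return self._keys[doc_id], frozenset(rights)


class OpenDocument:
    """Decrypted content plus the rights the compliant viewer will honour."""

    def __init__(self, text: bytes, rights: frozenset):
        self._text, self.rights = text, rights

    def view(self) -> bytes:
        return self._text

    def print_(self) -> bytes:
        if "print" not in self.rights:
            raise PermissionError("printing not licensed")
        return self._text

    def export_plaintext(self) -> bytes:
        if "export" not in self.rights:
            raise PermissionError("export not licensed")
        return self._text


class CompliantViewer:
    """An RMS-aware application: fetches the licence, decrypts, then disables
    every function the licence does not grant."""

    def __init__(self, server: LicenseServer):
        self.server = server

    def open(self, blob: dict, user: str) -> OpenDocument:
        lic = self.server.issue_license(blob["doc_id"], user)
        if lic is None:
            raise PermissionError(f"{user} has no rights to {blob['doc_id']}")
        key, rights = lic
        return OpenDocument(crypt(blob["ciphertext"], key, blob["nonce"]), rights)


class RogueClient:
    """Written with the same SDK/protocol and run by a user who holds only
    'view'. The licence request is identical; the rights are simply ignored."""

    def __init__(self, server: LicenseServer):
        self.server = server

    def dump(self, blob: dict, user: str):
        lic = self.server.issue_license(blob["doc_id"], user)
        if lic is None:
            return None          # no licence, no key: this part still holds
        key, _ignored_rights = lic
        return crypt(blob["ciphertext"], key, blob["nonce"])


if __name__ == "__main__":
    srv = LicenseServer()
    blob = srv.protect("q3-forecast", b"Q3 revenue forecast: 12.4M",
                       {"alice": {"view", "print", "export"}, "bob": {"view"}})
    doc = CompliantViewer(srv).open(blob, "bob")
    print("bob views:", doc.view())
    try:
        doc.export_plaintext()
    except PermissionError as e:
        print("compliant viewer:", e)
    print("rogue client as bob:", RogueClient(srv).dump(blob, "bob"))
```

What the server can guarantee is only the first check, that a user with no rights gets no key; everything after that depends on the client being honest, which is why a document-control system should be combined with controls that do not trust the endpoint.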

This does not mean that document control systems do not fulfill the task, we just need to remember that information security is a complex problem, and, as a rule, it is not possible to solve it with the help of just one tool.

Leak protection

The term data loss prevention (DLP) appeared in the vocabulary of information security specialists relatively recently, and has already become, without exaggeration, the hottest topic in recent years. As a rule, the abbreviation DLP refers to systems that monitor possible leak channels and block them if an attempt is made to send any confidential information through these channels. In addition, the functions of such systems often include the ability to archive information passing through them for subsequent audits, incident investigations and retrospective analysis of potential risks.

There are two types of DLP systems: network DLP and host DLP.

Network DLP works as a network gateway that filters all data passing through it. Obviously, given the task of combating internal threats, the main interest of such filtering lies in controlling data transmitted from the corporate network to the Internet. Network DLP can monitor outgoing mail, HTTP and FTP traffic, instant messaging services and so on. If sensitive information is detected, the transmitted file can be blocked. There is also the option of manual processing of suspicious files: they are placed in quarantine, which a security officer periodically reviews, allowing or denying each transfer. Because of the nature of the protocols involved, such processing is only practical for email: SMTP is store-and-forward and tolerates delays of hours, whereas interactive protocols such as HTTP cannot wait for an officer's decision. Additional opportunities for auditing and incident investigation come from archiving all information that passes through the gateway, provided that the archive is periodically reviewed and its contents analyzed to identify leaks that have already occurred.

One of the main problems in deploying and operating DLP systems is the method of detecting confidential information, that is, the point at which a decision is made about whether the transmitted information is confidential, and the grounds on which that decision is based. As a rule this involves analyzing the content of transmitted documents, also called content analysis. Let's consider the main approaches to detecting confidential information.

  • Labels. This method is similar to the document control systems discussed above. Labels embedded in documents describe the degree of confidentiality of the information, what may be done with the document and to whom it may be sent. Based on the labels, the DLP system decides whether a given document may leave the network. Some DLP systems are designed from the outset to be compatible with rights management systems and use the labels those systems apply; others use their own label format.
  • Signatures. One or more character sequences are specified whose presence in the text of a transmitted file tells the DLP system that the file contains confidential information. Large numbers of signatures can be organized into dictionaries.
  • Bayesian method. This method, familiar from spam filtering, can also be applied in DLP systems. A list of categories is created, and for each word an estimate is made of the probability that a file containing it belongs (or does not belong) to a given category; the probabilities for all the words found in a file are then combined into a verdict.
  • Morphological analysis. Similar to the signature method, except that instead of requiring an exact match with the signature, words sharing the same root or stem (inflected and derived forms) are also matched.
  • Digital fingerprints. A similarity hash is calculated for every confidential document, constructed so that a small change to the document leaves the hash unchanged or changes it only slightly (unlike a cryptographic hash, where any change produces a completely different value). Transmitted content is then compared against the stored fingerprints, which greatly simplifies the detection of confidential documents and their fragments. Despite enthusiastic praise of this technology from many vendors and some analysts, its reliability leaves much to be desired, and since vendors, under various pretexts, prefer to keep the details of their fingerprinting algorithms in the shadows, trust in it does not increase.
  • Regular expressions. Familiar to anyone who has done any programming, regular expressions make it easy to find patterned data in text: telephone numbers, passport details, bank account numbers, social security numbers and so on.

It is easy to see from this list that the detection methods either do not guarantee complete identification of confidential information, since their rates of false positives and false negatives (type I and type II errors) are quite high, or require constant vigilance from the security service to update and maintain the list of signatures or the labels assigned to confidential documents.
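Three of the detection methods above, and the error trade-off just described, can be seen in a small content classifier. This is an added example, not the article's or any vendor's code: (1) a regular-expression detector for card numbers with a Luhn check, which discards random digit strings that the pattern alone would flag as false positives; (2) a signature dictionary; and (3) a shingle-based fingerprint whose score degrades gracefully when a registered document is lightly edited or only excerpted, which is the property the digital-fingerprint method depends on. The sample contract, the signatures, the messages and the 0.5 threshold are constructed assumptions for illustration.

```python
"""Added example, not from the article or any DLP product: regex + Luhn,
signature dictionary and shingle fingerprints over constructed messages."""

import hashlib
import re

# (1) Patterned data: 13 to 19 digits, optionally separated by spaces/dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Regex candidates that also pass Luhn; a plain regex would flag any 16 digits."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


# (2) Signatures grouped into a small dictionary (constructed).
SIGNATURES = {
    "marking": ["strictly confidential", "for internal use only"],
    "codename": ["project borealis"],
}


def find_signatures(text: str) -> list:
    low = text.lower()
    return [(cat, s) for cat, sigs in SIGNATURES.items() for s in sigs if s in low]


# (3) Fingerprint: the set of hashed word 3-grams ("shingles") of a document.
def shingles(text: str, k: int = 3) -> set:
    words = re.findall(r"\w+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
            for i in range(len(words) - k + 1)}


class FingerprintIndex:
    def __init__(self, threshold: float = 0.5):
        self.threshold = threshold
        self.docs = {}  # name -> shingle set of a registered confidential document

    def register(self, name: str, text: str) -> None:
        self.docs[name] = shingles(text)

    def best_match(self, text: str):
        """Containment score: share of the message's shingles that occur in a
        registered document. Unlike plain Jaccard similarity this stays high
        when only an excerpt of a long document is pasted into a message."""
        s = shingles(text)
        best_name, best_score = None, 0.0
        for name, reg in self.docs.items():
            score = len(s & reg) / len(s) if s else 0.0
            if score > best_score:
                best_name, best_score = name, score
        return best_name, best_score


def classify(text: str, index: FingerprintIndex) -> list:
    """Verdict of all three detectors for one outgoing message."""
    findings = []
    cards = find_card_numbers(text)
    if cards:
        findings.append(("card_number", cards))
    sigs = find_signatures(text)
    if sigs:
        findings.append(("signature", sigs))
    name, score = index.best_match(text)
    if name is not None and score >= index.threshold:
        findings.append(("fingerprint", (name, round(score, 2))))
    return findings


CONTRACT = ("Supply agreement between Acme Bank and Northwind Ltd. Delivery terms: 30 days net, "
            "penalty 0.5 percent per day of delay, exclusivity for the Baltic region until December.")

if __name__ == "__main__":
    idx = FingerprintIndex()
    idx.register("supply_contract", CONTRACT)
    for msg in ["Card 4111 1111 1111 1111 exp 12/27, please charge it",
                "Order 1234567890123456 shipped",       # 16 digits, fails Luhn: not flagged
                "fyi, from the draft: Delivery terms: 30 days net, penalty 0.5 percent per day "
                "of delay, exclusivity for the Baltic region until December. thoughts?",
                "Lunch at 12:30? The new place on Baltic street."]:
        print(classify(msg, idx), "<-", msg[:40])
```

The Luhn check and the containment threshold are where the error trade-off lives: loosening either catches more leaks and generates more false alarms, and the shingle index, like any fingerprint scheme, needs every new confidential document registered before it can recognize it.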

In addition, traffic encryption can be a problem for network DLP. If security requirements call for encrypting email messages or using SSL/TLS to connect to web resources, determining whether transmitted files contain confidential information becomes very difficult unless the gateway itself terminates the encrypted session. Don't forget that some instant messaging services, such as Skype, encrypt traffic by default. Either such services have to be given up, or host DLP has to be used to control them.

However, despite all the complexities, when properly configured and taken seriously, network DLP can significantly reduce the risk of leaking confidential information and provide an organization with a convenient means of internal control.

Host DLP is installed on every host on the network (client workstations and, where necessary, servers) and can also be used to control Internet traffic. In that role, however, host DLP is less widespread; it is currently used mainly for controlling external devices and printers. It is often said that an employee who brings a flash drive or an MP3 player to work poses a greater threat to the enterprise's information security than all hackers combined. These systems are also called endpoint security tools, although that term is often used more broadly; anti-virus tools, for example, are sometimes called that too.

As is well known, the problem of external devices can be solved without any special tools: by disabling the ports, physically or in the operating system, or administratively, by prohibiting employees from bringing any storage media into the office. In most cases, however, this "cheap and cheerful" approach is unacceptable, because it does not provide the flexibility of information services that business processes require.

This has created demand for special tools that solve the problem of external devices and printers more flexibly. Such tools allow access rights to different types of devices to be configured per user: one group of users can be prohibited from working with media but allowed to print, another allowed to work with media in read-only mode, and so on. Where individual users do need to write to external devices, shadow copy technology can be used, which copies everything written to an external device to a server; the copies can later be examined to analyze user actions. This technology copies indiscriminately: at the time of writing there were no systems able to analyze the content of the files being saved in order to block the operation and prevent the leak, as network DLP does. An archive of shadow copies nevertheless supports incident investigation and retrospective analysis of events on the network, and its very existence means that a potential insider can be caught and punished for his actions. That may prove a significant obstacle for him and a substantial reason to abandon hostile actions.

It is also worth mentioning control over the use of printers, since hard copies of documents can also become a source of leakage. Host DLP can control user access to printers in the same way as other external devices, and can save copies of printed documents in graphical form for later analysis. In addition, watermarking has become somewhat widespread: a unique code is printed on each page of a document, from which it can be determined exactly who printed the document, when and where.

Despite the undoubted advantages of host-based DLP, they have a number of disadvantages associated with the need to install agent software on each computer that is supposed to be monitored. Firstly, this can cause certain difficulties in terms of deploying and managing such systems. Secondly, a user with administrator rights may try to disable this software to perform any actions not permitted by the security policy.

However, for reliable control of external devices, host-based DLP is indispensable, and the problems mentioned are not unsolvable. Thus, we can conclude that the concept of DLP is now a full-fledged tool in the arsenal of corporate security services in the face of ever-increasing pressure on them to ensure internal control and protection against leaks.

IPC concept

In the process of inventing new means of combating internal threats, scientific and engineering thought has not stood still, and, taking into account certain shortcomings of the means discussed above, the market for leak protection systems has arrived at the concept of IPC (Information Protection and Control). The term appeared relatively recently; it is believed to have been first used in a review by the analyst firm IDC in 2007.

The essence of this concept is to combine DLP and encryption methods. In this concept, with the help of DLP, information leaving the corporate network through technical channels is controlled, and encryption is used to protect data media that physically fall or may fall into the hands of unauthorized persons.

Let's look at the most common encryption technologies that can be used in the IPC concept.

  • Encryption of magnetic tapes. Despite the archaic nature of this medium, tape continues to be actively used for backup and for transferring large volumes of information, since it still has no equal in cost per stored megabyte. Accordingly, tape leaks continue to delight the news editors who put them on the front page and to frustrate the CIOs and security teams of the enterprises that become the subjects of such reports. The situation is aggravated by the fact that such tapes hold very large amounts of data, so a large number of people can become victims of fraudsters.
  • Encryption of server storage. Although server storage is very rarely transported, and the risk of losing it is immeasurably lower than for magnetic tape, an individual hard drive from a storage array can fall into the hands of attackers. Repair, disposal, upgrade: these events occur regularly enough that the risk cannot be written off. And unauthorized persons entering the office is not an entirely impossible event either.

Here it is worth making a small digression and addressing the common misconception that if a disk is part of a RAID array, there is no need to worry about it falling into the wrong hands. It might seem that the striping of written data across multiple hard drives performed by RAID controllers renders the data on any single drive unreadable. Unfortunately, this is not true. Striping does occur, but the stripe unit is never smaller than a sector (512 bytes), and in most modern controllers it is far larger, typically tens or hundreds of kilobytes, so that individual records, and often entire small files, land contiguously on one disk. (Parity in RAID 5 and 6 does not change this: data blocks are stored in clear, and only the parity block is a combination of them.) This means that, despite the disruption of file structure and formats, confidential information can still be extracted from such a hard drive. Therefore, if there is a requirement to ensure the confidentiality of information stored in a RAID array, encryption remains the only reliable option.
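The point about striping can be checked directly. The following is an added example, not from the article: it simulates RAID-0 style striping of a constructed customer file (fictitious names, card numbers and phone numbers) across three disks, then runs a regular-expression search over a single disk image and counts how many complete records that one disk alone gives up. The stripe unit, record layout and disk count are assumptions chosen for illustration; the exposure only grows with larger stripe units.

```python
"""Added example, not from the article: RAID-0 striping simulation showing that
one member disk still yields complete records. All data is constructed."""

import re

NAMES = ["Ivan Petrov", "Anna Smirnova", "Olga Ivanova", "Petr Sidorov", "Maria Kuznetsova"]


def make_customer_file(n: int) -> list:
    """Constructed records: name;card;phone, one per line (no real persons)."""
    records = []
    for i in range(n):
        digits = f"{4111000000000000 + i:016d}"
        card = "-".join(digits[j:j + 4] for j in range(0, 16, 4))
        records.append(f"{NAMES[i % len(NAMES)]};{card};7916{i:07d}\n".encode())
    return records


def stripe(data: bytes, disks: int, stripe_unit: int) -> list:
    """Round-robin striping: chunk k of stripe_unit bytes goes to disk k % disks."""
    images = [bytearray() for _ in range(disks)]
    for k, off in enumerate(range(0, len(data), stripe_unit)):
        images[k % disks] += data[off:off + stripe_unit]
    return [bytes(img) for img in images]


def unstripe(images: list, stripe_unit: int) -> bytes:
    """Reassemble the array (sanity check: all disks together give the file back)."""
    out = bytearray()
    for off in range(0, max(len(img) for img in images), stripe_unit):
        for img in images:
            out += img[off:off + stripe_unit]
    return bytes(out)


# What an attacker greps for on a single stolen disk.
RECORD_RE = re.compile(rb"[A-Z][a-z]+ [A-Z][a-z]+;(?:\d{4}-){3}\d{4};\d{11}")


def records_on_disk(image: bytes) -> list:
    return [m.group() + b"\n" for m in RECORD_RE.finditer(image)]


def single_disk_exposure(n_records: int = 300, disks: int = 3, stripe_unit: int = 512) -> list:
    """Per disk: how many complete, genuine records one member disk exposes.
    Matches that straddle a chunk boundary inside the image (one record's tail
    glued to another's head) are not in the original file and are counted
    separately as spurious."""
    records = make_customer_file(n_records)
    originals = set(records)
    images = stripe(b"".join(records), disks, stripe_unit)
    assert unstripe(images, stripe_unit) == b"".join(records)
    report = []
    for d, img in enumerate(images):
        found = records_on_disk(img)
        genuine = [r for r in found if r in originals]
        report.append({"disk": d, "bytes": len(img), "complete_records": len(genuine),
                       "spurious_matches": len(found) - len(genuine)})
    return report


if __name__ == "__main__":
    for row in single_disk_exposure():
        print(row)
```

With 512-byte chunks and records of about 45 bytes, each chunk holds eight or more whole records, so every one of the three disks exposes well over half of its share of the file on its own; with a 64 KB stripe unit the file would sit on the first disk almost entirely.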

  • Encryption of laptops.This has already been said countless times, but still, the loss of laptops with confidential information has not been out of the top five of the hit parade of incidents for many years now.
  • Encryption of removable media. Here we are talking about portable USB devices and, sometimes, recordable CDs and DVDs, where they are used in the enterprise's business processes. Such systems, like the laptop disk encryption systems mentioned above, can often act as components of host DLP systems. In this case one speaks of a kind of cryptographic perimeter, which provides automatic, transparent encryption of media inside the perimeter and makes the data impossible to decrypt outside it.

Thus, encryption can significantly extend the capabilities of DLP systems and reduce the risk of leakage of confidential data. Although the IPC concept took shape only recently and the choice of integrated IPC solutions on the market is not yet wide, the industry is actively exploring this area, and it is quite possible that in time this concept will become the de facto standard for solving the problems of internal security and internal control.

Conclusions

As can be seen from this review, internal threats are a fairly new area in information security, which, nevertheless, is actively developing and requires increased attention. The considered document control technologies, DLP and IPC make it possible to build a fairly reliable internal control system and reduce the risk of leakage to an acceptable level. Without a doubt, this area of ​​information security will continue to develop, newer and more advanced technologies will be offered, but today many organizations are opting for one solution or another, since carelessness in matters of information security can be too expensive.

Alexey Raevsky
CEO of SecurIT
