The House recently passed the Department of Homeland Security Insider Threat and Mitigation Act of 2017 (HR 666), a bill to tighten defenses against insider threats. This comes just months after another National Security Agency (NSA) contractor, Harold Martin, allegedly stole sensitive government information.
Martin was arrested by the FBI in August 2016 and recently indicted by a federal grand jury, accused of violating the Espionage Act by carrying out what officials claimed was the “largest theft of classified information in US history.”
While Martin’s attorneys argue he had no malicious intentions to release the information, the fact is any individual who has been given legitimate access to systems and data is an insider, and their actions must be better monitored and controlled.
The Department of Homeland Security (DHS) Insider Threat and Mitigation Act of 2017, which was approved at the end of January, is intended to establish an insider threat program within the department. The program would focus on tasks such as providing training and education for DHS personnel, investigating potential insider threats that may pose a risk to the DHS's critical assets, and conducting risk mitigation activities for insider threats.
This step follows enactment of the National Industrial Security Program Operating Manual (NISPOM) Conforming Change 2, which requires that federal contractors demonstrate the ability to gather and analyze data and information on potential and real insider threats.
These are important milestones along the path to mitigating the insider threat risk, but it remains extraordinarily difficult to predict human behavior and identify who may maliciously or accidentally damage an organization.
Therefore, it's important to first understand the person who is employed by the organization: the human factor in identifying threats must not be underestimated.
It's also important to be able to use technology to dynamically monitor, and change, the access being granted to insiders. Together, these two elements provide a good foundation for an effective insider threat program.
Defining and defending against the insider threat
DHS defines the insider threat as the potential damage to the interests of an organization by a person or persons regarded, inaccurately, as loyally working for or on behalf of the organization, or who inadvertently commits security breaches.
This broad definition covers people from multiple groups: internal employees, supply chain partners, vetted and trusted contractors, and more. At its core, the insider threat comes down to people abusing legitimate access to systems and information.
The Martin case should be a shock to NSA and other federal agencies that live in a post-Snowden world. From a personnel standpoint, there are basic procedures to protect against insider threats that NSA seems to have missed, including:
- Continual Evaluation: Vetting an employee or contractor at the point of employment is no longer enough. Agencies need to evaluate personnel with access to sensitive information on an ongoing basis to ensure that they remain suited to hold a security clearance. Based on what we know about the Martin case, this level of evaluation may have flagged his behavior much earlier.
- Physical Security: This is access control at its most basic level. The fact that Martin could repeatedly leave the NSA with physical documents is inexcusable.
- Data Loss Prevention (DLP): This refers to controlling data at its most basic level, before it even reaches the access points. DLP monitors the communication channels (including ports, protocols and storage locations) and can help prevent data from leaving agency premises, based on rules defined ahead of time.
- Contractor Screening: One question that still needs to be answered is whether NSA held Booz Allen Hamilton's screening processes to the appropriate standard. Trust alone is no longer a valid security policy in today's connected world.
Check your privilege
From a technical standpoint, the insider problem grows exponentially when it comes to controlling legitimate employee access, especially when that access includes privileged accounts. Privileged accounts are the key target for insiders and are where most attacks on an organization start, whether they come from the inside or externally.
These accounts represent a significant attack surface and exist in every piece of technology connected to the network. They can provide absolute control over an organization's infrastructure, and can do so without leaving a trace.
To reduce the risk of insider threats and limit the exploitation of legitimate access, here are five steps federal government agencies should consider:
- Proactively Limit Insider Threat Exposure: By restricting standard user privileges based on role, organizations can minimize both intentional and accidental damage. This is the principle of least privilege: access and privileges are granted only on a need basis.
- Clean Up Your Credentials: Privileged credentials can function as a network skeleton key of sorts, providing legitimate access across IT infrastructure. A recent study my company conducted found that almost 40 percent of organizations keep their credentials in Word files, Excel spreadsheets and other easy-to-access forms. Because these accounts can be used anonymously, this invites abuse. Privileged credentials should always be stored in a secure, central repository that supports strong access controls, multi-factor authentication, and full auditability.
- Limit the Power of Any One Account: There is little-to-no reason why all privileged accounts should have the same power. Administrative duties should be segregated based on each privileged user's specific role. For example, full admin or root access should only be provided when it's actually necessary for the task at hand.
- Deter Bad Behavior: Organizations need to track the individual use of privileged and shared accounts, and record activity to tie a specific "who" to each action taken with the access provided. Remember, it's about the access, not the person. Users should know before accessing one of these accounts that their actions will be recorded. This is especially important for shared or anonymous accounts.
- Reassess Who Gets Privilege: The number of privileged accounts in an organization is typically 3-4 times the number of employees. Most organizations are unaware of how many privileged accounts exist, including those that belonged to employees who have since left. These orphaned accounts are ripe for malicious use. Regularly reviewing the list of privileged users and removing excess accounts is critical in protecting against privileged abuse.
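The periodic review described in the last step, and the role-based restriction in the first, can be reduced to a reconciliation exercise: compare who actually holds privileged group membership against who the HR roster says is still employed and what their role entitles them to. The script below is an added example, not code from the article or from CyberArk; the roster, role policy and group export are constructed sample data, and in a real environment the export would come from Active Directory, LDAP or the privileged access management tool.

```python
"""Privileged-account review: reconcile a privileged-group export against an HR roster.

Added example with constructed data. Flags three things the article's steps call for:
  orphaned  - privileged members with no active roster entry (departed staff, unowned accounts)
  excess    - active members holding a privileged group their role does not allow
  broad     - accounts holding more than one privileged group (candidates for segregation)
"""

# Constructed role policy: which privileged groups each role may hold.
ROLE_POLICY = {
    "dba": {"db_admins"},
    "sysadmin": {"domain_admins", "server_admins"},
    "helpdesk": {"helpdesk_admins"},
}

# Constructed HR roster: account -> (role, employment status).
ROSTER = {
    "alice": ("sysadmin", "active"),
    "bob": ("dba", "active"),
    "carol": ("helpdesk", "active"),
    "dave": ("sysadmin", "terminated"),
}

# Constructed privileged-group export, one "group: member,member" line per group.
GROUP_EXPORT = """\
# exported 2017-02-01 (sample)
domain_admins: alice,dave,svc_backup
server_admins: alice,carol
db_admins: bob,carol
helpdesk_admins: carol
"""


def parse_group_export(text):
    """Return {group: set(members)} from 'group: a,b,c' lines; skips blanks and comments."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, members = line.partition(":")
        groups[name.strip()] = {m.strip() for m in members.split(",") if m.strip()}
    return groups


def review_privileged_accounts(groups, roster, policy):
    """Return {'orphaned': [...], 'excess': [...], 'broad': [...]} as sorted lists."""
    orphaned, excess = set(), set()
    membership_count = {}
    for group, members in groups.items():
        for acct in members:
            membership_count[acct] = membership_count.get(acct, 0) + 1
            entry = roster.get(acct)
            # No roster entry, or roster says not active: nobody currently owns this access.
            if entry is None or entry[1] != "active":
                orphaned.add((acct, group))
                continue
            role = entry[0]
            # Active, but the role's allowed set does not include this group.
            if group not in policy.get(role, set()):
                excess.add((acct, group, role))
    broad = {(acct, n) for acct, n in membership_count.items() if n > 1}
    return {
        "orphaned": sorted(orphaned),
        "excess": sorted(excess),
        "broad": sorted(broad),
    }


def run_review():
    """Convenience entry point over the constructed sample data."""
    return review_privileged_accounts(parse_group_export(GROUP_EXPORT), ROSTER, ROLE_POLICY)


if __name__ == "__main__":
    for category, findings in run_review().items():
        print(f"{category}:")
        for finding in findings:
            print("  ", finding)
```

On the sample data the review flags dave (terminated, still in domain_admins) and svc_backup (no owner of record) as orphaned, carol's two groups outside the helpdesk role as excess, and alice and carol as holding more than one privileged group. A service account showing up as orphaned does not necessarily mean it should be deleted; it means it has no documented owner, which is the record a periodic review should force the organization to create.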
Protecting against insider threats is incredibly difficult because predicting malicious or negligent human behavior is an inexact science. By focusing on the legitimate access being abused, organizations can proactively identify and mitigate insider attacks before they cause irreparable damage.
Kevin Corbett is Director, Federal at CyberArk, and has more than 20 years of experience working with federal government agencies.