How to recognise the cyber insider threat

If people start accessing systems or the data in them more often, you may have a problem

Losing business to a competitor because one of your trusted employees has walked out the door with sensitive information doesn’t need to happen if you look for the signs and put controls in place, according to a panel of cyber security experts.

Cisco Australia hosted a discussion on cyber security in Sydney this week.

According to Computer Emergency Response Team (CERT) Australia's technical director, Doctor Jason Smith, many organisations CERT Australia works with fall victim to an insider because their network is misconfigured or not monitored.

“The ability for poorly trained or tired [IT] people to make mistakes can also have an impact,” he said.

“Once an adversary has code execution on your computer, they are essentially an insider. The controls you need to build need to take into account what an insider could do to your network.”

He added that the insider threat needs to be communicated to the company’s board so that they can have input into decisions that are made to deal with the problem, in conjunction with the IT department.

“Cyber security is a team sport and that team can consist of people in your organisation and service providers,” said Smith.

According to Cisco's information security global vice president, Steve Martino, companies need to put in place controls that capture data and look for patterns or behaviour that is out of the norm.

For example, if a trusted staff member starts accessing systems more often, looking at data in the system or working very long hours, this can be captured via logs and the security card reader the employee uses to swipe in and out of the building.

“I can look at how often a person accesses a system or data in that system. That’s not violating privacy because accessing that system is part of their job,” he said.

“If we see a pattern, we will sit down with the [Cisco] employee and discuss what is happening and how to deal with it.”
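As an added illustration of the baseline-and-deviation check Martino describes (written for this page, not Cisco's own tooling), the Python below builds each employee's own daily baseline from constructed application-access log lines and card-reader swipes, then flags a day that departs from it. The log format, the user name "alice" and the thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample events (not from the article): four ordinary days for
# "alice" (two record lookups, on site 08:55-17:40), then a fifth day with
# six lookups and a 15-hour stay. Line format: "<date> <time> <user> <event>".
_BASELINE = [f"2014-09-{8 + i:02d} {t} alice {ev}" for i in range(4)
             for t, ev in (("08:55", "BADGE_IN"), ("10:10", "ACCESS crm"),
                           ("14:20", "ACCESS crm"), ("17:40", "BADGE_OUT"))]
_SUSPECT = [f"2014-09-12 {t} alice {ev}" for t, ev in (
    ("06:05", "BADGE_IN"), ("06:30", "ACCESS crm"), ("07:10", "ACCESS crm"),
    ("09:45", "ACCESS fileshare"), ("13:00", "ACCESS crm"),
    ("16:20", "ACCESS crm"), ("19:50", "ACCESS fileshare"), ("21:15", "BADGE_OUT"))]
SAMPLE_LOG = "\n".join(_BASELINE + _SUSPECT)

def daily_profile(log_text):
    """Return {user: {date: (access_count, hours_on_site)}} from raw events."""
    raw = defaultdict(lambda: {"accesses": 0, "in": None, "out": None})
    for line in log_text.splitlines():
        date, time, user, event = line.split(" ", 3)
        rec = raw[(user, date)]
        if event.startswith("ACCESS"):
            rec["accesses"] += 1  # count lookups only, never the record content
        else:  # BADGE_IN / BADGE_OUT from the card reader
            stamp = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M")
            rec["in" if event == "BADGE_IN" else "out"] = stamp
    profile = defaultdict(dict)
    for (user, date), r in raw.items():
        hours = (r["out"] - r["in"]).total_seconds() / 3600 if r["in"] and r["out"] else 0.0
        profile[user][date] = (r["accesses"], hours)
    return profile

def flag_outliers(profile, k=3.0, min_days=3, floor=1.0):
    """Flag a user's day whose access count or on-site hours exceed that user's own
    other days by k standard deviations (`floor` keeps a zero-variance baseline sane)."""
    flags = []
    for user, days in profile.items():
        if len(days) <= min_days:
            continue  # too little history to call anything a pattern
        for date, (acc, hrs) in days.items():
            reasons = []
            for label, val, idx in (("accesses", acc, 0), ("hours", hrs, 1)):
                base = [v[idx] for d, v in days.items() if d != date]
                if val > mean(base) + k * max(pstdev(base), floor):
                    reasons.append(label)
            if reasons:
                flags.append((user, date, reasons))
    return flags
```

The check only counts how often a system is touched and how long the badge says someone was in the building, which is the line Martino draws between monitoring job activity and reading private content.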

However, Martino warned employers that opening up a secure email account and looking inside it could be deemed a violation of privacy.

His advice for creating an insider threat plan was to start with 'who, what, why and how': who would want the data, why would they want it, what would they do with it and how would they get to it?

Edith Cowan University's Security Research Institute adjunct professor, Gary Blair, who previously worked as a CISO at Westpac, said that Australian banks mainly look at external threats such as organised crime, nation states and terrorist groups.

“I sense that within Australia, we trust people in the work environment. That’s good because it leads to harmonious working relations,” he said.

However, Blair said that more companies need to recognise there is a potential for an insider threat.

“The Australian banking industry is starting to conduct extreme cyber scenario planning as part of their regulatory requirements. In doing so, banks are considering the worst case scenarios that could occur.”

For example, he said banks are conducting audit reports and risk assessments to see how secure their internal systems are.

Speaking to Computerworld Australia in July, cyber forensic investigator Nick Klein from Klein & Co warned that rogue employees will use any means to get sensitive information out, ranging from photocopying documents to copying it into their Google Mail account.

“It’s tricky because companies are using Gmail or other [cloud] email services as part of their normal business operations. It’s getting harder to investigate [IP theft] because people are sending all of these services out to the cloud,” he said.

“The question we ask people is: If you have Google Drive, what kind of backups do you have? Executives look at their IT guys and say, ‘We’ve got backups, right?’ And the IT guys will reply that they haven’t implemented that yet.”

Follow Hamish Barwick on Twitter: @HamishBarwick
