Michael C. Theis has more than 25 years of experience as a counterintelligence special agent and 30+ years of concurrent work in computer systems engineering. He directs cyber threat management strategies for detecting and combating trusted insider threats to the federal government and private sector. Identity Week recently spoke with Mr. Theis to get his insights on how to mitigate the insider threat.
1. According to industry research insiders are increasingly accounting for data breaches. Why is the “insider threat” growing as a security vulnerability?
There are several factors here: First, let’s consider the age before cyber technologies. Insiders were given tools to do their jobs that only performed one or two functions – a typewriter typed letters, a telephone made phone calls. It was fairly trivial to right-size permissions for these devices and effectively monitor their use. Today, however, insiders are given tools that perform many, many functions – a mobile phone is also a computer, Internet device, storage device, data transfer channel, etc. A computer can accomplish not only its intended business function but also a plethora of other functions that are often difficult to right-size permissions for and to effectively monitor.
The second factor is that insiders with opportunity have long been a significant security concern. For instance, in retail it is often the employees and trusted vendors and buying agents that are responsible for the most shrinkage of inventory. Computers have just enabled a wider range of employees to have opportunity to engage in the kinds of activities that benefit themselves, even at the company’s expense.
The third factor is that most of the security focus has been directed to threats originating from outside the network perimeter and companies just haven’t had enough visibility into insider activity to accurately measure the impact.
And finally, until recently there was some hesitance to report negative insider activity until new laws and industry best practices made the results of insider threats more reportable.
2. In your view, what single type of threat is corporate IT the least prepared to handle today and why?
If I had to choose only a “single” threat that corporate IT is not prepared to handle I would choose IT administrators (SysAdmins). These are the individuals that not only have the “keys to the kingdom” as it were, but are often responsible for installing, operating, and maintaining the cyber security we are counting on to identify and mitigate insider threats. It should be no surprise that SysAdmins are the major perpetrators of IT sabotage, but are at the very bottom of reporting for other negative cyber activity.
For sabotage to be successful, its effects must be observable, or by definition there really wasn’t any sabotage. However, the theft of IP, PII, corporate and economic espionage, etc. are just the opposite. To be truly effective, they should not be observed or discovered and SysAdmins are the most capable of accomplishing that. In addition, multiple system administrators are often found sharing privileged accounts in the domain (think of the root account for the mailserver, webserver, etc.) where they all share the same password. This makes attribution of activity to a specific SysAdmin even more challenging.
Now, if I could pick two threats, I think that insider susceptibility to social engineering is a challenge on an equal par. In my view, any stimulus that depends on an insider to take some kind of action is social engineering (so not just phone calls asking for your password). Expecting a user to open an attachment, attach a thumb drive, visit a website, insert a CD, etc., are all social engineering attacks. For both of the threats I have described, it would be useful to ensure that compromise of a SysAdmin’s or user’s credentials would never persist beyond a single session (i.e. no one would be able to log-in as them again to effect change).
3. When it comes to security, what’s the biggest misconception you’ve seen among corporate IT planners?
The biggest misconception I have encountered is the belief that malicious intent and activity is directed at the company only from outside the network perimeter. The thinking is that although insiders make mistakes or take inadvertent actions that cause problems, there really isn’t a “maliciousness” to their actions. This thought process often leads to the implementation of simplified DLP solutions, i.e. let’s just make sure people don’t inadvertently send out social security numbers (SSNs) in an email. This of course has absolutely no affect on a malicious insider who could print-out the SSNs, or take a picture of the computer screen with a cell-phone camera.
Because these other vectors seem difficult to effectively monitor and detect, there is a serious under-reporting of how much loss there really is from insiders. A truly effective insider threat strategy requires an enterprise program, not just the acquisition of a single tool. It includes education, awareness, reporting incentives and a corporate culture that permeates beyond the IT organization.
4. Looking ahead, what types of new IT security threats do you see on the horizon and how can these threats be countered?
I think that in the short-term it is the “consumerization of IT” that will be the most challenging. Users want to use their iPad, Smartphone, mobile hot-spot, favorite social networking software, etc. because they’re effective and productive in their work. How do we recognize these devices and applications to ensure we have right-sized permissions and can effectively monitor our critical data? What are the legal and governance liabilities for users manipulating our data using their own ad hoc IT constructs?
I believe we need to rethink how we approach this new generation of IT and start from a zero trust and zero knowledge model. Meaning, we will not allow devices, processes, people, and software to operate unless we have fully identified and managed the risk (zero trust); and that when users end a work session they have no useable information in their heads or on their person that would allow someone else to log back in as them (zero knowledge). Finding effective, agile ways to do that and also maximize IT’s potential will be a challenge. A good start might be true two-way communication with users that ensures visibility into their ideas of what they are using or want to use in the enterprise. Early identification allows security to be baked-in from the beginning, rather than sprinkled-on after we find out what was already being done with our data.
Michael C. Theis (CISSP) is President of Strategic Threat Solutions LLC, a privately held consulting company focused on creating strategies for difficult long-term problems affecting the United States Federal Government and the private sector. The Cyber-Insider Threat Solutions division partners with clients to create enterprise-wide strategies for detecting and mitigating insider threats in both physical and cyber space. Mr. Theis can be reached at MTheis@StrategicThreatSolutions.com.