Security – the Insider Threat

The military and intelligence communities are taking measures to keep a closer eye on their own employees in the wake of the massive loss of data taken by Private Bradley Manning and NSA contractor Edward Snowden.

You would think the NSA already had some kind of system to detect when someone plugs a USB drive into a classified network. Apparently the NSA does not, or it does and it did not work, because Edward Snowden was able to download data in an NSA office in Hawaii undetected.

Bradley Manning is the soldier who downloaded diplomatic cables and gave them to WikiLeaks, which published them on its site. He too was able to download many gigabytes of data from a classified network onto a USB drive, and no one saw that.

Some have said that the weakest link in any security system is people, because they are the most likely to download viruses, share passwords, be tricked over the telephone into giving away data, or otherwise engage in practices that the security software and hardware cannot always catch. But the other threat is employees and contractors whose intent is to steal data or sabotage systems. Some employees have been arrested for stealing company secrets and then selling them to foreign governments, who presumably would share them with competing companies operating there.

Courts have ruled, and the Freedom Foundation privacy organization has agreed, that employees have no right to privacy at work. So companies are free to closely monitor their employees in the office. In order to prevent employees who work with classified data, wire transfer payment systems, credit cards, and other company secrets and customer data from stealing this data, some companies and government agencies are installing software to record employee keystrokes and take screenshots of what employees are doing.

Raytheon SureView is one such product to help with that. They say their software offers Insider Threat Management. They say “…technology itself is not the problem—human behavior is.” They say their product is, “The only integrated network and desktop solution covering all users [sic] activities.”

Securonix offers similar tools and says, “Using purpose-built data mining, correlation, enrichment and analytics, the Securonix solution detects not only users with high risk identity profiles but high-risk activity, access, and events in your organization that are associated with insider threats.” This suggests that their software includes statistical analysis to detect suspect behavior. Certainly some kind of intelligence is needed if any such software is to actually work.

CA ArcSight is another monitoring tool. It is designed to monitor intrusions from the outside, but it can be used to monitor insider threats. The problem with ArcSight is that it must be programmed by the user, and that is not always easy. (Probably SureView works the same way.) ArcSight has out-of-the-box rules for detecting malware and denial-of-service attacks, but correlating what privileged users are doing with actual data loss or theft is not exactly easy to program into the system. (I have experience programming ArcSight, so I know about that.)

Among the activities that I did when I was programming ArcSight specific to monitoring employees were:

• Write rules to monitor users who have admin rights
• Write rules to monitor specific accounts at a bank

If you think about how an employee would go about stealing data, the obvious items to monitor would be: USB drives—it should be possible to monitor Windows and determine what service spins up when someone inserts a USB drive. If company policy prohibits that, the employee can be confronted right away, before the employee walks out the door. A cell phone can operate as a USB drive as well, so a policy prohibiting connecting USB drives should include cameras as well.
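As an added illustration of the two ArcSight-style rules described above (monitoring privileged accounts, and reacting to a USB insertion before the employee walks out the door), here is a small correlation engine in Python. It is example code written for this page, not ArcSight content or any vendor's product; the log format, the user names, the admin list and the removable-drive letters are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample log lines in a simple "timestamp|user|event|detail" form
# (not real Windows or ArcSight output); detail for file_copy is "path;bytes".
SAMPLE_LOG = """\
2013-06-01T09:00:00|jdoe|admin_logon|
2013-06-01T09:02:10|jdoe|usb_insert|USBSTOR\\VID_0781&PID_5567
2013-06-01T09:03:30|jdoe|file_copy|E:\\cables.zip;1500000000
2013-06-01T09:10:00|asmith|usb_insert|USBSTOR\\VID_05AC&PID_12A8
2013-06-01T09:11:00|asmith|file_copy|E:\\notes.txt;2048
2013-06-01T10:00:00|bwhite|file_copy|C:\\work\\report.docx;4096
"""

ADMINS = {"jdoe"}               # hypothetical list of privileged accounts
REMOVABLE_DRIVES = {"E:"}       # hypothetical removable volume letters
WINDOW = timedelta(minutes=30)  # insert and copy must fall within this window
BULK_BYTES = 100 * 1024 * 1024  # 100 MiB to removable media counts as bulk

def parse_log(text):
    """Turn the raw lines into (timestamp, user, event, detail) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, user, kind, detail = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), user, kind, detail))
    return sorted(events)

def evaluate(events):
    """Rule 1: any USB insertion is a policy violation (medium severity).
    Rule 2: an admin who inserts a USB device and then copies a bulk file
    to a removable drive within WINDOW gets a high-severity alert."""
    alerts = []
    last_insert = {}  # user -> time of most recent USB insertion
    for ts, user, kind, detail in events:
        if kind == "usb_insert":
            last_insert[user] = ts
            alerts.append(("medium", user, "usb_device_inserted", detail))
        elif kind == "file_copy":
            path, size = detail.rsplit(";", 1)
            if (path[:2] in REMOVABLE_DRIVES and user in ADMINS
                    and int(size) >= BULK_BYTES
                    and user in last_insert
                    and ts - last_insert[user] <= WINDOW):
                alerts.append(("high", user, "admin_bulk_copy_to_usb", path))
    return alerts

if __name__ == "__main__":
    for alert in evaluate(parse_log(SAMPLE_LOG)):
        print(*alert)
```

On the sample data, jdoe's insertion followed by a 1.5 GB copy to E: raises the high-severity correlation, while asmith's small copy only triggers the plain USB-insertion rule.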

FTP, HTML, email, and SFTP—You can monitor what data goes out of the network, sort of. Some firewall vendors say they can monitor encrypted data by using a man-in-the-middle attack to decrypt it. If it is monitored correctly, this kind of monitoring would also uncover viruses installed by hackers that are sending out data. But trying to read each and every email and attachment and each and every HTML and SSL data packet would be difficult. Trying to read VPN traffic would be impossible, because you cannot decrypt that with a man-in-the-middle attack from the firewall. Perhaps some kind of complicated and expensive monitoring could be limited to only those subnets where classified or highly sensitive financial and corporate secrets are maintained. There the only choice might be to record all screenshots and keyboard activity to reconstruct theft after it has happened. That would probably not work for a crime in progress, as how could software sift through all of that in real time? Someone from Raytheon could answer that.

Not everything an employee does to lose data is criminal activity. Most of it would be lack of training or just mistakes. Such monitoring can help point out the need for more training and review of security policies. It would also be useful in after-the-fact forensics. In the ideal situation, it would prevent employees from stealing data or company secrets before they are able to do that. There is no doubt that the NSA wishes it had had something to do that before Edward Snowden came along.