Beware The Insider Cyber-Threat

By David Gewirtz

With all of the discussions recently about cyber-attacks and cyber-defense, most of the attention has been paid to an external force attempting to attack, infiltrate, or exfiltrate data from a computer network. Very little mention has been made of the threats coming from inside the firewall.

Imagine you live in the days of old, and your task is to defend your walled city. You put soldiers on the walls to look for external threats. Perhaps you have a moat, to provide an added barrier to entry. Your city can be entered only through heavily armored portals that can be raised as part of the city defense.

This is a good analogy for your computer network. The moat, the walls, and the city gate are all part of your perimeter defenses, with your network's firewall as the primary barrier to outside threats.

One way attackers have gotten through such barriers is through brute force. This is the shape of a distributed denial of service (DDoS) attack, which overwhelms a target with sheer volume (strictly, a DDoS knocks a service down rather than getting inside, but the dynamic is the same). Imagine you're in your walled city and the opposing force concentrates all its attention on one point on the wall. They fire ballista after ballista, trebuchet after trebuchet, ram after ram -- all at that one point. No matter how well-built the wall may be, cracks will eventually form, the wall will weaken, and it might even be penetrated. This, however, is a lot of work, and even in today's digital world, takes a lot of resources. Even more to the point, it's not subtle. If you're ever attacked by a DDoS, you'll know it. Oh, boy, will you know it!

Another way attackers have gotten through barriers is through subterfuge. They sneak in. The whole Trojan Horse story is a reflection of subterfuge, although that, too, was a lot of work.

Yet another way through the barriers, though, is when someone already inside turns against you. In our imaginary medieval city, that could be a member of the city guards who opens a critical gate from the inside, or a king's bodyguard who sticks a knife in the king's back.

In the digital world, the equivalent would be a trusted employee, law enforcement professional, fellow member of the military, or other member of your organization's community. Almost two years ago, Verizon published its 2010 Data Breach Investigations Report. To put together their analysis, Verizon's network security team used data from their own networks, as well as data provided to them by the U.S. Secret Service. They took a look at the number of confirmed data breaches and discovered that a full 46% of data breaches came from an internal (i.e., inside the wall) source. That's an extraordinary statistic, and it goes to the point that simply protecting your perimeter won't protect your network.

To be fair, not all of these internal breaches were initiated by traitors in the ranks. Many were caused by an unwitting staffer who brought an infected personal electronics device (a laptop, a tablet, a phone, a camera) inside and connected it to the secured network. At that point, often without any awareness of the carrier individual, spyware and malware programs set up shop and, very quietly behind the scenes, begin to tunnel underneath the digital walls, exfiltrating data and providing a command and control interface to their distant and unseen controllers. I wrote about this in "USB: the Trojan Horse of digital technology," here in this magazine, back in 2009. The threat of free and easy transit of personal electronics inside protected perimeters has been a particular worry of mine.

What I want you to become aware of, today, is how that threat multiplies when you add a trusted, yet malicious actor to the equation. This becomes particularly worrisome if your traitorous insider is a member of the network engineering team, able to engineer holes and back doors into the very fabric of the network security infrastructure.

Given the disturbing nature of this threat, what can you do about it? It turns out, thankfully, that there are some defensive tactics you can deploy.

First, install additional automated defensive systems inside your network. Most major enterprise computing suppliers will sell you intrusion detection and prevention "appliances" that plug into your network and actively watch, report on, and intercede against damaging behavior inside your network. There is also a wide range of free and open source programs that can be put on a simple PC and will do the same thing (albeit with more complexity and little hand-holding).

Second, regularly change your access procedures and passwords. Be sure to use different passwords for different systems, and make sure that if you terminate a team member, you eliminate all passwords and accounts used by that member. Pay special attention to password "federation" systems, systems that let you use one password to access multiple systems. Very often, a fired employee's federated central password will be changed or removed, but all the ancillary accounts and passwords will remain accessible. If you use federated authentication systems, you must be sure to work all the way down the chain and remove all access. The same goes for any credential that does not hang off a personal account at all: shared service-account passwords, SSH keys, and API tokens the person had access to must be rotated, not merely disabled.

Third, implement multi-factor authentication. Essentially, this involves using one-time codes, often generated by a small hardware device, as an additional authentication mechanism. With multi-factor authentication, it becomes substantially harder to gain access to a network without the authenticator. It also blunts the stale-password problem described above, but only if the departed employee's token is revoked along with the accounts.

Fourth, log and study traffic patterns on your network. Look for unexpected surges of data transmission (or, conversely, for those IP addresses that appear to be dormant -- they could be quietly waiting for something to wake them up).

Finally, although this is always annoying and often disruptive, consider bringing outside auditors into your network to evaluate its security and behavior. If you've got a mole inside, the auditor might help spot it. On the other hand, bringing in an auditor adds new eyes and hands to the network, which is also a security risk.

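The fourth tactic, looking for unexpected surges and for dormant addresses, as an added example that is not part of the original article: the script below runs both checks over a constructed set of daily per-host outbound byte counts (the kind of summary you would derive from NetFlow or firewall logs; the hosts, days and volumes are made up). The surge check compares each host's latest day against the median of its earlier days, and the dormancy check lists inventoried hosts that have sent nothing for several days, including ones that never appear in the logs at all.

```python
from collections import defaultdict
from statistics import median
from typing import List, Tuple

MB = 1_000_000

# Constructed sample data (hosts, days and volumes are made up): one record per
# internal host per day giving bytes it sent outbound. Day 7 is "today".
FLOWS: List[Tuple[int, str, int]] = []
for day, mb in enumerate([50, 48, 52, 51, 49, 50, 55], start=1):    # steady workstation
    FLOWS.append((day, "10.0.1.10", mb * MB))
for day, mb in enumerate([40, 42, 39, 41, 40, 43, 2100], start=1):  # 2.1 GB burst on day 7
    FLOWS.append((day, "10.0.1.11", mb * MB))
for day, mb in enumerate([30, 28], start=1):                         # went silent after day 2
    FLOWS.append((day, "10.0.1.12", mb * MB))
for day, mb in enumerate([60, 62, 58, 61, 59, 60, 80], start=1):    # busier, but within normal
    FLOWS.append((day, "10.0.1.14", mb * MB))

# Asset inventory: every host that should be producing traffic. 10.0.1.13 never appears in FLOWS.
INVENTORY = {"10.0.1.10", "10.0.1.11", "10.0.1.12", "10.0.1.13", "10.0.1.14"}


def daily_egress(flows):
    """Aggregate records into {host: {day: bytes_out}}."""
    table = defaultdict(lambda: defaultdict(int))
    for day, host, nbytes in flows:
        table[host][day] += nbytes
    return table


def find_egress_surges(flows, today, factor=5.0, min_bytes=100 * MB):
    """Flag hosts whose outbound volume on `today` is at least `factor` times the
    median of their earlier days. The median resists a single earlier spike pulling
    the baseline up; `min_bytes` keeps trivial volumes out of the report. A host with
    no history at all is flagged purely on `min_bytes` (a dormant host waking up).
    Returns [(host, today_bytes, baseline_bytes, ratio)], largest ratio first."""
    findings = []
    for host, per_day in daily_egress(flows).items():
        sent_today = per_day.get(today, 0)
        history = [b for d, b in per_day.items() if d < today]
        baseline = median(history) if history else 0
        ratio = sent_today / baseline if baseline else float("inf")
        if sent_today >= min_bytes and ratio >= factor:
            findings.append((host, sent_today, baseline, ratio))
    return sorted(findings, key=lambda f: f[3], reverse=True)


def find_dormant_hosts(flows, inventory, today, quiet_days=3):
    """Inventoried hosts that have sent nothing for `quiet_days` or more (or ever).
    Returns {host: last_seen_day_or_None}."""
    last_seen = {}
    for day, host, _ in flows:
        last_seen[host] = max(day, last_seen.get(host, 0))
    dormant = {}
    for host in sorted(inventory):
        seen = last_seen.get(host)
        if seen is None or today - seen >= quiet_days:
            dormant[host] = seen
    return dormant


if __name__ == "__main__":
    for host, sent, base, ratio in find_egress_surges(FLOWS, today=7):
        print(f"SURGE  {host}: {sent / MB:.0f} MB today vs median {base / MB:.0f} MB ({ratio:.0f}x)")
    for host, seen in find_dormant_hosts(FLOWS, INVENTORY, today=7).items():
        print(f"QUIET  {host}: last seen day {seen}" if seen else f"QUIET  {host}: never seen")
```

On the constructed data only 10.0.1.11 is reported as a surge (about 52 times its median), while the busier but steady 10.0.1.14 is not, and the dormancy pass returns 10.0.1.12 (silent since day 2) and 10.0.1.13 (in the inventory, never in the logs). The inventory join matters: a host you only learn about from its own traffic cannot be noticed when it goes quiet.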
Ah. di gital tec hn o logy. It ca n so metimes almos t make you wish fo r stone wa lls and fc tid moats.

About the Author

David Gewirtz is the director of the U.S. Strategic Perspective Institute and editor-in-chief of the ZATZ technical magazines. He regularly writes commentary and analysis for CNN's Anderson Cooper 360, and has written more than 700 articles about technology. David is a former professor of computer science, has lectured at Princeton, Berkeley, UCLA, and Stanford, has been awarded the prestigious Sigma Xi Research Award in Engineering, and was a candidate for the 2008 Pulitzer Prize in Letters. He is the Cyberterrorism Advisor for IACSP. David's personal Web site is at DavidGewirtz.com. Read his blog at CNN Anderson Cooper 360 for politics, policy, and analysis. Read his blog at CBS Interactive's ZDNet Government, where tech meets politics and government. Or follow him on Twitter at @DavidGewirtz.

The Journal of Counterterrorism & Homeland Security International