Video Tutor Richard Stiennon
Video tutor Richard Stiennon is Founder and Chief Research Analyst at IT-Harvest. He maintains the popular security blog www.threatchaos.com. Previously, Stiennon was VP of Research at Gartner Inc., where he covered security topics including firewalls, intrusion detection, intrusion prevention, security consulting, and managed security services for the Security and Privacy group. He is a holder of Gartner's Thought Leadership award for 2003 and was named one of "The 50 Most Powerful People in Networking" by NetworkWorld Magazine. He is currently immersed in writing his first book, Surviving Cyber War.
Questions and Answers from the Tutor
Question: As I develop "coarse-grained policies," then refine them further based upon roles and appropriate data access for my company, what's a reasonable number of levels to shoot for?
I recognize this will vary according to company, but there must be a benchmark number of levels determined by companies similar to mine in terms of size, roles, and industry. Too few levels, and I will frustrate users; too many levels, and my IT guys are gonna wring my neck.
Answer: You are right that every organization is different. My own suggestion is that there be three levels as a start.
First level: All authorized users
Second level: Insiders versus outsiders (contractors, vendors, auditors)
Third level: Departmental distinctions -- finance, IT, or executives, for example. This aligns nicely with your org chart and can be facilitated by departmental level admins.
Technology is catching up with the problem of rights administration. Some vendors are creating systems that learn "normal" access and allow you to enforce "normal" and manage exceptions.
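The three levels the tutor lists can be written down as one coarse-to-fine policy check, which makes it easy to see which level denied a request and to delegate the third level to departmental admins. The following is an added example written for this page, not code from the tutor or from Internet Evolution; the users, resources, department names and the `grant_department` rule are constructed assumptions.

```python
"""Three-tier access policy check (added example; not the tutor's code).

Levels, coarsest first:
  1. all authorized (authenticated) users
  2. insiders versus outsiders (contractors, vendors, auditors)
  3. departmental distinctions (finance, IT, executives, ...)
Users, resources and department names below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    authenticated: bool   # level 1: passed authentication at all?
    insider: bool         # level 2: employee (True) vs contractor/vendor/auditor (False)
    department: str       # level 3: the org-chart unit the user belongs to


@dataclass(frozen=True)
class Resource:
    name: str
    insiders_only: bool = False           # level 2 restriction
    departments: frozenset = frozenset()  # level 3 allow-list; empty means any department


def check_access(user: User, resource: Resource) -> tuple[bool, str]:
    """Evaluate the levels coarse-to-fine and report which one decided."""
    if not user.authenticated:                       # level 1
        return False, "level1: not an authorized user"
    if resource.insiders_only and not user.insider:  # level 2
        return False, "level2: outsider"
    if resource.departments and user.department not in resource.departments:  # level 3
        return False, "level3: department"
    return True, "allowed"


def grant_department(admin: User, resource: Resource, department: str) -> Resource:
    """Delegated administration (constructed rule): a departmental admin may
    only extend a resource's allow-list with their *own* department."""
    if not (admin.authenticated and admin.insider and admin.department == department):
        raise PermissionError(f"{admin.name} may not grant access for {department}")
    return Resource(resource.name, resource.insiders_only, resource.departments | {department})


# Constructed sample data.
INTRANET = Resource("intranet-home")                                  # level 1 only
STAFF_DIR = Resource("staff-directory", insiders_only=True)           # levels 1-2
LEDGER = Resource("general-ledger", insiders_only=True, departments=frozenset({"finance"}))

USERS = {
    "guest": User("guest", authenticated=False, insider=False, department=""),
    "vendor": User("vendor", authenticated=True, insider=False, department="it"),
    "it-admin": User("it-admin", authenticated=True, insider=True, department="it"),
    "controller": User("controller", authenticated=True, insider=True, department="finance"),
}


def decisions() -> dict[str, str]:
    """Decision for every (user, resource) pair, keyed 'user->resource'."""
    out = {}
    for uname, user in USERS.items():
        for res in (INTRANET, STAFF_DIR, LEDGER):
            out[f"{uname}->{res.name}"] = check_access(user, res)[1]
    return out


if __name__ == "__main__":
    for pair, verdict in decisions().items():
        print(f"{pair:32} {verdict}")
```

Evaluating coarse levels first keeps the departmental allow-lists small: a contractor never reaches level 3 on an insiders-only resource, so the finance admin only has to reason about employees when maintaining the ledger's department list.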

Question: I did not see any discussion of the migration from traditional desktop-server, TCP-IP-based infrastructures to thin-client computing and diskless workstation architectures. Does this migration enhance security and reduce the monitoring overhead? Do you think that such an architecture would be better than the traditional desktop-server infrastructure in reducing the insider threat?
Answer: Transitioning to thin-client and away from traditional desktops would simplify overall security management. One image, no rogue software installs like BitTorrent, as you point out. But it does not solve the issue of trusted, authenticated users stealing information. You still need the controls in place.
Hosted services, à la cloud computing, SaaS, etc., are going to introduce new problems. As long as users are authenticated and monitored it should be containable. Watch out for the employees of the hosted service! Remember what happened when a Twitter sys-admin's account was hacked?

Question: Where can I find the sort of statistics that the boss wants to see in order to justify allocating X percent to the insider vs. traditional outsider threat?
Answer: There are two good resources for getting the boss to understand the need for concentrating on the insider threat. One is the Ponemon survey (sorry about the sign-up); the other is the recent Verizon survey.

Question: When one starts to talk about outsourcing that involves IT infrastructures that span geopolitical borders in a global economy, I personally think the problems you describe and the threats you so cogently highlight would be greatly exacerbated by externally managed clouds and outsourced IT support and infrastructures.
What are your thoughts on how you can protect your data when you rely on an external IT exoskeleton and support staff versus an internal equivalent? And how do you propose one would establish the same level of positive control to resources and support personnel that may represent and reside in competitive, and not necessarily the same or allied, geopolitical regions of the world?
Answer: Outsourcing is a special case of the insider threat, but I believe it should not be an issue. If every user of your networks, applications, and systems were treated as untrusted, then you would use the same levels of authentication, access controls, and activity monitoring with internal people as you do with outsourcers. If the World Bank had been monitoring the activity of its Satyam contractors, it would have caught on to the systematic theft that went on for over a year. Trusting employees is naive; trusting outsourcers is stupid.
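The point that internal staff and outsourcers should get the same activity monitoring, together with the earlier remark about systems that learn "normal" access and manage exceptions, can be shown with a small baseline-and-exception monitor that never looks at whether a user is an employee or a contractor when deciding what to flag. This is an added example written for this page, not the tutor's code; the log format, the user names and the rule that a user's "normal" is the set of action/top-level-folder pairs seen during a learning window are constructed assumptions.

```python
"""Baseline-and-exception activity monitor (added example; not the tutor's code).

Every user is treated as untrusted: the same rule applies whether the record
says employee or contractor. 'Normal' for a user is the set of
(action, top-level folder) pairs observed during a learning window; anything
outside it in the review window is an exception to be managed, not silently
allowed. Log format and records are constructed for illustration.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) type=(?P<type>employee|contractor) "
    r"action=(?P<action>\S+) resource=(?P<resource>\S+)$"
)


def parse(line: str) -> dict:
    """Parse one constructed log record into its fields; reject malformed lines."""
    m = LOG_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()


def top_folder(resource: str) -> str:
    """'/finance/ledger.xls' -> 'finance': coarse enough for the baseline to generalise."""
    parts = [p for p in resource.split("/") if p]
    return parts[0] if parts else resource


def learn_baseline(lines) -> dict:
    """Per-user set of (action, top-level folder) pairs seen in the learning window."""
    baseline = defaultdict(set)
    for rec in map(parse, lines):
        baseline[rec["user"]].add((rec["action"], top_folder(rec["resource"])))
    return dict(baseline)


def find_exceptions(baseline: dict, lines) -> list:
    """Return (user, type, action, resource, reason) for every out-of-baseline event.
    The user's type is carried along for the reviewer but plays no part in the decision."""
    findings = []
    for rec in map(parse, lines):
        key = (rec["action"], top_folder(rec["resource"]))
        if rec["user"] not in baseline:
            reason = "no baseline for user"
        elif key not in baseline[rec["user"]]:
            reason = f"{key[0]} on {key[1]}/ not in baseline"
        else:
            continue
        findings.append((rec["user"], rec["type"], rec["action"], rec["resource"], reason))
    return findings


# Constructed learning-window records: what each user normally does.
LEARNING_LOG = [
    "2009-07-01T09:00:00 user=alice type=employee action=read resource=/finance/ledger.xls",
    "2009-07-01T09:05:00 user=alice type=employee action=write resource=/finance/budget.xls",
    "2009-07-01T09:10:00 user=bob type=contractor action=read resource=/it/tickets/1042",
    "2009-07-01T09:12:00 user=bob type=contractor action=write resource=/it/tickets/1042",
]

# Constructed review-window records: one routine event and several departures.
REVIEW_LOG = [
    "2009-07-02T09:00:00 user=alice type=employee action=read resource=/finance/ledger.xls",
    "2009-07-02T22:15:00 user=bob type=contractor action=read resource=/finance/ledger.xls",
    "2009-07-02T22:16:00 user=bob type=contractor action=export resource=/finance/ledger.xls",
    "2009-07-02T10:00:00 user=alice type=employee action=export resource=/hr/salaries.xls",
    "2009-07-02T11:00:00 user=charlie type=employee action=read resource=/it/tickets/7",
]


def review() -> list:
    """Learn from the first window, then flag exceptions in the second."""
    return find_exceptions(learn_baseline(LEARNING_LOG), REVIEW_LOG)


if __name__ == "__main__":
    for user, kind, action, resource, reason in review():
        print(f"{user:8} {kind:10} {action:6} {resource:26} {reason}")
```

In the constructed data the contractor's off-hours reads and export of a finance file are flagged, but so is the employee's export from an HR folder she never touched before, and a user with no learning history at all is surfaced rather than assumed normal. That is the practical meaning of treating every user as untrusted: the flag comes from the deviation, not from the badge colour.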
