Insider threats are back in the news in a big way. Bank of America revealed that an employee allegedly leaked a lot of accountholder information to a ring of criminals, which led to account hijacking and check fraud. And the goal of the RSA breach seemed to be emerging rather scarily with news of what looks like a series of highly orchestrated attacks against defense contractors Lockheed Martin, L-3 Communications and now Northrop Grumman (as security analyst Richard Stiennon said on twitter, this may be the most calculated attack since Stuxnet). While the RSA based attacks aren’t necessarily being perpetrated by insiders, the attackers are looking to leverage the access insiders have by posing as trusted users to do their dirty work.
Combating insider threats was the topic of the talk I gave at the recent European Identity Conference in Munich. The talk – When Trust is Not Enough – was based on the blog post with the same title I wrote a few months ago. In my talk I expanded on my post to describe how a multi-layered approach to identity management can help combat the risks of insider threats. I have adapted that talk as a slidecast which you can listen to and view below.
After my talk, Tim Cole grilled me on one of the key points I had made – the need to change the culture in IT of treating administrators with kid gloves and a lack of oversight. He questioned whether something like this could actually happen in enterprises. I contend that this is already happening today, and cases like the Bank of America breach offer us teaching moments about the need to bring accountability to everyone’s access, especially our most privileged users.
I fear that we are on the verge of finding out a lot more about insider attacks, as the ability to keep quiet about them is going to end in this era of Twitter, Wikileaks and greater transparency. But enterprises that are interested in making the effort to solidify their defenses against such threats need to know that there are things they can do today to help themselves.