Stopping The Insider
Bruce Schneier on “The Insider Threat and its Mitigation”
1. Limit the number of trusted people. This one is obvious. The fewer people who have root access to the computer system, know the combination to the safe, or have the authority to sign checks, the more secure the system is.
2. Ensure that trusted people are also trustworthy. This is the idea behind background checks, lie detector tests, personality profiling, prohibiting convicted felons from getting certain jobs, limiting other jobs to citizens, the TSA’s no-fly list, and so on, as well as behind bonding employees, which means there are deep pockets standing behind them if they turn out not to be trustworthy.
3. Limit the amount of trust each person has. This is compartmentalization; the idea here is to limit the amount of damage a person can do if he ends up not being trustworthy. This is the concept behind giving people keys that only unlock their office or passwords that only unlock their account, as well as “need to know” and other levels of security clearance.
4. Give people overlapping spheres of trust. This is what security professionals call defense in depth. It’s why it takes two people with two separate keys to launch nuclear missiles, and two signatures on corporate checks over a certain value. It’s the idea behind bank tellers requiring management overrides for high-value transactions, double-entry bookkeeping, and all those guards and cameras at casinos. It’s why, when you go to a movie theater, one person sells you a ticket and another person standing a few yards away tears it in half: It makes it much harder for one employee to defraud the system. It’s why key bank employees need to take their two-week vacation all at once – so their replacements have a chance to uncover any fraud.
5. Detect breaches of trust after the fact and prosecute the guilty. In the end, the four previous techniques can only do so well. Trusted people can subvert a system. Most of the time, we discover the security breach after the fact and then punish the perpetrator through the legal system: publicly, so as to provide a deterrence effect and increase the overall level of security in society. This is why audit is so vital.
The rest of the article can be found here
Much of this still needs to be taught to corporate America today. All too often they also think that by instituting all of these protocols and more, you can “stop” the internal threat. They would be wrong, as Schneier points out later on, but still the perception persists. Sure, you may cut down on this kind of thing, but you will never outright stop it.
Vigilance is key.
But here’s my thing. He starts off with the Makwana case. Ya know, the Indian guy who had all the access to plant the logic bombs in Fannie Mae? Well, here is where I get on my high horse. Why oh why did they give this guy, an Indian contractor, a guy from a country with a porous border with Pakistan, such access to ALL their important servers?
What were they thinking?
You have to take things like this into account, you know; when you hire tech help from anywhere you must do background checks etc. Get a feel for who the person is and where they are in the head space. Of course this may not give you any idea at all that they are going to screw you, but it’s better than not doing it at all.
Of course these folks at Fannie have never been so good at security. Surely their telling the guy he was fired but could work the rest of the day was EPICALLY stupid and a real recipe for FAIL… But, I have seen that before in other places. What are people thinking?
Anyway, Bruce has a point and I thought perhaps it should get some more sunlight than just the WSJ.