People: The Real Persistent Threat

In 2002 the sys admin for a financial firm planted a logic bomb in his soon-to-be-ex-employer's systems, planning to short the company's stock and make a fortune when the bomb went off. Two years ago a rogue sys admin working for an intelligence agency contractor made off with a trove of classified documents, fleeing first to China, then to Russia. The stories go on and on, but the recurring theme is this: the biggest potential threat to your systems and the data in them is not outsiders, but insiders. You can't change the fact that you will suffer some kind of compromise at some point, but there are steps you can take to reduce the threat posed by an insider whose trust may be wildly misplaced. I focus on sys admins, but the issues apply to anyone with a sufficient level of access and trust in your organization: anyone who needs special levels of privilege in order to do their job. Depending on the size of the organization, they may have access to everything. They may not know how to use a given application as a user would, or the full significance of the data that flows through your systems, but they can make that application and its associated data disappear if they so choose.

As a business owner or executive you place a lot of trust in your people and most of the time that trust is well placed.

Until it isn’t.

A sys admin or privileged employee compromised by an adversary (a rival business, a hostile nation, etc.) is your worst nightmare, because you have no idea they are robbing you blind until it is too late. Even if you begin to suspect one of your people is doing something unauthorized, if not illegal, how do you investigate without tipping off the person who knows more about your IT enterprise than you do?

You can’t.

Let me be a little more precise: most of you are not able or willing to conduct the kind of operation it takes to root out a spy. That's what a rogue insider is: a spy. Such activities are effectively counterintelligence operations. They cost money, they are conducted in the utmost secrecy, and they come with massive amounts of overhead. You run a business, not a spy-hunting outfit. Most of you, if faced with such a problem, will find a way to manage the suspected offender out of the company or into a position where they can't do any more damage. Even then, you can't be sure they didn't leave behind a surprise (a backdoor account, a scheduled job, a hidden credential) that lets them keep access when they are no longer supposed to have it, or that destroys evidence or data if they think you're on to them and they have nothing to lose.

So what are your options?

From the world of accounting (and nuclear weapons) we have the "two man rule." Anything one person does should be checked, logged, or otherwise noted by another: no single admin should be able to change a critical system, or disable the logging of that change, without a second person seeing it. Collusion is a risk, but it's a much lower risk than one person going rogue.

Randomly bring in an outsider to conduct an audit. It should be done by someone who knows their stuff but doesn't know the person under scrutiny. Ideally the audit should be done so that the admin is unwitting, or unaware it is happening until the day of, so that a potential rogue can't cover their tracks.

Talk to them. In the Army there is a saying, "Soldiers aren't happy unless they are b****ing." Everyone has complaints about something, but there is a difference between "I wish this thing we did wasn't so tedious or annoying" and "I hate you all!" You can't make everyone happy, and there is no accounting for crazy, but for most people, knowing that someone with the power to make things happen is listening to their complaints, and maybe walking them back from the edge of a cliff, might be enough to stop them from doing something catastrophic.