“Implementing Insider Defenses”
Communications of the ACM, May 2021, Vol. 64 No. 5, Pages 60-65
By Eric Grosse, Fred B. Schneider, Lynette I. Millett
Classical approaches to cyber-security—isolation, monitoring, and the like—are a good starting point for defending against attacks, regardless of perpetrator. But implementations of those approaches in hardware and/or software can invariably be circumvented by insiders, individuals who abuse the privileges and access their trusted status affords. An organizational culture in which people and procedures are part of the system’s defenses is thus necessary. Such a culture instantiates the same classical approaches to cyber-security, but with people who follow administrative procedures as the implementation. So, a careful look at a system’s defenses finds that many of the same classical approaches reappear at each level. But the implementation at the lowest layers—structures we might term insider defenses—involves people.
People do not slavishly follow administrative procedures the way a computing system executes its programs. In addition, people are more prone than computing systems to making errors, and people can be distracted or fooled. Finally, because they can be influenced by events both inside and outside of the workplace, people have very different kinds of vulnerabilities than computing systems. But people alter their behaviors in response to incentives and disincentives and, when empowered by organizational culture, they will (unlike computing systems) respond in reasonable ways to unusual or unanticipated circumstances. Thus, the use of people in a defense both offers benefits and brings different challenges than using hardware or software.
Those benefits and challenges are the focus of this article, which is informed by some recent discussions about best practices being employed at global IT companies and at the U.S. Department of Defense (DoD) for defense against insider attacks. The private sector and DoD are quite different in their willingness and ability to invest in defenses, in the consequences of successful attacks, and in the inclinations of their employees to tolerate strict workplace restrictions. Given those differences, two things we heard seemed striking and worth documenting for broader dissemination: how similar the practices being used are, and how these organizational structures and procedures to defend against insider threats can be seen as instantiating some classical approaches to cyber-security.
Assessing Risks from Insider Attacks
Risks from insider attacks will be part of any credible security assessment for an organization. In doing such an assessment, assets along with the protections they merit must be enumerated. That list is likely to include integrity and confidentiality of financial and customer data, confidentiality of intellectual property, integrity of system functionality, and availability of services. A risk assessment for insider attacks also requires determining which individuals and roles within the organization are being trusted and for what, as well as how those trust relationships are maintained and updated as roles change and as changes are made to the organizational structure itself. Part of this approach, articulated by Phil Venables [9], then a financial services CISO and Board Director at Goldman Sachs Bank, is to understand each role in the organization and the potential impact subverting that role could have; the aim would be to ensure no individual’s role has the potential for damage that exceeds the organization’s risk tolerance. Note that the operational challenges of effective and comprehensive insider risk mitigation might delay deployment until other areas of an organization’s security program are mature, but understanding and communicating the insider risk is nevertheless worthwhile.
Compromised insiders not only pose a threat to an organization’s assets but are a threat to organizational stability (for example, through personnel or organizational changes made in reaction to a compromise), mission success (for example, when critical products fail to perform as expected), and customer satisfaction. Insider attacks also are an obvious vehicle for perpetrating supply chain attacks on an organization’s immediate or downstream customers. Moreover, certain functions and activities within an organization might be sensitive enough to warrant protection from inadvertent mistakes or accidents by even trustworthy employees. Many defenses against insider attacks can serve here as well.
About the Authors:
Eric Grosse is a private consultant in Los Altos, CA, USA.
Fred B. Schneider is the Samuel B. Eckert Professor of Computer Science at Cornell University, Ithaca, NY, USA.
Lynette I. Millett is Senior Program Manager of the Computer Science and Telecommunications Board at the National Academies of Sciences, Engineering, and Medicine, Washington, D.C., USA.