Preparing for Insider Attacks


Good preparation is the key to responding to an insider attack. The most critical preparation step is the development and implementation of policies. These policies should spell out acceptable and unacceptable behavior by employees, and they should explicitly address system administrators and others with elevated privileges. The policies should have senior management buy-in. They might, for example, be signed by the CEO or by one of the CEO's direct reports.

The policies must be distributed to all employees, who should then acknowledge receipt of them. For example, the policies could be distributed during employee orientation, and employees could be required to sign a statement confirming that they have received, read, and understood the policies. These policies should cover the rights and authorities of the company with respect to monitoring and ownership of critical data. They should state that the company has the right to conduct electronic monitoring of network traffic and company-owned computer systems. They should not state that the company necessarily will monitor all traffic, but that it has the right to do so.

Appropriate prescreening of employees, including background and credit checks or contacting references and former employers, might be helpful in identifying potential attackers. Obviously, procedures for this must be in place beforehand, and appropriate input from the human resources and legal departments is critical in defining what screening is appropriate (and legal) in the context. Periodic rescreening is also helpful to identify employees who might have developed problems during their employment. This is not infallible: Aldrich Ames and Robert Hanssen both circumvented or evaded periodic rescreening over several years.

The appropriate hardware and software to conduct monitoring should be installed, and procedures to review the data should be implemented. If periodic reviews are a normal business practice, the data gathered by those reviews is much more likely to be admissible if the company chooses to prosecute or litigate later.

Physical access to critical systems should be controlled. Many serious vulnerabilities can only be exploited with some level of physical access. For example, a person with console access can use readily available hacker tools to change the administrator password on a Windows NT server. It is a fundamental principle of security that no system is secure if unrestricted physical access is allowed. Physical access to network hardware is also critical. An attacker could plug a laptop into a vacant network port and conceal it behind furniture to sniff network traffic. The wiring closet and switch room should be guarded as closely as the server rooms or data center.
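Guarding the wiring closet is the primary control, but a periodic review of what is actually connected to the switches gives a second chance to notice a laptop tucked behind furniture. The following audit script is an added example and is not from the book: it compares a switch's learned MAC address table against an inventory of which MAC addresses are authorized on which port, and flags any port the inventory says should be vacant but on which a device has been learned. The inventory, the port names and the MAC table text are all constructed for the example; the table text is assumed to follow the common "Vlan / Mac Address / Type / Ports" column layout of a switch's `show mac address-table` output.

```python
"""Audit a switch MAC address table against an inventory of authorized
devices, to catch a device plugged into a port that should be vacant.

Added example, not from the book. The inventory and sample table below are
constructed; the parser assumes the common 'Vlan  Mac Address  Type  Ports'
column layout of 'show mac address-table' output.
"""
import re

# Constructed inventory: port -> set of MAC addresses authorized on that port.
# Any port absent from this mapping is expected to be vacant (and ideally
# administratively shut down on the switch).
AUTHORIZED = {
    "Gi1/0/1": {"0011.2233.4455"},
    "Gi1/0/2": {"0011.2233.4466"},
    "Gi1/0/24": {"00aa.bbcc.dd01", "00aa.bbcc.dd02"},  # uplink with two known hosts
}

# Constructed sample output in the layout of 'show mac address-table'.
# Gi1/0/7 is not in the inventory, so the device learned there is the
# concealed laptop of the scenario; Gi1/0/2 shows an extra, unknown MAC.
SAMPLE_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    0011.2233.4466    DYNAMIC     Gi1/0/2
  10    0011.2233.4477    DYNAMIC     Gi1/0/2
  10    dead.beef.cafe    DYNAMIC     Gi1/0/7
  10    00aa.bbcc.dd01    DYNAMIC     Gi1/0/24
  10    00aa.bbcc.dd02    DYNAMIC     Gi1/0/24
Total Mac Addresses for this criterion: 6
"""

# One data row: VLAN number, dotted-hex MAC, learn type, port name.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Return (vlan, mac, type, port) tuples; header and summary lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2).lower(), m.group(3).upper(), m.group(4)))
    return rows


def audit(rows, authorized):
    """Classify each learned MAC against the inventory.

    Findings are (kind, port, mac) tuples:
      rogue_port     - a MAC learned on a port the inventory says is vacant
      unexpected_mac - an unknown MAC on a port that does have authorized devices
      missing        - an authorized MAC not currently learned (informational)
    """
    findings = []
    seen = {}
    for _vlan, mac, _type, port in rows:
        seen.setdefault(port, set()).add(mac)
        if port not in authorized:
            findings.append(("rogue_port", port, mac))
        elif mac not in authorized[port]:
            findings.append(("unexpected_mac", port, mac))
    for port, macs in authorized.items():
        for mac in sorted(macs - seen.get(port, set())):
            findings.append(("missing", port, mac))
    return findings


def vacant_ports_in_use(findings):
    """Ports that should be vacant but have a device on them, sorted."""
    return sorted({port for kind, port, _mac in findings if kind == "rogue_port"})


if __name__ == "__main__":
    result = audit(parse_mac_table(SAMPLE_TABLE), AUTHORIZED)
    for kind, port, mac in result:
        print(f"{kind:15} {port:10} {mac}")
    print("vacant ports with a device attached:", vacant_ports_in_use(result))
```

Run against a real table, the `rogue_port` findings are the ones to walk out and check physically; `unexpected_mac` on an authorized port can be a legitimately swapped machine or a small hub, and is worth a ticket rather than an alarm. The audit is only as good as the inventory, so it belongs in the same periodic review cycle as the other monitoring data.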



Incident Response: A Strategic Guide to Handling System and Network Security Breaches
ISBN: 1578702569
Year: 2002
Pages: 103