Reducing Risks of Insider Attacks
I especially like the SANS Institute's Cybersecurity Awareness Tip today on insider threats for a couple of reasons. First, and probably most importantly, it emphasizes the human element along with technical measures. Second, it notes that insider threats are one of the most difficult kinds to deal with and, in my opinion, don't get enough attention. I have my own suggestion to add to the list, but first here are some of the key points.
1. It's a balancing act.
Frequently, fighting insider threats prevents people from doing their work. Another problem is that too many restrictions and too much surveillance lead to distrust between employer and employee.
2. In terms of technical measures, Johannes B. Ullrich, the author of the post, suggests good logs and good backups. This way you'll know what is going on (assuming the logs are not tampered with) and you'll have a way to recover.
3. For organization management, he recommends avoiding "loners" and sticking with teams instead. This isn't always practical, especially for small and mid-sized companies that don't have large, if any, IT staffs. For those companies, another suggestion is especially important: know your employees and care about them.
Make sure they are paid well and don't have a reason to be mad at you. If they are, make sure you are able to discover issues early. But treating your employees well goes a long way to mitigating insider threats.
To Ullrich's list I'd add: take advantage of fine-grained access controls when available. Oracle 10g and later support a concept called realms, which allow us to group database objects and resources and apply access controls to that group. We no longer have to give the "keys to the kingdom" to every DBA who needs some, but not all, system-level access. By the way, in Oracle parlance, realms are included in a product called Data Vault.
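As an added example (not from the original post, and not Oracle's own documentation), this is what the realm approach described above looks like in practice, using the Database Vault administration package DBMS_MACADM. It assumes you are connected as the Database Vault owner account, and that the schema name HR and the realm name "HR Data Realm" are illustrative choices.

```sql
-- Added example: wrap an application schema in a Database Vault realm so that
-- holders of system privileges (SELECT ANY TABLE, ALTER ANY TABLE, the DBA
-- role) can no longer reach its data unless explicitly authorized.
-- Assumptions: run as the Database Vault owner; schema HR and the realm name
-- are illustrative.

-- 1. Create the realm: enabled, auditing failed access attempts.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Data Realm',
    description   => 'Keeps HR tables out of reach of system-privilege users',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);
END;
/

-- 2. Put every table owned by HR into the realm ('%' is a wildcard).
BEGIN
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Data Realm',
    object_owner => 'HR',
    object_name  => '%',
    object_type  => 'TABLE');
END;
/

-- 3. Authorize only the schema owner. A DBA who is not listed here keeps
--    every other system privilege but loses the "keys" to HR's tables.
BEGIN
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Data Realm',
    grantee       => 'HR',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- 4. Check: connected as an unauthorized DBA-role user, this now fails with
--    ORA-01031: insufficient privileges, and the attempt lands in the audit trail.
-- SELECT * FROM hr.employees;

-- 5. Review what the realm protects and who is authorized.
SELECT realm_name, object_owner, object_name, object_type
  FROM dvsys.dba_dv_realm_object
 WHERE realm_name = 'HR Data Realm';
SELECT realm_name, grantee, auth_options
  FROM dvsys.dba_dv_realm_auth
 WHERE realm_name = 'HR Data Realm';
```

Note that a regular realm only blocks access that relies on system privileges; a direct object grant such as GRANT SELECT ON hr.employees still works, so review those grants alongside the realm.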