Lieberman Software and Core Security form strategi... » London, UK: Lieberman Software Corporation has announced a new strategic alliance with (Courion) Cor... Ness Tec helps secure the Torridon Hotel with MOBO... » UK: MOBOTIX AG has released details of a project for the Torridon Hotel that has upgraded its CCTV t... Norbain adds new Suprema and BioConnect biometric ... » Norbain has announced the addition of new BioConnect biometric products to the Norbain product portf... UK2 Group selects Opengear for global Smart Out-... » UK: Opengear has announced a successful project with UK2 Group, a growing hosting provider, to impro... Zinwave to demonstrate public safety DAS at Crit... » Zinwave has announced that it will showcase its UNItivity distributed wireless access solution (DAS)... Outdated systems placing maritime vessels at ris... » Maritime vessels are under significant threat of cyber-attack because many are carrying outdated sof... Blesma gears up for annual fundraising initiativ... » Fundraisers from all over the country are getting ready for Blesma Week – the fundraising initiative... Optex Systems announces $1.12 Million Purchase O... » RICHARDSON, TX: Optex Systems, Inc. has announced it has received a $1.1 million purchase order to s... Wargaming sponsors TANKFEST 2016 » Wargaming is once again partnering with The Tank Museum, Bovington, to sponsor TANKFEST, one of the ... Symetrica presents compact and ultra-light weara... » Berkeley, CA: Symetrica has introduced a prototype wearable detector system that provides high-sensi...

Our Guest Columnists

John Walker
Professor John Walker is the owner and MD of Secure-Bastion Ltd, a specialist Contracting/Consultancy in the arena of IT Security Research, Forensics, and Security Analytics. READ MORE >>

Yorgen Edholm is President and CEO of Accellion, a pioneer and leading provider of secure file transfer and collaboration solutions. READ MORE >>

Mr. Faitelson is responsible for leading the management, strategic direction and execution of the Varonis vision.


Mike Small


Mike Small has over 40 years experience in the IT industry. He is an honorary fellow analyst ....


Andy Cordial

Andy Cordial, managing director of secure storage systems specialist Origin Storage ...

Paul Steiner
Dr Paul Steiner joined Accellion in 2001 as Senior Vice President-Europe...


Steve Durbin is Global Vice President of the Information Security Forum (ISF). He has served as an ...

David Gibson

David Gibson has been in the IT industry for more than fifteen years, with a breadth of experience in data governance, network management, network security, ..


Jane Grafton

Jane Grafton has more than twenty years experience in domestic and international sales, marketing and business development.


Mr Dimitriadis

Christos K. Dimitriadis, CISA, CISM, is the chief information security officer of INTRALOT S.A, a multinational supplier of integrated gaming and transaction processing systems based in Greece, ...


Philip Lieberman

Philip Lieberman, the founder and president of Lieberman Software, has more than 30 years of experience in the software industry.


Jon Mills

Jon Mills is the managing director and general manager of SEPATON for Europe, Middle East and Africa (EMEA).


Dr Rustom Kanga

Dr Rustom Kanga is co-founder and CEO of iOmniscient, one of the pioneers in the field of Video Analysis.




The number of annual security incidents caused by insider threats continues to increase.  In The CERT Guide to Insider Threats, Capelli et al writes, “Insider threats are an intriguing and complex problem. Some assert that they are the most significant threat faced by organizations today.” Disgruntled system administrators damage data and systems, skilled professionals steal intellectual property, and inferior employees use information to achieve political or financial objectives for their self-gain.  Any of these can constitute a critical national defense breach or breach of public trust.

To defend against the damage or theft caused by insiders, an organization must hold every employee responsible for detecting and reporting both behavior and technical evidence indicating a possible employee defection from policy and compliance.  In addition, technical controls can help monitor suspected offenders and the overall network for evidence of criminal behavior.

Behavior Monitoring

In a 2008 article I wrote for CBS Interactive/TechRepublic, I listed employee characteristics that warn of potential defection from organizational and social policy and norms, including:

  • Appearing intoxicated at the office
  • Actual or threatened use of force or violence
  • Pattern of disregard for rules and regulations
  • Attempts to enlist others in illegal or questionable activity
  • Pattern of lying and deception of co-workers or supervisors
  • Argumentative or insulting behavior toward work associates
  • Attempts to circumvent or defeat security or auditing systems

In general, any negative change in an employee’s behavior is concerning.  Furthermore, actions taken by management can trigger a borderline defector to cross into criminal behavior.  For example, an already disgruntled employee might feel justified in stealing and selling intellectual property after being passed over for promotion.  Any potential-employees are candidates for additional monitoring.

Terminating an employee is one way to deal with a potential problem.  However, we often value employees who are simply going through rough personal times. If terminating an employee is your preferred choice, keep in mind that you need to have attempted to resolve the issues with the employee or have clear evidence of a violation in policy; otherwise the termination can result in a lawsuit. It is often better to remediate than to terminate an employee.

First, we should ensure all employees understand organizational policies regarding the use of information resources and workplace behavior.  Second, management should have a clear and fair process for a workplace infraction. The response should match the level of the offense.  Furthermore, every employee, without exception, should understand the consequences of defection.

Finally, problem employees will usually not commit an infraction in front of management.  This means we must train employees, as well as managers, to detect suspicious behavior and report it to someone higher-up.  Since many employees would rather not become personally involved, an anonymous tip line is a possible solution.  For example, a large organization for which I worked had a toll-free number any employee could call to report policy violations or any other concern or complaint.  In addition, if you don’t want to set up a phone line, you could set up an anonymous website where you achieve the same result. Weekly, a compliance committee met to go over all reports, and there were many. Anything that appeared critical did not wait for the weekly meeting but was handled immediately.


Technical Monitoring

While behavior monitoring can alert us to many possible incidents, it often fails when dealing with network and server administrators who go rogue. We can easily miss behavior signals when an employee does his or her best to hide them.  When behavior monitoring fails or is insufficient, technical monitoring should fill the gap.


For non-administrators, we can control how much information an employee can access (and what they can do with it) by enforcing need-to-know, least privilege, and separation of duties.  Organizations enforce all three by properly managed authorization policies and processes.

The first two are closely related.  Need-to-know restricts the information a user can access only to that required for daily task completion.  Least privilege controls what a person can do with the information accessed.  For example, need-to-know might allow me to see electronic information classified as top secret, but least privilege would prevent me from changing or deleting it unless my role in the organization requires it.  Together, they strictly limit insider threat damage.

Separation of duties, when properly implemented, prevents any one person from performing all tasks associated with a critical process.  To illustrate, separation of duties prevents a software developer from creating malware and placing it in a production environment.  In other words, developers should not be able to place their work into production systems.

Next, organizations must control the movement of sensitive information.  If not possible using direct means, such as data rights management, then you should use indirect means.  One of the most effective indirect monitoring methods is NetFlow analysis.  NetFlow, emerging as the IPFIX standard, collects network traffic flow information at various points across the network.  Information gathered and aggregated to an analysis and management server provides insight into anomalous traffic flow.  If, for example, an employee decides to copy a large number of documents to an Internet location, NetFlow statistics would alert security to unusual behavior at one or more points on the network.  This near-real-time identification of technological infractions happening on the network enables the possibility for a quick and effective response: stopping the employee or mitigating their effects on the organization.

In addition to NetFlow, security information and event management (SIEM) provides additional information about anomalous server or network behavior.  SIEM solutions gather logs from various devices and systems, aggregating them into a correlation server.  An event correlation application then mines unusual patterns or patterns known to be related to malicious behavior.  Questionable activity is reported to security via email, SMS, or a Web portal.

Finally, employment termination and job change processes must include immediate revocation of all rights and privileges to previously accessed information resources.  During a job change, removing all access and then granting access for the new role is a good approach.  Failure to adequately perform these tasks is a significant cause of many insider incidents, especially those caused by administrators.


While the previous controls also work for malicious activities by administrators, they tend to fall short.  Administrators can alter logs or create backdoor accounts for use after hours or post-termination.  Monitoring all employees and using separation of duties can help eliminate these vulnerabilities.

Administrator monitoring must extend to changes applied to special purpose files.  One example includes log changes.  Operating systems or other third-party solutions can track changes to logs, including who made the change and when.  Security teams can identify unplanned changes and respond appropriately. This also applies to other files that might contain critical system management information and applications in the production environment.

In addition to file changes, any creation of a privileged account should raise a warning.  For example, one security team ran a script every morning to determine if any accounts had been added to any Windows Active Directory administrator group.    If so, the addition was reviewed against change management documentation to ensure it was approved.  Any questionable account was removed and the offending employee was reported to his manager.  A periodic audit of all privileged accounts, whether disabled or active, is another good way of identifying possible rogue IDs.

Sharing of administrator passwords also requires special attention.  Each time a shared admin account is used, log it.  Each time an administrator leaves the organization, change all shared passwords.  If your budget allows it, consider implementing a privileged password management solution that logs who checks out shared account passwords and changes the passwords after use.

Finally, remember that every employee has the ability to be an insider threat. The most impactful threats are caused by those at the top – managers, administrators, programmers, and security experts. Insider threats are real, and they will eventually cause an incident in every organization.  Proper preparation, training, and vigilance can prevent or alleviate related consequences.

Tom Olzak is an IT professional with over 27 years of experience in programming, network engineering and security. He has an MBA as well as CISSP and MCSE certifications and is currently an online instructor for the University of Phoenix.

Tom Olzak is a security researcher for InfoSec Institute is a security certification company that provides popular cisco training.

Who can be our Guest Columnist?