Who’s Watching Your Infosec Team?

The phrase “Who watches the watchers?” has been around since about AD 100, taken from the Latin phrase “Quis custodiet ipsos custodes?” found within the Satires of Juvenal. In the context of security, specifically corporate cybersecurity, it applies to those charged with keeping the corporate environment technologically safe: the information security (infosec) team. In your environment, are information security checks and balances in place? Could you detect a person with privileged access beginning to harvest data instead of protecting it?

Targeting Information Security

The infosec team of any entity enjoys the ultimate level of trust, because it has the ultimate level of access to information. These insiders are the crown jewels of potential targets for the unscrupulous competitor, the criminal entity or the nation state. When adversaries think of security, they realize that the cooperation of an infosec insider can lower the risk of detection considerably for both cyber and human targeting and engagement.

The criminal world realizes that the life span of a breach of an infrastructure is predicated upon how much they know about the infrastructure they are attempting to compromise and upon their end goal.

End Goals of Criminals

The criminal who is most interested in a snatch-and-grab of information is less likely to be concerned about leaving a digital footprint of their presence to be found at some future date. Verizon’s Data Breach Investigations Report (DBIR) shows us that the time to discovery averages months, and once discovered, remediation doesn’t begin for several days. By then the criminal is long gone. While the insider may be able to provide information of use, compromising individual users or vendors is a less problematic means to enter a corporate ecosystem for the quick-grab activity.

Then we have those who want to go deep and stay long: nation states and unscrupulous competitors. Those conducting this type of operation to penetrate a company’s infrastructure invest in surveilling and reconnoitering their target of interest. And what better way to conduct that information gathering than from within the targeted organization, by recruiting the services of your most trusted employees, the infosec team? They are patient and careful to preserve their ability to see and learn; therefore, not being detected is of the utmost importance to them.

The Insider Threat

Once recruited, not only can the insider provide information on security protocols and procedures, but they are also in a position to conduct the attack from within a trusted environment.

They may also be able to create opportunity for an external actor to exploit IT configurations—for example, making a database within the AWS cloud storage environment publicly available rather than private and restricted. Many companies have encountered configuration errors and seen their data exposed and exploited.

In a survey conducted by Imperva, 43% of IT professionals believed they could successfully conduct an attack on their own organizations. Interestingly, the same survey indicates that 22% believe that an insider attack would have a 50/50 chance of being detectable, with 66% believing it would not be difficult to conduct a successful insider theft.

The survey continues, with 79% of organizations confident they would detect an unauthorized employee accessing certain information. That level of confidence is diminished when coupled with the realization that detection may take months, according to 33% of the respondents.

Information Security Needs Process and Procedures

With 33% of the Imperva survey noting that it would take months to detect, what would the level of damage be when an insider with unencumbered access opts to purloin the intellectual property, marketing plans or financial reports of their employer?

For this reason, checks and balances need to be in place to protect data from those charged with protecting it. Additionally, IT teams need to run tests against their infrastructure from within, as well as externally, to verify that the configurations encountered are those expected.

Infosec processes and protocols need transparency into the insider’s behavior, including that of their own infosec colleagues, so that an unexpected exit from one’s expected swim lane instantly triggers an exception to be investigated. When ultra-sensitive data is being accessed, a requirement for a second individual’s engagement should be the norm. As banks count cash with two people, infosec teams also should have a two-person rule when dealing with sensitive data.
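The two checks described above (an exit from one's expected swim lane, and a missing second person on sensitive data) can be expressed as a review pass over an access audit log. The following is an added example, not code from the original article; the JSON log lines, role-to-resource swim lanes, user names and the `approver` field are all constructed assumptions standing in for whatever your own audit source records.

```python
import json

# Constructed sample audit log (JSON lines); not taken from any real system.
AUDIT_LOG = """
{"ts": "2024-01-10T09:00:00Z", "user": "alice", "role": "infosec", "resource": "ids-logs", "action": "read", "approver": null}
{"ts": "2024-01-10T09:05:00Z", "user": "alice", "role": "infosec", "resource": "financial-reports", "action": "read", "approver": null}
{"ts": "2024-01-10T09:10:00Z", "user": "bob", "role": "finance", "resource": "financial-reports", "action": "read", "approver": "carol"}
{"ts": "2024-01-10T09:20:00Z", "user": "bob", "role": "finance", "resource": "financial-reports", "action": "export", "approver": "bob"}
{"ts": "2024-01-10T09:30:00Z", "user": "alice", "role": "infosec", "resource": "ip-repository", "action": "read", "approver": "dave"}
"""

# Assumed swim lanes: which resources each role is expected to touch.
SWIM_LANES = {
    "infosec": {"ids-logs", "firewall-config", "vuln-scans"},
    "finance": {"financial-reports"},
}

# Assumed ultra-sensitive resources that require a second person (two-person rule).
TWO_PERSON_RESOURCES = {"financial-reports", "ip-repository", "marketing-plans"}


def review_access(log_text, swim_lanes=SWIM_LANES, two_person=TWO_PERSON_RESOURCES):
    """Return (user, resource, reason) exceptions that warrant investigation."""
    findings = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        # Exception 1: the user left their role's expected swim lane.
        if ev["resource"] not in swim_lanes.get(ev["role"], set()):
            findings.append((ev["user"], ev["resource"], "outside-swim-lane"))
        # Exception 2: sensitive data touched without a distinct second person.
        # Self-approval counts as no second person at all.
        approver = ev.get("approver")
        if ev["resource"] in two_person and (not approver or approver == ev["user"]):
            findings.append((ev["user"], ev["resource"], "missing-second-person"))
    return findings


def exceptions_per_user(findings):
    """Count exceptions per user so the noisiest watcher surfaces first."""
    counts = {}
    for user, _resource, _reason in findings:
        counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    for f in review_access(AUDIT_LOG):
        print(f)
    print(exceptions_per_user(review_access(AUDIT_LOG)))
```

Feeding real audit records through this kind of pass, with the infosec team's own accounts included, is what turns the swim-lane and two-person rules from policy into a detectable exception.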

A company must trust its infosec team, and as the Russian proverb goes, “Trust, but verify.” Thus, one’s processes and procedures are how one watches the watchers, because chasing your data via litigation once it is out the door will never be a successful security stratagem.

Christopher Burgess

Christopher Burgess (@burgessct) is a writer, speaker and commentator on security issues. He is a former Senior Security Advisor to Cisco and served 30+ years within the CIA, which awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher co-authored the book “Secrets Stolen, Fortunes Lost: Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit Senior Online Safety.