Premier 100: Expert warns of insider threats

07.03.2006
Michael Theis, chief of cybercounterintelligence at the U.S. National Reconnaissance Office (NRO), sat down Tuesday with Computerworld to discuss why companies must protect themselves from insider threats to their networks. Theis, who spoke earlier in Palm Desert, California, at the Computerworld Premier 100 IT Leaders conference, also talked about a new public-/private-sector study that will look at the use of profiling to try to identify insider security threats -- much as the FBI now creates profiles for criminals.

The NRO, which is responsible for designing, building and managing satellites used by the U.S. government to gather intelligence, began beefing up its focus on internal threats after determining that an IT attack from an outsider costs US$56,000 to repair, while an attack from an insider costs more than $2 million to fix. Excerpts from the interview with Theis follow:

You mentioned that most companies are naively secure because they have their perimeter security set up and are not paying enough attention to insider threats. What are some first steps companies can take to begin to address the threat from insiders?

One of the first things they need to understand is what their crown jewels are. They need to find out what would other people be trying to get from [them]. Maybe they have this new business technique that other people haven't duplicated yet. Maybe it is a widget they have created. It doesn't have to be the classic espionage in that aspect, but other companies want to know what they are going to be doing in five years. Now they can start to understand if they need to put some kind of security around it. But security is kind of a bad word, because it is a tax. It always costs extra, and it doesn't give you anything. Maybe some of those employees in those crown-jewel areas need to be vetted a little bit differently, or they have to be monitored closely.

Other aspects are those simple aspects we give away all the time. One of the great ways we would penetrate a business is to come in and do an interview like you are doing right now. So I say, "Come in and let me show you my office," and you're taking pictures, and on the wall I have my five-year plan. That is an aspect of business intelligence. People talk to me about business intelligence all the time, and I say, "Yeah, we can get into any company and get anything." Not "we" as in the government -- but folks who have the skills that I do.

There are whole groups of people out there who make their money on business intelligence in just that way. It is something that has to be considered because a professional who does this job does not get caught. Company A does not pay somebody to steal Company B's information and have Company B ever find out about it.

You mentioned that for companies to have agile IT security, they really need to look at the online behavior of employees and possibly limit certain types of access for specific people. Why is that important?

We want to limit behaviors at the time they need to be limited. If you and I are in different departments and we are talking over instant messaging, that is fine. But then someone else comes from the outside and tries to make an instant message connection, we might not allow that because you didn't know they were [on] the outside. Those are the kinds of things we would be trying to do from an agile aspect. Companies are going to partner with other companies, and the IT folks will be told to be able to connect the servers between the two. Internal employees don't realize that other companies are connected to them.