
Common Sense Guide to Mitigating Insider Threats - Best Practice 8 (of 19)

CERT Insider Threat Center

Hello, this is Jeremy Strozer, Senior Cyber Security Specialist for the CERT Program, with the eighth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats.

The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. The guide describes 19 practices that organizations should implement across the enterprise to mitigate (prevent, detect, and respond to) insider threats, as well as case studies of organizations that failed to do so. The eighth of the 19 best practices follows.

Practice 8: Enforce separation of duties and least privilege.

This practice is relevant to HR, Legal, Physical Security, and IT departments, as well as data owners and software engineers in an organization. The goal of this practice is to limit the damage that malicious insiders can inflict. It does so by implementing separation of duties and least privilege in business processes, including Information Technology, and by making technical modifications to critical systems and information.

Separation of duties requires dividing functions among multiple people to limit the possibility that one employee could harm an organization without the cooperation of others. In general, employees are less likely to engage in malicious acts if they must collaborate with other employees. Ideally, organizations should include separation of duties in the design of their business processes and enforce these processes through technical and nontechnical means.

Effective separation of duties also requires implementation of least privilege, which means authorizing people to use only the resources needed to do their job. Organizations must manage least privilege as an ongoing process, particularly when employees move through the organization as a result of promotions, transfers, relocations, and demotions.

These privileges can be controlled using physical, administrative, and technical means. Access control based on separation of duties and least privilege is crucial to mitigating the threat of an insider attack. These principles apply in both the physical and virtual worlds where organizations need to prevent employees from gaining physical or online access to resources not required by their work roles.

There are challenges to implementing separation of duties and least privilege. Small organizations find it more difficult to implement these security models because they may not be staffed to accommodate them. Implementing these practices at a granular level may also interfere with business processes. Most organizations find it challenging to strike a balance between implementing these recommendations and accomplishing the organization's mission. Despite these hurdles, some quick wins and high-impact solutions are not only possible, but highly recommended.

Quick Wins and High-Impact Solutions

  • Carefully audit user access permissions when an employee changes roles in the organization to avoid privilege creep. In addition, audit user access permissions at least annually, to remove permissions that are no longer needed.
  • Establish account management policies and procedures and regularly audit account activity to ensure it reconciles with the documentation.
  • Require privileged users to have both an administrative account with the minimum necessary privileges to perform their duties and a standard account that is used for everyday, non-privileged activity.

Large organizations can also review positions in the organization that include responsibility for handling sensitive information or performing critical functions. Ensure that employees in these positions cannot perform these critical functions without oversight and approval. For example, backup and restore tasks are often overlooked. One person should not be permitted to perform both backup and restore functions. The organization should separate these roles and regularly test backup and recovery processes (including the media and equipment). In addition, someone other than the backup and restore employees should transport backup tapes off site.
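The access audit from the quick wins and the backup, restore, and transport separation described above can be run as an automated review. The following is an added example, not code from the guide; the role names, permission names, and users are hypothetical and the data is constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical role baselines: the permissions each role needs to do its job.
ROLE_BASELINE = {
    "backup_operator": {"backup.run"},
    "restore_operator": {"restore.run"},
    "media_courier": {"media.transport"},
}

# Duties that one person must not combine (backup, restore, off-site transport).
SOD_CONFLICTS = [
    {"backup.run", "restore.run"},
    {"backup.run", "media.transport"},
    {"restore.run", "media.transport"},
]

@dataclass
class User:
    name: str
    roles: set                       # roles the user holds today
    granted: set                     # permissions actually assigned
    privileged: bool = False         # holds an administrative account
    has_standard_account: bool = True

def review(user):
    """Return the list of findings for one user, in a fixed order."""
    findings = []
    # Least privilege: anything granted beyond the current roles is creep.
    needed = set().union(*(ROLE_BASELINE.get(r, set()) for r in user.roles))
    for perm in sorted(user.granted - needed):
        findings.append(f"creep: {perm} not required by current role(s)")
    # Separation of duties: flag any conflicting pair held by one person.
    for pair in SOD_CONFLICTS:
        if pair <= user.granted:
            findings.append("sod: holds both " + " and ".join(sorted(pair)))
    # Privileged users need a separate standard account for everyday work.
    if user.privileged and not user.has_standard_account:
        findings.append("accounts: privileged user lacks a separate standard account")
    return findings

# Constructed sample users. bob changed roles and kept his old permission.
USERS = [
    User("alice", {"backup_operator"}, {"backup.run"}, privileged=True),
    User("bob", {"backup_operator"}, {"backup.run", "restore.run"},
         privileged=True, has_standard_account=False),
    User("carol", {"media_courier"}, {"media.transport"}),
]

def review_all(users):
    """Map user name to findings, omitting users with none."""
    return {u.name: f for u in users if (f := review(u))}
```

Running the review at every role change, and at least annually, gives the account audit a record to reconcile against.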

Refer to the complete fourth edition of the Common Sense Guide to Mitigating Insider Threats for a comprehensive understanding of the issues and recommendations mentioned.

Check back in a few days to read about best practice 9, Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities, or subscribe to a feed of CERT Program blogs to be alerted when a new post is available.

If you have questions or want to share experiences you've had with insider threats, send email to
