Securing your People

CS 463/480 Lecture, Dr. Lawlor

People are very complex but important components of any organization.  Your own people can be your greatest asset, like the conscientious sysadmin who notices the weird patterns in the outgoing traffic from your SSL box, or your greatest weakness, like the "on premises armed guard" who on his last day of employment decides to test out his rifle on your new server rack.
Countermeasures are primarily about detection and "technical controls", meaning tools to enforce your policies.  For example, the standard UNIX root access tool sudo can log both successful and failed access attempts, and can restrict which user accounts may run which commands.
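As an added example (not part of the original lecture), here is one way to turn sudo's log into a detection signal: parse its syslog-style lines and list the denied attempts per user. The log lines are constructed samples, the function names are hypothetical, and the code assumes sudo's default syslog message layout.

```python
import re
from collections import defaultdict

# Constructed sample lines in the syslog layout sudo writes (not real logs).
SAMPLE_LOG = """\
Mar  3 09:12:44 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 09:15:02 db01 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  3 09:15:40 db01 sudo:    carol : command not allowed ; TTY=pts/2 ; PWD=/srv ; USER=root ; COMMAND=/usr/bin/tcpdump -i eth0
Mar  3 09:16:10 db01 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  3 09:20:00 db01 sshd[812]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2
"""

# "<user> : [<reason> ; ]KEY=value ; ... ; COMMAND=<rest of line>"
LINE_RE = re.compile(r"sudo:\s+(?P<user>\S+) : (?P<body>.*)$")
FAILURE_RE = re.compile(
    r"^(user NOT in sudoers|command not allowed|\d+ incorrect password attempts?)$"
)

def parse_sudo_line(line):
    """Return a dict describing a sudo log line, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    event = {"user": m["user"], "failure": None, "command": None, "fields": {}}
    # COMMAND is always last and may itself contain " ; ", so split it off first.
    head, sep, command = m["body"].partition("COMMAND=")
    if sep:
        event["command"] = command.strip()
    for field in head.split(" ; "):
        field = field.strip()
        if FAILURE_RE.match(field):
            event["failure"] = field          # denied or failed attempt
        elif "=" in field:
            key, _, value = field.partition("=")
            event["fields"][key] = value      # TTY, PWD, USER (the run-as account)
    return event

def failed_attempts(log_text):
    """Map each user to a list of (reason, command) for denied sudo use."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_sudo_line(line)
        if event and event["failure"]:
            failures[event["user"]].append((event["failure"], event["command"]))
    return dict(failures)
```

Calling `failed_attempts(SAMPLE_LOG)` reports bob and carol but not alice, whose command was permitted and is still recorded by `parse_sudo_line` for audit.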
Depending on the organization, employees might be required to submit to intrusive screening.
One tricky fact is that even the best and most productive employees can have some very hard times in their lives, such as:
A one-man illustration of the insider threat is Edward Snowden, a capable sysadmin in the classified community who decided to flee a well-paying job in Hawaii with untold gigs of classified documents (estimates range from 50,000 documents to 1.7 million).  He first fled to Hong Kong and then to Russia, where he has been slowly releasing the documents to the press.  It is difficult for me to conceive of a more thorough or intrusive personnel management system than that used by the US government in the intelligence services, which combines an impressive array of benefits, including excellent pay, absolutely reliable employment, and a compelling mission of national importance, with a terrifying variety of punishments, ranging from felony charges resulting in a lifetime in federal prison to extrajudicial torture and execution.  But crucially, Snowden was disgusted with what he saw as a pervasive and runaway surveillance system, and he was unable to change the system from the inside by working with his coworkers, his supervisor, or the office of general counsel, so he decided to accumulate classified documents and leave the country.

Regardless of how you feel about his actions, the key organizational data security lesson is that all your people must agree with your mission, or your greatest assets can become your greatest threats.