Enemy at the Water Cooler: Real-Life Stories of Insider Threats and Enterprise Security Management Countermeasures
reviewed by Harry {doc} Babad, Edited by Julie Willingham, November 2006
Author: Brian T. Contos, CISSP
Publisher: Syngress Publishing
Link: http://www.syngress.com/catalog/?pid=4240
Language: English
Paperback: Dimensions 8.9 x 7.1 x 0.8 inches
Released: August 23, 2006
Pages: 302
Price: $50 USD, $65 CND, £26.87 GBP, 41,72 € Euro
ISBN: 1597491292
Intended Audience — Corporate Senior Managers, Security Analysts, and Executives.
Major Strengths — Insider threats warrant being among the top concerns of IT professionals and managers of middle- and large-sized businesses. This book addresses the issue in a generally well organized and usually easy-to-understand fashion.
Weaknesses — The audience seems inappropriately identified. In addition, there is too much alphabet soup. Lastly, an incomplete bibliography of the references cited limits the book’s usefulness as a stepping-off point to further reading.
Where appropriate the instructions in the book were tested on a 1 GHz dual processor PowerPC G4 Macintosh with 2 GB DDR SDRAM running under OS X 10.4.8.
Product and company names and logos in this review may be registered trademarks of their respective companies.
Publisher’s Overview
“Brian Contos has created what few security specialists can claim: a truly readable book about the threats to our businesses from insiders who know how to attack the critical components of modern business, the computers, applications, and networks that make it all work. During the last fifteen years, we have witnessed incredible strides in network centric business processes that have spawned the productivity of our workforce and the globalization of our supply chains. All of this progress is based on Information Technology advances that connect people and processes together to achieve more than our traditional approaches would have ever allowed…
“Enemy at the Water Cooler is a must read for Chief Intelligence Officers [CIOs] and security officers everywhere, but it is also part of the literature that Chief Executive Officer [CEOs] and government leaders should read to understand how their businesses can be threatened by lack of attention to the fundamental IT infrastructure and its vulnerabilities to the insider threat.”—William P. Crowell, former Deputy Director of the National Security Agency (NSA)
The book “covers over a decade of the author's work with some of the largest commercial and government agencies around the world in addressing cyber security related to malicious insiders. It explores organized crime, terrorist threats, hackers, and activist groups. It then addresses the steps that organizations must take to address insider threats at a people, process, and technology level. Contos' book provides a new perspective to the growing concern over insider threats. Insider threats warrant being among the top concerns of IT professionals and businesses alike, but to date, there have been no other books that talk about the threat to businesses from insiders who know how to attack the critical components of modern business, the computers, applications, and networks that make it all work.”
Review Introduction
“Insider threats are among the top concerns of IT professionals and businesses alike,” said Amit Yoran, information security expert and former National Cyber Security Director at the Department of Homeland Security. Even after reading only the introductory material, I agree.
In the last 30 years, employed by or consulting for Department of Energy contractors, I have been exposed to a great deal of formal and informal security training focused both on operating security (protecting physical property) and systems and information security (IT-related hardware, software, and data.) The range of training for folks like me, a senior scientist, covered preserving not only federally owned systems and information, but also the company’s confidential documents ranging from personnel records to proprietary technology, business strategy, and trade secrets.
Although insider threats were mentioned, with increasing frequency in our more recent training, the material seemed to focus more on deterring staff co-option and possible theft of both hardware and sensitive or classified information from outside or a combination of outside-inside activity.
Articles I came across in my everyday reading, like those below, further piqued my interest in learning more about this hot-button issue:
Top Execs Blind to Insider Threat, in IT Week, James Murray, 12 Sep 2006, http://www.itweek.co.uk/articles/print/2164251
Stolen Data's Black Market, Dark Reading Website, September 7, 2006, http://www.darkreading.com/document.asp?doc_id=103198
ArcSight and Insider (or Inside?) Threat Management, Nigel Stanley, http://www.it-director.com/business/security/content.php?cid=8861
The Enemy's at the Water Cooler, Peter van der Merw, 24 July 2006, http://www.itweb.co.za/sections/quickprint/print.asp?StoryID=164620
With that background, although not in a position to contribute to security management efforts, I still jumped at the chance to review this book. I knew from the publisher’s PR that it focused on an area in which I had little or no experience, so here was my chance to learn more.
A Reviewer’s Dilemma — This is one of the most difficult books I’ve volunteered to review, and that has nothing to do with either the subject matter or the manner in which it is presented. Indeed, I’ve had a love-hate relationship with the book from its first chapter.
I had two concerns. The first was in identifying the audience to which the book was directed. Although both Contos and his publisher mention a wide range of corporate management and professionals as the book’s audience, I was not convinced. If I pre-select a target audience from this large group, the book is either too detailed, or not detailed enough, to meet their needs. More about that later.
I ask myself when reviewing a book: (1) Who is the intended audience? (2) As presented, will the author’s information reach that audience? Criteria, mostly mental checklists, allow me to deal with a combination of a book’s organization, depth of subject coverage, clarity of examples and graphics, and the author’s narrative style. Finally, sort of: (3) Are the provided references complete and does the index provide easy access to the detailed contents of the book?
Without going into exhaustive details beyond those I mention in the section on discomforts, I must conclude that the book was really written for middle- to upper-, but not executive-level management. There is too much repetition that will try the patience of executive-level management. On the other hand, for more technically- and detail-aware middle and senior managers, there is a lack of specifics and detail.
The Book Itself
According to Brian Contos, “Today's headlines are littered with news of identity thieves, organized cyber criminals, corporate espionage, nation-state threats and even terrorists. They represent the next wave of security threats but still possess nowhere near the devastating potential of the most insidious threat: the insider. This is not the bored 16 year-old hacker. We are talking about insiders like you and I, who are trusted employees with access to information - consultants, contractors, partners, visitors, vendors, and cleaning crews.
“Anybody within an organization's building or networks who is given access possesses some level of trust. Some insiders are malicious to begin with, joining organizations with surreptitious motives from the onset. These malicious insiders may work for competitors, organized crime groups, activists, terrorist organizations, or even foreign governments. However, most insiders do not start with malicious intent, but become disgruntled or are motivated by financial gain. Other contributing factors can be fear, excitement, politics, or even general malice. Others simply make mistakes, having no malicious motive, but their actions nonetheless have serious consequences”.
In a 2005 International Data Corporation study cited by Contos, “It was discovered that about 40% of large organizations felt that the greatest security risks stem from internal threats as opposed to external attacks. Around 30% of respondents felt that the threats were about equal.
“Because of these threats, not taking steps to address insiders can ultimately yield regulatory fines, legal fees, litigation penalties associated with class actions, public relations fees, a decrease in shareholder faith, expenses related to placating customers and ultimately lost revenue.”
And there is an inherent bottom-line limitation to the actions management can take.
- “There is no security panacea.
- There is no piece of software that one can install, no box that can be plugged in,
- No policy that can be written, and
- No guru who can be hired to make an organization 100% secure.
“Insider threats are the hardest threats to prevent, most difficult to detect, and most politically-charged to manage. Security is a process that requires vigilance and awareness. It is a merger of people, processes, and technology. Finding the best combination of these variables to mitigate risk helps achieve a strong security posture. With vivid real-life cases, this book addresses the most difficult to manage and costly of all security threats: the insider.”
The table of contents illustrates that the book covers all aspects of the problem of threats in a reasonably organized fashion:
Part I Background on Cyber Crime, Insider Threats, and ESM
Chapter 1 Cyber Crime and Cyber Criminals 101
Chapter 2 Insider Threats
Chapter 3 Enterprise Security Management (ESM)
Part II Real Life Case Studies (Chapters 4-11)
Chapter 12 Insiders Abridged
Part III The Extensibility of ESM
Chapter 13 Establishing Chain-of-Custody Best Practices with ESM
Chapter 14 Addressing Both Insider Threats and Sarbanes-Oxley with ESM
Chapter 15 Incident Management with ESM
Chapter 16 Insider Threat Questions and Answers
Appendix A Examples of Cyber Crime Prosecutions
Bibliography and Index
"Never before has so much of our sensitive information been so easily accessible to so many. Our personal and financial information resides on systems and networks we don't control. Our employers, government organizations, and others house sensitive information that can be exploited," said Contos in a recent podcast. As IT professionals, “we have to remember that the larger an organization gets, the more it should be concerned with insider threats.”
Kudos
The theme of this book, which concerns real world insider threats to our institutions, forms the backdrop to the case histories, which are narratives about the author’s experiences during his long consulting and management career. These are a compelling read and well worthy of treatment in novels or cinematic rendering.
Chapter 1 (Part I) — I found the detailed descriptions in Chapter 1, Cyber Crime and Cyber Criminals 101, compelling and enlightening. The author clearly identifies the perps who gain by taking advantage of insiders. These include solitary cyber criminals and exploit writers for hire, black market sellers of data, hackers for fun or profit, script kiddies (e.g., teenagers with downloaded software), organized crime, identity thieves (phishers), and, of course, business competitors. They work for, as is obvious from reading newspapers, locals, activist groups, nation-state threats, and of course terrorists.
Contos’ description of Tools of the Trade blew me away. I’ve listed these below to illustrate the detail in chapter 1. [No, I’d not heard of some of these, but I’m a quick study.] If any of them intrigue you, buy and read the book.
- Application-Layer Exploits
- Using Botnets
- Forcing Buffer Overflows
- Code Packing
- Denial-of-service (DoS) Attacks
- More Aggressive and Sophisticated Malware
- Non-wired Attacks and using Mobile Devices
- Password-cracking (show me the ways)
- Phishing
- Reconnaissance and Googledorks
- Installing Rootkits and Keyloggers
- Social Engineering Attacks
- Voice-over-IP (VoIP) Attacks
- Zero-Day Exploits (we’ve a panic situation here, Help)
Chapter 2 (Part I) — Insider Threats, Chapter 2, is another compelling chapter. It deals with both recognizing the insider threat and establishing, within an organization, the means to deal with them. Although the material is provided in a chatty, narrative form, it nevertheless will catch your attention. I’ve annotated or modified Brian’s titles, to better share the sections’ themes — a reviewer’s privilege. Although the chapter is at times repetitive, the tell, and tell me again mode is effective. This is especially true if the audience is folks with short attention spans.
The first four sections of the chapter focus on whom. Contos then goes on to deal with enterprise tools that can be used to offset insider threats.
- Understanding Who the Insider Is (check the next cubicle out and the guy that wasn’t promoted)
- Psychology of insider identification (tick, tick, tick I’ve been wronged)
- Insider threat examples from the media (there wasn’t enough room for these)
- Insider threats from a human perspective
- A word on policies (good, bad and unused)
- Understanding insider threats from a business perspective
- Identifying and evaluating risk, including cost-benefit analysis
- Insider Threats from a Technical Perspective (the meat)
- Need-to-know (most folks, despite their rank, don’t)
- Implement a least privileges policy
- Separation of Duties (to assure ability to audit and test)
- Create Strong (IT system) Authentication
- Enhance and strengthen information access controls, and finally
- Implement balanced risk and cost sensitive incident detection and incident management systems.
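The technical controls the chapter lists (need-to-know, least privilege, separation of duties, strong authentication, and an audit trail that feeds incident detection) can be seen working together in a small policy model. This is an added example written for this review, not code from the book, from Contos or from ArcSight; the roles, users, actions and payment identifiers in it are constructed.

```python
"""Least privilege, separation of duties and strong authentication as a small policy model.

Added illustration for this review; not code from the book, from Contos or from ArcSight.
Every role, user, action and target name below is constructed for the example.
"""
from dataclasses import dataclass, field

# Need-to-know / least privilege: each role is granted only the actions it needs.
ROLE_PERMISSIONS = {
    "clerk": {"payment:create"},
    "approver": {"payment:approve"},
    "auditor": {"payment:read", "audit:read"},
}

# Separation of duties: no single person may perform both actions of a pair on the same item.
CONFLICTING_DUTIES = {("payment:create", "payment:approve")}


@dataclass
class User:
    name: str
    roles: set
    mfa_verified: bool = False  # stands in for the chapter's "strong authentication"


@dataclass
class AuditLog:
    """Every decision, allowed or denied, is recorded for later incident review."""
    entries: list = field(default_factory=list)

    def record(self, actor, action, target, allowed, reason):
        self.entries.append({"actor": actor, "action": action, "target": target,
                             "allowed": allowed, "reason": reason})

    def denials(self):
        return [e for e in self.entries if not e["allowed"]]


def permissions_for(user):
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def conflicts(a, b):
    return (a, b) in CONFLICTING_DUTIES or (b, a) in CONFLICTING_DUTIES


def authorize(user, action, target, history, log):
    """Decide one request. `history` holds (actor, action, target) tuples already performed."""
    if not user.mfa_verified:
        allowed, reason = False, "strong authentication required"
    elif action not in permissions_for(user):
        allowed, reason = False, "action not granted to user's roles (least privilege)"
    else:
        # Same person already did the other half of a conflicting pair on this target?
        prior = [a for (who, a, t) in history if who == user.name and t == target]
        if any(conflicts(p, action) for p in prior):
            allowed, reason = False, "separation of duties violated"
        else:
            allowed, reason = True, "ok"
    log.record(user.name, action, target, allowed, reason)
    return allowed, reason


def toxic_combinations(users):
    """Detect privilege creep: users whose combined roles cover both halves of a conflicting pair."""
    flagged = []
    for u in users:
        perms = permissions_for(u)
        if any(a in perms and b in perms for (a, b) in CONFLICTING_DUTIES):
            flagged.append(u.name)
    return flagged


def run_demo():
    log = AuditLog()
    history = []
    alice = User("alice", {"clerk"}, mfa_verified=True)
    bob = User("bob", {"approver"}, mfa_verified=True)
    carol = User("carol", {"clerk", "approver"}, mfa_verified=True)  # accumulated both roles over time
    dave = User("dave", {"auditor"})  # never completed strong authentication

    results = {}
    results["alice_create"] = authorize(alice, "payment:create", "PAY-1", history, log)
    history.append(("alice", "payment:create", "PAY-1"))
    results["alice_approve"] = authorize(alice, "payment:approve", "PAY-1", history, log)
    results["bob_approve"] = authorize(bob, "payment:approve", "PAY-1", history, log)
    results["carol_create"] = authorize(carol, "payment:create", "PAY-2", history, log)
    history.append(("carol", "payment:create", "PAY-2"))
    results["carol_approve"] = authorize(carol, "payment:approve", "PAY-2", history, log)
    results["dave_read"] = authorize(dave, "audit:read", "PAY-1", history, log)
    results["flagged"] = toxic_combinations([alice, bob, carol, dave])
    return results, log


if __name__ == "__main__":
    res, log = run_demo()
    for key, value in res.items():
        print(key, value)
    print("denials recorded:", len(log.denials()))
```

The point of the demo is that the three denials come from three different controls: Alice is stopped by least privilege, Carol by separation of duties even though her roles permit both actions, and Dave by the authentication check before any permission is consulted. The `toxic_combinations` pass is the detective counterpart: it flags Carol's role set before she ever makes a request, which is the kind of check a periodic access review would run.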
The Rest of the Book — Although the other chapters were information rich, I found Chapter 3 on Enterprise Security Management [ESM] both unfocused and confusing. More about that below.
The case studies in Part II, Real Life Case Studies, were interesting, but were more of a synopsis than what business and law schools call case studies. They, in their diversity, held my attention, but little about them was compelling with respect to explicit and focused acknowledgment of specific insider threats.
Discomforts
I agree with the sentiments expressed by the author as well as with the details found in the book that support his thesis. However, as noted below, many aspects of the presentation, overall content, ESM system definition, and level of detail troubled me.
In a brief Internet search, I found an easier to understand treatment of the insider threat problems and their solutions at http://www.arcsight.com/index.htm. The site contains many clearly written papers on the subject that I took the time to read. I especially noticed, not surprisingly, that this book’s author had written many of them. Alas, I wish there hadn’t been the logic disconnect in the book, because Contos and his colleagues’ work is seriously important to maintaining the safety of institutional information.
Audience Focus – I’m not convinced, having worked with executive management in a number of corporations, that this book is truly aimed at them. I’ll illustrate the point with a tale from my past. Forty years ago, I reported directly to a research VP for a Fortune 500 corporation. When I wanted time to share what I thought was a critical problem, he explained to me:
Harry, pretend you catch me in the hall when I’m getting ready to take a cab to the airport. If you capture my attention with the problem and I want to know more, I’ll have you ride with me. But if it’s really important (and a crisis) I’ll cancel my trip. [This, of course, was long before cell phones, but you get my point.]
From my perspective, each chapter of the book should have had a page or two of highly focused facts to catch the attention of a busy executive.
ESM Internal Logic — Part III, The Extensibility of ESM, made me feel as if I were at a tennis match. The focus seemed to change not only between chapters but also between apparently related sections. Just when I thought I was beginning to understand how a portion of ESM fit, I got lost.
No ESM roadmap was provided, yet one would have helped. Folks, although I’m not a security analyst, I’ve done enough systems analysis in my career to feel comfortable with almost any system description and a listing of its functions, even if it is an IT system. This is the part of the book where I ran into the greatest problems with audience appropriateness and level of detail.
Assume I view ESM as a black box, with lots of interconnected black boxes inside. Some of these internal boxes have outside connections; others just take care of each other. Okay, I’ve described an ESM system; unfortunately the material in both Part III and Chapter 3 doesn’t seem to do so.
Without getting repetitious, I could not find a common link between or even trace a systematic link in the various sections on ESM to frame its concepts or integrated function. (See the next comment.) Not even the author’s figure, which I provide below, helped me frame the individual narratives on ESM into a coherent whole.
ESM Is a Unified System, Isn’t It? — In addition to becoming aware of the extent of the insider threat problem, the most interesting, yet disappointing, part of the book was the author’s treatment of Enterprise Security Management [ESM]. When dealing with slices of ESM, Contos’ discussions were generally very interesting. However, nowhere in the book could I find an integrated detailed definition of, or description of the bounds of or overall scope of ESM. No, not even in Chapter 3, in the one-page section of ESM in a nutshell. Indeed, from that section I got the impression that ESM was “generally enterprise-level software”. See the figure below.
But the material in succeeding chapters, including the case histories, immediately contradicted that thought. Alas, the focus immediately switched to software and IT solutions, rapidly narrowing the focus for the ESM activities.
Level of Detail In the Case Studies – While I’m not looking for a primer on how to be a malicious insider, I’d really like to have had the level of detail found when reading about such events in business magazines, or even the better weeklies. Instead, Contos used the major part of these case studies as a platform for preventing or fixing the problem, something that could have been better integrated into a separate section of the book. Indeed, themes such as the explicit use of ESM should have been better detailed in part III of this book.
Incomplete References – The author does not provide references to the many external sources cited. One of many examples (page 29) is a paper entitled Espionage by the Numbers: Statistical Overview by Richard J. Heuer, Jr., (Defense Security Research Center), which I found by way of a Google search. And a reference (page 61) to The Puzzle Palace: Inside America's Most Secret Intelligence Organization by James Bamford, Penguin ISBN: 0140067485, although dated, would also have led me to some interesting future reading.
Acronym List Needed — Indeed, except where I could find a few of the acronyms accompanying their name in the index, I soon got lost in a sea of acronyms. More easily than going back and skimming pages in the book, I found some of them at the Acronyms and Abbreviations Dictionary site http://www.acronymfinder.com/.
Lack of Explanation for Some Illustrations — A few ArcSight ESM system images that serve as examples, see page 82, are not only hard to read, but difficult, if not impossible, to understand. This is troublesome in a book aimed at senior level personnel.
In Closing
An unidentified Amazon.com reviewer noted, “This book starts off nice and easy, giving a good introduction to cyber crime before getting into the more technical aspects of mitigating insider threats. I liked that very much, as opposed to the aggressive beginnings of most security books. I really enjoyed the real life scenarios that were described in this book. Sometimes the best way to learn is by looking at the mistakes of others. In the security world, it's often hard to predict what clever new method an attacker may use to get what he wants; by looking at examples of real world cases you can better equip yourself with the ability to prevent intrusions. Perhaps the part about this book that I liked the most was the writing style. It felt like a conversation. Very easy to read and follow.” Your reviewer does not agree.
Good News — I universally agree with the sentiments expressed by the author as well as with the details found in the book that support his thesis, and the detail in the book opened my eyes wider to the insider threat than they had been. However, as noted above, many aspects of the presentation, overall content, and level of detail troubled me.
I do agree that "Brian Contos has created, based on my limited reading, what few security specialists can claim: a truly readable book about the threats to our business from insiders.” As mentioned in the section on Kudos, there is much to be admired in this book and myriads of lessons and narratives that heighten one’s awareness of the insider threat. The folks who are responsible for our institutions, whether private, public sector or government, who still have their heads in the sand, should read this book.
Bad News — However, I’m not sure, as claimed by both the publisher and other reviewers, that Enemy at the Water Cooler is the definitive book for Chief Intelligence Officers, Chief Security Officers, and Chief Executive Officers looking to battle the rising tide of security threats posed by their own trusted employees, consultants, and partners. Enemy at the Water Cooler is a book that intelligence and security officers, as well as those in charge of information technology, everywhere should read.
In summary, a yin-yang sort of thing — I remain troubled by the book’s shortfalls. Much of the information is worthy of being understood and then acted upon, because the reality is that insider threats exist. Contos has provided readers with much food for thought about the enemy at the water cooler; but, alas, his poorly integrated treatment of the subject weakens its impact. Rating 3.5 macCs
Author BIO
Brian T. Contos has real-world security engineering and management expertise developed in over a decade of working in some of the most sensitive and mission-critical environments in the world. For four years as ArcSight's CSO, he has advised government organizations and major corporations on security strategies related to Enterprise Security Management solutions and has evangelized the technology. He has delivered speeches, interviews, performed webcasts and podcasts and published countless security articles for publications such as The London Times, Computerworld, SC Magazine, Tech News World, Financial Sector Technology, and the Sarbanes-Oxley Journal. Contos has held security management and engineering positions at Riptech (a Managed Security Services Provider acquired by Symantec), Lucent Bell Labs, Compaq Computers, and the Defense Information Systems Agency.