Enemy at the Water Cooler:

Real-life Stories of Insider Threats and Enterprise Security Management Countermeasures

Author: Brian T Contos

ISBN: 1597491292 / 978-1597491297

Published by Syngress Publishing Inc. (2006)

262 pages

Price: ~^US$33 from Amazon

Executive summary

Ignore the main title – look at the subtitle. This book is little more than a sales pitch for Enterprise Security Management systems, or more specifically the ESM sold by the author’s company, with a random assortment of largely unattributed and barely analyzed anecdotes on information security incidents mostly relating to ESM. The link to “insider threats’ is tenuous at best and in the most part is merely used as an excuse to hype the wonders of ESM.

“If the only tool you have is a hammer, then every problem is a nail.”

Coverage

If, like me, you expected the book to start with introduction to the “insider threat”, you may find chapter one somewhat disconcerting. Its 43 pages contain brief summaries of a broad range of “outsider” security threats. These are presented with little commentary – it’s a bit like a fireworks display. The reader goes “ooh” and “aaah” but comes away none the wiser about how outsider threats relate to the supposed subject of the book. Other reviewers with little prior experience in information security say they like the first chapter – conceivably it has some value as an introduction to the nature of information security risks but I must say I have read much better introductions elsewhere.

“Insider threats” are given a rather cursory treatment in chapter 2 (of which, much more below) then we’re dropped straight into a chapter extolling the virtues of the ESM system sold by the author’s employer. To make things even worse, the author emphasizes the bells and whistles of their particular ‘solution’ rather than describing the benefits from the customers’ perspective, making it a rather poor sales pitch at that.

The central part of the book consists of the ‘real life stories’ we are promised in the subtitle. Although part II is titled “Real life case studies”, ‘stories’ is more appropriate in fact since there is hardly any insightful analysis , merely scenario descriptions of a bunch of security incidents conveniently involving ESM.

Chapter 11 somehow manages to weave a story about bugging the US embassy in Moscow into a case about an unauthorized wireless access point installed by an employee of a consulting company in Spain. At the end of a case involving data theft at an Austrian retailer, Chapter 6 meanders into a rant about organizations not always prosecuting offenders along with a cranky page on “rehabilitation” (actually, about bail conditions) for offenders. The scenarios are not even particularly interesting or relevant. However, the worm outbreak covered in chapter 8 amused me since the junior network administrator evidently misinterpreted information from the ESM and pulled the plug on a senior management video conference. Strangely enough, risks associated with ESM are not exactly brought to the fore.

Part III, “The Extensibility of ESM” continues the (by this stage not even thinly-veiled) sales pitch, explaining amongst other things how ESM can help compliance with Sarbanes-Oxley, COSO, COBIT, ISO 17799, NIST [Special Publication] 800-53 and even ITIL. The author’s opening remarks are ironic: “There is no security panacea. There is no piece of software that one can install, no box that can be plugged in, no policy that can be written, and no guru whop can be hired to make an organization 100% secure.” How often are we told ‘there is no silver bullet’, followed immediately by an exposition on the wonders of the protagonist’s shiny projectile?

The appendix takes us back to the fireworks display with a summary of several US Department of Justice cases, once again described without much commentary. Such cases are better described on the DoJ and related websites. By the way, I gather one or two interesting information security incidents have happened outside the USA ...

Depth

On a notional ‘depth scale’ ranging from 0 (barely even skims the surface) to 10 (PhD material), the book gets to about 7 on ESM but only 3 on “insider threats” and 2 on information security risks in general. Thankfully, the author largely avoids technical jargon, albeit mostly by eschewing any in-depth technical description, but unfortunately he seldom goes beyond vague descriptive narrative leaving the whole work quite superficial.

I’ll elaborate my concerns by considering in some detail Chapter 2, “Insider threats”, which starts with a one page anecdote concerning an administrator working at a remote site being terminated over the telephone and damaging the email system before leaving site. The system was recovered by a colleague the same day but we are told that this apparently “shows the extent of the damage that a motivated, malicious insider can cause in a very short time”. This is a typical example of the minimal analysis of security incidents in the book. The lack of analysis unfortunately includes the later case study chapters which simply describe vaguely interesting security incidents (involving ESM, of course). For contrast, Ira Winkler’s book “Spies among us” presents and discusses a handful of case studies in some depth. Having described each scenario (much as Contos does), Ira goes on to deconstruct the incident from an information security perspective, detailing the specific control weaknesses, failures or omissions that failed to prevent each incident and explaining a range of countermeasures that would have minimized the risk. We learn a lot from Ira. Contos leaves almost all of this as an exercise for the experienced and competent reader (those new to information security presumably just watch the pretty lights and gasp at the bangs).

After the anecdote, chapter 2 continues with two paragraphs basically explaining that some people join an organization with malicious intent while others become malicious later. There are several interesting but unsupported claims in these two paragraphs (e.g. “Regardless of who [insiders] are, they share a common attribute: By design or accident, they have access beyond that of the average person.”). I’d like to know what he means by that and consider the evidence (if any) on which he bases the claim. Contos misses a golden opportunity to examine what leads non-malicious employees to become malicious, apart from a single obtuse reference to them being “persuaded by external forces”. There’s barely a word about the classic ‘motivation, opportunity and means’. It is becoming clear that the author has simply not done even basic research on the topic. The later three page “bibliography” is a bit of a clue.

There follows a confusing and selective summary of an insider threat study by the US Secret Service and SEI’s CERT Coordination Center published in 2005. Contos first warns about a statistical bias in the study due to its selection of certain types of incident but then goes on to quote a few statistics, interpreting them narrowly as facts that suit his own thesis. For example, “Another statistic from the survey that is interesting is that 96% of the insiders were male. Since the other statistics demonstrated that almost all of the insiders who were caught doing malicious things were in a more technical field, this does seem logical since there are generally more men than women in technical fields. Or, perhaps the insiders who were women were simply clever enough not to get caught.” So, should we be more concerned about men or women? We are left nonplussed.

Next we are treated to a section on “Psychology of insider identification”. This starts with a paragraph simply listing the types of pre-employment checks that can be performed on prospective employees (which gets repeated in chapter 16), then a warning that “no two organizations ever agree on what [‘disqualifying issues’ meaning adverse references etc.] can prevent an applicant from being hired”. There is no hint of advice from the author on how we might address the implied issue here. Finally, the section quotes from “an excellent paper called Exploring the Mind of the Spy” by Dr Mike Gelles, a page of “criteria that usually have to be met for a previously trustworthy and loyal employee to commit a serious crime”. The only meaningful commentary from Contos is that “weakness alone doesn’t mean that the person is a security risk. The entire person must be evaluated.” Once more, we are left with more questions than answers.

Chapter 2 continues with 2 pages of “Insider threat examples from the media” (more whooshes and bangs), and then yet another one-page anecdote in which a maintenance engineer was caught stealing servers from a computer room but was not sacked because the security investigator “couldn’t bring himself to fire his friend”. Reading between the lines that follow, I believe we are supposed to conclude that personal relationships are likely to interfere with investigations of employees but the only advice is to “Think of your role in keeping the person unaware of the investigation until the team determines it to be appropriate to let him or her know.” A few words about forensic investigation techniques, discretion, use of independent investigators etc. would not have gone amiss here, given the supposed subject of the book.

The chapter ends with an incomplete and superficial outline of selected security controls: policies, need-to-know, least privileges, separation of duties, strong authentication (in which we are informed, without anything to substantiate the claim, that authentication using location data from GPS is “becoming increasing popular”), access control and (surprise surprise) incident detection and incident management. The control outlines are interspersed with a few bullet points on “Insider threats from a business perspective” (by which we find Contos actually means business impacts of security incidents) and a curious short section on risk. Contos evidently believes ROI (used in the specific context of investment in security) is materially different from ROSI … although we learn next to nothing about information security risk analysis and risk management.

The strange ROSI vs ROI distinction is reprised in the middle of chapter 3. In the author’s mind, ROSI is concerned with risk reduction whereas ROI is about financial costs and benefits. This part of the text is incomplete, inaccurate, contradictory, misleading, facile and heavily biased towards ESM. Two ‘sources’ are quoted on ROSI/ROI, a webinar by Peter Lindstrom and a survey conducted by the author (presumably conducted on his ESM customers) – in neither case is a proper reference provided. As you can tell, I was not impressed.

Writing style and readability

The author’s writing style is rather verbose and conversational, making it ‘a nice read’ maybe but frustrating to those intending to glean useful information from the book. The language is loose and the editing/proofreading lax in a few places e.g. “Since this didn’t pass the “duh!” test, and something was obliviously [sic] wrong, the security team immediately began investigating.” (first sentence of a paragraph on page 114). Leaving the reader to figure out which “this” is, Contos never does explain “the “duh!” test”. He frequently refers to an employee ‘becoming an insider’ where I believe he means ‘becoming a threat’ since employees, by definition surely, are all insiders. Nowhere does he explain the terms threat, vulnerability and impact, implying again a lack of research and/or perhaps a misunderstanding of information security risk concepts. He knows all about ESM though. Oh yes.

Conclusion

If you are seriously interested in ESM, you probably wrote the gushing “review notes” on the cover or the foreword (written by Hugh Njemanze, CTO of – you guessed it – the same ESM company). I’m far from convinced that anyone else (except perhaps from the ESM company and its customers who may be happy with an extremely biased view of the value of ESM) would benefit from this book, even if it is “vendor neutral” (page xxii). If you are looking for some meaningful insight into and analysis of the “insider threat”, and perhaps some practical and worthwhile countermeasures apart from ESM, look elsewhere.

Home > Books > Enemy @ Water Cooler >