In audit, the term "fraud or error" is widely used for the misuse that an authorized user may make of an enterprise's information resources. The term deliberately avoids prejudging suspicious behavior by the enterprise's own users.
Security today is focused mainly on preventing access to an enterprise's resources by an external attacker, deploying firewalls, intrusion prevention systems or content gateways to control and forbid outside use of the enterprise's information. However, more than 60 percent of security incidents originate with an employee or someone else internal to the organization.[1] CERT (Carnegie Mellon University's Computer Emergency Response Team) has created a group that specializes in insider threats[2] to generate knowledge, best practices and awareness of this problem.
The traditional organization was a closed entity in which only a controlled number of users, mainly employees, interacted with its information systems. This scheme is changing: more and more external users have legitimate access to an enterprise's computer systems, e.g., customers, citizens, partners and suppliers. Every organization belongs to a growing ecosystem of stakeholders in its business. Customer relationship management (CRM) systems promote a comprehensive relationship with the client, including direct access to the information the company holds about that client. If the enterprise implements supply chain management (SCM), it must also integrate its computer systems, and possibly its logistics systems, with those of its suppliers. The management techniques in wide use today therefore involve a larger number of actors interacting with the enterprise's information.
At the same time as the management model changes, and with it the enterprise's information systems, the law requires ever greater control over access to, and care of, the information each enterprise handles. This can be seen in regulations and standards such as Spain's Organic Law on the Protection of Personal Data (LOPD), the US Sarbanes-Oxley Act, Basel II and the Payment Card Industry Data Security Standard (PCI DSS). Enterprises must adapt their information technology to meet these legal and policy requirements with minimal impact on their operations.
For all these reasons, the enterprise must implement strong control over access to its information: preventive wherever possible and, in the worst case, at least reactive.
The first building block is identity and access management (IAM), which controls access to information resources under a policy of "least privilege" and "need to know": users can reach the enterprise's systems and obtain only the minimum information their tasks require. This does not, however, prevent misuse of the information a user is legitimately allowed to access. Complementary to IAM is information leakage detection and prevention (ILDP), which lets the enterprise detect and prevent the leakage of information. With ILDP, network sniffers and desktop agents detect and halt improper transfers of information and enforce security policies that minimize the likelihood of such transfers.
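The following is an added illustration of the kind of content check an ILDP desktop agent or network sensor applies to outbound traffic; it is not code from the article or from any ILDP product. It looks for primary account numbers (the PCI DSS case mentioned above) by combining a permissive digit pattern with the Luhn checksum, then applies an assumed policy: a message carrying a valid card number is blocked if the recipient is outside the enterprise domain and allowed but logged (with the number masked) if it stays internal. The domain, senders, recipients and message bodies are constructed sample data.

```python
"""Minimal outbound content inspection of the kind an ILDP agent performs.

Added example for illustration, not the article's or any vendor's code.
The policy, the internal domain and the sample messages are assumptions.
"""
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or
# dashes. The pattern over-matches on purpose; the Luhn check removes most
# false positives (ticket numbers, timestamps, phone numbers).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

INTERNAL_DOMAIN = "example-corp.com"  # assumed enterprise mail domain

# Constructed sample traffic: (sender, recipient, body).
SAMPLE_MESSAGES = [
    ("ana@example-corp.com", "partner@supplier.example",
     "Please charge card 4111 1111 1111 1111 for invoice 4471"),
    ("ana@example-corp.com", "finance@example-corp.com",
     "Refund to 4111111111111111 approved"),
    ("luis@example-corp.com", "friend@mail.example",
     "Ticket 1234567890123456 is still open, call me at 202-555-0143"),
]


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the digit-only form of every Luhn-valid PAN candidate in text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, the form PCI DSS allows for display."""
    return "*" * (len(digits) - 4) + digits[-4:]


def inspect_outbound(sender: str, recipient: str, body: str,
                     internal_domain: str = INTERNAL_DOMAIN) -> dict:
    """Decide whether an outbound message may leave the enterprise.

    Assumed policy: a message carrying a valid PAN is blocked when the
    recipient is external; internally it is allowed but logged with the
    PAN masked; messages without PANs pass.
    """
    pans = find_pans(body)
    external = not recipient.lower().endswith("@" + internal_domain)
    if pans and external:
        verdict = "block"
    elif pans:
        verdict = "allow-and-log"
    else:
        verdict = "allow"
    return {"sender": sender, "recipient": recipient,
            "verdict": verdict, "pans": [mask_pan(p) for p in pans]}


def run_samples() -> list:
    """Inspect the constructed sample messages and return their verdicts."""
    return [inspect_outbound(*msg)["verdict"] for msg in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(inspect_outbound(*msg))
```

The third message shows why the checksum matters: the 16-digit ticket number matches the pattern but fails Luhn, so the agent does not block a legitimate message. A production sensor would add other identifiers (national ID numbers, document fingerprints), inspect attachments and encrypted channels, and record the decision in an audit trail.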
These technologies let enterprises control access to information and prevent its theft. One risk remains to be considered: an authorized user conducting fraudulent transactions, of which there are countless examples around the world. Such a user has access only to the information resources and operations needed to fulfill his or her tasks and makes no improper transfer of information, so neither IAM nor ILDP protects against this scenario. Addressing it requires a step toward tracking user behavior. Applying techniques from artificial intelligence, an enterprise can monitor user behavior beyond individual operations and build a complete profile of each user's permitted and forbidden activity. With this approach to risk, enterprises can monitor the actions of individual users, identify anomalous behavior and require that it be justified, and manage access to their information resources thoroughly.
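As an added example of application-level user behavior tracking (not the article's or any vendor's implementation, and using simple statistics rather than anything that deserves the label artificial intelligence), the script below learns a profile for each user from a constructed audit trail and scores new transactions against it. The log format, user names, thresholds and the four deviation rules (an operation the user has never performed even though access control permits it, an amount far above the user's usual range for that operation, activity outside the user's usual hours, and a burst of transactions within one hour) are all assumptions chosen for the illustration.

```python
"""Per-user behaviour profiling over an application audit trail.

Added example, not the article's or any product's code. The audit records,
users, thresholds and scoring rules are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed learning window: (timestamp, user, operation, amount).
BASELINE = [
    ("2024-03-04T09:12:00", "ana", "create_payment", 1200.0),
    ("2024-03-04T10:40:00", "ana", "create_payment", 950.0),
    ("2024-03-05T11:05:00", "ana", "create_payment", 1100.0),
    ("2024-03-05T15:30:00", "ana", "view_invoice", 0.0),
    ("2024-03-06T09:50:00", "ana", "create_payment", 1050.0),
    ("2024-03-04T08:55:00", "luis", "approve_payment", 1200.0),
    ("2024-03-05T09:20:00", "luis", "approve_payment", 950.0),
    ("2024-03-06T14:10:00", "luis", "approve_payment", 1100.0),
]

# Constructed new activity to score, in chronological order. Every one of
# these operations is permitted by access control for the user in question.
NEW_EVENTS = [
    ("2024-03-07T02:15:00", "ana", "create_payment", 9800.0),
    ("2024-03-07T09:30:00", "ana", "create_payment", 1150.0),
    ("2024-03-07T10:00:00", "luis", "create_payment", 1150.0),
    ("2024-03-07T10:05:00", "luis", "approve_payment", 1150.0),
    ("2024-03-07T10:10:00", "luis", "approve_payment", 1150.0),
    ("2024-03-07T10:20:00", "luis", "approve_payment", 1150.0),
]


def build_profiles(events):
    """Learn, per user, the operations used, the hours of activity and the
    amounts seen per operation. Nothing is hard-coded per user."""
    profiles = defaultdict(lambda: {"ops": set(), "hours": set(),
                                    "amounts": defaultdict(list)})
    for ts, user, op, amount in events:
        p = profiles[user]
        p["ops"].add(op)
        p["hours"].add(datetime.fromisoformat(ts).hour)
        p["amounts"][op].append(amount)
    return profiles


def score_event(profiles, event, history, max_per_hour=3):
    """Return the reasons an event deviates from its user's profile.

    An empty list means the event fits learned behaviour. history holds the
    already-scored events and is used for the burst rule.
    """
    ts, user, op, amount = event
    when = datetime.fromisoformat(ts)
    p = profiles.get(user)
    if p is None:
        return ["unknown_user"]
    reasons = []
    if op not in p["ops"]:
        reasons.append("new_operation")
    else:
        amounts = p["amounts"][op]
        mu, sigma = mean(amounts), pstdev(amounts)
        # Three standard deviations above the mean; with no spread in the
        # baseline, fall back to twice the largest amount seen (assumed).
        limit = mu + 3 * sigma if sigma > 0 else 2 * max(amounts)
        if amount > limit:
            reasons.append("unusual_amount")
    if not any(abs(when.hour - h) <= 1 for h in p["hours"]):
        reasons.append("off_hours")
    recent = [e for e in history if e[1] == user and
              0 <= (when - datetime.fromisoformat(e[0])).total_seconds() <= 3600]
    if len(recent) + 1 > max_per_hour:
        reasons.append("burst")
    return reasons


def detect(profiles, events, max_per_hour=3):
    """Score events in order, returning (event, reasons) pairs."""
    history, results = [], []
    for ev in events:
        results.append((ev, score_event(profiles, ev, history, max_per_hour)))
        history.append(ev)
    return results


def run_detection():
    """Profile the baseline and return the reasons list for each new event."""
    profiles = build_profiles(BASELINE)
    return [reasons for _, reasons in detect(profiles, NEW_EVENTS)]


if __name__ == "__main__":
    for ev, reasons in detect(build_profiles(BASELINE), NEW_EVENTS):
        print(ev, "->", reasons or "ok")
```

Every flagged event here would pass an IAM check, and none of them moves data out of the enterprise, so ILDP would stay silent too; only the comparison against the user's own history surfaces them. In practice the baseline must be drawn from a period believed clean, thresholds tuned per role to keep false positives manageable, and each alert routed to a reviewer who asks the user to justify the activity, as the paragraph above describes.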
Enterprises constantly improve the protection of their systems against external assault by malicious agents, but forget or overlook the risk that their own internal users pose to internal, unprotected systems, relying on an unsubstantiated confidence in those internal agents. Unfortunately, the statistics show that such confidence is not always justified.
[1] Yachin, Dan; Combating Insider Threats: The Application-level User Behavior Tracking Approach, IDC, April 2006
[2] CERT, Insider Threat Research web page, Carnegie Mellon University, www.cert.org/insider_threat/
Fidel Santiago, CISA, is security product manager at Bahía IT.
ISACA Journal, formerly Information Systems Control Journal, is published by ISACA, a nonprofit organization created for the public in 1969. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.