Keeping tabs on contractors, consultants and others

A newly updated report from the Insider Threat unit at CERT concerns the information security threats arising from Trusted Business Partners. Like all CERT's stuff, the report is well worth reading, not least because it incorporates case study materials from actual incidents - not a huge number I admit, but many more than I personally have investigated or analyzed.  

[In How To Measure Anything, Douglas Hubbard makes the valid point that even relatively poor/limited/dubious information is valuable if it advances our understanding, for instance if we have little or no prior knowledge in that area. I believe CERT is a reliable, trustworthy source, and their reports certainly advance my limited knowledge, no question. Look past the limitations to consider their advice. YMMV but it rings true and makes good sense to me.]

As described in the report, TBPs include lone consultants/contractors/temps (often working on-site) plus larger external service and outsourcing companies and other commercial partners who have privileged/trusted access to the organization's information, but not ordinary customers and goods suppliers.  

Although we didn't actually call them "TBPs", the complementary pair of security awareness modules 'Insidious insiders' and 'Orrible outsiders' both picked up on TBPs since they span the organization's boundary. They often have similar physical and logical access rights to full employees and yet have loyalties to their employers, not necessarily to the organization (although many who have been or intend to remain employed on contract for the long-term will have divided loyalties).  

Data in the CERT report indicates that both TBPs and insiders in their mid-20s to mid-40s are most likely to commit insider crime (meaning frauds, intellectual property theft or sabotage, according to CERT) - hardly surprising given that people in the age range often have young families, money pressures, boundless energy and opportunities, but lack the experience and moderation that comes with age.   [Speaking as someone with my fair share of grey hairs, I wouldn't be at all surprised to learn that older people are committing just as many insider crimes as their younger colleagues, but they are better at staying under the radar!]

Bitter revenge is a common motivation for attacks, for example where the organization suddenly decides (for whatever reason) to "let people go".  This presumably happens more to TBPs than employees, but either way it should of course be handled very carefully if there are substantial risks (e.g. if the TBP has previously exhibited or indicated disloyalty, clearly has personal/social issues, has privileged/trusted access to valuable resources, and works largely unsupervised).  [As far as I know, none of the companies I have worked for has a formalized approach to risk-assessing people who are about to be "let go", but informal processes are common.  It's a shame that risk and security people aren't more involved by HR, but then perhaps that's our fault for not making the effort to be team players?].

Paraphrasing slightly [and with my comments added], the report's 8 key recommendations are:

1. Understand the TBP's policies and procedures [which means finding out what they are, and in so doing confirming that they exist!];
   
   
2. Monitor intellectual property [and other assets] that TBPs [and employees!] access;
   
   
3. Manage access rights [that's universal for TBPs, insiders and outsiders!];
   
   
4. Understand the TBP's personnel policies and procedures [more specific than the first recommendation, presumably relates to the revenge issue noted above];
   
   
5. Anticipate and deal properly with HR issues that arise [universal, again, and as I suggested above, most of us could do more on this score];
   
   
6. Deactivate/remove access when TBPs [and employees!] leave;
   
   
7. Enforce separation of duties [which implies defining them to start with!];
   
   
8. Clarify ethical responsibilities towards the organization in contracts with TBPs [personally, I'm dubious that this recommendation will have much practical effect: surely it is better to integrate TBPs with employees in the associated awareness and training activities?  Oh, hang on, there I go again, blithely assuming that everyone has decent security awareness and training programs!]

To close, I'll also mention that the incidents summarized in many CERT reports are easily converted into realistic security awareness case studies using the approach I described recently on this blog, and the CERT blogs are well worth tracking to keep up with CERT's activities.