236 ◾ Security Strategy: From Requirements to Reality
complacent about insider threat; that is, they do not associate malicious insiders with high-value losses. But a privileged user (one with root or admin access) can cause irreparable damage to company-owned information assets and cause huge downstream damages to company employees, customers, and other innocent victims—not to mention the hit the company’s brand image and reputation will take. One incident reported by CERT involved a terminated employee who launched a logic bomb that deleted over 10 billion records from his former employer’s servers. The restoration costs exceeded $3 million, and many records were permanently lost. It’s amazing to think that in most companies, people with this level of access receive less supervision than a bank teller.
There are a number of contributing factors to this dilemma. Management complacency (or lack of awareness) is one; lack of proper training is another. The move away from command and control structures to empowered employees and self-directed teams is another. Cost cutting, work from home, and geographic dispersion are others. When cost-cutting measures are in place, managers end up supervising an ever-larger number of employees. While government ratios remain in the 7 to 1 range, private industry ratios are double that and climbing! It’s not unusual to have a “distant” manager in today’s connected and geographically diverse work environments. When Bill worked at Predictive Systems’ California office, the boss’s office was in Reston, Virginia. He never actually met the boss in person: Meetings were by telephone, and he was even laid off by phone when the dot-com bust hit in 2000. Given the realities of today’s business environment, it’s unlikely these things are going to change, and for many job functions that’s okay. But for high-privileged positions, that’s not only dangerous but just plain stupid. Virtually every malicious insider attack we reviewed was discernible, but how do you discern bad behaviors when you don’t actively engage with your workforce? The lack of direct (face-to-face) interaction can also be one of the causes for illicit behavior. People require care; we believe that fully one-third of a leader’s time should be devoted to the people working for him or her. When managers are swamped with duties and overloaded with people, people are the ones who suffer. Requests go unanswered, one-on-one meetings get canceled, and the attention and recognition people need get lost. Is it any wonder that employees get stressed out, dissatisfied, and disgruntled?
Competent supervision is a combination of supervisor and supervisory control objectives. Table 12.1 maps the attributes of these control objectives to specific user threat baselines. The type (hard or soft) is used to denote how evidence is collected for each control. Soft indicates a procedure-based control, while hard denotes a technology-based (i.e., automated) control.
Supervisor Attributes
Supervisor attributes apply to the managers and other personnel charged with the oversight of other workers, including employees, contractors, vendors, and partners working within their sphere of responsibility. This combination of workers is generally considered to be the organization’s staff.
Trained
The “trained” control objective ensures that the supervisor has the proper knowledge, skills, and abilities (KSAs) to hire trustworthy individuals for security-sensitive positions and to properly monitor the activities of their staff against company requirements. Supervisors, especially those responsible for personnel with highly privileged access to company assets (i.e., servers, data warehouses, etc.) or access to high-value assets (i.e., bank accounts, payroll, etc.), need to be trained in