Strong authentication and transactions tied to digital signatures are the way to discourage employees from becoming insider threats. This is according to Maeson Maherry, chief solutions officer at LAWtrust, who was speaking at the ITWeb Security Summit 2019.
“The way to secure your business against outside attack is by actually securing your business from inside attack, with the tools you probably have inside the environment already,” he said.
We all know the usual external threats, he added: criminal hackers looking for money or insider information, and even hacktivists. But it is the business insider who is often overlooked, and who could do a lot of damage if given the chance.
“What is dangerous is a bored, pissed-off employee, an insider who probably hates the company. They see where the money is going and understand the business process. This business insider is a normal person, not a tech guru, necessarily. They have a business role like treasury, procurement or payroll. They are exposed to finances or sensitive business actions and they decide they're going to commit a crime.”
He said classical criminal psychology shows that if ‘there's an opportunity, people are confident that they can get away with it, and if they can stay anonymous, then you're in trouble’.
“A lot of inside business systems work like that, from banking mainframes, where a few trusted people can do treasury transactions, to payroll systems inside organisations, because it's inside and we trust all of the people.”
He explained how LAWtrust approaches these issues with technical tools: strong authentication through biometrics, timestamps and digital signatures that seal the evidence, with the aim of stopping criminal thinking before it even starts.
“A lot of the security industry is like pregnancy testing. We’re testing to see if someone's pregnant, which could be good or bad news, depending on what you find. But the act has already happened. So what we're trying to do instead is use security measures to prevent the act from happening in the first place.”
He said this is done by turning the psychology of criminality against itself: removing anonymity, promoting continuous awareness and ensuring tamper-proof evidence.
On the user side, three-factor authentication using biometrics is ideal, so employees ‘have to sign and seal the transactions at the source’, which ‘maintains data integrity right from the beginning’.
“We like biometrics because when people see their fingerprints, they are a little bit scared and think about behaving; when they authenticate with a fingerprint, they always behave; it’s human nature,” he said.
“With every transaction, instead of pressing ‘enter’, they are going to sign it off with their fingerprint. What they don’t know is the fingerprint is unlocking a private key and a hash is made of the whole transaction, a timestamp is reached from a server. We’ve added this digital signature into the payload that's going back up to the mainframe and we are keeping a copy in the evidence vault. What they see is their fingerprint on the screen and it's looking at them. They know that the fingerprint is them and they know it’s at the scene of the crime so you see behaviour change.”
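As an added illustration, not LAWtrust's code nor any part of the talk, the Go program below models the sealing step described above: a SHA-256 hash over the whole transaction, a timestamp supplied by a server, an Ed25519 signature made with the private key the fingerprint match would unlock, a copy kept in an evidence vault, and a receiving system that refuses payloads that are unsigned, altered after signing or signed by an unknown key. The transaction fields, identity names and amounts are constructed for the example; the biometric step itself is out of scope and is represented simply by handing the already-unlocked private key to `Sign`.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Transaction is a constructed payroll-style payload; the field set is an assumption for this example.
type Transaction struct {
	ID        string `json:"id"`
	Payer     string `json:"payer"`
	Payee     string `json:"payee"`
	AmountZAR int64  `json:"amount_zar"`
}

// SignedTransaction is the payload plus the seal binding it to one person and one moment in time.
type SignedTransaction struct {
	Tx        Transaction `json:"tx"`
	Hash      string      `json:"hash"`      // hex SHA-256 over the canonical transaction
	Timestamp int64       `json:"timestamp"` // Unix seconds, obtained from the timestamp server
	Signer    string      `json:"signer"`    // identity whose private key was unlocked
	Signature string      `json:"signature"` // hex Ed25519 signature over hash || timestamp
}

// hashTx hashes a deterministic encoding of the whole transaction, so any later edit changes the hash.
func hashTx(tx Transaction) ([]byte, error) {
	canon, err := json.Marshal(tx) // fixed struct: field order is stable, so the encoding is canonical
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(canon)
	return sum[:], nil
}

// sealInput is the exact byte string the signature covers: the hash and the server timestamp together.
func sealInput(hash []byte, ts int64) []byte {
	return []byte(fmt.Sprintf("%x|%d", hash, ts))
}

// Sign is the step a successful fingerprint match would trigger: the user's private key signs hash+timestamp.
// The timestamp is a parameter because it must come from a trusted server, not the user's device clock.
func Sign(tx Transaction, signer string, priv ed25519.PrivateKey, ts int64) (SignedTransaction, error) {
	hash, err := hashTx(tx)
	if err != nil {
		return SignedTransaction{}, err
	}
	sig := ed25519.Sign(priv, sealInput(hash, ts))
	return SignedTransaction{Tx: tx, Hash: hex.EncodeToString(hash), Timestamp: ts,
		Signer: signer, Signature: hex.EncodeToString(sig)}, nil
}

// Verify is what the receiving system (the "mainframe" in the talk) runs before processing anything.
// It rejects unsigned payloads, unknown signers, payloads edited after signing and bad signatures.
func Verify(st SignedTransaction, keys map[string]ed25519.PublicKey) error {
	if st.Signature == "" || st.Signer == "" {
		return errors.New("unsigned transaction: refused")
	}
	pub, ok := keys[st.Signer]
	if !ok {
		return errors.New("unknown signer: refused")
	}
	hash, err := hashTx(st.Tx)
	if err != nil {
		return err
	}
	if hex.EncodeToString(hash) != st.Hash {
		return errors.New("payload does not match its hash: tampered")
	}
	sig, err := hex.DecodeString(st.Signature)
	if err != nil || !ed25519.Verify(pub, sealInput(hash, st.Timestamp), sig) {
		return errors.New("bad signature: refused")
	}
	return nil
}

// EvidenceVault keeps a copy of every sealed transaction, keyed by transaction ID: the trail used
// later to show who signed what, and when.
type EvidenceVault map[string]SignedTransaction

func (v EvidenceVault) Store(st SignedTransaction) { v[st.Tx.ID] = st }

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the key the fingerprint unlocks
	keys := map[string]ed25519.PublicKey{"payroll-clerk-01": pub}
	vault := EvidenceVault{}

	tx := Transaction{ID: "PAY-0001", Payer: "CompanyPayroll", Payee: "ACC-12345", AmountZAR: 18500}
	sealed, _ := Sign(tx, "payroll-clerk-01", priv, time.Now().Unix())
	vault.Store(sealed)
	fmt.Println("original:", Verify(sealed, keys))

	tampered := sealed
	tampered.Tx.AmountZAR = 185000 // edited after signing: hash no longer matches
	fmt.Println("tampered:", Verify(tampered, keys))
	fmt.Println("unsigned:", Verify(SignedTransaction{Tx: tx}, keys))
	fmt.Println("vault record signed by:", vault["PAY-0001"].Signer)
}
```

The design point is that the signature covers both the content hash and the server-issued timestamp, so the evidence answers "what, who and when" in one check, and the receiving system's refusal of anything unsigned is what makes the seal mandatory rather than advisory.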
But it’s not all about catching bad guys, he said. It’s also about protecting the good people in the organisation.
“We have had cases within some of the big government departments where police have come in and arrested somebody, but we could go to the evidence trail and prove that it was not them, that the fraud was elsewhere down the line and we saved them from a life in jail.”
“We’ve seen that good security can protect the good majority from being victimised or falsely accused. By doing this inside, you will also protect yourself from outside attack – our systems are now resilient because they will not process a transaction that does not have a digital signature or a strong authentication,” he concluded.