Attacks/Breaches
4/13/2017
06:15 PM

95% of Organizations Have Employees Seeking to Bypass Security Controls

Use of TOR, private VPNs on the rise in enterprises, Dtex report shows.

The insider threat issue is well-understood and something that countless surveys have shown poses almost as big a risk to enterprise data security as external attackers.

A report from Dtex this week offers a slightly different look at the problem by highlighting some of the clues that organizations should be looking for to detect and stop insiders engaged in malicious or negligent behaviors.

The Dtex report is based on an analysis of risk assessments conducted by a sample of its customer base. A stunning 95% of the assessments showed employees to be engaged in activities designed to bypass security and web-browsing restrictions at their organizations.

Examples included the use of anonymous web browsers such as TOR, anonymous VPN services, and vulnerability-testing tools such as Metasploit. The use of anonymous VPN services within organizations in fact doubled between 2015 and 2016, according to Dtex.

An overwhelming amount of data from customer assessments has shown that the use of such tools and services by employees is almost always a precursor to data theft or other malicious behavior. “Enterprises usually don’t expect to find such a high volume of employees actively trying to bypass security controls,” says Rajan Koo, senior vice president of customer engineering at Dtex.

Employees using private VPNs and Tor on an enterprise network are typically trying to hide their actions and do something that will not be detected by the organization’s security controls, he says. “Security bypass is the first step towards data theft or other destructive behavior,” Koo says.

For example, if a user threat assessment uncovers an employee using a TOR browser on the network, administrators should treat that as a red flag that the employee is engaging in prohibited or even potentially illegal behavior. Similarly, there is a high chance that an employee who spends hours researching ways to get around security systems is trying to evade the controls within their own organization.

“When an employee spends time researching how to bypass security controls, we often find that they are trying to exfiltrate data without being blocked by their DLP or without raising any flags on the network,” Koo says. Or they could be trying to save time by using their favorite tools that are being blocked by corporate security, he says.

Organizations should also not ignore the use of personal email accounts such as Gmail and Yahoo on corporate endpoint devices, Dtex noted in its report. About 87% of the companies whose data Dtex analyzed reported employees using personal web-based email on corporate devices, even though many of them had explicit measures in place to block such use.

While the use of personal email by itself is not a red flag, organizations should not ignore the fact that personal email can be used to enable data theft, the report noted.

Ordinary emails, file attachments, and calendar entries are some of the more obvious channels an employee with malicious intent can use to steal data. Users can also simply use email drafts to save and transfer corporate data out of the network without leaving an obvious trail, Dtex said.

More than half of the companies in the Dtex report also encountered potential data theft issues from people who were about to leave the organization. Leavers, for instance, tend to show higher than normal file aggregation activity in the two weeks before their scheduled departure. The kind of data at risk from such activity includes proprietary plans, client lists and even intellectual property.
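The "higher than normal file aggregation in the two weeks before departure" indicator is easy to turn into a detection: compare each leaver's daily file-access volume in the pre-departure window against that same user's earlier baseline. The script below is an added illustration, not code from Dtex or the report; the event shape (user, day, files touched), the user names, dates and counts are all constructed for the example.

```python
from collections import defaultdict
from datetime import date, timedelta

# Assumed input shape: (user, day, files_touched) tuples, e.g. summarised
# from file-server audit logs or an endpoint agent. Everything below is a
# constructed example; the names, dates and counts are made up.
LEAVE_DATE = date(2017, 4, 28)


def constructed_events():
    """Synthetic daily file-access counts for two users over 60 days."""
    events = []
    for i in range(60, 0, -1):
        day = LEAVE_DATE - timedelta(days=i)
        # alice: 5 files/day, jumping to 40/day in the final 14 days
        events.append(("alice", day, 40 if i <= 14 else 5))
        # bob: a steady 5 files/day throughout
        events.append(("bob", day, 5))
    return events


def daily_counts(events):
    """Aggregate events into {user: {day: files_touched}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for user, day, n in events:
        counts[user][day] += n
    return counts


def flag_leavers(events, departures, window_days=14, threshold=3.0):
    """Compare each leaver's last `window_days` against their own earlier
    baseline; return {user: stats} for those whose daily average rose by
    at least `threshold` times. Users with no baseline history are skipped."""
    counts = daily_counts(events)
    flagged = {}
    for user, leave_date in departures.items():
        start = leave_date - timedelta(days=window_days)
        base = [n for d, n in counts[user].items() if d < start]
        window = [n for d, n in counts[user].items() if start <= d < leave_date]
        if not base or not window:
            continue  # nothing to compare against; needs analyst review instead
        base_mean = sum(base) / len(base)
        win_mean = sum(window) / len(window)
        ratio = win_mean / base_mean if base_mean else float("inf")
        if ratio >= threshold:
            flagged[user] = {"baseline": base_mean, "window": win_mean, "ratio": ratio}
    return flagged


if __name__ == "__main__":
    hits = flag_leavers(constructed_events(), {"alice": LEAVE_DATE, "bob": LEAVE_DATE})
    for user, stats in hits.items():
        print(f"{user}: {stats['window']:.1f}/day vs baseline {stats['baseline']:.1f}/day")
```

A per-user baseline matters here: a flat threshold on file count would miss a light user who suddenly quadruples their activity and would drown analysts in alerts from roles that legitimately touch many files every day.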

As numerous other surveys have shown, Dtex's analysis also showed that malicious insiders are far from the only insider threat. Fifty-nine percent of the organizations in the report, for instance, reported employees putting them at risk via inappropriate Internet usage, such as viewing pornography or gambling at work.

“Insider breaches are a growing threat to virtually all organizations including mainframe users,” says John Crossno, product manager of Compuware’s security solutions group, which recently released a tool designed to mitigate the threat.

The increasing number of incidents in which employees fall prey to phishing and other social engineering attacks and hand over authorized user credentials to attackers has made even otherwise secure mainframe environments vulnerable, he says. He points to the massive data breach at the U.S. Office of Personnel Management in 2015 as one example of how attackers are able to gain access to critical mainframe systems by acquiring valid credentials.

In the mainframe environment, “enterprises have traditionally relied on insufficient methods to identify threats including disparate logs and [system-level] data gathered by security products to piece together user behavior,” he says. What is needed is a much more comprehensive approach to monitor and analyze mainframe application user behavior to detect insider breaches.

“The best way to detect threats before they cause damage is by collecting and analyzing data from various sources which provide a baseline for behaviors and stressors most closely linked to insider threats,” says Thomas Read, vice president of security analytics at Haystax Technology, in recent comments to Dark Reading.

Often, organizations focus their insider threat mitigation efforts on the endpoint but do little to understand the likelihood of an insider going rogue or causing a data breach because of a lack of training.

“Harold Martin – the contractor for the NSA found with stolen classified files – had a history of bad behaviors that were never flagged by insider threat controls,” he says as one example. “He also had access to the information as part of his job, and walked off the NSA site with the files. Network controls never would have detected this.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
tarasazs
User Rank: Apprentice
4/18/2017 | 4:43:32 PM
Is it really that easy?
I really liked the article and a round of applause for that, but as an employee myself, I have seen many of my colleagues using anonymous tools to hide their online activities, and when I inquired about their use of these tools in the office, even though they are restricted, they rationalised it by saying that they suspect our online communications could be stored and that is why they do it. Not a very legitimate excuse, I think.
OferA070
User Rank: Apprentice
4/16/2017 | 10:49:16 AM
BYOD trend
Very interesting article!

I believe that part of this is the result of BYOD policies in enterprise networks and the inability to control them properly. Enterprises should reach a balance between security and productivity, not by allowing people to use their own devices without any supervision.
DonnaG556
User Rank: Apprentice
4/14/2017 | 5:15:55 AM
SEO Package Reviews
Great post. I agree with the statement "The best way to detect threats before they cause damage is by collecting and analyzing data from various sources which provide a baseline for behaviors and stressors most closely linked to insider threats." Find out more details at SEO Package Reviews.