Cloud
Commentary
1/13/2015 10:30 AM
Kaushik Narayan

Insider Threats in the Cloud: 6 Harrowing Tales

The cloud has vastly expanded the scope of rogue insiders. Read on to discover the latest threat actors and scenarios.

The most widely advertised risks to data in the cloud typically focus on vulnerability to external attackers, but in private conversations security teams frequently voice concern over threats from within their own organizations.

When you think of insider threats, you probably worry about headline-grabbing incidents in which whistle-blowers expose data to the media, as in the case of Edward Snowden. The reality is that these highly visible yet rare cases are only the tip of the iceberg. The bulk of insider threats are either well-intentioned but careless employees or rogue insiders in pursuit of personal gain. These cases fly under the radar: While only 17% of security professionals were aware of an insider threat within their organization in the past year, usage data from Skyhigh’s latest Cloud Adoption and Risk Report revealed anomalous activity highly indicative of insider threat in 85% of organizations.

The cloud has vastly expanded the scope of insider threat. The sheer number of cloud applications (over 8,000) and the immaturity of their auditing and governance controls relative to on-premises applications result in a lack of visibility and governance. Read on, if you dare, for harrowing tales of insider threats -- cloud edition.

The salesperson jumps ship
In one of the most common insider threat scenarios, a sales representative leaves the company for a competitor and takes sales leads with him. Concern over defectors leaving with data is prevalent in organizations of all industries and sizes, especially in competitive markets. Stealing leads is hard to detect because it happens on sanctioned corporate services, using access the representative legitimately holds; and it is damaging because it directly costs the business revenue.

Cloud services have made this type of event look nothing like the classic theft of a physical stack of leads, à la Glengarry Glen Ross. Salesforce makes a huge number of leads accessible to any authorized employee at the click of a button. The challenge for enterprises that can easily have thousands of Salesforce users logging in each day is identifying unusual, anomalous activity (one user exporting far more records than that user ever has before, for instance) against the background of typical everyday activity.
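To make that detection problem concrete, here is an added example, written for this page and not taken from the article or from Skyhigh's product. It scores each user's daily export volume against that user's own history rather than a global threshold, so a service account that legitimately pulls tens of thousands of rows every night is not flagged while a sales rep who suddenly pulls the whole lead table is. The log rows are constructed; the field layout is an assumption standing in for a CRM audit feed (Salesforce's EventLogFile "ReportExport" events are the real-world analogue, but the names here are not that schema).

```python
"""Added example: per-user baseline detection of bulk CRM lead exports.

Illustration code, not Skyhigh's logic. The log format is a constructed
stand-in for a CRM audit feed; field names are assumptions.
"""
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed sample log: one tuple per export event, (user, day, rows_exported).
# - asmith:  ordinary rep, a few hundred rows per day
# - etl_svc: integration account that legitimately pulls 40k rows nightly
# - jdoe:    ordinary rep until 2015-01-09, when two exports pull the lead table
SAMPLE_LOG = [
    ("asmith", date(2015, 1, 5), 120), ("asmith", date(2015, 1, 6), 150),
    ("asmith", date(2015, 1, 7), 90),  ("asmith", date(2015, 1, 8), 200),
    ("asmith", date(2015, 1, 9), 130),
    ("etl_svc", date(2015, 1, 5), 40000), ("etl_svc", date(2015, 1, 6), 40000),
    ("etl_svc", date(2015, 1, 7), 40000), ("etl_svc", date(2015, 1, 8), 40000),
    ("etl_svc", date(2015, 1, 9), 40000),
    ("jdoe", date(2015, 1, 5), 80),  ("jdoe", date(2015, 1, 6), 100),
    ("jdoe", date(2015, 1, 7), 60),  ("jdoe", date(2015, 1, 8), 90),
    ("jdoe", date(2015, 1, 9), 28000), ("jdoe", date(2015, 1, 9), 20000),
]


def daily_totals(log):
    """Sum exported rows per (user, day) so a pull split into chunks is seen as one."""
    per_user = defaultdict(lambda: defaultdict(int))
    for user, day, rows in log:
        per_user[user][day] += rows
    return per_user


def robust_baseline(values):
    """Median and scaled MAD of a user's history.

    Median/MAD are used instead of mean/stddev so that one earlier spike
    cannot drag the baseline up and hide a later one (1.4826 scales MAD to
    approximate sigma for normally distributed data).
    """
    med = median(values)
    mad = 1.4826 * median(abs(v - med) for v in values)
    return med, mad


def flag_export_spikes(log, min_history=3, min_ratio=5.0, z_threshold=6.0,
                       floor_rows=1000):
    """Return days on which a user's export volume is an outlier against that
    user's own earlier days.

    All three tests must hold: an absolute floor (so 3 rows -> 30 rows is
    ignored), a ratio against the user's median, and a robust z-score.
    """
    findings = []
    for user, days in daily_totals(log).items():
        ordered = sorted(days.items())
        for i, (day, rows) in enumerate(ordered):
            history = [r for _, r in ordered[:i]]      # strictly earlier days only
            if len(history) < min_history:
                continue                              # not enough baseline yet
            med, mad = robust_baseline(history)
            ratio = rows / med if med else float("inf")
            if mad:
                z = (rows - med) / mad
            else:                                     # perfectly flat history
                z = float("inf") if rows > med else 0.0
            if rows >= floor_rows and ratio >= min_ratio and z >= z_threshold:
                findings.append({"user": user, "day": day, "rows": rows,
                                 "baseline": med, "ratio": round(ratio, 1)})
    return findings


if __name__ == "__main__":
    for f in flag_export_spikes(SAMPLE_LOG):
        print(f"{f['day']} {f['user']}: {f['rows']} rows exported "
              f"vs baseline {f['baseline']} (x{f['ratio']})")
```

Run against the sample log, only jdoe on 2015-01-09 is reported: the two exports are aggregated to 48,000 rows against a median of 85, while etl_svc's constant 40,000 rows per night never deviate from its own baseline. In practice the same logic would be fed from the CRM's export or API audit events and tuned per role, and the minimum-history requirement means a brand new account gets no verdict until it has a few days of normal activity to compare against.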

When admins go rogue
Employees at all levels of an organization rely on cloud services to do their jobs, including the C-suite. Privileged users, however, have unique authority: administrative access to data housed in a cloud service.

A large technology company I spoke with voiced concern over the internal administrators of its CRM software. These admins were responsible for managing users' permissions and security policies, and at the same time they personally had access to the business data stored in the cloud service. The same accounts that set the controls could also read everything the controls protect, so there was no separation of duties and each admin was a standing security liability. Another example: an administrator for a cloud-based storage service can access executive-only financial projections and trade on that confidential information.

Danger from within 
Insider threat is typically discussed in the context of enterprise employees, but cloud-service-provider employees present another vector for the exfiltration of data from within. Take, for example, a cloud service used internally by Human Resources. An employee of the cloud service provider has access to the sensitive corporate data hosted in that service. Depending on the user agreement, the cloud service provider may not even be liable for lost data. Enterprise cloud use therefore has to include controls that protect against insiders on both sides of the contract, not only against external attackers.

The virtual globetrotter
Cloud services enable worldwide collaboration, but the same trait allows data to wander where it shouldn't. In a widely reported episode of unprecedented audacity, a developer at an unnamed company outsourced his own job to a counterpart in China. He paid the Chinese worker to complete his assignments and kept the difference. Legality aside, the creatively devious workflow obviously exposed his employer to an array of security concerns, as corporate data was handed to an unvetted third party.

Shady services stand out
Some cloud services flat-out mean trouble for businesses. Violating company cloud usage policies constitutes another type of insider threat, and can range in severity from illicit Facebook use to illegal file sharing. On the more drastic side of the spectrum is the employee who uploads data to a development site such as Codehaus, which claims ownership of uploaded intellectual property in its terms of use. The infamous "worst user in the world" from Skyhigh's usage data used 182 high-risk cloud services at work, uploading 9.3GB to code-sharing site SourceForge and 3GB to file-sharing site ZippyShare. Sending data to these services may have legal ramifications and may hurt the business directly if sensitive intellectual property is leaked.

Paved with good intentions
Not all insider threats come from malicious perpetrators. The wealth of consumer applications in the enterprise makes it possible for employees to inadvertently leak data to outsiders with just one click. One hapless worker at a financial services organization accidentally uploaded sensitive customer data to Facebook -- definitely worse than your average case of “oversharing” on social media. Employees accidentally commit security missteps in the process of doing their jobs. At a hospital, one team set out to foster collaboration and improve patient outcomes by storing patient medical records in a consumer-grade file sharing service. When the service suffered a breach, HIPAA regulations forced the hospital to notify patients and exposed it to a lawsuit.

Kaushik Narayan is a Co-Founder and CTO at Skyhigh Networks, a cloud security company, where he is responsible for Skyhigh's technology vision and software architecture. He brings over 18 years of experience driving technology and architecture strategy for enterprise-class ...

Comments
RyanSepe (User Rank: Ninja), 1/16/2015 8:28:34 AM
Re: Talk about outsourcing
Yes, cloud services offer a new type of attack vertical. Especially when, depending on the type of service (IaaS, PaaS, SaaS), you have different constraints as to what safeguards you are allowed to place on the data, as there are different data governance policies.

Marilyn Cohodas (User Rank: Strategist), 1/14/2015 9:25:55 AM
Re: Talk about outsourcing
Some of these insider personas are definitely familiar, or a version of a familiar rogue actor. Enterprise apps like Salesforce definitely expose companies to risks that were not on the radar even a few years ago. It's scary. And the problem is not going to get easier.

RyanSepe (User Rank: Ninja), 1/14/2015 9:15:21 AM
Tech Savvy
I think it's important to note that many people are not technology savvy. Negligent employees are a more common risk, and it's because, without any awareness training in security, they are looking for the easiest way to perform their job function. However, easiest rarely coincides with most secure, and this is why it is imperative that security policies are well communicated and enforced within an organization, along with regular security awareness training.

RyanSepe (User Rank: Ninja), 1/14/2015 9:09:01 AM
Re: Talk about outsourcing
@Marilyn.

Yes, it's wild how a security shortcoming that apparent can be overlooked! Or, even worse, acknowledged and simply done anyway. I would be interested to see how prevalent this is, as this is not the first time I've heard of this occurrence. India is another area where unknown outsourcing is common.

Marilyn Cohodas (User Rank: Strategist), 1/13/2015 1:09:07 PM
Talk about outsourcing
What a sweet deal for the virtual globetrotter. Well, at least until he got caught. The details are quite revealing. According to ABC News, the developer sent his company login key through FedEx to a third-party contractor in China, who did the work while the globetrotter spent the day on social media and eBay. All the while getting "excellent remarks" in performance reviews.