Welcome Guest. | Log In | Register | Membership Benefits


Topics:   Insider Threat Tech Center : Security Views

Insider Threat Reality Check

Organizations tend to think once they hire an employee or a contractor, that person is now part of a trusted group of people. Although an organization might give an employee additional access that an ordinary person would not have, why should it trust that person?

Nov 09, 2009 | 09:39 AM | 

By Eric Cole
Dark Reading

Organizations tend to think once they hire an employee or a contractor, that person is now part of a trusted group of people. Although an organization might give an employee additional access that an ordinary person would not have, why should it trust that person?Many organizations don't perform background and/or reference checks, and as long as the hiring manager likes the candidates, they will hire them. But some people might not be who you think they are, and not properly validating them can be an expensive, if not fatal, mistake. Because many organizations hire complete strangers, who are really unknown entities, and give them access to sensitive data, the insider threat is something that all organizations must now worry about.

If a competitor or similar entity wants to cause damage to your organization, steal critical secrets, or put you out of business, then all it has to do is find a job opening, prep someone to ace the interview, have that person get hired -- and they are in.

The fact that this is easy to do should scare you. Many companies have jobs open for several weeks, and it could take a couple of weeks to set up an interview. That gives a competitor focused on your company a four-week period to prep someone to ace an interview. This is what foreign governments do when they plant a spy against another country. They know a key criterion for that person is passing the polygraph, so they will put that person through intensive training in order to do so.

This points out an organization's key disadvantage: The attacker knows what process you are going to follow to hire someone, and all it has to do is prep someone to ace that part of the process.

I often hear people say all of that is hype and cannot happen to them. This is synonymous to thinking bad things only happen to others -- until they happen to you, of course, and then you have a different view of the world.

Public attacks, like defacing a Web site, are hard for a company to deny. On the other hand, insider threats are occurring all the time, but since they are happening within a company, they are a private attack and are easier to conceal.

Because these attacks are perpetrated by trusted insiders, you need to understand the damage they can cause, how to build proper measures to prevent the attack, how to minimize the damage, and, at a minimum, how to detect the attacks in a timely manner.

Many of the measures companies deploy today are ineffective against the insider. When companies talk about security and securing their enterprises, they are concerned with the external attack, forgetting about the damage that an insider can cause. Many people debate about what percent of attacks come from insiders versus outsiders. But both can cause damage to your company and put you out of business, so who cares what the percent is?

Both have to be addressed and dealt with. I would argue that since the insider already has access, the amount of damage he can cause is much greater than an external attacker, while the chances of getting caught are much lower. If an attacker comes in from the outside, then he has access only to systems that are publicly accessible, and he has to break through security devices. If an attacker comes from the inside, then she has full access and minimal, if any, security devices to deal with. As our digital economy continues to grow and the stakes increase, anyone who wants serious access to an organization is not going to waste his time with an external attack -- he is going to go right for the trusted insider.

Meanwhile, everyone is jumping on the bandwagon. The U.S. Secret Service conducted a series of studies on the insider; conferences are popping up on the subject. Why? Because billions of dollars are being lost and something has to be done to stop the bleeding. You will never be able to completely remove the insider threat because companies need to be able to function. You can't fire all of your employees to prevent an insider attack. The key is to strike a balance between what access people need and what access people have.

Dr. Eric Cole, Ph.D., is a security expert with more than 15 years of hands-on experience. Cole has experience in information technology with a focus on perimeter defense, secure network design, vulnerability discovery, penetration testing, and intrusion detection systems. He is the author of several books, including Hackers Beware, Hiding in Plain Site, Network Security Bible, and Insider Threat. He is the inventor of more than 20 patents, and is a researcher, writer, and speaker. Cole is a member of the Commission on Cyber Security for the 44th President and several executive advisory boards, and is CTO of the Americas for McAfee. Cole is involved with the SANS Technology Institute (STI) and SANS working with students, teaching, and maintaining and developing courseware. He is a SANS fellow, instructor, and course author.



Currently we allow the following HTML tags in comments:

Single tags

These tags can be used alone and don't need an ending tag.

<br> Defines a single line break

<hr> Defines a horizontal line

Matching tags

These require an ending tag - e.g. <i>italic text</i>

<a> Defines an anchor

<b> Defines bold text

<big> Defines big text

<blockquote> Defines a long quotation

<caption> Defines a table caption

<cite> Defines a citation

<code> Defines computer code text

<em> Defines emphasized text

<fieldset> Defines a border around elements in a form

<h1> This is heading 1

<h2> This is heading 2

<h3> This is heading 3

<h4> This is heading 4

<h5> This is heading 5

<h6> This is heading 6

<i> Defines italic text

<p> Defines a paragraph

<pre> Defines preformatted text

<q> Defines a short quotation

<samp> Defines sample computer code text

<small> Defines small text

<span> Defines a section in a document

<s> Defines strikethrough text

<strike> Defines strikethrough text

<strong> Defines strong text

<sub> Defines subscripted text

<sup> Defines superscripted text

<u> Defines underlined text

Dark Reading encourages readers to engage in spirited, healthy debate, including taking us to task. However, Dark Reading moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing/SPAM. Dark Reading further reserves the right to disable the profile of any commenter participating in said activities.

Disqus Tips To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.
Subscribe to RSS



Insider Threat Reports

report How to Prevent an Illicit Data Dump
There are no silver bullets when it comes to protecting company and customer data from loss or theft, but there are technological and procedural systems that will go a long way toward preventing a WikiLeaks-like data dump. Here are some tips and tricks to help protect your organization's most sensitive information.

report Email and Data Loss
Email encryption, rights management, email gateways, and full-on data loss prevention systems can keep corporate data secure. Here's a look at the pros and cons of each, to help you determine what?s best for your business.

report An Insider Threat Reality check
Heightened concern that users could inadvertently expose or leak -- or purposely steal -- an organization's sensitive data has spurred debate over the proper technology and training to protect the crown jewels. In this special retrospective of recent news coverage, Dark Reading takes a look at how organizations are handling the threat -- and what users are really up to.

Other reports from the Insider Threat Tech Center:

Related Content

Protection from Insider Threats
Preventing data misuse by trusted users is the most difficult information protection challenge. Insiders already have full authorization to the data, making traditional IT secure methods in effective. Learn about a more powerful security approach and proven strategies to prevent insider misuse.

Strategies for Protecting Intellectual Property
A company's intellectual property (IP) represents a significant portion of assets and a critical component of competitive differentiation, but the potential value of any IP is directly linked to its limit of acceptable use. Learn how you can put your IP to work within collaborative environments without undue risk and maximize competitive advantages.

Protecting Against WikiLeaks Type Events and the Insider Threat
The sensitive information supplied to WikiLeaks and other social justice websites comes from trusted insiders. Get the answers to the open gaps left in the WikiLeaks story and learn how you can prevent insider threats that are just as detrimental in your organization.

Insider Threat: An Inside Look at a Fortune 100 Company's Prevention Program
The ways and means by which a privileged user can successfully steal proprietary data today is staggering. One venerable company that suffered a devastating incident decided to do something about it. Find out how it built one of the most productive insider threat prevention programs in the Fortune 100.

Protection of Intellectual Property and Trade Secrets across a Global Enterprise
As a designer and manufacturer of industrial technology, this Fortune 50 company knew that securing their intellectual property (IP) and trade secret data was essential. It created a program to identify risks to their IP and trade secrets and soon caught a privileged user attempting to compromise IP. Download this case study to see a real example of intellectual property protection at work.




Featured Webcasts
Featured Whitepapers
Featured Reports