Watch The Watchers: 'Trusted' Employees Can Do Damage
A study of insider attacks within financial firms offers lessons to other companies: identify important data, limit access, and scrutinize trusted users most closely
Many aspects of insider attacks have remained constant over nearly the past decade. Roughly half of all companies record an insider incident, about three-quarters do not report the event to law enforcement, and firms typically are split about whether their insider attacks are more damaging than their external compromises.
Yet a report on insider fraud in the financial industry published earlier this year marks a potential departure from the past: More than half of all fraud incidents involved a manager or other trusted employee, an increase over prior years, according to the Software Engineering Institute (SEI) at Carnegie Mellon University. Considering that incidents involving managers caused $200,106 in actual damage on average, nearly double that of incidents involving non-managers, companies should avoid giving managers carte blanche access to their systems.
"Organizations need to focus on managers who may be involved in a fraud event," says Randy Trzeciak, technical team lead for Insider Threat Research Team at SEI's Computer Emergency Response Team (CERT). "Is there anyone really watching the person who is supposed to be watching for fraud being committed in their particular organization?"
Rogue managers not only cause more damage, but they are able to get away with the crimes longer, according to the report. The average crime committed by a manager lasted nearly three years, almost double the 18 months that non-managers were able to conduct their crimes.
The report, funded by the Department of Homeland Security, studied 80 cases of insider fraud in the financial sector provided to CERT by the U.S. Secret Service. The researchers studied 67 insider fraud attacks and 13 external incidents, finding that most fraud was not very technically sophisticated, and while log files and monitoring appear to aid in detecting external breaches, most insider attacks were detected through an audit, customer complaint, or a suspicious co-worker.
CERT researchers have classified insider attacks into three broad groups: IT sabotage destroys a valuable asset, intellectual property theft aims to steal information of business value, and fraud uses insider access for illicit, personal gain. The report focused on the last category.
In a previous report, CERT found that, while companies see three times more external incidents than internal incidents, nearly half -- 46 percent -- considered attacks by insiders more damaging than those by outsiders.
"We do believe that organizations are becoming more aware of the insider threat problem," Trzeciak says. "Many organizations that we talked to do recognize insiders as a threat to their data and organizations."
Other reports have noted the same concern. In its 2012 Trust, Security & Passwords survey, security firm Cyber-Ark polled 820 IT managers and found that 71 percent considered insiders a more critical threat than external hackers.
In the past, insiders had most often made off with customer lists, says Adam Bosnian, executive vice president for corporate development at Cyber-Ark. Yet the firm's recent survey found that most IT managers believed that privileged user accounts were more likely to be targeted.
"We ascribe that to, if I get the customer lists, that's a one-and-done sort of thing. If I have the customer list, I can take it to my next company or sell it, and that's it," he says. "If I have the credentials list, that lets me do a lot more follow-on stuff."
Solutions are more about process and people, says Sam Curry, chief technology officer for identity and data protection at RSA. Technology has to keep the attackers guessing, whether they are internal employees or external attackers.
"Simply staring at where the money went last time is not going to tell you where the money will go this time," Curry says. "The best way to defeat attackers is to keep the cost to break [your defenses] high. And keep the bad guys having to adapt to you, rather than trying to detect them based on last year's tactics."
Cyber-Ark's Bosnian sees the problem in terms of providing a better solution. Software that discovers and monitors privileged systems and privileged users can help keep a company aware of potential insider threats and even detect an attack when it occurs.
Companies need to determine what assets they have that are valuable and could be accessed or harmed by an insider. Then they need to find who has access to those systems and who really needs to have access. A good way to do that is to change the credentials on important accounts -- such as administrator and root accounts, but also accounts used by services that could be co-opted -- and see who complains, Bosnian says.
"People come out of the woodwork, saying, 'What happened? I can't get into the database anymore,'" he says. "Take control of the credential, change the credential, and you will find out who still has access."
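As an added example (not code from the article, CERT, or Cyber-Ark), the following Python script works through the review Bosnian describes against a constructed access inventory: it narrows the scope to the critical assets, lists every account entitled to them, flags grants that have gone unused, singles out admin and manager holders for the closest scrutiny, lists which credentials to rotate first, and then reconciles the entitlement list against the accounts that actually asked for the new credential after rotation. All account names, asset names, dates and thresholds are constructed; `STALE_DAYS` is an assumed policy value.

```python
"""Privileged-access review for insider-risk reduction (added example).

Constructed data throughout; the steps follow the article's advice:
identify valuable assets, find who has access and who needs it, rotate
credentials on admin/root and service accounts, and see who complains.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Set

# Constructed: only the assets that matter are in scope for the review.
CRITICAL_ASSETS = {"customer-db", "payments-core", "domain-admin"}
STALE_DAYS = 90  # assumed policy: unused for 90 days => candidate for revocation


@dataclass
class Account:
    name: str
    is_manager: bool
    is_service: bool = False


@dataclass
class Entitlement:
    account: str
    asset: str
    privilege: str             # "read", "write" or "admin"
    last_used: Optional[date]  # None = never used since the grant


# Constructed sample inventory (hypothetical people and systems).
SAMPLE_ACCOUNTS = [
    Account("alice", is_manager=True),
    Account("bob", is_manager=False),
    Account("carol", is_manager=True),
    Account("svc-backup", is_manager=False, is_service=True),
    Account("dave", is_manager=False),
]
SAMPLE_ENTITLEMENTS = [
    Entitlement("alice", "customer-db", "admin", date(2012, 5, 1)),
    Entitlement("bob", "customer-db", "read", date(2012, 6, 10)),
    Entitlement("carol", "payments-core", "write", None),
    Entitlement("svc-backup", "customer-db", "read", date(2012, 6, 14)),
    Entitlement("dave", "domain-admin", "admin", date(2012, 1, 15)),
    Entitlement("bob", "wiki", "write", date(2012, 6, 12)),  # not critical
]
TODAY = date(2012, 6, 15)


def review_access(accounts: Iterable[Account], entitlements: Iterable[Entitlement],
                  today: date, stale_days: int = STALE_DAYS) -> Dict[str, list]:
    """Return 'revoke' (unused critical access), 'scrutinize' (admin or
    manager holders of critical access: watch the watchers) and 'rotate'
    (admin and service credentials to change first)."""
    by_name = {a.name: a for a in accounts}
    revoke: List[tuple] = []
    scrutinize: List[tuple] = []
    rotate: Set[str] = set()
    for e in entitlements:
        if e.asset not in CRITICAL_ASSETS:
            continue  # step 1: only valuable assets are in scope
        acct = by_name[e.account]
        grant = (e.account, e.asset, e.privilege)
        unused = e.last_used is None or (today - e.last_used).days > stale_days
        if unused:
            revoke.append(grant)          # access nobody evidently needs
        if e.privilege == "admin" or acct.is_manager:
            scrutinize.append(grant)      # trusted users get the closest look
        if e.privilege == "admin" or acct.is_service:
            rotate.add(e.account)         # admin/root-style and service accounts
    return {"revoke": revoke, "scrutinize": scrutinize, "rotate": sorted(rotate)}


def reconcile_after_rotation(entitlements: Iterable[Entitlement], asset: str,
                             requesters: Set[str]) -> List[str]:
    """After the credential for `asset` is changed, the accounts that ask for
    the new one are the ones still using it. Return entitled accounts that
    did not ask, i.e. grants that can be removed or must be justified."""
    entitled = {e.account for e in entitlements if e.asset == asset}
    return sorted(entitled - requesters)


if __name__ == "__main__":
    result = review_access(SAMPLE_ACCOUNTS, SAMPLE_ENTITLEMENTS, TODAY)
    for bucket, items in result.items():
        print(f"{bucket}: {items}")
    # Constructed: after rotating the customer-db credential, only alice and
    # svc-backup came asking for the new one.
    print("silent on customer-db:",
          reconcile_after_rotation(SAMPLE_ENTITLEMENTS, "customer-db", {"alice", "svc-backup"}))
```

The review keys on who *holds* access, not on who *used* it last; the stale-grant check and the post-rotation reconciliation are what turn the entitlement list into a least-privilege one, while the `scrutinize` bucket keeps managers and admin holders in view even when their access looks legitimate.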