Risk
9/27/2013
11:51 AM
Connect Directly
RSS
E-Mail
50%
50%

Insider Threats Get More Difficult To Detect

User diversity and growth in network activity including cloud services are among reasons it's getting harder to guard against insider data breaches, says Fortune 1000 survey.

-- 27% say advanced persistent threats complicate detection and prevention of insider threats. There's the sense that insiders are also using sophisticated attack techniques that emulate "normal" behavior.

As a consequence, nearly half (46%) of the IT pros surveyed say they think their organization is vulnerable to a variety of insider attack methods, including: abuse of privileged employee access rights, theft of devices containing sensitive data, and abuse of access rights by non-privileged employees or contractors.

The risk that system administrators and other employees might abuse their access privileges, however, has gained wider senior management attention. Nearly half (45%) of those surveyed say that the Snowden affair has changed their organization's perspective on insider threats either substantially or somewhat.

The biggest threat, say 51% of survey respondents, is likely to come from non-technical employees with legitimate access to sensitive data and IT assets, followed by third-party contractors (48%); IT administrators (34%); business partners, customers or suppliers (24%); IT service providers (24%); or other IT employees or executives.

What can enterprises do? One tip comes from the NSA's director, Gen. Keith Alexander. After the Snowden leak, the NSA instituted "a two-person rule," requiring two authorized individuals to be present whenever specific kinds of information are to be transferred onto removable media. Enterprises also need to assess what data is most important, where it's located and how it's protected, said Sol Cates, Vormetric's chief security officer. "You can slice and dice who has privileges, but not enough goes into what they can do with those privileges" or the data they're handling, he said.

To further reduce the risk of insider threats, enterprises need to:

-- Limit the data IT administrators can access to only the data they need to do their jobs.

-- Use data encryption technology.

-- Continually monitor access to sensitive data for signs of abuse.

-- Implement automated alerts when suspicious/malicious behavior is suspected.

The challenge, Cates concedes, is that as the volume of data and activity continues to grow, it's not easy to distinguish malicious behavior from the norm. The goal, he says, is to remove people from the equation and automate data access so that the infrastructure is essentially "blind" to the data.

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
AndreG066
50%
50%
AndreG066,
User Rank: Apprentice
10/15/2013 | 7:03:49 PM
re: Insider Threats Get More Difficult To Detect
Dear Editor,

Great article and comment -- allow to please speak to both.

In your article, only one vendor is mentioned, Vormetric, a classic data security company. However, data security is not the correct control against insider threats using any information security management model, principle, or control set. The gap that exists is primarily due to 3 factors:

First is application security -- the Intranets of yesteryear require the same application security controls as everything "outside the firewalls". Second is threat intelligence -- Vormetric will not help if you are facing AVT (Advanced Volatile Threats, an APT that uses strictly in-memory techniques). Lastly, you must have enough staff to handle and respond to incidents at scale. If you want big data for your cyber security programs, you best use your best data to know when to hire, how many, what specific attributes/skills you need pre-/post- COE, and how you're going to be able to hire and train them in time to respond to all of your incidents (including insider threats) at scale.

The insightful comment you gave coincides with my last point -- that identity and authentication/authorization access controls should be modernized and integrated with people. Google, who has used big data to optimize their ID/AuthN systems, will be adding Universal 2-Factor (U2F) to defend their business and assets come January 2014. This is a bold move away from the hokey biometric systems we're seeing in the media. Google, clearly knowledgeable about technologically-advanced insider threats against sensitive operations, does employ role compartmentalization with separation/rotation of duties.
WKash
50%
50%
WKash,
User Rank: Apprentice
9/27/2013 | 9:39:19 PM
re: Insider Threats Get More Difficult To Detect
NSA's decision to go to "two-man rule" in handling sensitive data, following Edward Snowden incident, may give a new spin to the notion of two-factor authentication.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6306
Published: 2014-08-22
Unspecified vulnerability on IBM Power 7 Systems 740 before 740.70 01Ax740_121, 760 before 760.40 Ax760_078, and 770 before 770.30 01Ax770_062 allows local users to gain Service Processor privileges via unknown vectors.

CVE-2014-0232
Published: 2014-08-22
Multiple cross-site scripting (XSS) vulnerabilities in framework/common/webcommon/includes/messages.ftl in Apache OFBiz 11.04.01 before 11.04.05 and 12.04.01 before 12.04.04 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in a (1)...

CVE-2014-3525
Published: 2014-08-22
Unspecified vulnerability in Apache Traffic Server 4.2.1.1 and 5.x before 5.0.1 has unknown impact and attack vectors, possibly related to health checks.

CVE-2014-3563
Published: 2014-08-22
Multiple unspecified vulnerabilities in Salt (aka SaltStack) before 2014.1.10 allow local users to have an unspecified impact via vectors related to temporary file creation in (1) seed.py, (2) salt-ssh, or (3) salt-cloud.

CVE-2014-3587
Published: 2014-08-22
Integer overflow in the cdf_read_property_info function in cdf.c in file through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and 5.5.x before 5.5.16, allows remote attackers to cause a denial of service (application crash) via a crafted CDF file. NOTE: this vulnerability exists bec...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.