Risk
9/27/2013
11:51 AM
50%
50%

Insider Threats Get More Difficult To Detect

User diversity and growth in network activity including cloud services are among reasons it's getting harder to guard against insider data breaches, says Fortune 1000 survey.

-- 27% say advanced persistent threats complicate detection and prevention of insider threats. There's the sense that insiders are also using sophisticated attack techniques that emulate "normal" behavior.

As a consequence, nearly half (46%) of the IT pros surveyed say they think their organization is vulnerable to a variety of insider attack methods, including: abuse of privileged employee access rights, theft of devices containing sensitive data, and abuse of access rights by non-privileged employees or contractors.

The risk that system administrators and other employees might abuse their access privileges, however, has gained wider senior management attention. Nearly half (45%) of those surveyed say that the Snowden affair has changed their organization's perspective on insider threats either substantially or somewhat.

The biggest threat, say 51% of survey respondents, is likely to come from non-technical employees with legitimate access to sensitive data and IT assets, followed by third-party contractors (48%); IT administrators (34%); business partners, customers or suppliers (24%); IT service providers (24%); or other IT employees or executives.

What can enterprises do? One tip comes from the NSA's director, Gen. Keith Alexander. After the Snowden leak, the NSA instituted "a two-person rule," requiring two authorized individuals to be present whenever specific kinds of information are to be transferred onto removable media. Enterprises also need to assess what data is most important, where it's located and how it's protected, said Sol Cates, Vormetric's chief security officer. "You can slice and dice who has privileges, but not enough goes into what they can do with those privileges" or the data they're handling, he said.

To further reduce the risk of insider threats, enterprises need to:

-- Limit the data IT administrators can access to only the data they need to do their jobs.

-- Use data encryption technology.

-- Continually monitor access to sensitive data for signs of abuse.

-- Implement automated alerts when suspicious/malicious behavior is suspected.

The challenge, Cates concedes, is that as the volume of data and activity continues to grow, it's not easy to distinguish malicious behavior from the norm. The goal, he says, is to remove people from the equation and automate data access so that the infrastructure is essentially "blind" to the data.

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Andre Gironda
50%
50%
Andre Gironda,
User Rank: Apprentice
10/15/2013 | 7:03:49 PM
re: Insider Threats Get More Difficult To Detect
Dear Editor,

Great article and comment -- allow to please speak to both.

In your article, only one vendor is mentioned, Vormetric, a classic data security company. However, data security is not the correct control against insider threats using any information security management model, principle, or control set. The gap that exists is primarily due to 3 factors:

First is application security -- the Intranets of yesteryear require the same application security controls as everything "outside the firewalls". Second is threat intelligence -- Vormetric will not help if you are facing AVT (Advanced Volatile Threats, an APT that uses strictly in-memory techniques). Lastly, you must have enough staff to handle and respond to incidents at scale. If you want big data for your cyber security programs, you best use your best data to know when to hire, how many, what specific attributes/skills you need pre-/post- COE, and how you're going to be able to hire and train them in time to respond to all of your incidents (including insider threats) at scale.

The insightful comment you gave coincides with my last point -- that identity and authentication/authorization access controls should be modernized and integrated with people. Google, who has used big data to optimize their ID/AuthN systems, will be adding Universal 2-Factor (U2F) to defend their business and assets come January 2014. This is a bold move away from the hokey biometric systems we're seeing in the media. Google, clearly knowledgeable about technologically-advanced insider threats against sensitive operations, does employ role compartmentalization with separation/rotation of duties.
WKash
50%
50%
WKash,
User Rank: Apprentice
9/27/2013 | 9:39:19 PM
re: Insider Threats Get More Difficult To Detect
NSA's decision to go to "two-man rule" in handling sensitive data, following Edward Snowden incident, may give a new spin to the notion of two-factor authentication.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-4293
Published: 2015-07-30
The packet-reassembly implementation in Cisco IOS XE 3.13S and earlier allows remote attackers to cause a denial of service (CPU consumption or packet loss) via fragmented (1) IPv4 or (2) IPv6 packets that trigger ATTN-3-SYNC_TIMEOUT errors after reassembly failures, aka Bug ID CSCuo37957.

CVE-2014-7912
Published: 2015-07-29
The get_option function in dhcp.c in dhcpcd before 6.2.0, as used in dhcpcd 5.x in Android before 5.1 and other products, does not validate the relationship between length fields and the amount of data, which allows remote DHCP servers to execute arbitrary code or cause a denial of service (memory c...

CVE-2014-7913
Published: 2015-07-29
The print_option function in dhcp-common.c in dhcpcd through 6.9.1, as used in dhcp.c in dhcpcd 5.x in Android before 5.1 and other products, misinterprets the return value of the snprintf function, which allows remote DHCP servers to execute arbitrary code or cause a denial of service (memory corru...

CVE-2015-2977
Published: 2015-07-29
Webservice-DIC yoyaku_v41 allows remote attackers to create arbitrary files, and consequently execute arbitrary code, via unspecified vectors.

CVE-2015-2978
Published: 2015-07-29
Webservice-DIC yoyaku_v41 allows remote attackers to bypass authentication and complete a conference-room reservation via unspecified vectors, as demonstrated by an "unintentional reservation."

Dark Reading Radio
Archived Dark Reading Radio
What’s the future of the venerable firewall? We’ve invited two security industry leaders to make their case: Join us and bring your questions and opinions!