Risk
9/27/2013
11:51 AM
Connect Directly
RSS
E-Mail
50%
50%

Insider Threats Get More Difficult To Detect

User diversity and growth in network activity including cloud services are among reasons it's getting harder to guard against insider data breaches, says Fortune 1000 survey.

-- 27% say advanced persistent threats complicate detection and prevention of insider threats. There's the sense that insiders are also using sophisticated attack techniques that emulate "normal" behavior.

As a consequence, nearly half (46%) of the IT pros surveyed say they think their organization is vulnerable to a variety of insider attack methods, including: abuse of privileged employee access rights, theft of devices containing sensitive data, and abuse of access rights by non-privileged employees or contractors.

The risk that system administrators and other employees might abuse their access privileges, however, has gained wider senior management attention. Nearly half (45%) of those surveyed say that the Snowden affair has changed their organization's perspective on insider threats either substantially or somewhat.

The biggest threat, say 51% of survey respondents, is likely to come from non-technical employees with legitimate access to sensitive data and IT assets, followed by third-party contractors (48%); IT administrators (34%); business partners, customers or suppliers (24%); IT service providers (24%); or other IT employees or executives.

What can enterprises do? One tip comes from the NSA's director, Gen. Keith Alexander. After the Snowden leak, the NSA instituted "a two-person rule," requiring two authorized individuals to be present whenever specific kinds of information are to be transferred onto removable media. Enterprises also need to assess what data is most important, where it's located and how it's protected, said Sol Cates, Vormetric's chief security officer. "You can slice and dice who has privileges, but not enough goes into what they can do with those privileges" or the data they're handling, he said.

To further reduce the risk of insider threats, enterprises need to:

-- Limit the data IT administrators can access to only the data they need to do their jobs.

-- Use data encryption technology.

-- Continually monitor access to sensitive data for signs of abuse.

-- Implement automated alerts when suspicious/malicious behavior is suspected.

The challenge, Cates concedes, is that as the volume of data and activity continues to grow, it's not easy to distinguish malicious behavior from the norm. The goal, he says, is to remove people from the equation and automate data access so that the infrastructure is essentially "blind" to the data.

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
AndreG066
50%
50%
AndreG066,
User Rank: Apprentice
10/15/2013 | 7:03:49 PM
re: Insider Threats Get More Difficult To Detect
Dear Editor,

Great article and comment -- allow to please speak to both.

In your article, only one vendor is mentioned, Vormetric, a classic data security company. However, data security is not the correct control against insider threats using any information security management model, principle, or control set. The gap that exists is primarily due to 3 factors:

First is application security -- the Intranets of yesteryear require the same application security controls as everything "outside the firewalls". Second is threat intelligence -- Vormetric will not help if you are facing AVT (Advanced Volatile Threats, an APT that uses strictly in-memory techniques). Lastly, you must have enough staff to handle and respond to incidents at scale. If you want big data for your cyber security programs, you best use your best data to know when to hire, how many, what specific attributes/skills you need pre-/post- COE, and how you're going to be able to hire and train them in time to respond to all of your incidents (including insider threats) at scale.

The insightful comment you gave coincides with my last point -- that identity and authentication/authorization access controls should be modernized and integrated with people. Google, who has used big data to optimize their ID/AuthN systems, will be adding Universal 2-Factor (U2F) to defend their business and assets come January 2014. This is a bold move away from the hokey biometric systems we're seeing in the media. Google, clearly knowledgeable about technologically-advanced insider threats against sensitive operations, does employ role compartmentalization with separation/rotation of duties.
WKash
50%
50%
WKash,
User Rank: Apprentice
9/27/2013 | 9:39:19 PM
re: Insider Threats Get More Difficult To Detect
NSA's decision to go to "two-man rule" in handling sensitive data, following Edward Snowden incident, may give a new spin to the notion of two-factor authentication.
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0619
Published: 2014-10-23
Untrusted search path vulnerability in Hamster Free ZIP Archiver 2.0.1.7 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the current working directory.

CVE-2014-2230
Published: 2014-10-23
Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

CVE-2014-7281
Published: 2014-10-23
Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

CVE-2014-7292
Published: 2014-10-23
Open redirect vulnerability in the Click-Through feature in Newtelligence dasBlog 2.1 (2.1.8102.813), 2.2 (2.2.8279.16125), and 2.3 (2.3.9074.18820) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter to ct.ashx.

CVE-2014-8071
Published: 2014-10-23
Multiple cross-site scripting (XSS) vulnerabilities in OpenMRS 2.1 Standalone Edition allow remote attackers to inject arbitrary web script or HTML via the (1) givenName, (2) familyName, (3) address1, or (4) address2 parameter to registrationapp/registerPatient.page; the (5) comment parameter to all...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.