Risk
9/27/2013
11:51 AM
50%
50%

Insider Threats Get More Difficult To Detect

User diversity and growth in network activity including cloud services are among reasons it's getting harder to guard against insider data breaches, says Fortune 1000 survey.

-- 27% say advanced persistent threats complicate detection and prevention of insider threats. There's the sense that insiders are also using sophisticated attack techniques that emulate "normal" behavior.

As a consequence, nearly half (46%) of the IT pros surveyed say they think their organization is vulnerable to a variety of insider attack methods, including: abuse of privileged employee access rights, theft of devices containing sensitive data, and abuse of access rights by non-privileged employees or contractors.

The risk that system administrators and other employees might abuse their access privileges, however, has gained wider senior management attention. Nearly half (45%) of those surveyed say that the Snowden affair has changed their organization's perspective on insider threats either substantially or somewhat.

The biggest threat, say 51% of survey respondents, is likely to come from non-technical employees with legitimate access to sensitive data and IT assets, followed by third-party contractors (48%); IT administrators (34%); business partners, customers or suppliers (24%); IT service providers (24%); or other IT employees or executives.

What can enterprises do? One tip comes from the NSA's director, Gen. Keith Alexander. After the Snowden leak, the NSA instituted "a two-person rule," requiring two authorized individuals to be present whenever specific kinds of information are to be transferred onto removable media. Enterprises also need to assess what data is most important, where it's located and how it's protected, said Sol Cates, Vormetric's chief security officer. "You can slice and dice who has privileges, but not enough goes into what they can do with those privileges" or the data they're handling, he said.

To further reduce the risk of insider threats, enterprises need to:

-- Limit the data IT administrators can access to only the data they need to do their jobs.

-- Use data encryption technology.

-- Continually monitor access to sensitive data for signs of abuse.

-- Implement automated alerts when suspicious/malicious behavior is suspected.

The challenge, Cates concedes, is that as the volume of data and activity continues to grow, it's not easy to distinguish malicious behavior from the norm. The goal, he says, is to remove people from the equation and automate data access so that the infrastructure is essentially "blind" to the data.

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
AndreG066
50%
50%
AndreG066,
User Rank: Apprentice
10/15/2013 | 7:03:49 PM
re: Insider Threats Get More Difficult To Detect
Dear Editor,

Great article and comment -- allow to please speak to both.

In your article, only one vendor is mentioned, Vormetric, a classic data security company. However, data security is not the correct control against insider threats using any information security management model, principle, or control set. The gap that exists is primarily due to 3 factors:

First is application security -- the Intranets of yesteryear require the same application security controls as everything "outside the firewalls". Second is threat intelligence -- Vormetric will not help if you are facing AVT (Advanced Volatile Threats, an APT that uses strictly in-memory techniques). Lastly, you must have enough staff to handle and respond to incidents at scale. If you want big data for your cyber security programs, you best use your best data to know when to hire, how many, what specific attributes/skills you need pre-/post- COE, and how you're going to be able to hire and train them in time to respond to all of your incidents (including insider threats) at scale.

The insightful comment you gave coincides with my last point -- that identity and authentication/authorization access controls should be modernized and integrated with people. Google, who has used big data to optimize their ID/AuthN systems, will be adding Universal 2-Factor (U2F) to defend their business and assets come January 2014. This is a bold move away from the hokey biometric systems we're seeing in the media. Google, clearly knowledgeable about technologically-advanced insider threats against sensitive operations, does employ role compartmentalization with separation/rotation of duties.
WKash
50%
50%
WKash,
User Rank: Apprentice
9/27/2013 | 9:39:19 PM
re: Insider Threats Get More Difficult To Detect
NSA's decision to go to "two-man rule" in handling sensitive data, following Edward Snowden incident, may give a new spin to the notion of two-factor authentication.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2382
Published: 2014-11-20
The DfDiskLo.sys driver in Faronics Deep Freeze Standard and Enterprise 8.10 and earlier allows local administrators to cause a denial of service (crash) and execute arbitrary code via a crafted IOCTL request that writes to arbitrary memory locations, related to the IofCallDriver function.

CVE-2014-3625
Published: 2014-11-20
Directory traversal vulnerability in Pivitol Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and 4.1.x before 4.1.2 allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling.

CVE-2014-8387
Published: 2014-11-20
cgi/utility.cgi in Advantech EKI-6340 2.05 Wi-Fi Mesh Access Point allows remote authenticated users to execute arbitrary commands via shell metacharacters in the pinghost parameter to ping.cgi.

CVE-2014-8493
Published: 2014-11-20
ZTE ZXHN H108L with firmware 4.0.0d_ZRQ_GR4 allows remote attackers to modify the CWMP configuration via a crafted request to Forms/access_cwmp_1.

CVE-2014-8767
Published: 2014-11-20
Integer underflow in the olsr_print function in tcpdump 3.9.6 through 4.6.2, when in verbose mode, allows remote attackers to cause a denial of service (crash) via a crafted length value in an OLSR frame.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?