Endpoint
7/17/2013
00:03 AM
Doug Landoll
Doug Landoll
Commentary
Connect Directly
RSS
E-Mail
50%
50%

SMB Insider Threat: Don't Hire A Hacker

Security advice to address the insider threat at a small to midsize business

Part 1 in a series

Last month, Edward Snowden reminded us that the greatest threat to our critical systems and sensitive data is not the external hacker, but the trusted insider. While leaks pertaining to large government agencies capture the headlines, the SMB insider silently threatens our organizations with devastating impact.

Employees and contractors with trusted access to SMB systems and data are considered insiders and are typically afforded a high level of trust. Although we like to trust that our employees have our best interest in mind, we need to recognize that they pose a significant threat, and we should protect our businesses from the potential damage they may cause. In others words, trust but verify.

Of course, the insider threat is nothing new, and a great many process and controls have been developed to reduce the risk. Many of these controls rely on a complex organizational structures, audit departments, and other elaborate processes that don't always play well in the SMB space. This three-part blog will discuss a measured approach to addressing the insider threat based on the needs of the SMB.

Part 1: Employment Screening
The single best way to address the insider threat is to limit the hiring of a threat in the first place. While certainly not a foolproof method, pre-employment screening is the best control available. Employment screening consists of various verification checks (e.g., criminal history, employment verification, supervisor and salary checks, and education verification).

There are a lot of untrustworthy people out there looking for jobs. Employment screening helps to sort them out. Industry estimates range from 30 to 35 percent of employment applications contain a lie about employment dates, positions held, salaries earned, and even degrees obtained. Lying on an application about these fundamental attributes of work history is a clear indicator or someone who is not trustworthy.

SMBs have two unique characteristics that make employment screening a must. First, SMBs attract a larger share of untrustworthy applicants. Larger corporations have adopted the pre-employment screening process; some 80 to 85 percent of large corporations utilize employment screening. This fact is well-known and affects the behavior of those candidates who are bound to be flagged by such a process -- they flock to SMBs that are less likely to perform these screenings.

While I was at a hacker conference several years ago, I overheard the following conversation:

Hacker 1: "I heard you got a steady job at XXX corporation. How'd you pass the employment checks?"

Hacker 2: "Oh, they don't do them there. I've let a couple of guys know about it already -- you should apply."

By not performing employment screening, not only are you not screening out potentially untrustworthy candidates, but as word gets around, you are actually attracting them.

The second unique characteristic of SMBs that makes employment screening a must is the reduced organizational structure of the SMB. In larger corporations, controls such as least privilege and separation of duty can be more easily applied based on the number of positions and organizational departments. In an SMB, many of these roles are consolidated into a single position. In places where these positions have been collapsed, careful consideration must be given to the placement of an individual -- this is a very trust-needy position.

In the next blog I will address policy controls to address the SMB insider threat.

Doug Landoll CEO of Assero Security Doug Landoll is an expert in information security for the SMB market with over 20 years experience securing businesses and government agencies. He has written several information security books and dozens of articles for national publications. He has founded and ran four ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Ctendellceh
50%
50%
Ctendellceh,
User Rank: Apprentice
8/19/2013 | 11:44:58 PM
re: SMB Insider Threat: Don't Hire A Hacker
I am a Certified Ethical Hacker charlestendell.com and I honestly think that any organization that is going to hire a true hacker should have strong controls in place to protect against anything they may encounter. I also think that organizations who hire an actual hacker are going to be better protected from malicious hackers in the long run. You have to be a hacker to catch a hacker.

Being afraid of the trusted insider shouldn't be solely focused on the hacker. What about the accountant? The marketing manager or the under paid security guard?
Business have to do business and that means hiring employees. Screenings are irrelevant, a good measure, but no amount of screening is going to protect you from an insider threat. Lets look at Snowden, to work for the NSA in any capacity you have to go through months and several different levels of screening. Polygraph, Multi spectrum background and criminal investigation. They will go and talk to your 3rd grade teacher if necessary. The bottom line, screenings didn't help there and being a hacker should not disqualify anyone.

And personally, he is not a traitor. He may not have responsibly disclosed the information he had but it is a good thing that he released it. People should not fear their government, governments should fear its people.
Landoll
50%
50%
Landoll,
User Rank: Apprentice
7/26/2013 | 12:15:46 AM
re: SMB Insider Threat: Don't Hire A Hacker
Agreed - Snowden is not a hacker. I did not call Snowden a hacker; I called Snowden a 'trusted insider' - we should be able to agree on that.

Regarding the use of the term 'hacker' in the headline and in the article, I realize my use of the term (e.g., skilled but untrustworthy) does not agree with the technical communities use of the term (e.g.,skilled and clever tinkerer). While I appreciate the audience, the article is written for the management of SMBs and thus I use the term as they would likely interpret it.
edannert
50%
50%
edannert,
User Rank: Apprentice
7/22/2013 | 11:53:19 AM
re: SMB Insider Threat: Don't Hire A Hacker
I guess if you call Snowden a traitor and common thief I would call the NSA/US Government the obnoxious bully in the school yard... And yes, someone has to call out the antisocial behaviour of bullys. The question here is who violated what law, but despite that fact I agree that Snowden is definitely not a good example for an insider threat, because no ethical rules apply here anyway...
Jeffro Nunyas
50%
50%
Jeffro Nunyas,
User Rank: Apprentice
7/20/2013 | 4:41:52 AM
re: SMB Insider Threat: Don't Hire A Hacker
Ok Doug

I think we need to recognize one very important fact. Edward Snowden is NOT a hacker. He got a job that gave him easy access to some information. If he were a true hacker, he wouldn't have needed to get a job to get the information.

Stop glorifying that traitor just because he took a class or two for learning ethical hacking techniques. He is or was just a glorified analyst with specific tasks assigned to him per the job title he was hired as.

He stole the information, then he leaked it. He's nothing but a common thief.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2886
Published: 2014-09-18
GKSu 2.0.2, when sudo-mode is not enabled, uses " (double quote) characters in a gksu-run-helper argument, which allows attackers to execute arbitrary commands in certain situations involving an untrusted substring within this argument, as demonstrated by an untrusted filename encountered during ins...

CVE-2014-4352
Published: 2014-09-18
Address Book in Apple iOS before 8 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information by obtaining this UID.

CVE-2014-4353
Published: 2014-09-18
Race condition in iMessage in Apple iOS before 8 allows attackers to obtain sensitive information by leveraging the presence of an attachment after the deletion of its parent (1) iMessage or (2) MMS.

CVE-2014-4354
Published: 2014-09-18
Apple iOS before 8 enables Bluetooth during all upgrade actions, which makes it easier for remote attackers to bypass intended access restrictions via a Bluetooth session.

CVE-2014-4356
Published: 2014-09-18
Apple iOS before 8 does not follow the intended configuration setting for text-message preview on the lock screen, which allows physically proximate attackers to obtain sensitive information by reading this screen.

Best of the Web
Dark Reading Radio