7/17/2013
00:03 AM
Doug Landoll
Commentary

SMB Insider Threat: Don't Hire A Hacker

Security advice to address the insider threat at a small to midsize business

Part 1 in a series

Last month, Edward Snowden reminded us that the greatest threat to our critical systems and sensitive data is not the external hacker, but the trusted insider. While leaks pertaining to large government agencies capture the headlines, the SMB insider silently threatens our organizations with devastating impact.

Employees and contractors with trusted access to SMB systems and data are considered insiders and are typically afforded a high level of trust. Although we like to trust that our employees have our best interest in mind, we need to recognize that they pose a significant threat, and we should protect our businesses from the potential damage they may cause. In other words, trust but verify.

Of course, the insider threat is nothing new, and a great many processes and controls have been developed to reduce the risk. Many of these controls rely on complex organizational structures, audit departments, and other elaborate processes that don't always play well in the SMB space. This three-part blog will discuss a measured approach to addressing the insider threat based on the needs of the SMB.

Part 1: Employment Screening
The single best way to address the insider threat is to limit the hiring of a threat in the first place. While certainly not a foolproof method, pre-employment screening is the best control available. Employment screening consists of various verification checks (e.g., criminal history, employment verification, supervisor and salary checks, and education verification).

There are a lot of untrustworthy people out there looking for jobs. Employment screening helps to sort them out. Industry estimates are that 30 to 35 percent of employment applications contain a lie about employment dates, positions held, salaries earned, and even degrees obtained. Lying on an application about these fundamental attributes of work history is a clear indicator of someone who is not trustworthy.

SMBs have two unique characteristics that make employment screening a must. First, SMBs attract a larger share of untrustworthy applicants. Larger corporations have adopted the pre-employment screening process; some 80 to 85 percent of large corporations utilize employment screening. This fact is well-known and affects the behavior of those candidates who are bound to be flagged by such a process -- they flock to SMBs that are less likely to perform these screenings.

While I was at a hacker conference several years ago, I overheard the following conversation:

Hacker 1: "I heard you got a steady job at XXX corporation. How'd you pass the employment checks?"

Hacker 2: "Oh, they don't do them there. I've let a couple of guys know about it already -- you should apply."

By not performing employment screening, not only are you not screening out potentially untrustworthy candidates, but as word gets around, you are actually attracting them.

The second unique characteristic of SMBs that makes employment screening a must is the reduced organizational structure of the SMB. In larger corporations, controls such as least privilege and separation of duty can be more easily applied based on the number of positions and organizational departments. In an SMB, many of these roles are consolidated into a single position. In places where these positions have been collapsed, careful consideration must be given to the placement of an individual -- this is a very trust-needy position.

In the next blog I will address policy controls to address the SMB insider threat.

Doug Landoll, CEO of Assero Security
Doug Landoll is an expert in information security for the SMB market with over 20 years' experience securing businesses and government agencies. He has written several information security books and dozens of articles for national publications. He has founded and ran four ...

Comments
Ctendellceh,
User Rank: Apprentice
8/19/2013 | 11:44:58 PM
re: SMB Insider Threat: Don't Hire A Hacker
I am a Certified Ethical Hacker charlestendell.com and I honestly think that any organization that is going to hire a true hacker should have strong controls in place to protect against anything they may encounter. I also think that organizations who hire an actual hacker are going to be better protected from malicious hackers in the long run. You have to be a hacker to catch a hacker.

Being afraid of the trusted insider shouldn't be solely focused on the hacker. What about the accountant? The marketing manager or the underpaid security guard?
Businesses have to do business and that means hiring employees. Screenings are irrelevant, a good measure, but no amount of screening is going to protect you from an insider threat. Let's look at Snowden, to work for the NSA in any capacity you have to go through months and several different levels of screening. Polygraph, Multi spectrum background and criminal investigation. They will go and talk to your 3rd grade teacher if necessary. The bottom line, screenings didn't help there and being a hacker should not disqualify anyone.

And personally, he is not a traitor. He may not have responsibly disclosed the information he had but it is a good thing that he released it. People should not fear their government, governments should fear its people.
Landoll,
User Rank: Apprentice
7/26/2013 | 12:15:46 AM
re: SMB Insider Threat: Don't Hire A Hacker
Agreed - Snowden is not a hacker. I did not call Snowden a hacker; I called Snowden a 'trusted insider' - we should be able to agree on that.

Regarding the use of the term 'hacker' in the headline and in the article, I realize my use of the term (e.g., skilled but untrustworthy) does not agree with the technical community's use of the term (e.g., skilled and clever tinkerer). While I appreciate the audience, the article is written for the management of SMBs and thus I use the term as they would likely interpret it.
edannert,
User Rank: Apprentice
7/22/2013 | 11:53:19 AM
re: SMB Insider Threat: Don't Hire A Hacker
I guess if you call Snowden a traitor and common thief I would call the NSA/US Government the obnoxious bully in the school yard... And yes, someone has to call out the antisocial behaviour of bullies. The question here is who violated what law, but despite that fact I agree that Snowden is definitely not a good example for an insider threat, because no ethical rules apply here anyway...
Jeffro Nunyas,
User Rank: Apprentice
7/20/2013 | 4:41:52 AM
re: SMB Insider Threat: Don't Hire A Hacker
Ok Doug

I think we need to recognize one very important fact. Edward Snowden is NOT a hacker. He got a job that gave him easy access to some information. If he were a true hacker, he wouldn't have needed to get a job to get the information.

Stop glorifying that traitor just because he took a class or two for learning ethical hacking techniques. He is or was just a glorified analyst with specific tasks assigned to him per the job title he was hired as.

He stole the information, then he leaked it. He's nothing but a common thief.