12:03 AM
Doug Landoll

SMB Insider Threat: Don't Hire A Hacker

Security advice to address the insider threat at a small to midsize business

Part 1 in a series

Last month, Edward Snowden reminded us that the greatest threat to our critical systems and sensitive data is not the external hacker, but the trusted insider. While leaks pertaining to large government agencies capture the headlines, the SMB insider silently threatens our organizations with devastating impact.

Employees and contractors with trusted access to SMB systems and data are considered insiders and are typically afforded a high level of trust. Although we like to trust that our employees have our best interest in mind, we need to recognize that they pose a significant threat, and we should protect our businesses from the potential damage they may cause. In other words, trust but verify.

Of course, the insider threat is nothing new, and a great many processes and controls have been developed to reduce the risk. Many of these controls rely on complex organizational structures, audit departments, and other elaborate processes that don't always play well in the SMB space. This three-part blog will discuss a measured approach to addressing the insider threat based on the needs of the SMB.

Part 1: Employment Screening
The single best way to address the insider threat is to limit the hiring of a threat in the first place. While certainly not a foolproof method, pre-employment screening is the best control available. Employment screening consists of various verification checks (e.g., criminal history, employment verification, supervisor and salary checks, and education verification).

There are a lot of untrustworthy people out there looking for jobs. Employment screening helps to sort them out. Industry estimates suggest that 30 to 35 percent of employment applications contain a lie about employment dates, positions held, salaries earned, and even degrees obtained. Lying on an application about these fundamental attributes of work history is a clear indicator of someone who is not trustworthy.

SMBs have two unique characteristics that make employment screening a must. First, SMBs attract a larger share of untrustworthy applicants. Larger corporations have adopted the pre-employment screening process; some 80 to 85 percent of large corporations utilize employment screening. This fact is well-known and affects the behavior of those candidates who are bound to be flagged by such a process -- they flock to SMBs that are less likely to perform these screenings.

While I was at a hacker conference several years ago, I overheard the following conversation:

Hacker 1: "I heard you got a steady job at XXX corporation. How'd you pass the employment checks?"

Hacker 2: "Oh, they don't do them there. I've let a couple of guys know about it already -- you should apply."

By not performing employment screening, not only are you not screening out potentially untrustworthy candidates, but as word gets around, you are actually attracting them.

The second unique characteristic of SMBs that makes employment screening a must is the reduced organizational structure of the SMB. In larger corporations, controls such as least privilege and separation of duties can be applied more easily because of the number of positions and organizational departments. In an SMB, many of these roles are consolidated into a single position. Where positions have been collapsed in this way, careful consideration must be given to the placement of an individual, because the role requires a very high degree of trust.

In the next post I will discuss policy controls for addressing the SMB insider threat.

Doug Landoll, CEO of Assero Security. Doug Landoll is an expert in information security for the SMB market with over 20 years' experience securing businesses and government agencies. He has written several information security books and dozens of articles for national publications. He has founded and run four ...

User Rank: Apprentice
8/19/2013 | 11:44:58 PM
re: SMB Insider Threat: Don't Hire A Hacker
I am a Certified Ethical Hacker charlestendell.com and I honestly think that any organization that is going to hire a true hacker should have strong controls in place to protect against anything they may encounter. I also think that organizations who hire an actual hacker are going to be better protected from malicious hackers in the long run. You have to be a hacker to catch a hacker.

Being afraid of the trusted insider shouldn't be solely focused on the hacker. What about the accountant? The marketing manager or the underpaid security guard?
Businesses have to do business and that means hiring employees. Screenings are irrelevant, a good measure, but no amount of screening is going to protect you from an insider threat. Let's look at Snowden: to work for the NSA in any capacity you have to go through months and several different levels of screening. Polygraph, multi-spectrum background and criminal investigation. They will go and talk to your 3rd grade teacher if necessary. The bottom line, screenings didn't help there and being a hacker should not disqualify anyone.

And personally, he is not a traitor. He may not have responsibly disclosed the information he had but it is a good thing that he released it. People should not fear their government, governments should fear their people.
User Rank: Apprentice
7/26/2013 | 12:15:46 AM
re: SMB Insider Threat: Don't Hire A Hacker
Agreed - Snowden is not a hacker. I did not call Snowden a hacker; I called Snowden a 'trusted insider' - we should be able to agree on that.

Regarding the use of the term 'hacker' in the headline and in the article, I realize my use of the term (e.g., skilled but untrustworthy) does not agree with the technical community's use of the term (e.g., skilled and clever tinkerer). While I appreciate the audience, the article is written for the management of SMBs and thus I use the term as they would likely interpret it.
User Rank: Apprentice
7/22/2013 | 11:53:19 AM
re: SMB Insider Threat: Don't Hire A Hacker
I guess if you call Snowden a traitor and common thief I would call the NSA/US Government the obnoxious bully in the school yard... And yes, someone has to call out the antisocial behaviour of bullies. The question here is who violated what law, but despite that fact I agree that Snowden is definitely not a good example of an insider threat, because no ethical rules apply here anyway...
Jeffro Nunyas
User Rank: Apprentice
7/20/2013 | 4:41:52 AM
re: SMB Insider Threat: Don't Hire A Hacker
OK Doug,

I think we need to recognize one very important fact. Edward Snowden is NOT a hacker. He got a job that gave him easy access to some information. If he were a true hacker, he wouldn't have needed to get a job to get the information.

Stop glorifying that traitor just because he took a class or two for learning ethical hacking techniques. He is or was just a glorified analyst with specific tasks assigned to him per the job title he was hired as.

He stole the information, then he leaked it. He's nothing but a common thief.