Endpoint
7/17/2013
12:03 AM
Doug Landoll
Commentary

SMB Insider Threat: Don't Hire A Hacker

Security advice to address the insider threat at a small to midsize business

Part 1 in a series

Last month, Edward Snowden reminded us that the greatest threat to our critical systems and sensitive data is not the external hacker, but the trusted insider. While leaks pertaining to large government agencies capture the headlines, the SMB insider silently threatens our organizations with devastating impact.

Employees and contractors with trusted access to SMB systems and data are considered insiders and are typically afforded a high level of trust. Although we like to believe that our employees have our best interests in mind, we need to recognize that they pose a significant threat, and we should protect our businesses from the potential damage they may cause. In other words, trust but verify.

Of course, the insider threat is nothing new, and a great many processes and controls have been developed to reduce the risk. Many of these controls rely on complex organizational structures, audit departments, and other elaborate processes that don't always play well in the SMB space. This three-part blog will discuss a measured approach to addressing the insider threat based on the needs of the SMB.

Part 1: Employment Screening
The single best way to address the insider threat is to limit the hiring of a threat in the first place. While certainly not a foolproof method, pre-employment screening is the best control available. Employment screening consists of various verification checks (e.g., criminal history, employment verification, supervisor and salary checks, and education verification).

There are a lot of untrustworthy people out there looking for jobs. Employment screening helps to sort them out. Industry estimates are that 30 to 35 percent of employment applications contain a lie about employment dates, positions held, salaries earned, or even degrees obtained. Lying on an application about these fundamental attributes of work history is a clear indicator of someone who is not trustworthy.

SMBs have two unique characteristics that make employment screening a must. First, SMBs attract a larger share of untrustworthy applicants. Larger corporations have adopted the pre-employment screening process; some 80 to 85 percent of large corporations use employment screening. This fact is well known and affects the behavior of those candidates who are bound to be flagged by such a process: they flock to SMBs, which are less likely to perform these screenings.

While I was at a hacker conference several years ago, I overheard the following conversation:

Hacker 1: "I heard you got a steady job at XXX corporation. How'd you pass the employment checks?"

Hacker 2: "Oh, they don't do them there. I've let a couple of guys know about it already -- you should apply."

By not performing employment screening, you are not only failing to screen out potentially untrustworthy candidates; as word gets around, you are actually attracting them.

The second unique characteristic of SMBs that makes employment screening a must is the reduced organizational structure of the SMB. In larger corporations, controls such as least privilege and separation of duties can be applied more easily because of the number of positions and organizational departments. In an SMB, many of these roles are consolidated into a single position. Where positions have been collapsed in this way, careful consideration must be given to the placement of an individual, because such a position requires a very high degree of trust.

In the next post I will discuss policy controls that address the SMB insider threat.

Doug Landoll, CEO of Assero Security. Doug Landoll is an expert in information security for the SMB market with over 20 years of experience securing businesses and government agencies. He has written several information security books and dozens of articles for national publications. He has founded and ran four ...

Comments
Ctendellceh,
User Rank: Apprentice
8/19/2013 | 11:44:58 PM
re: SMB Insider Threat: Don't Hire A Hacker
I am a Certified Ethical Hacker (charlestendell.com) and I honestly think that any organization that is going to hire a true hacker should have strong controls in place to protect against anything they may encounter. I also think that organizations who hire an actual hacker are going to be better protected from malicious hackers in the long run. You have to be a hacker to catch a hacker.

Being afraid of the trusted insider shouldn't be solely focused on the hacker. What about the accountant? The marketing manager or the underpaid security guard?
Businesses have to do business and that means hiring employees. Screenings are irrelevant, a good measure, but no amount of screening is going to protect you from an insider threat. Let's look at Snowden: to work for the NSA in any capacity you have to go through months and several different levels of screening. Polygraph, multi-spectrum background and criminal investigation. They will go and talk to your 3rd grade teacher if necessary. The bottom line, screenings didn't help there and being a hacker should not disqualify anyone.

And personally, he is not a traitor. He may not have responsibly disclosed the information he had, but it is a good thing that he released it. People should not fear their government; governments should fear their people.
Landoll,
User Rank: Apprentice
7/26/2013 | 12:15:46 AM
re: SMB Insider Threat: Don't Hire A Hacker
Agreed - Snowden is not a hacker. I did not call Snowden a hacker; I called Snowden a 'trusted insider' - we should be able to agree on that.

Regarding the use of the term 'hacker' in the headline and in the article, I realize my use of the term (e.g., skilled but untrustworthy) does not agree with the technical community's use of the term (e.g., skilled and clever tinkerer). While I appreciate the audience, the article is written for the management of SMBs and thus I use the term as they would likely interpret it.
edannert,
User Rank: Apprentice
7/22/2013 | 11:53:19 AM
re: SMB Insider Threat: Don't Hire A Hacker
I guess if you call Snowden a traitor and common thief, I would call the NSA/US Government the obnoxious bully in the school yard... And yes, someone has to call out the antisocial behaviour of bullies. The question here is who violated what law, but despite that fact I agree that Snowden is definitely not a good example of an insider threat, because no ethical rules apply here anyway...
Jeffro Nunyas,
User Rank: Apprentice
7/20/2013 | 4:41:52 AM
re: SMB Insider Threat: Don't Hire A Hacker
OK Doug,

I think we need to recognize one very important fact. Edward Snowden is NOT a hacker. He got a job that gave him easy access to some information. If he were a true hacker, he wouldn't have needed to get a job to get the information.

Stop glorifying that traitor just because he took a class or two for learning ethical hacking techniques. He is or was just a glorified analyst with specific tasks assigned to him per the job title he was hired as.

He stole the information, then he leaked it. He's nothing but a common thief.