From the recent theft of counterterrorism data from Switzerland's intelligence agency to remotely wiretapping boardroom videoconferencing systems, a number of attacks had an inside component

Dark Reading Staff, Dark Reading

December 17, 2012

6 Min Read

Insider attacks continued to haunt government agencies and companies alike in 2012. From rogue PIN pads at Barnes & Noble to disgruntled employees walking out with a nation's secrets, organizations suffered a wide variety of attacks.

While studies have found that insiders typically account for a minority of incidents, they tend to cause more damage, especially when privileged users, who have access to a company's crown jewels, go rogue. In addition, negligent insiders cause nearly 40 percent of all data breaches, and malicious attacks account for a third of incidents, according to a March study.

"The difference with insiders is they can inflict measurable financial, measurable IP, measurable brand and reputation damage -- more so than an outsider can," says Jim Butterworth, chief security officer for HBGary, a subsidiary of ManTech International. "Make sure that your employees, especially those with access to the crown jewels, are held accountable."

While insiders are usually only marginally involved in the theft of many types of data, incidents involving intellectual property are the exception, according to a Verizon report. In two-thirds of cases, regular employees played some role in the loss of intellectual property, the report stated.

The definition of "insider threat" continues to broaden. Once used to describe any attack by a rogue employee, the term now encompasses attacks that use insider-like access to compromise systems and data, such as employees who bring infected devices inside the firewall or companies that allow Internet-facing resources -- such as remote-desktop applications and videoconferencing -- unfettered access to the inside of their networks.

"In those cases, the breach would have never occurred if not for the insider making a mistake," says Rob Sobers, technical marketing manager for data-protection firm Varonis.

[Protecting intellectual property against insiders is tough enough when the insiders are a company's own employees, but the problem becomes even more difficult when a third party has access to confidential information. See When Someone Else's Insider Is Your Threat.]

Here are five significant attacks involving insiders in 2012.

5. Infrastructure As An Insider: Barnes & Noble
In October, retail book chain Barnes & Noble announced that rogue PIN pad devices had been found at 63 of its 700 stores, allowing criminals to siphon off credit- and debit-card numbers as well as the PINs to victims' bank accounts. Because the affected stores were located in different geographic areas, the attack is thought to be the work of an organized group of criminals.

Less than 1 percent of the devices were compromised with hardware "bugs," making the attack unlikely to be a supply-chain issue, Barnes & Noble stated. The incident showed that compromised infrastructure -- whether corrupted somewhere in the supply chain or later on-site -- is a major insider issue, said Gunter Ollmann, then vice president of research at Damballa, at the time.

"There is very little that can be done to protect these devices than what is already being done today," he said. "In essence, an insider threat is the most insidious."

4. Bug In The Boardroom: Rapid7 Videoconferencing Research
In January, researchers at vulnerability management firm Rapid7 published research showing that many videoconferencing systems were directly accessible from the Internet, essentially giving attackers a direct line into conference and meeting rooms.

The company's researchers scanned about 3 percent of the Internet's address space, finding that some 5,000 systems were set to automatically answer calls from the Internet. Statistically, that indicates a total of 150,000 systems are likely accessible from outside corporate networks. In lab tests with similar equipment, the researchers found that they could listen in on nearby conversations and even read information on whiteboards and sticky notes.

"People definitely want to be familiar with the products they are deploying," said Joshua Talbot, security intelligence manager at Symantec, at the time. "Companies that adopt a new technology should become aware of the security risks that they are bringing into the environment."

Later research found that remote-access software, used to administer a client's systems, could be a major security issue for companies that did not configure the software correctly, giving attackers a backdoor into the enterprise.

3. Data Walk Out: From Cityville To Kixeye
In August, Alan Patmore left Zinga and moved over to a small San Francisco startup, Kixeye. Just before leaving, he created a Dropbox folder and used it to transfer 760 files to the cloud, Zynga claimed in an October lawsuit. The data included a description of Zynga's methods for measuring success of game features, an initial assessment of Cityville, and design documents for nearly a dozen unreleased games, Zynga stated in its complaint. "Patmore transferred this data from Zynga in violation of his obligation and without Zynga's knowledge or consent," the company stated.

Kixeye countersued under California's business codes, claiming that the information is not proprietary and Zynga was attempting to stem an exodus of employees using legal tactics. The saga continues in the Superior Court of California.

Insiders walking out with proprietary data to which the workers believe they have some ownership rights is a common problem for companies. Educating employees about a company's intellectual-property concerns is a must. In addition to legal protections, companies should focus on limiting employees' access to data they do not need to do their work.

"Always make sure that people have access to only what they need," Varonis' Sobers says. "Just because they are an executive, they don't need to have access to everything in the company."

2. The Inadvertent Insider: South Carolina's Dept. Of Revenue Breach
In mid-August, attackers obtained the login credentials for an employee of the South Carolina Department of Revenue, essentially gaining insider access to the agency's systems. The attack, detected in October, resulted in the theft of some 3.6 million Social Security numbers belonging to state residents, as well as 387,000 credit- and debit-card numbers. Total cost: $14 million and growing.

Mandiant, the security firm that conducted the forensics investigation (PDF) into the breach, theorized that the attackers used spearphishing e-mails to compromise a worker's system and collected the credentials. Such a scenario is quite common, Varonis' Sobers says.

"Most of the time, the insider component of these attacks is not malicious," Sobers says.

Organizations should limit their workers' access to information that those employees need to know. The S.C. Department of Revenue did not do that, allowing the Social Security numbers to be stored unencrypted.

1. The Disgruntled Insider: Swiss Intel Leak
Rivaling the leak of U.S. State Department memos by a U.S. military serviceman, the Swiss intelligence agency, NDB, told its American and British counterparts that a disgruntled system administrator had reportedly taken terabytes of classified information from its systems. The employee reportedly had unrestricted rights to the intelligence service's systems and had carried out hard drives containing the stolen data, according to a Reuters report published earlier this month.

"Here is an administrator with root privileges, and there were no measures in place to restrict what that administrator could do," says Todd Thiemann, senior director of product marketing for data-protection provider Vormetric.

While authorities do not believe that the rogue employee sold or transferred the data, they have no way to be sure, sources told Reuters.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights