Vulnerabilities / Threats
12/17/2012
09:44 PM

Five Significant Insider Attacks Of 2012

From the recent theft of counterterrorism data from Switzerland's intelligence agency to remotely wiretapping boardroom videoconferencing systems, a number of attacks had an inside component

Insider attacks continued to haunt government agencies and companies alike in 2012. From rogue PIN pads at Barnes & Noble to disgruntled employees walking out with a nation's secrets, organizations suffered a wide variety of attacks.

While studies have found that insiders typically account for a minority of incidents, they tend to cause more damage, especially when privileged users, who have access to a company's crown jewels, go rogue. In addition, negligent insiders cause nearly 40 percent of all data breaches, and malicious attacks account for a third of incidents, according to a March study.

"The difference with insiders is they can inflict measurable financial, measurable IP, measurable brand and reputation damage -- more so than an outsider can," says Jim Butterworth, chief security officer for HBGary, a subsidiary of ManTech International. "Make sure that your employees, especially those with access to the crown jewels, are held accountable."

While insiders are usually only marginally involved in the theft of many types of data, incidents involving intellectual property are the exception, according to a Verizon report. In two-thirds of cases, regular employees played some role in the loss of intellectual property, the report stated.

The definition of "insider threat" continues to broaden. Once used to describe any attack by a rogue employee, the term now encompasses attacks that use insider-like access to compromise systems and data, such as employees who bring infected devices inside the firewall or companies that allow Internet-facing resources -- such as remote-desktop applications and videoconferencing -- unfettered access to the inside of their networks.

"In those cases, the breach would have never occurred if not for the insider making a mistake," says Rob Sobers, technical marketing manager for data-protection firm Varonis.

[Protecting intellectual property against insiders is tough enough when the insiders are a company's own employees, but the problem becomes even more difficult when a third party has access to confidential information. See When Someone Else's Insider Is Your Threat.]

Here are five significant attacks involving insiders in 2012.

5. Infrastructure As An Insider: Barnes & Noble
In October, retail book chain Barnes & Noble announced that rogue PIN pad devices had been found at 63 of its 700 stores, allowing criminals to siphon off credit- and debit-card numbers as well as the PINs to victims' bank accounts. Because the affected stores were located in different geographic areas, the attack is thought to be the work of an organized group of criminals.

Less than 1 percent of the devices were compromised with hardware "bugs," making the attack unlikely to be a supply-chain issue, Barnes & Noble stated. The incident showed that compromised infrastructure -- whether corrupted somewhere in the supply chain or later on-site -- is a major insider issue, said Gunter Ollmann, then vice president of research at Damballa.

"There is very little that can be done to protect these devices than what is already being done today," he said. "In essence, an insider threat is the most insidious."

4. Bug In The Boardroom: Rapid7 Videoconferencing Research
In January, researchers at vulnerability management firm Rapid7 published research showing that many videoconferencing systems were directly accessible from the Internet, essentially giving attackers a direct line into conference and meeting rooms.

The company's researchers scanned about 3 percent of the Internet's address space, finding that some 5,000 systems were set to automatically answer calls from the Internet. Statistically, that indicates a total of 150,000 systems are likely accessible from outside corporate networks. In lab tests with similar equipment, the researchers found that they could listen in on nearby conversations and even read information on whiteboards and sticky notes.

"People definitely want to be familiar with the products they are deploying," said Joshua Talbot, security intelligence manager at Symantec, at the time. "Companies that adopt a new technology should become aware of the security risks that they are bringing into the environment."

Later research found that remote-access software, used to administer a client's systems, could be a major security issue for companies that did not configure the software correctly, giving attackers a backdoor into the enterprise.

3. Data Walk Out: From Cityville To Kixeye
In August, Alan Patmore left Zynga and moved over to a small San Francisco startup, Kixeye. Just before leaving, he created a Dropbox folder and used it to transfer 760 files to the cloud, Zynga claimed in an October lawsuit. The data included a description of Zynga's methods for measuring the success of game features, an initial assessment of Cityville, and design documents for nearly a dozen unreleased games, Zynga stated in its complaint. "Patmore transferred this data from Zynga in violation of his obligation and without Zynga's knowledge or consent," the company stated.

Kixeye countersued under California's business codes, claiming that the information is not proprietary and Zynga was attempting to stem an exodus of employees using legal tactics. The saga continues in the Superior Court of California.

Insiders walking out with proprietary data to which the workers believe they have some ownership rights is a common problem for companies. Educating employees about a company's intellectual-property concerns is a must. In addition to legal protections, companies should focus on limiting employees' access to data they do not need to do their work.

"Always make sure that people have access to only what they need," Varonis' Sobers says. "Just because they are an executive, they don't need to have access to everything in the company."

2. The Inadvertent Insider: South Carolina's Dept. Of Revenue Breach
In mid-August, attackers obtained the login credentials for an employee of the South Carolina Department of Revenue, essentially gaining insider access to the agency's systems. The attack, detected in October, resulted in the theft of some 3.6 million Social Security numbers belonging to state residents, as well as 387,000 credit- and debit-card numbers. Total cost: $14 million and growing.

Mandiant, the security firm that conducted the forensics investigation into the breach, theorized that the attackers used spearphishing e-mails to compromise a worker's system and collect the credentials. Such a scenario is quite common, Varonis' Sobers says.

"Most of the time, the insider component of these attacks is not malicious," Sobers says.

Organizations should limit their workers' access to information that those employees need to know. The S.C. Department of Revenue did not do that, allowing the Social Security numbers to be stored unencrypted.

1. The Disgruntled Insider: Swiss Intel Leak
In an incident rivaling the leak of U.S. State Department memos by a U.S. military serviceman, Switzerland's intelligence agency, the NDB, told its American and British counterparts that a disgruntled system administrator had reportedly taken terabytes of classified information from its systems. The employee reportedly had unrestricted rights to the intelligence service's systems and had carried out hard drives containing the stolen data, according to a Reuters report published earlier this month.

"Here is an administrator with root privileges, and there were no measures in place to restrict what that administrator could do," says Todd Thiemann, senior director of product marketing for data-protection provider Vormetric.

While authorities do not believe that the rogue employee sold or transferred the data, they have no way to be sure, sources told Reuters.


Comments
kjhiggins,
User Rank: Strategist
12/19/2012 | 7:57:53 PM
re: Five Significant Insider Attacks Of 2012
Great examples of how an "insider threat" isn't just a disgruntled employee.

Kelly Jackson Higgins, Senior Editor, Dark Reading