Vulnerabilities / Threats

10/20/2014
11:15 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Insider Threats: Breaching The Human Barrier

A company can spend all the money it has on technical solutions to protect the perimeter and still not prevent the attack that comes from within.

Undoubtedly, every InfoSec professional has heard the argument that the perimeter was broken. That was so 1995. The new rage is to break the “human barrier.” You know, those things that run the companies. Increasingly, attackers are using social engineering to target a corporation’s most vulnerable asset: the human. From there attackers hack the systems and completely own the company from the inside out.

A while back, WHMCS, an online banking and bill paying company, was attacked by an outsider with real access credentials pretending to be an insider.  It turns out, the data base administrator for the organization was pretty active on social media. From basic profiling of his public information, attackers were able to garner the answers to his security questions. After a quick phone call and password reset, attackers were able to download 1.1 Gigabytes of credit card numbers and subsequently erased the servers just for kicks. A five-minute phone call opened the window of opportunity for a dox, which turned into total ownership.

That is just an outsider acting as an insider. What about an actual insider that has ill intent towards your company?  

According to the “CERT: Common Sense Guide to Prevention and Detection of Insider Threats,” 65% of all IT sabotage attacks are non technical and 84% of all attacks for financial gain were also non-technical. One call, that’s all. If organizations are unable to keep their own data safe, how can we as customers expect them to keep our data safe?

I see this highlighted daily in the work we do for clients. In a single 10-minute phone call to an enterprise chain store, a non-technical employee can provide my team with enough data to execute a virtual attack or onsite impersonation. The one vector that seems to always work is another insider, a fellow employee. Insiders are automatically trusted and automatically given answers to things that an outsider would never get. Therein lies the danger with insider attack. That trust can be exploited, that automatic authentication can be used to compromise.

Now that we’ve talked a bit about the scope of damage from insider threats it’s important for organizations to clearly understand how these threats manifest. AT&T recently disclosed that an employee was able to access and exfiltrate confidential and personal user information including social security and driver’s license numbers of thousands of customers. This is an example of a malicious insider attack, one in which the employees purposefully expose data.  

Angry and disgruntled
In situations with malicious insiders, employees are either angry, disgruntled, or rogue. They are either on the way out or have already been fired and still have access to corporate logins. These attackers are extremely dangerous because they already know their way around the network and can easily access copious amounts of information, without raising a brow. While it seems little can be done about this type of insider attack, the 2014 Verizon Data Breach Report indicates that 85% of insider privilege misuse attacks used the corporate LAN. With the implementation and enforcement of access controls, network behavioral analysis, and security awareness training that encourages employees to report suspicious activity, these types of attacks can be limited.

The second type of insider threat stems from accidental data uploads, failure to dispose of documents securely, and complex interactions with unintended consequences. Regardless of how it happens, negligent insider attacks occur when employees accidentally expose data.  

A negligent insider can also take the form of a partner or third-party that has been granted access and accidentally exposes data. How many breaches do we read about that were the results of a laptop, USB key, or file thrown away improperly, and that it contained thousands of records of sensitive data? These breaches are not malicious insiders, but an uneducated and thoughtless insider that causes harm to your company and to your clients.

I believe the only way for an organization to be successful in preventing insider attacks is to progress beyond the thought process that IT is responsible for all information security issues. In every case above, user education along with proper technical solutions can help reduce the results of insider threat.   

You can start by asking yourself the following questions:

  • Are policies in place?
  • Does legal and senior management support IT practices?
  • Do these type of programs reward employees instead of scare them?
  • Do we conduct regular audits?

While this approach may seem unrealistic at first, I’ve seen first hand how global organizations can reduce the number of malware related incidents and shut down both insider and outsider threat with simple modifications to process and employee awareness. Organizations are only as strong as the weakest link -- the humans. And as long as that simple fact remains true, attackers will always go after this low-hanging fruit. Make yourself, your employees, and your company not the easy pickings, and you might just have a chance of not being the next headline on Dark Reading.

Chris Hadnagy has over 16 years' experience as a practitioner and researcher in the security field. His efforts in training, education, and awareness have helped to expose social engineering as the top threat to the security of organizations today. He established the world's ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
10/24/2014 | 7:48:46 AM
Re: 'Zero trust' models are the way forward
Sounds llike you have awesome employees, @TMILLARSL4. But the cynic in me thinks that there is more to your strategy than kumbaya. What exactly do you do in your organization to educate and empower people  that makes them allies in the battle against malicious outsiders?  
TMILLARSL4
50%
50%
TMILLARSL4,
User Rank: Apprentice
10/24/2014 | 6:43:17 AM
Re: 'Zero trust' models are the way forward
Zero Trust can only fail.

I'm sorry to contradict you in such strong terms, but Zero trust can only fail. Unless you lock employees out of the network, there will always be scope for negligence, user error and access creep.

My favorite saying is there is no technical fix for the human problem. There are only human ones.

My view is, trust your employees, as adults and partners in creating value. Most insider attacks (if they are not actual infiltration (Deliberately getting hired to be on the inside) are motivated by feeling of being disempowered and disillusioned.

If you don't trust your employees, why should they protect your business. Educate and empower them, recruit them as allies against malicious outsider action, and you will be far more successful. Reward them for highlighting vulnerable system and help them understand what they personally stand to loose from breaches.

Employees will be far more motivated to follow corporate policy if they understand the consequences to them personally (New job?)

And before you respond that this is idealistic or impractical, this is the reality. Every employee is the guardian of value within your business. The sooner businesses realise that the better.

Regards

Tom.
Franois Amigorena
0%
100%
Franois Amigorena,
User Rank: Author
10/24/2014 | 5:59:38 AM
'Zero trust' models are the way forward

Agree that all the technology solutions in the world cannot solve every problem, and that every organisation is only as strong as its weakest link. However technology does have a place in educating and moderating human behaviour, and our research findings have shown that even supposedly 'educated' users still make mistakes. 

Which is why there's a strong argument for a 'zero trust' model. Using technology like UserLock to funnel your users into working within your security policies, with little to no room for manoeuvre, can educate employees into following company policy. 

Rather than the traditional security model that views everything on the inside of the network as 'trusted', and everything off the network as 'not trusted', leaving it open to internal misuse, that distinction isn't made. With the zero trust model an organisation can benefit from a 'never trust, always verify' principle and therefore enable better access security for all authenticated users." 

davidneville
50%
50%
davidneville,
User Rank: Apprentice
10/21/2014 | 1:56:20 PM
Finding a purposefully buried needle in a haystack
The post reminds me of Jeff Williams 2009 BlackHat report on Enterprise Java Rootkits, "Hardly anyone watches the developers." According to SANS, "There is no quick and inexpensive method to ensure that malicious code is prevented." But there are some things to keep in mind when undertaking a malicious code review:


·Establish Your Scope. Your team can't possibly review all of the code in your organization. As it is, finding malicious code is like finding a needle in a haystack. Narrow the haystack and you improve your chances of finding the proverbial needle.

·Allow Ample Time. Injectors of malicious code didn't write it on a whim. Discovering it will take more than one pass through the code, so allow your team ample time to ensure their results.

·Train Your Team. Having the latest and greatest tools in application security is nice; knowing how to use them is even better. Encourage your team to learn the ins and outs of the technology so they can use it to its fullest potential.
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
10/21/2014 | 11:26:24 AM
malicious insiders
Not surprising that disgruntled employees are a primary source of insider attacks. But what measures can organizations take to identify and prevent them from doing damage? Aren't there civil rights laws that protect them? How proactive can security teams really be? 
Government Shutdown Brings Certificate Lapse Woes
Curtis Franklin Jr., Senior Editor at Dark Reading,  1/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6487
PUBLISHED: 2019-01-18
TP-Link WDR Series devices through firmware v3 (such as TL-WDR5620 V3.0) are affected by command injection (after login) leading to remote code execution, because shell metacharacters can be included in the weather get_weather_observe citycode field.
CVE-2018-20735
PUBLISHED: 2019-01-17
** DISPUTED ** An issue was discovered in BMC PATROL Agent through 11.3.01. It was found that the PatrolCli application can allow for lateral movement and escalation of privilege inside a Windows Active Directory environment. It was found that by default the PatrolCli / PATROL Agent application only...
CVE-2019-0624
PUBLISHED: 2019-01-17
A spoofing vulnerability exists when a Skype for Business 2015 server does not properly sanitize a specially crafted request, aka "Skype for Business 2015 Spoofing Vulnerability." This affects Skype.
CVE-2019-0646
PUBLISHED: 2019-01-17
A Cross-site Scripting (XSS) vulnerability exists when Team Foundation Server does not properly sanitize user provided input, aka "Team Foundation Server Cross-site Scripting Vulnerability." This affects Team.
CVE-2019-0647
PUBLISHED: 2019-01-17
An information disclosure vulnerability exists when Team Foundation Server does not properly handle variables marked as secret, aka "Team Foundation Server Information Disclosure Vulnerability." This affects Team.