Vulnerabilities / Threats //

Insider Threats

7/19/2018
12:20 PM
Jai Vijayan
Jai Vijayan
Slideshows
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

6 Ways to Tell an Insider Has Gone Rogue

Malicious activity by trusted users can be very hard to catch, so look for these red flags.
Previous
1 of 7
Next

Image Source: Mashka via Shutterstock

Image Source: Mashka via Shutterstock

Insiders with legitimate access to enterprise systems and data are responsible for far more data breaches than many might realize. Granted, very often the breaches are accidental or caused by an individual's negligence or failure to follow policy – but when a malicious insider is responsible, the results can be disastrous.

Edward Snowden's 2013 heist of some 1.5 million classified documents from the National Security Agency (NSA), where he worked as a contractor, remains one of the most spectacular examples of insider theft. But there have been countless other incidents in recent years where organizations have experienced serious data loss or damage to systems and data as the result of malicious activity by an insider.

While enterprises are generally cognizant of the threat, many have struggled to deal with it. One reason is that most security tools are not truly designed to spot dangerous or potentially malicious activity by someone with legitimate access to an enterprise system or data. In addition, many organizations have been cautious about implementing too many controls for monitoring insider activity for fear of being viewed as too big brotherly.

"Enterprises are ill-equipped to protect their trusted insiders because legacy systems like employee monitoring or keystroke logging are extremely heavy and invasive to user privacy," says Christy Wyatt, CEO of Dtex Systems. "This means that many organizations have been reluctant to deploy them."

The key to dealing with insider threats is to keep an eye on all those accessing your most sensitive data in a way that does not intrude on privacy. "There are many critical behavior red flags that you can look for in order to accurately and quickly pinpoint insider threats," Wyatt says. "Three of the major red flags we see are data exfiltration, obfuscation, and bypassing security measures."

Here, according to Wyatt and others, are six signs that an insider has gone rogue or is headed that way.

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Previous
1 of 7
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Larry Larsen
50%
50%
Larry Larsen,
User Rank: Apprentice
7/31/2018 | 1:49:45 PM
Great Reminders
Jai, these are all great reminders on monitoring priviledged users and other trusted insiders.  The biggest issue I've seen on this topic in my career is the lack of willingness to consider such a user as a potential threat.  Users with nefarious intent may count on that to enable their activities.
Mark Coates
50%
50%
Mark Coates,
User Rank: Author
7/25/2018 | 1:04:34 PM
Understanding the Rogue Threat is Key to Security
Excellent education piece on malicious insiders' motivations and behavior patterns. As a member of Christy Wyatt's team at Dtex, we are helping organizations detect behaviors daily that reveal when an insider threat is active. Any business with concerns can use this piece as a guidepost.
Veterans Find New Roles in Enterprise Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/12/2018
Empathy: The Next Killer App for Cybersecurity?
Shay Colson, CISSP, Senior Manager, CyberClarity360,  11/13/2018
Understanding Evil Twin AP Attacks and How to Prevent Them
Ryan Orsi, Director of Product Management for Wi-Fi at WatchGuard Technologies,  11/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-18955
PUBLISHED: 2018-11-16
In the Linux kernel 4.15.x through 4.19.x before 4.19.2, map_write() in kernel/user_namespace.c allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. A user who has CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resour...
CVE-2018-19311
PUBLISHED: 2018-11-16
Centreon 3.4.x allows XSS via the Service field to the main.php?p=20201 URI, as demonstrated by the "Monitoring > Status Details > Services" screen.
CVE-2018-19312
PUBLISHED: 2018-11-16
Centreon 3.4.x allows SQL Injection via the searchVM parameter to the main.php?p=20408 URI.
CVE-2018-19318
PUBLISHED: 2018-11-16
SRCMS 3.0.0 allows CSRF via admin.php?m=Admin&c=manager&a=update to change the username and password of the super administrator account.
CVE-2018-19319
PUBLISHED: 2018-11-16
SRCMS 3.0.0 allows CSRF via admin.php?m=Admin&c=gifts&a=update to change goods prices with the super administrator's privileges.