Vulnerabilities / Threats
3/11/2013
11:07 PM
Connect Directly
RSS
E-Mail
50%
50%

Overprivileged, Well-Meaning, And Dangerous

Nonmalicious insiders add a lot of risk when IT gives them too much access and not enough education

Let's face it: Everybody makes dumb mistakes at work. But these days, employee ignorance about the impact of certain IT technologies, a lack of controls around critical infrastructure and data, and a legion of employees armed with way too many system privileges are drowning enterprises in a potent cocktail of risk factors.

According to security experts, the only way that organizations can reduce the risk of that combination is to be pragmatic. Rather than trying to completely eradicate stupid behavior -- an impossible feat -- enterprises need to find ways to minimize the risk around the mistakes nonmalicious insiders make.

"It's not realistic to eliminate the user behavior nor identify all the vulnerabilities or attacks in advance," says Brian Hanrahan, senior systems consultant at Avecto. "You have to start from the assumption that any user through willing, or unwilling, involvement may become the nexus of your next infiltration."

Whether it's digging spearphishing messages out of the junk mailbox to click infected links, sending out inappropriate email messages on powerful communications systems they shouldn't have access to, or fat-fingering configuration files to bring down broad swaths of IT infrastructure, well-meaning users can wreak plenty of havoc within IT operations. In some cases, purely dumb behavior can directly result in embarrassment to the organization, breached data, or information assurance problems.

[What about malicious insiders? See 5 Lessons From The FBI Insider Threat Program.]

Mike Murray, managing partner for consulting firm MAD Security, says he has seen his fair share of insider incidents that were "more than a little boneheaded." For example, earlier in his career, he came across an incident where an employee accidentally sent pornographic images to an entire 5,000-person organization.

"It wasn't an 'internal attack,' but it was definitely stupid," he says. "I had another one more recently [where] one of the developers working on one of our systems made a stupid Unix mistake and caused our system to be down for almost a week. I've seen something like that happen more times than I can even count."

Not only are there direct security ramifications from that class of scatterbrained mistake, but they also can eat up valuable incident response time that could be better used elsewhere.

"At the bureau, about 24 percent of our incidents that we track on a yearly basis have to do with just accidental insiders -- people being a knucklehead -- and we do spend about 35 percent of our incident response time [on them]," says Patrick Reidy, CISO for the FBI.

Plus, the reputation damage factor can't be underestimated -- particularly when some simple controls could have mitigated the situation. Take, for instance, a recent case in the city of Washington, Pa., where a city councilman used a citywide email emergency system to add the offensively prankish term 'Brian is gay' to a test email sent out to city denizens.

"[That] is a great example of why organizations implement approval processes for privileged operations," Hanrahan says. "It's important that privileged access is dispensed after review and monitored carefully to detect risky behavior."

However, he says that while lapses in judgments and silly errors can certainly cause harm, nonmalicious insiders pose other more latent risks for organizations. More commonly, these insiders act as an unwitting lever for malicious actors who take advantage of the insider's normal behavior to compromise that user's endpoint and take advantage of that insider's wide-reaching access to other systems on the network, Hanrahan says.

"The reality is that most attacks result not from boneheaded moves, but normal activity plus privileged access," Hanrahan says. "The vulnerabilities used to infiltrate corporate environments today rely on normal user behavior to gain a foothold. Web browsers, media plug-ins, Java exploits, and removable media are the common vectors of introduction."

As he puts it, the name of the game is in effective containment.

"Containment requires limiting the resources immediately available to the attacker and thwarting propagation within the organization, both of which are nearly impossible when the attack runs with elevated privileges," he says.

Murray agrees, saying that the reason why phishing and advanced persistent threats succeed is that at most organizations, once the attacker has compromised an employee's system inside, that person has free rein in the environment. Murray says that organizations need to address the nonmalicious insider problem by looking more closely at their control architecture.

"The key is actually in the control architecture. I still see organizations that take the philosophy of 'hard external, soft chewy inside' when designing their security strategy," he says. "The control around assets needs to be close to the assets in order to detect threats from both outside and inside."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2963
Published: 2014-07-10
Multiple cross-site scripting (XSS) vulnerabilities in group/control_panel/manage in Liferay Portal 6.1.2 CE GA3, 6.1.X EE, and 6.2.X EE allow remote attackers to inject arbitrary web script or HTML via the (1) _2_firstName, (2) _2_lastName, or (3) _2_middleName parameter.

CVE-2014-3310
Published: 2014-07-10
The File Transfer feature in WebEx Meetings Client in Cisco WebEx Meetings Server and WebEx Meeting Center does not verify that a requested file was an offered file, which allows remote attackers to read arbitrary files via a modified request, aka Bug IDs CSCup62442 and CSCup58463.

CVE-2014-3311
Published: 2014-07-10
Heap-based buffer overflow in the file-sharing feature in WebEx Meetings Client in Cisco WebEx Meetings Server and WebEx Meeting Center allows remote attackers to execute arbitrary code via crafted data, aka Bug IDs CSCup62463 and CSCup58467.

CVE-2014-3315
Published: 2014-07-10
Cross-site scripting (XSS) vulnerability in viewfilecontents.do in the Dialed Number Analyzer (DNA) component in Cisco Unified Communications Manager allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCup76308.

CVE-2014-3316
Published: 2014-07-10
The Multiple Analyzer in the Dialed Number Analyzer (DNA) component in Cisco Unified Communications Manager allows remote authenticated users to bypass intended upload restrictions via a crafted parameter, aka Bug ID CSCup76297.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.