3/11/2013 11:07 PM

Overprivileged, Well-Meaning, And Dangerous

Nonmalicious insiders add a lot of risk when IT gives them too much access and not enough education

Let's face it: Everybody makes dumb mistakes at work. But these days, three factors combine into a potent cocktail of risk for enterprises: employees who don't understand the security impact of the technologies they use, a lack of controls around critical infrastructure and data, and a legion of users carrying far more system privileges than their jobs require.

According to security experts, the only way that organizations can reduce the risk of that combination is to be pragmatic. Rather than trying to completely eradicate stupid behavior -- an impossible feat -- enterprises need to find ways to minimize the risk around the mistakes nonmalicious insiders make.

"It's not realistic to eliminate the user behavior nor identify all the vulnerabilities or attacks in advance," says Brian Hanrahan, senior systems consultant at Avecto. "You have to start from the assumption that any user through willing, or unwilling, involvement may become the nexus of your next infiltration."

Whether it's digging spearphishing messages out of the junk mailbox to click malicious links, sending inappropriate email through powerful mass-communication systems they shouldn't have access to, or fat-fingering configuration files and bringing down broad swaths of IT infrastructure, well-meaning users can wreak plenty of havoc on IT operations. In some cases, purely dumb behavior directly results in embarrassment to the organization, breached data, or loss of confidence in the integrity of systems and information.

[What about malicious insiders? See 5 Lessons From The FBI Insider Threat Program.]

Mike Murray, managing partner for consulting firm MAD Security, says he has seen his fair share of insider incidents that were "more than a little boneheaded." For example, earlier in his career, he came across an incident where an employee accidentally sent pornographic images to an entire 5,000-person organization.

"It wasn't an 'internal attack,' but it was definitely stupid," he says. "I had another one more recently [where] one of the developers working on one of our systems made a stupid Unix mistake and caused our system to be down for almost a week. I've seen something like that happen more times than I can even count."

Not only are there direct security ramifications from that class of scatterbrained mistake, but they also can eat up valuable incident response time that could be better used elsewhere.

"At the bureau, about 24 percent of our incidents that we track on a yearly basis have to do with just accidental insiders -- people being a knucklehead -- and we do spend about 35 percent of our incident response time [on them]," says Patrick Reidy, CISO for the FBI.

Plus, the reputation damage shouldn't be underestimated -- particularly when some simple controls could have mitigated the situation. Take, for instance, a recent case in the city of Washington, Pa., where a city councilman used a citywide emergency email system to add the offensively prankish phrase 'Brian is gay' to a test message sent out to city residents.

"[That] is a great example of why organizations implement approval processes for privileged operations," Hanrahan says. "It's important that privileged access is dispensed after review and monitored carefully to detect risky behavior."

However, he says that while lapses in judgment and silly errors can certainly cause harm, nonmalicious insiders pose other, more latent risks. More commonly, these insiders serve as an unwitting lever for malicious actors: an attacker exploits the insider's normal behavior to compromise that user's endpoint, then rides the insider's wide-reaching access to other systems on the network, Hanrahan says.

"The reality is that most attacks result not from boneheaded moves, but normal activity plus privileged access," Hanrahan says. "The vulnerabilities used to infiltrate corporate environments today rely on normal user behavior to gain a foothold. Web browsers, media plug-ins, Java exploits, and removable media are the common vectors of introduction."

As he puts it, the name of the game is in effective containment.

"Containment requires limiting the resources immediately available to the attacker and thwarting propagation within the organization, both of which are nearly impossible when the attack runs with elevated privileges," he says.
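The containment argument above turns on a question most organizations cannot answer quickly: which accounts actually run with elevated privilege? The following Python script is an added example, not code from the article or from Avecto; it parses a constructed `/etc/group` excerpt and a constructed sudoers excerpt, treats membership in wheel, sudo and docker as root-equivalent (docker because the daemon can mount the host filesystem), and reports every user who holds elevated privilege without being on an assumed approved-admin list. The group and sudoers text, the privileged-group set and the approved list are all constructed for illustration; the sudoers parser covers plain user and %group specs only, not aliases or include directives.

```python
"""Audit constructed /etc/group and sudoers excerpts for accounts holding
elevated privilege that are not on an approved list (added example)."""
import re

# Constructed sample input, not taken from any real host.
GROUP_FILE = """\
root:x:0:
wheel:x:10:alice,bob
sudo:x:27:carol
docker:x:998:dave,alice
users:x:100:alice,bob,carol,dave,erin
"""

# Constructed sudoers excerpt (user specs only; no aliases or includes).
SUDOERS = """\
# constructed sudoers excerpt
Defaults    env_reset
root    ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL) ALL
erin    ALL=(ALL) NOPASSWD: ALL
dave    ALL=(root) /usr/bin/systemctl restart httpd
"""

# Groups treated as root-equivalent (assumption: docker can mount host fs).
PRIVILEGED_GROUPS = {"wheel", "sudo", "docker"}
# Assumed allow-list of accounts that are supposed to be admins.
APPROVED_ADMINS = {"alice"}


def parse_groups(text):
    """Return {group_name: set(members)} from /etc/group-style lines."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def parse_sudoers(text):
    """Return [(principal, command_spec, nopasswd)] from sudoers user specs.
    Principals are either a user name or %group; Defaults and comments skip."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = re.match(r"^(\S+)\s+\S+=\([^)]*\)\s+(.*)$", line)
        if not m:
            continue
        principal, cmds = m.group(1), m.group(2)
        nopasswd = "NOPASSWD:" in cmds
        cmds = cmds.replace("NOPASSWD:", "").strip()
        entries.append((principal, cmds, nopasswd))
    return entries


def effective_admins(groups, sudo_entries):
    """Map each user to the set of reasons they hold elevated privilege."""
    reasons = {}
    for g in PRIVILEGED_GROUPS:
        for u in groups.get(g, ()):
            reasons.setdefault(u, set()).add(f"member of {g}")
    for principal, cmds, nopasswd in sudo_entries:
        if principal == "root":
            continue
        # Expand %group principals to their members; plain names stay as-is.
        users = groups.get(principal[1:], ()) if principal.startswith("%") else [principal]
        for u in users:
            tag = "sudo ALL" if cmds == "ALL" else f"sudo {cmds}"
            if nopasswd:
                tag += " (NOPASSWD)"
            reasons.setdefault(u, set()).add(tag)
    return reasons


def unapproved_admins(group_text=GROUP_FILE, sudoers_text=SUDOERS,
                      approved=APPROVED_ADMINS):
    """Users with elevated privilege who are not on the approved list."""
    admins = effective_admins(parse_groups(group_text), parse_sudoers(sudoers_text))
    return {u: sorted(r) for u, r in admins.items() if u not in approved}


if __name__ == "__main__":
    for user, why in sorted(unapproved_admins().items()):
        print(f"{user}: {', '.join(why)}")
```

On the constructed input, the report flags bob (wheel membership plus sudo ALL), carol (sudo group), dave (docker group and a scoped sudo rule) and erin (passwordless sudo ALL), while alice is on the approved list and is not reported. The scoped rule for dave is the shape of grant the approval process in the article argues for: a named command rather than ALL, which keeps the blast radius of a compromised endpoint small.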

Murray agrees, saying that phishing and advanced persistent threats succeed because, at most organizations, once an attacker has compromised an employee's system on the inside, the attacker has free rein in the environment. Organizations need to address the nonmalicious insider problem by looking more closely at their control architecture, Murray says.

"The key is actually in the control architecture. I still see organizations that take the philosophy of 'hard external, soft chewy inside' when designing their security strategy," he says. "The control around assets needs to be close to the assets in order to detect threats from both outside and inside."
