Vulnerabilities / Threats
5/26/2009
06:18 PM

Security Experts Raise Alarm Over Insider Threats

Economic troubles raising the stakes on potential threats, FIRST members say

Security researchers and other experts are turning up the heat on insider threats, warning enterprises that the problem is growing and could prove devastating for many of them.

In preparation for its meeting in Japan next month, the Forum of Incident Response and Security Teams (FIRST) issued a press release in which its senior officers urge organizations to step up their efforts to protect themselves from insider attacks, saying that many are "ill-prepared for an onslaught which could prove calamitous."

"One of the greatest security threats of our times is from insiders, as organizations lay off tens of thousands of workers," said Scott McIntyre, a FIRST steering committee member and representative of the Netherlands-based KPN Computer Emergency Response Team (CERT). "People know the axe is coming, and the longer employers prolong the swing of that axe, the more danger they expose themselves to, either from sabotage or data theft. An employee who thinks he or she is [going to be laid off] can start fouling up systems which are critical to the organization, or decide to take an unauthorized pay-off by stealing a mass of data."

Yurie Ito, another FIRST steering committee member and director of Japan's JPCERT/CC, agreed. "Don't think you're safer once the employee is laid off and outside the wall," Ito warned. "A lot of these people know how the systems work -- they have the keys to the castle and they know where the secret doors are. Even when companies think they have taken the necessary steps by removing ID and changing passwords, these people have the knowledge and skill that means they still pose a threat. They are extremely dangerous."

Researchers and vendors outside of FIRST also say they are becoming concerned about the threats posed by those with knowledge of corporate systems, such as IT people and privileged users. "The most common insider threats are posed by everyday workers who might walk out with sensitive data on a USB drive," observes Eric Yoshizuru, evangelist at security vendor Symark. "But it's the privileged users who can do the most serious crimes against the organization."

A few years ago, most organizations "trusted their IT organizations to do the right thing," Yoshizuru says. But following a series of very public attacks involving IT people during the past few years, many organizations are beginning to implement tools and processes to protect themselves against threats posed both by employees and the IT people who support them, he notes.

"A lot of companies have been through the wringer with layoffs, and in many cases, the 'survivors' feel overworked, underpaid, and unappreciated," Yoshizuru says. "In some cases, these are people who understand the technical vulnerabilities of the company, but they are nervous -- if they see another layoff coming, they may be tempted to retaliate."

Tom Mullen, security chief for telco giant BT, says organizations must now regard some precautionary measures as a matter of urgency. Exit procedures should be scrutinized and rescrutinized, especially for employees whose severance was involuntary. "You simply must have thorough exit and monitoring plans in place, and these need to be very specific when you're dealing with employees who had any kind of access to critical systems or data," Mullen says. "You have to make sure that under no circumstances can a departing member of staff take any sensitive information out of the organization."

Many organizations are approaching the insider threat in much the same way that they approach the external threat: "How is somebody going to get in, what might they steal, and in the worst circumstances, how to restore from backups if outsiders do break in and crash something," notes Derrick Scholl, chair of the FIRST steering committee.

But these methods don't address the real damage that a determined insider might do, Scholl says. "Sure, an insider is capable of stealing corporate secrets, or customer lists, or destroying computers, but their potential for harm is far worse," he states. "Imagine a software company where an insider has the ability to change code in the product without being detected. What if the insider altered design documents or tampered with customer orders? Or ripped out hard drives and corrupted systems just as a big corporation was about to issue its quarterly bills to hundreds of thousands of customers? It's a totally different order of threat, and it requires a different way of thinking."

Organizations today must begin the process of separating duties and building checks and balances into their IT and administrative access schemes, Yoshizuru says. "That extends to systems like Salesforce.com, where the administrator may be outside the IT organization," he notes.

Yoshizuru says steps to prevent insider attack may also extend beyond the employee base. "With tough economic times, a lot of companies are bringing in contractors and temporary employees, but they aren't extending the tools and training to those employees that they do to their full-time workers," he observes. "That's a set of issues that companies should be looking at as well."
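The three controls the experts above call for (thorough exit procedures, separation of duties in IT and administrative access, and extending the same controls to contractors) are all reconciliation checks an organization can automate. The script below is an added example, not code from the article or from any of the organizations quoted in it. It runs over a constructed HR roster and a constructed identity-system export, with hypothetical user and role names, and reports three kinds of finding: terminated people whose accounts are still enabled or were used after their termination date, enabled accounts with no HR owner, and accounts that hold a "toxic" role combination such as being able to change product code and approve its own release.

```python
from datetime import date

# Constructed sample data, not from the article: an HR roster and an export from
# the identity system, in the shape an exit-procedure reconciliation would consume.
HR_ROSTER = [
    {"user": "alice", "status": "active",     "termination_date": None,         "type": "employee"},
    {"user": "bob",   "status": "terminated", "termination_date": "2009-05-15", "type": "employee"},
    {"user": "carol", "status": "terminated", "termination_date": "2009-05-20", "type": "contractor"},
    {"user": "dave",  "status": "active",     "termination_date": None,         "type": "contractor"},
]

ACCOUNTS = [
    {"user": "alice",      "enabled": True,  "roles": {"developer", "release_approver"},    "last_login": "2009-05-25"},
    {"user": "bob",        "enabled": True,  "roles": {"dba"},                              "last_login": "2009-05-22"},
    {"user": "carol",      "enabled": False, "roles": {"developer"},                        "last_login": "2009-05-19"},
    {"user": "dave",       "enabled": True,  "roles": {"billing_admin", "billing_auditor"}, "last_login": "2009-05-24"},
    {"user": "svc_backup", "enabled": True,  "roles": {"backup_operator"},                  "last_login": "2009-05-26"},
]

# Role pairs a single identity should not hold at once (separation of duties).
# The role names are hypothetical; a real policy would come from the organization.
TOXIC_COMBINATIONS = [
    ({"developer", "release_approver"}, "can change product code and approve its own release"),
    ({"billing_admin", "billing_auditor"}, "can alter billing records and sign off the audit of them"),
]


def _parse(d):
    """ISO date string -> date, or None for a missing value."""
    return date.fromisoformat(d) if d else None


def find_lingering_access(hr_roster, accounts):
    """Exit-procedure check: terminated people whose account is still enabled,
    or whose account was used after the termination date.

    Returns a sorted list of (user, finding) tuples.
    """
    terminated = {r["user"]: _parse(r["termination_date"])
                  for r in hr_roster if r["status"] == "terminated"}
    findings = []
    for acct in accounts:
        term_date = terminated.get(acct["user"])
        if term_date is None:
            continue  # not a departed person
        if acct["enabled"]:
            findings.append((acct["user"], "account still enabled after termination"))
        last_login = _parse(acct["last_login"])
        if last_login and last_login > term_date:
            findings.append((acct["user"], "login recorded after termination date"))
    return sorted(findings)


def find_unowned_accounts(hr_roster, accounts):
    """Enabled accounts with no HR record behind them: no exit procedure will
    ever disable these, so each one needs a named owner."""
    known = {r["user"] for r in hr_roster}
    return sorted(a["user"] for a in accounts if a["enabled"] and a["user"] not in known)


def find_sod_violations(accounts, toxic=TOXIC_COMBINATIONS):
    """Separation-of-duties check over enabled accounts, applied to employees
    and contractors alike. Returns sorted (user, reason) tuples."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        for roles, reason in toxic:
            if roles <= acct["roles"]:  # the account holds the whole toxic set
                findings.append((acct["user"], reason))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in find_lingering_access(HR_ROSTER, ACCOUNTS):
        print(f"EXIT  {user}: {finding}")
    for user in find_unowned_accounts(HR_ROSTER, ACCOUNTS):
        print(f"OWNER {user}: enabled account with no HR record")
    for user, reason in find_sod_violations(ACCOUNTS):
        print(f"SOD   {user}: {reason}")
```

Run daily against the real HR and identity exports, the first check catches the case Ito describes (a departed person whose "keys to the castle" were never collected), the second catches shared or service accounts nobody is responsible for, and the third applies the same checks and balances to contractors that full-time staff get.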

The 21st Annual FIRST conference will take place June 28 to July 3, 2009, at the Hotel Granvia in Kyoto, Japan.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals.
