Vulnerabilities / Threats
5/26/2009
06:18 PM
Connect Directly
RSS
E-Mail
50%
50%

Security Experts Raise Alarm Over Insider Threats

Economic troubles raising the stakes on potential threats, FIRST members say

Security researchers and other experts are turning up the heat on insider threats, warning enterprises that the problem is growing and could prove devastating for many enterprises.

In preparation for its meeting in Japan next month, the Forum of Incident Response and Security Teams (FIRST) issued a press release in which its senior officers urge organizations to step up their efforts to protect themselves from insider attacks, saying that many are "ill-prepared for an onslaught which could prove calamitous."

"One of the greatest security threats of our times is from insiders, as organizations lay off tens of thousands of workers," said Scott McIntyre, a FIRST steering committee member and representative of the Netherlands-based KPN Computer Emergency Response Team (CERT). "People know the axe is coming, and the longer employers prolong the swing of that axe, the more danger they expose themselves to, either from sabotage or data theft. An employee who thinks he or she is [going to be laid off] can start fouling up systems which are critical to the organization, or decide to take an unauthorized pay-off by stealing a mass of data."

Yurie Ito, another FIRST steering committee member and director of Japan's JPCERT/CC, agreed. "Don't think you're safer once the employee is laid off and outside the wall," Ito warned. "A lot of these people know how the systems work -- they have the keys to the castle and they know where the secret doors are. Even when companies think they have taken the necessary steps by removing ID and changing passwords, these people have the knowledge and skill that means they still pose a threat. They are extremely dangerous."

Researchers and vendors outside of FIRST also say they are becoming concerned about the threats posed by those with knowledge of corporate systems, such as IT people and privileged users. "The most common insider threats are posed by everyday workers who might walk out with sensitive data on a USB drive," observes Eric Yoshizuru, evangelist at security vendor Symark. "But it's the privileged users who can do the most serious crimes against the organization."

A few years ago, most organizations "trusted their IT organizations to do the right thing," Yoshizuru says. But following a series of very public attacks involving IT people during the past few years, many organizations are beginning to implement tools and processes to protect themselves against threats posed both by employees and the IT people who support them, he notes.

"A lot of companies have been through the wringer with layoffs, and in many cases, the 'survivors' feel overworked, underpaid, and unappreciated," Yoshizuru says. "In some cases, these are people who understand the technical vulnerabilities of the company, but they are nervous -- if they see another layoff coming, they may be tempted to retaliate."

Tom Mullen, security chief for telco giant BT, says organizations must now regard some precautionary measures as a matter of urgency. Exit procedures should be scrutinized and rescrutinized, especially for employees whose severance was involuntary. "You simply must have thorough exit and monitoring plans in place, and these need to be very specific when you're dealing with employees who had any kind of access to critical systems or data," Mullen says. "You have to make sure that under no circumstances can a departing member of staff take any sensitive information out of the organization." Many organizations are approaching the insider threat in much the same way that they approach the external threat: "How is somebody going to get in, what might they steal, and in the worst circumstances, how to restore from backups if outsiders do break in and crash something," notes Derrick Scholl, chair of the FIRST steering committee.

But these methods don't address the real damage that a determined insider might do, Scholl says. "Sure, an insider is capable of stealing corporate secrets, or customer lists, or destroying computers, but their potential for harm is far worse," he states. "Imagine a software company where an insider has the ability to change code in the product without being detected. What if the insider altered design documents or tampered with customer orders? Or ripped out hard drives and corrupted systems just as a big corporation was about to issue its quarterly bills to hundreds of thousands of customers? It's a totally different order of threat, and it requires a different way of thinking."

Organizations today must begin the process of separating duties and building checks and balances into their IT and administrative access schemes, Yoshizuru says. "That extends to systems like Salesforce.com, where the administrator may be outside the IT organization," he notes.

Yoshizuru says steps to prevent insider attack may also extend beyond the employee base. "With tough economic times, a lot of companies are bringing in contractors and temporary employees, but they aren't extending the tools and training to those employees that they do to their full-time workers," he observes. "That's a set of issues that companies should be looking at as well."

The 21st Annual FIRST conference will take place June 28 to July 3, 2009, at the Hotel Granvia in Kyoto, Japan.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3409
Published: 2014-10-25
The Ethernet Connectivity Fault Management (CFM) handling feature in Cisco IOS 12.2(33)SRE9a and earlier and IOS XE 3.13S and earlier allows remote attackers to cause a denial of service (device reload) via malformed CFM packets, aka Bug ID CSCuq93406.

CVE-2014-4620
Published: 2014-10-25
The EMC NetWorker Module for MEDITECH (aka NMMEDI) 3.0 build 87 through 90, when EMC RecoverPoint and Plink are used, stores cleartext RecoverPoint Appliance credentials in nsrmedisv.raw log files, which allows local users to obtain sensitive information by reading these files.

CVE-2014-4623
Published: 2014-10-25
EMC Avamar 6.0.x, 6.1.x, and 7.0.x in Avamar Data Store (ADS) GEN4(S) and Avamar Virtual Edition (AVE), when Password Hardening before 2.0.0.4 is enabled, uses UNIX DES crypt for password hashing, which makes it easier for context-dependent attackers to obtain cleartext passwords via a brute-force a...

CVE-2014-4624
Published: 2014-10-25
EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) 6.x and 7.0.x through 7.0.2-43 do not require authentication for Java API calls, which allows remote attackers to discover grid MCUser and GSAN passwords via a crafted call.

CVE-2014-6151
Published: 2014-10-25
CRLF injection vulnerability in IBM Tivoli Integrated Portal (TIP) 2.2.x allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.