Vulnerabilities / Threats
01:05 AM
Connect Directly
Repost This

Watch The Watchers: 'Trusted' Employees Can Do Damage

A study of insider attacks within financial firms offers lessons to other companies: identify important data, limit access, and scrutinize trusted users most closely

Many aspects of insider attacks have remained constant over nearly the past decade. Roughly half of all companies record an insider incident, about three-quarters do not report the event to law enforcement, and firms typically are split about whether their insider attacks are more damaging than their external compromises.

Yet a report on insider fraud in the financial industry published earlier this year marks a potential departure from the past: More than half of all fraud incidents involved a manager or other trusted employee, an increase over prior years, according to the Software Engineering Institute (SEI) at Carnegie Mellon University. Considering that incidents involving managers caused $200,106 in actual damage on average, nearly double that of incidents involving non-managers, companies should avoid giving managers carte blanche access to their systems.

"Organizations need to focus on managers who may be involved in a fraud event," says Randy Trzeciak, technical team lead for Insider Threat Research Team at SEI's Computer Emergency Response Team (CERT). "Is there anyone really watching the person who is supposed to be watching for fraud being committed in their particular organization?"

Rogue managers not only cause more damage, but they are able to get away with the crimes longer, according to the report. The average crime committed by a manager lasted nearly three years, almost double the 18 months that non-managers were able to conduct their crimes.

The report, funded by the Department of Homeland Security, studied 80 cases of insider fraud in the financial sector provided to CERT by the U.S. Secret Service. The researchers studied 67 insider fraud attacks and 13 external incidents, finding that most fraud was not very technically sophisticated, and while log files and monitoring appear to aid in detecting external breaches, most insider attacks were detected through an audit, customer complaint, or a suspicious co-worker.

[ While essentially a data security and data leak prevention problem, protecting against intellectual-property theft is also about improving a company's overall security posture. See Five Steps To Protecting Intellectual Property. ]

CERT researchers have classified insider attacks into three broad groups: IT sabotage destroys a valuable asset, intellectual property theft aims to steal information of business value, and fraud uses insider access for illicit, personal gain. The report focused on the last category.

In a previous report, CERT found that, while companies see three times more external incidents than internal incidents, that nearly half -- 46 percent -- considered attacks by insiders more damaging than those by outsiders.

"We do believe that organizations are becoming more aware of the insider threat problem," Trzeciak says. "Many organizations that we talked to do recognize insiders as a threat to their data and organizations."

Other reports have noted the same concern. In its 2012 Trust, Security & Passwords survey, security firm Cyber-Ark polled 820 IT managers and found that 71 percent considered insiders a more critical threat than external hackers.

In the past, insiders had most often made off with customer lists, says Adam Bosnian, executive vice president for corporate development at Cyber-Ark. Yet the firm's recent survey found that most IT managers believed that privileged user accounts were more likely to be targeted.

"We ascribe that to, if I get the customers lists, that's a one-and-done sort of thing. If I have the customer list, I can take it to my next company or sell it, and that's it," he says. "If I have the credentials list, that lets me do a lot more follow-on stuff."

Solutions are more about process and people, says Sam Curry, chief technology officer for identity and data protection at RSA. Technology has to keep the attackers guessing, whether they are in internal employees or external attackers.

"Simply staring at where the money went last time is not going to tell you where the money will go this time," Curry says. "The best way to defeat attackers is to keep the cost to break [your defenses] high. And keep the bad guys having to adapt to you, rather than trying to detect them based on last year's tactics."

Cyber-Ark's Bosnian sees the problem in terms of providing a better solution. Software that discovers and monitors privileged systems and privileged users can help keep a company aware of potential insider threats and even detect an attack when it occurs.

Companies need to determine what assets they have that are valuable and could be accessed or harmed by an insider. Then they need to find who has access to the systems and who really needs to have access. A good way to do that is to change the credentials on important accounts -- such as administer and root accounts, but also accounts used by services that could be co-opted -- and see who complains, Bosnian says.

"People come out of the woodwork, saying, 'What happened? I can't get into the database anymore,'" he says. "Take control of the credential, change the credential, and you will find out who still has access."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
9/26/2012 | 2:10:58 AM
re: Watch The Watchers: 'Trusted' Employees Can Do Damage

The fact that
rogue managers not only caused more damage but that they were able to get away
with their crimes for so long should give most organizations pause. The insider
threat not only impacts the financial sector, but every business that values
its IP, customer data and financial health. Your article presents some
excellent advice for keeping potential bad actors
guessing, whether they are internal or external. Database activity monitoring
and protecting data with encryption that applies fine grained access controls
are two other methods that enterprises should consider.

Register for Dark Reading Newsletters
White Papers
Current Issue
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-04-23
Memory leak in Cisco IOS before 15.1(1)SY, when IKEv2 debugging is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted packets, aka Bug ID CSCtn22376.

Published: 2014-04-23
The multicast implementation in Cisco IOS before 15.1(1)SY allows remote attackers to cause a denial of service (Route Processor crash) by sending packets at a high rate, aka Bug ID CSCts37717.

Published: 2014-04-23
Cisco IOS before 15.1(1)SY on ASR 1000 devices, when Multicast Listener Discovery (MLD) tracking is enabled for IPv6, allows remote attackers to cause a denial of service (device reload) via crafted MLD packets, aka Bug ID CSCtz28544.

Published: 2014-04-23
Cisco IOS before 15.1(1)SY, when Multicast Listener Discovery (MLD) snooping is enabled, allows remote attackers to cause a denial of service (CPU consumption or device crash) via MLD packets on a network that contains many IPv6 hosts, aka Bug ID CSCtr88193.

Published: 2014-04-23
Cisco IOS before 15.3(1)T on Cisco 2900 devices, when a VWIC2-2MFT-T1/E1 card is configured for TDM/HDLC mode, allows remote attackers to cause a denial of service (serial-interface outage) via certain Frame Relay traffic, aka Bug ID CSCub13317.

Best of the Web