9/25/2012
01:05 AM
Watch The Watchers: 'Trusted' Employees Can Do Damage

A study of insider attacks within financial firms offers lessons to other companies: identify important data, limit access, and scrutinize trusted users most closely

Many aspects of insider attacks have remained constant over nearly the past decade. Roughly half of all companies record an insider incident, about three-quarters do not report the event to law enforcement, and firms typically are split about whether their insider attacks are more damaging than their external compromises.

Yet a report on insider fraud in the financial industry published earlier this year marks a potential departure from the past: More than half of all fraud incidents involved a manager or other trusted employee, an increase over prior years, according to the Software Engineering Institute (SEI) at Carnegie Mellon University. Considering that incidents involving managers caused $200,106 in actual damage on average, nearly double that of incidents involving non-managers, companies should avoid giving managers carte blanche access to their systems.

"Organizations need to focus on managers who may be involved in a fraud event," says Randy Trzeciak, technical team lead for the Insider Threat Research Team at SEI's Computer Emergency Response Team (CERT). "Is there anyone really watching the person who is supposed to be watching for fraud being committed in their particular organization?"

Rogue managers not only cause more damage, but they are able to get away with the crimes longer, according to the report. The average crime committed by a manager lasted nearly three years, almost double the 18 months that non-managers were able to conduct their crimes.

The report, funded by the Department of Homeland Security, studied 80 cases of insider fraud in the financial sector provided to CERT by the U.S. Secret Service. The researchers studied 67 insider fraud attacks and 13 external incidents, finding that most fraud was not very technically sophisticated, and while log files and monitoring appear to aid in detecting external breaches, most insider attacks were detected through an audit, customer complaint, or a suspicious co-worker.


CERT researchers have classified insider attacks into three broad groups: IT sabotage destroys a valuable asset, intellectual property theft aims to steal information of business value, and fraud uses insider access for illicit, personal gain. The report focused on the last category.

In a previous report, CERT found that, while companies see three times more external incidents than internal incidents, nearly half -- 46 percent -- considered attacks by insiders more damaging than those by outsiders.

"We do believe that organizations are becoming more aware of the insider threat problem," Trzeciak says. "Many organizations that we talked to do recognize insiders as a threat to their data and organizations."

Other reports have noted the same concern. In its 2012 Trust, Security & Passwords survey, security firm Cyber-Ark polled 820 IT managers and found that 71 percent considered insiders a more critical threat than external hackers.

In the past, insiders had most often made off with customer lists, says Adam Bosnian, executive vice president for corporate development at Cyber-Ark. Yet the firm's recent survey found that most IT managers believed that privileged user accounts were more likely to be targeted.

"We ascribe that to, if I get the customer lists, that's a one-and-done sort of thing. If I have the customer list, I can take it to my next company or sell it, and that's it," he says. "If I have the credentials list, that lets me do a lot more follow-on stuff."

Solutions are more about process and people, says Sam Curry, chief technology officer for identity and data protection at RSA. Technology has to keep the attackers guessing, whether they are internal employees or external attackers.

"Simply staring at where the money went last time is not going to tell you where the money will go this time," Curry says. "The best way to defeat attackers is to keep the cost to break [your defenses] high. And keep the bad guys having to adapt to you, rather than trying to detect them based on last year's tactics."

Cyber-Ark's Bosnian sees the problem in terms of providing a better solution. Software that discovers and monitors privileged systems and privileged users can help keep a company aware of potential insider threats and even detect an attack when it occurs.

Companies need to determine what assets they have that are valuable and could be accessed or harmed by an insider. Then they need to find who has access to the systems and who really needs to have access. A good way to do that is to change the credentials on important accounts -- such as administrator and root accounts, but also accounts used by services that could be co-opted -- and see who complains, Bosnian says.

"People come out of the woodwork, saying, 'What happened? I can't get into the database anymore,'" he says. "Take control of the credential, change the credential, and you will find out who still has access."
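One way to carry out the access review Bosnian describes (inventory the valuable assets, compare who holds privileged credentials with who needs them, rotate the credentials, and give managers with privileged access the closest look), written as an added example; it is not code from the article or from Cyber-Ark, and every account, asset and holder name in it is constructed.

```python
"""Privileged-access review following the article's advice: find the valuable
assets, compare who has access with who needs it, rotate credentials, and look
hardest at trusted managers. The inventory is constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    account: str            # privileged account, e.g. root or admin
    asset: str              # the valuable system it reaches
    holder: str             # person or job that knows the credential
    role: str               # "manager", "staff" or "service"
    needed: bool            # asset owner confirmed a business need
    last_rotated_days: int  # age of the credential in days

# Constructed sample inventory; all names are hypothetical.
INVENTORY = [
    Grant("root", "db-prod", "alice", "staff", True, 30),
    Grant("root", "db-prod", "bob", "manager", True, 30),
    Grant("admin", "payments-app", "carol", "staff", False, 200),
    Grant("svc_backup", "db-prod", "backup-job", "service", True, 400),
    Grant("admin", "hr-db", "dave", "manager", True, 10),
]

def review(grants, max_age_days=90):
    """Return (holder, account@asset, reason) findings for an access review."""
    holders = defaultdict(set)
    for g in grants:
        holders[(g.account, g.asset)].add(g.holder)
    findings = []
    for g in grants:
        where = f"{g.account}@{g.asset}"
        if not g.needed:
            findings.append((g.holder, where, "no confirmed need: revoke"))
        if g.role == "manager":
            # SEI found manager-led fraud did about twice the damage and ran
            # about twice as long, so approvers get an independent review.
            findings.append((g.holder, where, "manager holds privileged access: independent review"))
        if len(holders[(g.account, g.asset)]) > 1:
            findings.append((g.holder, where, "shared credential: rotate, issue per-person access"))
        if g.last_rotated_days > max_age_days:
            findings.append((g.holder, where, "stale credential: rotate and see who complains"))
    return findings

def rotation_list(grants, max_age_days=90):
    """Accounts to re-credential now, so that whoever still uses them surfaces."""
    return sorted({where for _, where, reason in review(grants, max_age_days)
                   if reason.split(":")[0] in ("no confirmed need", "shared credential", "stale credential")})
```

The shared-credential finding is what makes the "change it and see who complains" step safe to plan: every holder of the old secret is known before it is rotated.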

Cryptodd
User Rank: Apprentice
9/26/2012 | 2:10:58 AM
re: Watch The Watchers: 'Trusted' Employees Can Do Damage

The fact that rogue managers not only caused more damage but that they were able to get away with their crimes for so long should give most organizations pause. The insider threat not only impacts the financial sector, but every business that values its IP, customer data and financial health. Your article presents some excellent advice for keeping potential bad actors guessing, whether they are internal or external. Database activity monitoring and protecting data with encryption that applies fine-grained access controls are two other methods that enterprises should consider.
