Vulnerabilities / Threats
12/8/2011
11:56 AM
50%
50%

How To Spot Malicious Insiders Before Data Theft

Psychologists identify warning signs that could tip you off that corporate data may be stolen.

According to a new research study, the majority of insider attacks are conducted by 37-year-old Caucasian men. Now, forget that data point, on which too many organizations fixate, misguiding their internal investigations.

"The problem with that is that it's just a demographic statistic, not a psychological profile. What if she is a 57-year-old African-American female?" said Harley Stock, a board-certified forensic psychologist who's managing partner of the Incident Management Group, in an interview. That's why, instead of focusing on demographics, he said that examining a suspected inside-attacker's behavior--including previous rule violations--is a far better way to investigate such cases.

Stock's warning is backed by a new, empirical study of existing research into insider attacks that he conducted with Eric Shaw, a clinical psychologist who helps companies and government agencies investigate insider cases, as well as conduct employee and organizational risk assessments. "We've tried to summarize the best available empirical research--not expert opinion," Shaw said in an interview.

Their resulting report, sponsored by Symantec, found that if companies truly want to prevent or trace insider attacks, especially involving intellectual property (IP), then they should be watching for a handful of warning signs--both when they interview employees, as well as during their employment. If those warning signs should arise, then organizations must follow them up, preferably by already having a workplace response team ready to investigate. Such teams are typically composed of human resources and information security representatives, attorneys or legal representatives from HR, as well as a forensic psychologist.

[ Torrent of attacks has made it a busy year for cybercrime investigators. Check out the 8 Most Notorious Cybercrime Busts Of 2011. ]

Warning signs will vary, but often involve employees with a grudge who are about to change jobs. "Termination, resignation, any exit planning, or rumors [of that] are grounds for an IP insider risk assessment, because it's such a strong finding that people take this stuff when they leave, even with IP agreements," Shaw said.

Watching for suspicious behavior, of course, won't help spot or prevent all inside attacks. But Shaw and Stock's own experience, as well as reviews of research into past insider attacks, has found that organizations often failed to heed obvious warnings signs--not just job changes, but also people displaying escalating levels of rule-breaking or misbehavior, signs of extreme stress, or employees with a grudge who were preparing to change jobs.

Take the case of WikiLeaks suspect Bradley Manning, who's accused of the largest breach of government documents in history. Before that alleged leak, however, Manning had exhibited numerous signs that should have led to his being denied access to top-secret information. "Manning was getting into physical fights, violating the dress code, he was clearly on people's radar, and psychologists had said, 'Don't deploy this guy.' And he was deployed anyway," said Stock.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-2184
Published: 2015-03-27
Movable Type before 5.2.6 does not properly use the Storable::thaw function, which allows remote attackers to execute arbitrary code via the comment_state parameter.

CVE-2014-3619
Published: 2015-03-27
The __socket_proto_state_machine function in GlusterFS 3.5 allows remote attackers to cause a denial of service (infinite loop) via a "00000000" fragment header.

CVE-2014-8121
Published: 2015-03-27
DB_LOOKUP in nss_files/files-XXX.c in the Name Service Switch (NSS) in GNU C Library (aka glibc or libc6) 2.21 and earlier does not properly check if a file is open, which allows remote attackers to cause a denial of service (infinite loop) by performing a look-up while the database is iterated over...

CVE-2014-9712
Published: 2015-03-27
Websense TRITON V-Series appliances before 7.8.3 Hotfix 03 and 7.8.4 before Hotfix 01 allows remote administrators to read arbitrary files and obtain passwords via a crafted path.

CVE-2015-0658
Published: 2015-03-27
The DHCP implementation in the PowerOn Auto Provisioning (POAP) feature in Cisco NX-OS does not properly restrict the initialization process, which allows remote attackers to execute arbitrary commands as root by sending crafted response packets on the local network, aka Bug ID CSCur14589.

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.