Vulnerabilities / Threats
11:56 AM

How To Spot Malicious Insiders Before Data Theft

Psychologists identify warning signs that could tip you off that corporate data may be stolen.

According to a new research study, the majority of insider attacks are conducted by 37-year-old Caucasian men. Now, forget that data point, on which too many organizations fixate, misguiding their internal investigations.

"The problem with that is that it's just a demographic statistic, not a psychological profile. What if she is a 57-year-old African-American female?" said Harley Stock, a board-certified forensic psychologist who's managing partner of the Incident Management Group, in an interview. That's why, instead of focusing on demographics, he said that examining a suspected inside-attacker's behavior--including previous rule violations--is a far better way to investigate such cases.

Stock's warning is backed by a new, empirical study of existing research into insider attacks that he conducted with Eric Shaw, a clinical psychologist who helps companies and government agencies investigate insider cases, as well as conduct employee and organizational risk assessments. "We've tried to summarize the best available empirical research--not expert opinion," Shaw said in an interview.

Their resulting report, sponsored by Symantec, found that if companies truly want to prevent or trace insider attacks, especially involving intellectual property (IP), then they should be watching for a handful of warning signs--both when they interview employees, as well as during their employment. If those warning signs should arise, then organizations must follow them up, preferably by already having a workplace response team ready to investigate. Such teams are typically composed of human resources and information security representatives, attorneys or legal representatives from HR, as well as a forensic psychologist.

[ Torrent of attacks has made it a busy year for cybercrime investigators. Check out the 8 Most Notorious Cybercrime Busts Of 2011. ]

Warning signs will vary, but often involve employees with a grudge who are about to change jobs. "Termination, resignation, any exit planning, or rumors [of that] are grounds for an IP insider risk assessment, because it's such a strong finding that people take this stuff when they leave, even with IP agreements," Shaw said.

Watching for suspicious behavior, of course, won't help spot or prevent all inside attacks. But Shaw and Stock's own experience, as well as reviews of research into past insider attacks, has found that organizations often failed to heed obvious warnings signs--not just job changes, but also people displaying escalating levels of rule-breaking or misbehavior, signs of extreme stress, or employees with a grudge who were preparing to change jobs.

Take the case of WikiLeaks suspect Bradley Manning, who's accused of the largest breach of government documents in history. Before that alleged leak, however, Manning had exhibited numerous signs that should have led to his being denied access to top-secret information. "Manning was getting into physical fights, violating the dress code, he was clearly on people's radar, and psychologists had said, 'Don't deploy this guy.' And he was deployed anyway," said Stock.

1 of 2
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
E-Commerce Security: What Every Enterprise Needs to Know
The mainstream use of EMV smartcards in the US has experts predicting an increase in online fraud. Organizations will need to look at new tools and processes for building better breach detection and response capabilities.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio