Vulnerabilities / Threats
12/8/2011
11:56 AM
50%
50%

How To Spot Malicious Insiders Before Data Theft

Psychologists identify warning signs that could tip you off that corporate data may be stolen.

According to a new research study, the majority of insider attacks are conducted by 37-year-old Caucasian men. Now, forget that data point, on which too many organizations fixate, misguiding their internal investigations.

"The problem with that is that it's just a demographic statistic, not a psychological profile. What if she is a 57-year-old African-American female?" said Harley Stock, a board-certified forensic psychologist who's managing partner of the Incident Management Group, in an interview. That's why, instead of focusing on demographics, he said that examining a suspected inside-attacker's behavior--including previous rule violations--is a far better way to investigate such cases.

Stock's warning is backed by a new, empirical study of existing research into insider attacks that he conducted with Eric Shaw, a clinical psychologist who helps companies and government agencies investigate insider cases, as well as conduct employee and organizational risk assessments. "We've tried to summarize the best available empirical research--not expert opinion," Shaw said in an interview.

Their resulting report, sponsored by Symantec, found that if companies truly want to prevent or trace insider attacks, especially involving intellectual property (IP), then they should be watching for a handful of warning signs--both when they interview employees, as well as during their employment. If those warning signs should arise, then organizations must follow them up, preferably by already having a workplace response team ready to investigate. Such teams are typically composed of human resources and information security representatives, attorneys or legal representatives from HR, as well as a forensic psychologist.

[ Torrent of attacks has made it a busy year for cybercrime investigators. Check out the 8 Most Notorious Cybercrime Busts Of 2011. ]

Warning signs will vary, but often involve employees with a grudge who are about to change jobs. "Termination, resignation, any exit planning, or rumors [of that] are grounds for an IP insider risk assessment, because it's such a strong finding that people take this stuff when they leave, even with IP agreements," Shaw said.

Watching for suspicious behavior, of course, won't help spot or prevent all inside attacks. But Shaw and Stock's own experience, as well as reviews of research into past insider attacks, has found that organizations often failed to heed obvious warnings signs--not just job changes, but also people displaying escalating levels of rule-breaking or misbehavior, signs of extreme stress, or employees with a grudge who were preparing to change jobs.

Take the case of WikiLeaks suspect Bradley Manning, who's accused of the largest breach of government documents in history. Before that alleged leak, however, Manning had exhibited numerous signs that should have led to his being denied access to top-secret information. "Manning was getting into physical fights, violating the dress code, he was clearly on people's radar, and psychologists had said, 'Don't deploy this guy.' And he was deployed anyway," said Stock.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7912
Published: 2015-07-29
The get_option function in dhcp.c in dhcpcd before 6.2.0, as used in dhcpcd 5.x in Android before 5.1 and other products, does not validate the relationship between length fields and the amount of data, which allows remote DHCP servers to execute arbitrary code or cause a denial of service (memory c...

CVE-2014-7913
Published: 2015-07-29
The print_option function in dhcp-common.c in dhcpcd through 6.9.1, as used in dhcp.c in dhcpcd 5.x in Android before 5.1 and other products, misinterprets the return value of the snprintf function, which allows remote DHCP servers to execute arbitrary code or cause a denial of service (memory corru...

CVE-2015-2977
Published: 2015-07-29
Webservice-DIC yoyaku_v41 allows remote attackers to create arbitrary files, and consequently execute arbitrary code, via unspecified vectors.

CVE-2015-2978
Published: 2015-07-29
Webservice-DIC yoyaku_v41 allows remote attackers to bypass authentication and complete a conference-room reservation via unspecified vectors, as demonstrated by an "unintentional reservation."

CVE-2015-2979
Published: 2015-07-29
Webservice-DIC yoyaku_v41 allows remote attackers to execute arbitrary OS commands via unspecified vectors.

Dark Reading Radio
Archived Dark Reading Radio
What’s the future of the venerable firewall? We’ve invited two security industry leaders to make their case: Join us and bring your questions and opinions!