Vulnerabilities / Threats
12/8/2011
11:56 AM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

How To Spot Malicious Insiders Before Data Theft

Psychologists identify warning signs that could tip you off that corporate data may be stolen.

According to a new research study, the majority of insider attacks are conducted by 37-year-old Caucasian men. Now, forget that data point, on which too many organizations fixate, misguiding their internal investigations.

"The problem with that is that it's just a demographic statistic, not a psychological profile. What if she is a 57-year-old African-American female?" said Harley Stock, a board-certified forensic psychologist who's managing partner of the Incident Management Group, in an interview. That's why, instead of focusing on demographics, he said that examining a suspected inside-attacker's behavior--including previous rule violations--is a far better way to investigate such cases.

Stock's warning is backed by a new, empirical study of existing research into insider attacks that he conducted with Eric Shaw, a clinical psychologist who helps companies and government agencies investigate insider cases, as well as conduct employee and organizational risk assessments. "We've tried to summarize the best available empirical research--not expert opinion," Shaw said in an interview.

Their resulting report, sponsored by Symantec, found that if companies truly want to prevent or trace insider attacks, especially involving intellectual property (IP), then they should be watching for a handful of warning signs--both when they interview employees, as well as during their employment. If those warning signs should arise, then organizations must follow them up, preferably by already having a workplace response team ready to investigate. Such teams are typically composed of human resources and information security representatives, attorneys or legal representatives from HR, as well as a forensic psychologist.

[ Torrent of attacks has made it a busy year for cybercrime investigators. Check out the 8 Most Notorious Cybercrime Busts Of 2011. ]

Warning signs will vary, but often involve employees with a grudge who are about to change jobs. "Termination, resignation, any exit planning, or rumors [of that] are grounds for an IP insider risk assessment, because it's such a strong finding that people take this stuff when they leave, even with IP agreements," Shaw said.

Watching for suspicious behavior, of course, won't help spot or prevent all inside attacks. But Shaw and Stock's own experience, as well as reviews of research into past insider attacks, has found that organizations often failed to heed obvious warnings signs--not just job changes, but also people displaying escalating levels of rule-breaking or misbehavior, signs of extreme stress, or employees with a grudge who were preparing to change jobs.

Take the case of WikiLeaks suspect Bradley Manning, who's accused of the largest breach of government documents in history. Before that alleged leak, however, Manning had exhibited numerous signs that should have led to his being denied access to top-secret information. "Manning was getting into physical fights, violating the dress code, he was clearly on people's radar, and psychologists had said, 'Don't deploy this guy.' And he was deployed anyway," said Stock.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-1421
Published: 2014-04-22
Cross-site scripting (XSS) vulnerability in Craig Knudsen WebCalendar before 1.2.5, 1.2.6, and other versions before 1.2.7 allows remote attackers to inject arbitrary web script or HTML via the Category Name field to category.php.

CVE-2013-2105
Published: 2014-04-22
The Show In Browser (show_in_browser) gem 0.0.3 for Ruby allows local users to inject arbitrary web script or HTML via a symlink attack on /tmp/browser.html.

CVE-2013-2187
Published: 2014-04-22
Cross-site scripting (XSS) vulnerability in Apache Archiva 1.2 through 1.2.2 and 1.3 before 1.3.8 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters, related to the home page.

CVE-2013-4116
Published: 2014-04-22
lib/npm.js in Node Packaged Modules (npm) before 1.3.3 allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names that are created when unpacking archives.

CVE-2013-4472
Published: 2014-04-22
The openTempFile function in goo/gfile.cc in Xpdf and Poppler 0.24.3 and earlier, when running on a system other than Unix, allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names.

Best of the Web