Attacks/Breaches

4/13/2017
06:15 PM
95% of Organizations Have Employees Seeking to Bypass Security Controls

Use of TOR, private VPNs on the rise in enterprises, Dtex report shows.

The insider threat issue is well-understood and something that countless surveys have shown poses almost as big a risk to enterprise data security as external attackers.

A report from Dtex this week offers a slightly different look at the problem by highlighting some of the clues that organizations should be looking for to detect and stop insiders engaged in malicious or negligent behaviors.

The Dtex report is based on an analysis of risk assessments conducted by a sample of its customer base. A stunning 95% of the assessments showed employees to be engaged in activities designed to bypass security and web-browsing restrictions at their organizations.

Examples included the use of anonymous web browsers such as TOR, anonymous VPN services, and vulnerability-testing tools such as Metasploit. The use of anonymous VPN services within organizations in fact doubled between 2015 and 2016, according to Dtex.

An overwhelming amount of data from customer assessments has shown that the use of such tools and services by employees is almost always a precursor to data theft or other malicious behavior. “Enterprises usually don’t expect to find such a high volume of employees actively trying to bypass security controls,” says Rajan Koo, senior vice president of customer engineering at Dtex.

Employees using private VPNs and Tor on an enterprise network are typically trying to hide their actions and do something that will not be detected by the organization’s security controls, he says. “Security bypass is the first step towards data theft or other destructive behavior,” Koo says.

For example, if a user threat assessment uncovers an employee using a TOR browser on the network, administrators should treat that as a red flag that the employee is engaging in prohibited or even potentially illegal behavior. Similarly, there’s a high chance that an employee who spends hours researching ways to get around security systems is trying to evade the controls within their own organizations.

“When an employee spends time researching how to bypass security controls, we often find that they are trying to exfiltrate data without being blocked by their DLP or without raising any flags on the network,” Koo says. Or they could be trying to save time by using their favorite tools that are being blocked by corporate security, he says.

Organizations should also not ignore the use of personal email accounts such as Gmail and Yahoo on corporate endpoint devices, Dtex noted in its report. About 87% of the companies whose data Dtex analyzed reported employees using personal web-based email on corporate devices, even though many of them had explicit measures in place to block such use.

While the use of personal email by itself is not a red flag, organizations should not ignore the fact that personal email can be used to enable data theft, the report noted.

Ordinary emails, file attachments, and calendar entries are some of the more obvious channels an employee with malicious intent can use to steal data. Users can also simply use email drafts to save and transfer corporate data out of the network without leaving an obvious trail, Dtex said.

More than half of the companies in the Dtex report also encountered potential data theft issues from people who were about to leave the organization. Leavers, for instance, tend to show higher than normal file aggregation activity in the two weeks before their scheduled departure. The kind of data at risk from such activity includes proprietary plans, client lists and even IP.
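The two indicators the report singles out, security-bypass tooling on the network and a leaver's file-aggregation spike measured against that user's own baseline, as a small detection routine added here (not code from Dtex or from the article); the log format, process names, departure feed and thresholds are all assumptions:

```python
from datetime import date, timedelta

# Constructed sample endpoint log: (day, user, event, detail).
SAMPLE_EVENTS = (
    [(date(2017, 3, 3), "alice", "file_copy", "notes.txt"),
     (date(2017, 3, 20), "alice", "file_copy", "budget.xlsx")]
    # Twelve bulk copies in the fortnight before alice's scheduled departure.
    + [(date(2017, 4, 17) + timedelta(days=i), "alice", "file_copy", f"client_list_{i}.csv")
       for i in range(12)]
    + [(date(2017, 4, 18), "carol", "file_copy", "report.pdf"),
       (date(2017, 4, 12), "bob", "process_start", "tor.exe"),
       (date(2017, 4, 12), "bob", "process_start", "outlook.exe")]
)
# HR feed of scheduled leavers (assumed to be available to the detection job).
DEPARTURES = {"alice": date(2017, 4, 30), "carol": date(2017, 4, 28)}
# Assumed process names for the tool classes the report names:
# anonymous browsers, personal VPN clients, vulnerability-testing tools.
BYPASS_TOOLS = {"tor.exe", "openvpn-gui.exe", "msfconsole"}

def bypass_tool_users(events):
    """Users who started a security-bypass tool; the report treats any hit as a red flag."""
    return sorted({u for _, u, ev, d in events if ev == "process_start" and d in BYPASS_TOOLS})

def file_aggregation_spikes(events, departures, window=14, baseline=28, factor=3.0, min_files=10):
    """Flag leavers whose daily file-copy rate in the `window` days before departure
    exceeds `factor` times their own rate over the preceding `baseline` days.
    Returns {user: (baseline_rate, recent_rate)} for flagged users."""
    flagged = {}
    for user, leave_day in departures.items():
        recent_start = leave_day - timedelta(days=window)
        base_start = recent_start - timedelta(days=baseline)
        base = recent = 0
        for day, u, ev, _ in events:
            if u != user or ev != "file_copy":
                continue
            if base_start <= day < recent_start:
                base += 1
            elif recent_start <= day < leave_day:
                recent += 1
        base_rate, recent_rate = base / baseline, recent / window
        # min_files keeps a quiet user who copies two files from tripping the rule.
        if recent >= min_files and recent_rate > factor * base_rate:
            flagged[user] = (round(base_rate, 2), round(recent_rate, 2))
    return flagged

if __name__ == "__main__":
    print("bypass tools:", bypass_tool_users(SAMPLE_EVENTS))
    print("aggregation spikes:", file_aggregation_spikes(SAMPLE_EVENTS, DEPARTURES))
```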

As numerous other surveys have shown, Dtex's analysis also found that malicious insiders are far from the only insider threat. Fifty-nine percent of the organizations in the report, for instance, reported that employees put them at risk via inappropriate Internet usage, such as viewing pornography or gambling at work.

“Insider breaches are a growing threat to virtually all organizations including mainframe users,” says John Crossno, product manager of Compuware’s security solutions group, which recently released a tool designed to mitigate the threat.

The increasing number of incidents in which employees fall prey to phishing and other social engineering attacks and hand over authorized user credentials to attackers has made even otherwise secure mainframe environments vulnerable, he says. He points to the massive data breach at the U.S. Office of Personnel Management in 2015 as one example of how attackers are able to gain access to critical mainframe systems by acquiring the valid credentials to do it.

In the mainframe environment, “enterprises have traditionally relied on insufficient methods to identify threats including disparate logs and [system-level] data gathered by security products to piece together user behavior,” he says. What is needed is a much more comprehensive approach to monitor and analyze mainframe application user behavior to detect insider breaches.

“The best way to detect threats before they cause damage is by collecting and analyzing data from various sources which provide a baseline for behaviors and stressors most closely linked to insider threats,” says Thomas Read, vice president of security analytics at Haystax Technology, in recent comments to Dark Reading.

Often, organizations focus their insider threat mitigation efforts on the end point but do little to understand the likelihood of an insider going rogue or causing a data breach because of a lack of training.

“Harold Martin – the contractor for the NSA found with stolen classified files – had a history of bad behaviors that were never flagged by insider threat controls,” he says as one example. “He also had access to the information as part of his job, and walked off the NSA site with the files. Network controls never would have detected this.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
Comments
tarasazs,
User Rank: Apprentice
4/18/2017 | 4:43:32 PM
Is it really that easy?
I really liked the article and a round of applause for that, but as an employee myself, I have seen many of my colleagues using anonymous tools to hide their online activities, and when asked about their use of these tools in the office even though they are restricted, they rationalised it by saying that they suspect our online communications could be stored and that is why they do it. Not a very legit excuse, I think.
OferA070,
User Rank: Apprentice
4/16/2017 | 10:49:16 AM
BYOD trend
Very interesting article!

I believe that part of this is the result of BYOD policies in enterprise networks and the inability to control them properly. Enterprises should reach a balance between security and productivity, not by allowing people to use their own devices without any supervision.