

8/16/2010
07:47 PM

Inside Verizon's Insider Threat Data

Verizon Business' latest Data Breach Investigations Report shows insiders as a growing threat -- but increase comes from a selective data set

For security firms that argue malicious insiders are a greater threat than outside attackers, the latest Verizon Data Breach Investigations Report seems like vindication: The proportion of incidents with an insider agent doubled to 48 percent, while attacks with an external hacker dropped to 70 percent. Incidents involving data theft from the outside still account for the majority of attacks -- with insiders catching up.

The driving factor behind the increase in insider attacks was not the economic downturn -- an oft-argued opinion -- but rather the inclusion of a new data set in Verizon's database, says Alex Hutton, principal of research and intelligence for Verizon Business. The U.S. Secret Service joined much of its caseload data to Verizon's database, adding a large number of incidents where the victim had a better idea of the identity of the attacker and believed the person could be prosecuted. Both factors tend to favor incidents with an insider component. "With the Secret Service [cases], we got exposed to a whole new set of data," Hutton says of the report.

Overall, Verizon still sees external attackers as the major threat, however. When an outsider steals data, he absconds with a massive number of records. In 2009, breaches caused by outside criminals accounted for about 139 million stolen records, while insiders accounted for only 2.6 million records. "A record that has been exposed is 70 times more likely to have been exposed by an external source than by an internal source," Hutton says.

Verizon doesn't refute the threat of insiders -- just the assertion that insiders pose the greatest risk. Companies should have defenses that work against insiders, outsiders, and partners, Hutton says. Identity and access management are essential controls that companies need in order to block -- or at least slow down -- attackers.

"We are not dismissing the insider threat at all," he says. "We are asking people to prioritize their records. If you are the CIO and in charge of security, you should certainly have controls."

Typically, executives, network administrators, and finance staff are the most problematic insiders: They tend to have higher privileges within the company and are less likely to be subject to oversight. While Verizon's report found that half of all IT security incidents were caused by regular workers, privileged employees usually are the ones to target the company's most sensitive data. In many cases, those breaches are not considered IT security issues.

Software developers are another class of privileged employee whom companies have not typically scrutinized. At the recent Defcon hacking convention, security firm Fortify Software touted a specialized ruleset for its code-analysis product that aims to catch malicious code inserted into programs by developers. "Developers have access to a lot of sensitive information in the company," says Matias Madou, principal security researcher for Fortify.

In 2008, a financial firm readying a round of layoffs for its internal developers approached Fortify for a way to make sure unwelcome surprises were not left behind, Madou says. So Fortify started working on an add-on ruleset that catches time-sensitive destructive code as well as backdoors. "There is a lot of malicious code put in by insiders," he says. "Some of these pieces of code can be dormant for a long time."

Verizon's report ranks software developers as the sixth biggest insider threat (lower than the help-desk staff), with only 3 percent of incidents involving a developer.

One lesson learned from the Verizon report: Check your logs. According to the report, 90 percent of the time companies had logs available from the time of the incident, but they managed to discover the breach in only five percent of cases. "We have little doubt ... that if the organizations we've studied had tuned their systems to alert on abnormalities like this and actually looked into them when alarms went off, that five percent [of discovered breaches] would be a lot higher," Verizon stated in the report.

Finding evidence of an attack is easier when you know there has been a breach, but Verizon points to three flags in log files that indicate an attack has happened: a large increase in logged data, entries in the log that are abnormally long, or an abrupt decrease in log data. Rather than searching for exact signatures in the logs -- the proverbial needle in a haystack -- look for the major characteristics, the company advises.

"It cannot be a pleasant experience to learn that the six months of log data you've been collecting contained all the necessary indicators of a breach," Verizon says in the report, adding, "the value of monitoring -- perhaps we should say 'mining' -- logs cannot be overstated. The signs are there. We just need to get better at recognizing them."
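The three log characteristics Verizon singles out (a jump in volume, abnormally long entries, and an abrupt drop in volume) are cheap to check without any signature database. The script below is an added example written for this page; it is not code from Verizon's report or from Dark Reading. It buckets syslog-style lines by hour, builds a baseline from buckets that looked normal, and flags any later bucket whose line count or longest entry departs from that baseline. The sample log lines, the hour bucketing, and the multipliers `SPIKE_FACTOR`, `DROP_FACTOR`, `LONG_FACTOR` and `MIN_BASELINE` are all constructed assumptions to be tuned against real data.

```python
"""Volume-and-length anomaly check over log lines (added example, not the
report's own method). Sample data and thresholds are constructed assumptions."""
import statistics
from collections import Counter, defaultdict

SPIKE_FACTOR = 3.0   # bucket volume > 3x baseline median  -> "large increase"
DROP_FACTOR = 3.0    # bucket volume < baseline median / 3 -> "abrupt decrease"
LONG_FACTOR = 5.0    # line length > 5x baseline median    -> "abnormally long"
MIN_BASELINE = 3     # number of buckets observed before we start judging

# Constructed sample: hours 00-05 are a quiet baseline of 10 lines/hour,
# hour 06 produces a 60-line burst, hour 07 contains one ~2 KB entry,
# and hour 08 drops to a single line (as if logging had been switched off).
SAMPLE_LOG = [
    f"2010-08-16T{h:02d}:{m:02d}:00 web01 sshd[1]: Accepted publickey for deploy from 10.0.0.5"
    for h in range(6) for m in range(0, 60, 6)
] + [
    f"2010-08-16T06:{m:02d}:00 web01 sshd[2]: Failed password for root from 203.0.113.9"
    for m in range(60)
] + [
    f"2010-08-16T07:{m:02d}:00 web01 app[3]: request ok" for m in range(0, 60, 6)
] + [
    "2010-08-16T07:30:00 web01 app[3]: query=" + "A" * 2000,
    "2010-08-16T08:00:00 web01 app[3]: heartbeat",
]


def bucket_of(line):
    """Hour bucket = first 13 chars of an ISO-8601 timestamp ('YYYY-MM-DDTHH')."""
    return line[:13]


def detect_log_anomalies(lines):
    """Return (bucket, kind, value) findings in chronological order.

    Buckets that are flagged are NOT folded into the baseline, so a burst of
    noise cannot raise the bar for the buckets that follow it.
    """
    counts = Counter()
    lengths = defaultdict(list)
    for line in lines:
        b = bucket_of(line)
        counts[b] += 1
        lengths[b].append(len(line))

    findings = []
    baseline_counts = []    # per-bucket line counts from "normal" buckets
    baseline_lengths = []   # individual line lengths from "normal" buckets
    for b in sorted(counts):
        flagged = False
        if len(baseline_counts) >= MIN_BASELINE:
            vol_med = statistics.median(baseline_counts)
            len_med = statistics.median(baseline_lengths)
            if counts[b] > SPIKE_FACTOR * vol_med:
                findings.append((b, "volume_spike", counts[b]))
                flagged = True
            elif counts[b] < vol_med / DROP_FACTOR:
                findings.append((b, "volume_drop", counts[b]))
                flagged = True
            longest = max(lengths[b])
            if longest > LONG_FACTOR * len_med:
                findings.append((b, "long_entry", longest))
                flagged = True
        if not flagged:
            baseline_counts.append(counts[b])
            baseline_lengths.extend(lengths[b])
    return findings


if __name__ == "__main__":
    for bucket, kind, value in detect_log_anomalies(SAMPLE_LOG):
        print(f"{bucket}  {kind:13s}  {value}")
```

Run against the constructed sample it reports the 06:00 burst, the oversized 07:30 entry and the near-silent 08:00 hour, which is exactly the triage list the report suggests reviewing before reaching for exact signatures. On real data the bucket width and multipliers should be set from a few weeks of known-good history, and the "volume drop" branch deserves particular attention: a log source that goes quiet is as much a finding as one that gets loud.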
