
Cloud | Commentary
1/13/2015 10:30 AM
Kaushik Narayan

Insider Threats in the Cloud: 6 Harrowing Tales

The cloud has vastly expanded the scope of rogue insiders. Read on to discover the latest threat actors and scenarios.

The most widely advertised risks to data in the cloud typically focus on vulnerability to external attackers, but in private conversations security teams frequently voice concern over threats from within their own organizations.

When you think of insider threats, you probably worry about headline-grabbing incidents in which whistle-blowers expose data to the media, as in the case of Edward Snowden. The reality is that these highly visible yet rare cases are only the tip of the iceberg. The bulk of insider threats are either well-intentioned but careless employees or rogue insiders in pursuit of personal gain. These cases fly under the radar: While only 17% of security professionals were aware of an insider threat within their organization in the past year, usage data from Skyhigh’s latest Cloud Adoption and Risk Report revealed anomalous activity highly indicative of insider threat in 85% of organizations.

The cloud has vastly expanded the scope of insider threat. The sheer number of cloud applications (over 8,000) and the immaturity of auditing and governance controls relative to on-premises applications result in a lack of visibility and governance. Read on, if you dare, for harrowing tales of insider threats -- cloud edition.

The salesperson jumps ship
In one of the most common insider threat scenarios, a sales representative leaves the company for a competitor, taking sales leads with him. Concern over defectors leaving with data is prevalent in organizations of all industries and sizes, especially in competitive markets. Stealing leads is difficult to detect, not only because it occurs on sanctioned corporate services, but also because it adversely affects business.

Cloud services have made this type of event unrecognizable compared with the classic theft of a physical stack of leads, à la Glengarry Glen Ross. Salesforce makes a huge number of leads accessible to employees at the click of a button. The challenge for enterprises, which can easily have thousands of Salesforce users logging in each day, is identifying unusual, anomalous activity against a background of typical everyday activity.
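The detection problem described above, as an added example that is not code from the article or from Skyhigh: each user's exports are compared against that user's own earlier days, and a new account with no history (the cold-start case) is compared against everyone else's baseline instead. The audit lines and threshold values are constructed for illustration.

```python
"""Flag anomalous CRM lead exports against a per-user baseline.

Added example, not code from the article or from Skyhigh Networks. The
audit lines below are constructed to mimic a generic CRM export trail:
date, user, action, number of records exported.
"""
from statistics import median

# Constructed sample audit trail (not real data). alice and carol bulk-export
# on 2015-01-09; carol is a new account with no export history of her own.
AUDIT_LINES = """\
2015-01-05 alice ReportExport 120
2015-01-05 bob ReportExport 40
2015-01-06 alice ReportExport 95
2015-01-06 bob ReportExport 55
2015-01-07 alice ReportExport 130
2015-01-07 bob ReportExport 45
2015-01-08 alice ReportExport 110
2015-01-08 bob ReportExport 50
2015-01-09 alice ReportExport 4800
2015-01-09 bob ReportExport 60
2015-01-09 carol ReportExport 3500
"""

def parse_audit(text):
    """Return [(date, user, count), ...] for ReportExport events, sorted by date then user."""
    events = []
    for line in text.splitlines():
        date, user, action, count = line.split()
        if action == "ReportExport":
            events.append((date, user, int(count)))
    return sorted(events)

def find_anomalies(events, ratio=5.0, min_history=3, absolute=1000):
    """Flag an export that is both >= `absolute` records and > `ratio` times the
    median of the user's earlier days. A user with fewer than `min_history`
    earlier exports (cold start) is measured against the median of everyone's
    earlier exports, so a new account that immediately bulk-exports is still
    caught. Returns [(date, user, count, baseline), ...]."""
    flagged = []
    for date, user, count in events:
        prior_all = [c for d, u, c in events if d < date]
        prior_user = [c for d, u, c in events if d < date and u == user]
        if len(prior_user) >= min_history:
            baseline = median(prior_user)
        elif prior_all:
            baseline = median(prior_all)
        else:
            continue  # first day in the log: nothing to compare against yet
        if count >= absolute and count > ratio * baseline:
            flagged.append((date, user, count, baseline))
    return flagged

if __name__ == "__main__":
    for date, user, count, baseline in find_anomalies(parse_audit(AUDIT_LINES)):
        print(f"{date} {user}: exported {count} records vs baseline {baseline:g}")
```

The absolute floor keeps a low-volume user's normal day-to-day variation from tripping the ratio test; both thresholds would be tuned to the organization's real export volumes.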

When admins go rogue
Employees at all levels of an organization rely on cloud services to do their jobs, including the C-suite. Privileged users, however, have unique authority: administrative access to data housed in a cloud service.

A large technology company I spoke with voiced concern over internal administrators for their CRM software. These admins were responsible for managing users’ permissions and security policies. At the same time, they personally had access to business data stored in the cloud service, constituting a security liability. Another example: an administrator for a cloud-based storage service can access executive-only financial projections and conduct insider trading with the confidential information.

Danger from within
Insider threat is typically discussed in the context of enterprise employees, but cloud-service-provider employees present another vector for the exfiltration of data from within. Take, for example, a cloud service used internally by Human Resources. An employee of the cloud service provider has access to sensitive corporate data hosted in that service. Depending on the user agreement, the cloud service provider may not even be liable for lost data. This scenario illustrates why enterprise cloud use must include security controls that protect against both external and internal threats.

The virtual globetrotter
Cloud services enable worldwide collaboration, but the same trait allows data to wander where it shouldn’t. In a famous episode of unprecedented audacity, a developer at an unnamed company outsourced his own job to a Chinese counterpart. He paid a worker in China to complete his assignments and kept the margin. Legality aside, the creatively devious workflow obviously exposed his employer to an array of security concerns, as corporate data was openly shared with a third party.

Shady services stand out
Some cloud services flat-out mean trouble for businesses. Violating company cloud usage policies constitutes another type of insider threat, and can range in severity from illicit Facebook use to illegal file sharing. On the more drastic side of the spectrum is the employee who uploads data to a development site such as CodeHaus, which claims ownership of uploaded intellectual property in its user agreement terms. The infamous worst user in the world used 182 high-risk cloud services at work, uploading 9.3GB to code-sharing site SourceForge and 3GB to file-sharing site ZippyShare. Sending data to these services may have legal ramifications and may even hurt the business if sensitive intellectual property is leaked.

Paved with good intentions
Not all insider threats come from malicious perpetrators. The wealth of consumer applications in the enterprise makes it possible for employees to inadvertently leak data to outsiders with just one click. One hapless worker at a financial services organization accidentally uploaded sensitive customer data to Facebook -- definitely worse than your average case of “oversharing” on social media. Employees accidentally commit security missteps in the process of doing their jobs. At a hospital, one team set out to foster collaboration and improve patient outcomes by storing patient medical records in a consumer-grade file sharing service. When the service suffered a breach, HIPAA regulations forced the hospital to notify patients and exposed it to a lawsuit.

Kaushik Narayan is a Co-Founder and CTO at Skyhigh Networks, a cloud security company, where he is responsible for Skyhigh's technology vision and software architecture. He brings over 18 years of experience driving technology and architecture strategy for enterprise-class ...

Comments
RyanSepe (User Rank: Ninja), 1/16/2015 | 8:28:34 AM
Re: Talk about outsourcing
Yes, cloud services offer a new type of attack vertical. Especially when, depending on the type of service (IaaS, PaaS, SaaS), you have different constraints as to what safeguards you are allowed to place on the data, as there are different data governance policies.
Marilyn Cohodas (User Rank: Strategist), 1/14/2015 | 9:25:55 AM
Re: Talk about outsourcing
Some of these insider personas are definitely familiar -- or a version of a familiar rogue actor. Enterprise apps like Salesforce definitely expose companies to risks that were not on the radar even a few years ago. It's scary. And the problem is not going to get easier.
RyanSepe (User Rank: Ninja), 1/14/2015 | 9:15:21 AM
Tech Savvy
I think it's important to note that many people are not technology savvy. Negligent employees are a more common risk, and it's because without any awareness training in security they are looking for the easiest way to perform their job function. However, easiest rarely coincides with most secure, and this is why it is imperative that security policies are well communicated and enforced within an organization, as well as regular security awareness training.
RyanSepe (User Rank: Ninja), 1/14/2015 | 9:09:01 AM
Re: Talk about outsourcing
@Marilyn.

Yes, it's wild how a security shortcoming that apparent can be overlooked! Or, even worse, acknowledged and simply done anyway. I would be interested to see how prevalent this is, as this is not the first time I've heard of this occurrence. India is another area where unknown outsourcing is common.
Marilyn Cohodas (User Rank: Strategist), 1/13/2015 | 1:09:07 PM
Talk about outsourcing
What a sweet deal for the virtual globetrotter. Well, at least until he got caught. Details are quite revealing. According to ABCNews, the developer sent his company login key through FedEx to a third-party contractor in China, who did the work while globetrotter spent the day on social media and eBay. All the while getting "excellent remarks" in performance reviews.