
9/22/2010
08:52 PM
Eric Cole
Commentary

Different Flavors Of The Insider Threat

There are different categories of insider threats, based on the level of access the employee has. There are four types: pure insider, insider associate, insider affiliate, and outside affiliate. Each of these categories also has different motives. Understanding each is a key to building proper preventive and detective defenses.

A pure insider is an employee with all the rights and access associated with being employed by the company. With pure insiders, the key areas to focus on to detect or prevent damage are access, behavior, and money. Typically, pure insiders have keys or a badge to get access to the facility, a logon to get access to the network, and can walk around the building unescorted. They can cause the most damage because they already have most of the access they need. A pure insider can be further classified as an elevated pure insider: an insider who has additional privileged access. This usually includes system administrators who have root or administrator access on the network. These people were given the additional access to do their jobs; however, in many cases, they are given more access than they need.

The second factor that comes into play is behavior. In many cases, when someone commits an insider attack, there have been personal behavior patterns that were predictive of it. Usually they openly spoke badly about the company or management. They tended to be unhappy and angry at work and might even have stated that one of these days they were going to get back at the company.

A third driving factor with the pure insider is money. Many of the people who perform these attacks have financial issues. A normal employee would not carry out an insider attack. However, an employee who is under a high level of stress and is having financial issues may jump at the opportunity to eliminate their problems.

The insider associate is someone with limited authorized access. Contractors, guards, and cleaning and plant services all fit under this category. They are not employees of the company and do not need full access, but they need limited access. Limited access usually takes the form of physical access to the facility but not access to the network. Organizations commonly think that because sensitive information is locked away in an office, it is protected. What many people forget is that others have access to that office for various reasons, such as cleaning or maintenance. It is imperative that all sensitive data be properly secured.

Employees must be educated about security issues in order to prevent these types of insider threats. Employees should be taught to properly secure sensitive data and to log out of critical systems before walking away from them.

The insider affiliate is a spouse, friend, or even client of an employee who uses the employee's credentials to gain access. This can be as simple as a friend coming to visit you, so you get them a badge for the building. When you take a phone call, they go to use the restroom, and on the way back they wander around looking at what is on people's computers and on their desks. The more damaging insider affiliate is someone who directly acts as an employee using the employee's credentials.

The most common case is remote access. Your spouse wants to sit on the couch and surf the Web and wants to borrow your laptop. You give them your user ID and password so they can log on and access the Internet. While the intent was for the spouse to only access the Internet, what other information does the spouse now have access to?

While this can cause some problems, it can usually be controlled. Organizations should have clearly written policies and procedures, explain them to all employees, and require each employee to sign off that they understand them. Then, any deviation from the policy can be taken as a deliberate action on the part of an employee.

The final category of insider threat is the outside affiliate. Outside affiliates are non-trusted outsiders who use open access to gain access to an organization's resources. A great example of this is an outsider gaining unauthorized access to wireless access points. It is imperative that organizations secure all wireless access points just as they must secure the front door after daily business hours. Although the outside affiliate seems obvious, it is often overlooked by many companies. Protecting against the outside affiliate requires proper access controls to be in place for all types of access, including virtual and physical access.

Dr. Eric Cole, Ph.D., is a security expert with more than 15 years of hands-on experience. Cole has experience in information technology with a focus on perimeter defense, secure network design, vulnerability discovery, penetration testing, and intrusion detection systems. He is the author of several books, including Hackers Beware, Hiding in Plain Sight, Network Security Bible, and Insider Threat. He is the inventor of more than 20 patents, and is a researcher, writer, and speaker. Cole is a member of the Commission on Cyber Security for the 44th President and several executive advisory boards, and is CTO of the Americas for McAfee. Cole is involved with the SANS Technology Institute (STI) and SANS working with students, teaching, and maintaining and developing courseware. He is a SANS fellow, instructor, and course author. Dr. Cole has 20 years of hands-on experience in information technology with a focus on building out dynamic defense solutions that protect organizations from advanced threats. He has a Master's degree in computer science from NYIT and a Doctorate from Pace University, with a ...
