
Perimeter
9/22/2010 08:52 PM
Eric Cole
Commentary

Different Flavors Of The Insider Threat

There are different categories of insider threats, based on the level of access the employee has. There are four types: pure insider, insider associate, insider affiliate, and outside affiliate. Each of these categories also has different motives. Understanding each is a key to building proper preventive and detective defenses.

A pure insider is an employee with all the rights and access associated with being employed by the company. With pure insiders, the key areas to focus on to detect or prevent damage are access, behavior, and money.

The first factor is access. Typically, pure insiders have keys or a badge to get access to the facility, a logon to get access to the network, and can walk around the building unescorted. They can cause the most damage because they already have most of the access they need. Pure insiders can be further classified as elevated pure insiders. An elevated pure insider is an insider who has additional privileged access. This usually includes system administrators who have root or administrator access on the network. These people were given the additional access to do their jobs; however, in many cases, they are given more access than they need.

The second factor that comes into play is behavior. In many cases, when someone commits an insider attack, there have usually been personal behavior patterns that were predictive of such behavior. Usually they openly talked bad about the company or management. They tended to be unhappy and angry at work and might even have stated that one of these days they were going to get back at the company.

A third driving factor with the pure insider is money. Many of the people who perform these attacks have financial issues. A normal employee would not commit an insider attack. However, an employee who is under a high level of stress and is having financial issues may jump at the opportunity to eliminate their problems.

The insider associate is someone with limited authorized access. Contractors, guards, and cleaning and plant services all fit under this category. They are not employees of the company and do not need full access, but they need limited access. Limited access usually takes the form of having physical access to the facility but not access to the network. Organizations commonly assume that because sensitive information is locked away in an office, it is protected. What many people forget is that others have access to that office for various reasons, such as cleaning or maintenance. It is imperative that all sensitive data be properly secured.

Employees must be educated about security issues in order to prevent these types of insider threats. Employees should be taught to properly secure sensitive data and to log out of critical systems before walking away from them.

The insider affiliate is a spouse, friend, or even client of an employee who uses the employee's credentials to gain access. This can be as simple as a friend coming to visit you, so you get them a badge for the building. When you take a phone call they go to use the restroom and on the way back they wander around looking at what is on people's computers and on their desks. The more damaging insider affiliate is someone who directly acts as an employee using the employee's credentials.

The most common is remote access. Your spouse wants to sit on the couch and surf the Web and wants to borrow your laptop. You give them your user ID and password so they can log on and access the Internet. While the intent was for the spouse to only access the Internet, what other information does the spouse now have access to?

While this can cause some problems, it can usually be controlled. Organizations should have clearly written policies and procedures, explain them to all employees, and require each employee to sign off that they understand them. Then, any deviation from the policy can be taken as a deliberate action on the part of the employee.
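The credential-lending scenario above (the insider affiliate) leaves a distinctive trace in remote-access logs: one account with two sessions open at the same time from different source addresses. The following is an added example, not code from the article or its author; it assumes a constructed VPN log format of timestamp, user, LOGIN/LOGOUT, and source IP, and flags accounts whose sessions overlap from distinct addresses.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample VPN log lines (not from the article):
# ISO timestamp, account name, event, source IP address.
SAMPLE_LOG = """\
2010-09-22T18:02:11 alice LOGIN 203.0.113.10
2010-09-22T18:05:40 alice LOGIN 198.51.100.7
2010-09-22T19:10:05 alice LOGOUT 203.0.113.10
2010-09-22T20:30:00 alice LOGOUT 198.51.100.7
2010-09-22T18:20:00 bob LOGIN 192.0.2.44
2010-09-22T18:45:00 bob LOGOUT 192.0.2.44
2010-09-22T19:00:00 bob LOGIN 192.0.2.44
"""


def parse_line(line):
    """Split one log line into (datetime, user, event, ip)."""
    ts, user, event, ip = line.split()
    return datetime.fromisoformat(ts), user, event, ip


def find_shared_credentials(log_text):
    """Return {user: [(ip_a, ip_b), ...]} for accounts that had two
    sessions open simultaneously from different source addresses.

    An employee lending a login to a spouse or friend typically shows
    up exactly this way; one person reconnecting from the same address
    (bob below) does not."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    open_sessions = defaultdict(dict)  # user -> {source ip: login time}
    findings = defaultdict(set)
    for ts, user, event, ip in events:
        if event == "LOGIN":
            # Any session still open from another address overlaps this one.
            for other_ip in open_sessions[user]:
                if other_ip != ip:
                    findings[user].add(tuple(sorted((other_ip, ip))))
            open_sessions[user][ip] = ts
        elif event == "LOGOUT":
            open_sessions[user].pop(ip, None)
    return {user: sorted(pairs) for user, pairs in findings.items()}


if __name__ == "__main__":
    for user, pairs in find_shared_credentials(SAMPLE_LOG).items():
        print(f"possible shared credential: {user} from {pairs}")
```

A hit is a lead for the policy conversation the paragraph describes, not proof of misuse on its own: the same pattern can come from a legitimate second device, so it should be checked against the signed policy before being treated as a deliberate violation.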

The final category of insider threat is the outside affiliate. Outside affiliates are non-trusted outsiders who use open access to gain access to an organization's resources. A great example of this is an outsider gaining unauthorized access to wireless access points. It is imperative that organizations secure all wireless access points just as they must secure the front door after daily business hours. Although the outside affiliate seems obvious, it is often overlooked by many companies. Protecting against the outside affiliate requires proper access controls in place for all types of access, including virtual and physical access.

Dr. Eric Cole, Ph.D., is a security expert with more than 15 years of hands-on experience. Cole has experience in information technology with a focus on perimeter defense, secure network design, vulnerability discovery, penetration testing, and intrusion detection systems. He is the author of several books, including Hackers Beware, Hiding in Plain Sight, Network Security Bible, and Insider Threat. He is the inventor of more than 20 patents, and is a researcher, writer, and speaker. Cole is a member of the Commission on Cyber Security for the 44th President and several executive advisory boards, and is CTO of the Americas for McAfee. Cole is involved with the SANS Technology Institute (STI) and SANS, working with students, teaching, and maintaining and developing courseware. He is a SANS fellow, instructor, and course author. Dr. Cole has 20 years of hands-on experience in information technology with a focus on building out dynamic defense solutions that protect organizations from advanced threats. He has a Master's degree in computer science from NYIT and a Doctorate from Pace University, with a ...
