Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


08:52 PM
Eric Cole
Eric Cole
Connect Directly

Different Flavors Of The Insider Threat

There are different categories of insider threats, based on the level of access the employee has. There are four types: pure insider, insider associate, insider affiliate, and outside affiliate. Each of these categories also has different motives. Understanding each is a key to building proper preventive and detective defenses.

There are different categories of insider threats, based on the level of access the employee has. There are four types: pure insider, insider associate, insider affiliate, and outside affiliate. Each of these categories also has different motives. Understanding each is a key to building proper preventive and detective defenses.A pure insider is an employee with all the rights and access associated with being employed by the company. With pure insiders, the key areas to focus in on to detect or prevent damage are access, behavior, and money. Typically, pure insiders have keys or a badge to get access to the facility, a logon to get access to the network, and can walk around the building unescorted. They can cause the most damage because they already have most of the access they need. Pure insiders can be further classified as an elevated pure insider. An elevated pure insider is an insider who has additional privileged access. This usually includes system administrators who have root or administrator access on the network. These people were given the additional access to do their jobs; however, in many cases, they are given more access than what they need.

The second factor that comes into play is behavior. In many cases, when someone commits an insider attack, there have usually been personal behavior patterns that were predictive of such behavior. Usually they openly talked bad about the company or management. They tended to be unhappy and angry at work and might even have stated that one of these days they were going to get back at the company.

A third driving factor with the pure insider is money. Many of the people who perform these attacks have financial issues. A normal employee would not commit insider threat. However, an employee who is under a high level of stress and is having financial issues may jump at the opportunity to eliminate their problems.

The insider associate is someone with limited authorized access. Contractors, guards, and cleaning and plant services all fit under this category. They are not employees of the company and do not need full access, but they need limited access. Limited access usually takes the form of having physical access to the facility but not access to the network. Organizations commonly think that because sensitive information is locked away in an office means it is protected. What many people forget is that others have access to that office for various reasons such as cleaning or maintenance. It is imperative that all sensitive data be properly secured.

Employees must be educated about security issues in order to prevent these types of insider threats. Employees should be taught to properly secure sensitive data and to log out of critical systems before walking away from them.

The insider affiliate is a spouse, friend, or even client of an employee who uses the employee's credentials to gain access. This can be as simple as a friend coming to visit you, so you get them a badge for the building. When you take a phone call they go to use the restroom and on the way back they wander around looking at what is on people's computers and on their desks. The more damaging insider affiliate is someone who directly acts as an employee using the employee's credentials.

The most common is remote access. Your spouse wants to sit on the couch and surf the Web and wants to borrow your laptop. You give them your user ID and password so they can log on and access the Internet. While the intent was for the spouse to only access the Internet, what other information does the spouse now have access to?

While this can cause some problems, it can usually be controlled. Organizations should have clearly written policies and procedures, they should be explained to all employees, and require that the employee signs off that they understand them. Then, any deviation from the policy can be taken as a deliberate action on the part of an employee.

The final category of insider threat is the outside affiliate. Outside affiliates are non-trusted outsiders who use open access to gain access to an organization's resources. A great example of this is an outsider gaining unauthorized access to wireless access points. It is imperative that organizations secure all wireless access points just as they must secure the front door after daily business hours. Although the outside affiliate seems obvious, it is often overlooked by many companies. Protecting against the outside affiliate requires proper access controls in place for all types of access, including virtual and physical access.

Dr. Eric Cole, Ph.D., is a security expert with more than 15 years of hands-on experience. Cole has experience in information technology with a focus on perimeter defense, secure network design, vulnerability discovery, penetration testing, and intrusion detection systems. He is the author of several books, including Hackers Beware, Hiding in Plain Site, Network Security Bible, and Insider Threat. He is the inventor of more than 20 patents, and is a researcher, writer, and speaker. Cole is a member of the Commission on Cyber Security for the 44th President and several executive advisory boards, and is CTO of the Americas for McAfee. Cole is involved with the SANS Technology Institute (STI) and SANS working with students, teaching, and maintaining and developing courseware. He is a SANS fellow, instructor, and course author. Dr. Cole has 20 years of hands-on experience in information technology with a focus on building out dynamic defense solutions that protect organizations from advanced threats. He has a Master's degree in computer science from NYIT and a Doctorate from Pace University, with a ... View Full Bio

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
HackerOne Drops Mobile Voting App Vendor Voatz
Dark Reading Staff 3/30/2020
Limited-Time Free Offers to Secure the Enterprise Amid COVID-19
Curtis Franklin Jr., Senior Editor at Dark Reading,  3/31/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-04-04
Dell EMC Isilon OneFS versions 8.2.2 and earlier contain a denial of service vulnerability. SmartConnect had an error condition that may be triggered to loop, using CPU and potentially preventing other SmartConnect DNS responses.
PUBLISHED: 2020-04-04
Dell Latitude 7202 Rugged Tablet BIOS versions prior to A28 contain a UAF vulnerability in EFI_BOOT_SERVICES in system management mode. A local unauthenticated attacker may exploit this vulnerability by overwriting the EFI_BOOT_SERVICES structure to execute arbitrary code in system management mode.
PUBLISHED: 2020-04-03
A security restriction bypass vulnerability has been discovered in Revive Adserver version < 5.0.5 by HackerOne user hoangn144. Revive Adserver, like many other applications, requires the logged in user to type the current password in order to change the e-mail address or the password. It was how...
PUBLISHED: 2020-04-03
An Open Redirect vulnerability was discovered in Revive Adserver version < 5.0.5 and reported by HackerOne user hoangn144. A remote attacker could trick logged-in users to open a specifically crafted link and have them redirected to any destination.The CSRF protection of the “/...
PUBLISHED: 2020-04-03
Flaw in input validation in npm package utils-extend version 1.0.8 and earlier may allow prototype pollution attack that may result in remote code execution or denial of service of applications using utils-extend.