Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

11/9/2009
09:39 AM
Eric Cole
Eric Cole
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Insider Threat Reality Check

Organizations tend to think once they hire an employee or a contractor, that person is now part of a trusted group of people. Although an organization might give an employee additional access that an ordinary person would not have, why should it trust that person?

Organizations tend to think once they hire an employee or a contractor, that person is now part of a trusted group of people. Although an organization might give an employee additional access that an ordinary person would not have, why should it trust that person?Many organizations don't perform background and/or reference checks, and as long as the hiring manager likes the candidates, they will hire them. But some people might not be who you think they are, and not properly validating them can be an expensive, if not fatal, mistake. Because many organizations hire complete strangers, who are really unknown entities, and give them access to sensitive data, the insider threat is something that all organizations must now worry about.

If a competitor or similar entity wants to cause damage to your organization, steal critical secrets, or put you out of business, then all it has to do is find a job opening, prep someone to ace the interview, have that person get hired -- and they are in.

The fact that this is easy to do should scare you. Many companies have jobs open for several weeks, and it could take a couple of weeks to set up an interview. That gives a competitor focused on your company a four-week period to prep someone to ace an interview. This is what foreign governments do when they plant a spy against another country. They know a key criterion for that person is passing the polygraph, so they will put that person through intensive training in order to do so.

This points out an organization's key disadvantage: The attacker knows what process you are going to follow to hire someone, and all it has to do is prep someone to ace that part of the process.

I often hear people say all of that is hype and cannot happen to them. This is synonymous to thinking bad things only happen to others -- until they happen to you, of course, and then you have a different view of the world.

Public attacks, like defacing a Web site, are hard for a company to deny. On the other hand, insider threats are occurring all the time, but since they are happening within a company, they are a private attack and are easier to conceal.

Because these attacks are perpetrated by trusted insiders, you need to understand the damage they can cause, how to build proper measures to prevent the attack, how to minimize the damage, and, at a minimum, how to detect the attacks in a timely manner.

Many of the measures companies deploy today are ineffective against the insider. When companies talk about security and securing their enterprises, they are concerned with the external attack, forgetting about the damage that an insider can cause. Many people debate about what percent of attacks come from insiders versus outsiders. But both can cause damage to your company and put you out of business, so who cares what the percent is?

Both have to be addressed and dealt with. I would argue that since the insider already has access, the amount of damage he can cause is much greater than an external attacker, while the chances of getting caught are much lower. If an attacker comes in from the outside, then he has access only to systems that are publicly accessible, and he has to break through security devices. If an attacker comes from the inside, then she has full access and minimal, if any, security devices to deal with. As our digital economy continues to grow and the stakes increase, anyone who wants serious access to an organization is not going to waste his time with an external attack -- he is going to go right for the trusted insider.

Meanwhile, everyone is jumping on the bandwagon. The U.S. Secret Service conducted a series of studies on the insider; conferences are popping up on the subject. Why? Because billions of dollars are being lost and something has to be done to stop the bleeding. You will never be able to completely remove the insider threat because companies need to be able to function. You can't fire all of your employees to prevent an insider attack. The key is to strike a balance between what access people need and what access people have.

Dr. Eric Cole, Ph.D., is a security expert with more than 15 years of hands-on experience. Cole has experience in information technology with a focus on perimeter defense, secure network design, vulnerability discovery, penetration testing, and intrusion detection systems. He is the author of several books, including Hackers Beware, Hiding in Plain Site, Network Security Bible, and Insider Threat. He is the inventor of more than 20 patents, and is a researcher, writer, and speaker. Cole is a member of the Commission on Cyber Security for the 44th President and several executive advisory boards, and is CTO of the Americas for McAfee. Cole is involved with the SANS Technology Institute (STI) and SANS working with students, teaching, and maintaining and developing courseware. He is a SANS fellow, instructor, and course author. Dr. Cole has 20 years of hands-on experience in information technology with a focus on building out dynamic defense solutions that protect organizations from advanced threats. He has a Master's degree in computer science from NYIT and a Doctorate from Pace University, with a ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
How to Think Like a Hacker
Dr. Giovanni Vigna, Chief Technology Officer at Lastline,  10/10/2019
7 SMB Security Tips That Will Keep Your Company Safe
Steve Zurier, Contributing Writer,  10/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: The old using of sock puppets for Shoulder Surfing technique. 
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17672
PUBLISHED: 2019-10-17
WordPress before 5.2.4 is vulnerable to a stored XSS attack to inject JavaScript into STYLE elements.
CVE-2019-17673
PUBLISHED: 2019-10-17
WordPress before 5.2.4 is vulnerable to poisoning of the cache of JSON GET requests because certain requests lack a Vary: Origin header.
CVE-2019-17674
PUBLISHED: 2019-10-17
WordPress before 5.2.4 is vulnerable to stored XSS (cross-site scripting) via the Customizer.
CVE-2019-17675
PUBLISHED: 2019-10-17
WordPress before 5.2.4 does not properly consider type confusion during validation of the referer in the admin pages, possibly leading to CSRF.
CVE-2019-17676
PUBLISHED: 2019-10-17
app/system/admin/admin/index.class.php in MetInfo 7.0.0beta allows a CSRF attack to add a user account via a doSaveSetup action to admin/index.php, as demonstrated by an admin/?n=admin&c=index&a=doSaveSetup URI.