Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:39 AM
Eric Cole
Eric Cole
Connect Directly

Insider Threat Reality Check

Organizations tend to think once they hire an employee or a contractor, that person is now part of a trusted group of people. Although an organization might give an employee additional access that an ordinary person would not have, why should it trust that person?

Organizations tend to think once they hire an employee or a contractor, that person is now part of a trusted group of people. Although an organization might give an employee additional access that an ordinary person would not have, why should it trust that person?Many organizations don't perform background and/or reference checks, and as long as the hiring manager likes the candidates, they will hire them. But some people might not be who you think they are, and not properly validating them can be an expensive, if not fatal, mistake. Because many organizations hire complete strangers, who are really unknown entities, and give them access to sensitive data, the insider threat is something that all organizations must now worry about.

If a competitor or similar entity wants to cause damage to your organization, steal critical secrets, or put you out of business, then all it has to do is find a job opening, prep someone to ace the interview, have that person get hired -- and they are in.

The fact that this is easy to do should scare you. Many companies have jobs open for several weeks, and it could take a couple of weeks to set up an interview. That gives a competitor focused on your company a four-week period to prep someone to ace an interview. This is what foreign governments do when they plant a spy against another country. They know a key criterion for that person is passing the polygraph, so they will put that person through intensive training in order to do so.

This points out an organization's key disadvantage: The attacker knows what process you are going to follow to hire someone, and all it has to do is prep someone to ace that part of the process.

I often hear people say all of that is hype and cannot happen to them. This is synonymous to thinking bad things only happen to others -- until they happen to you, of course, and then you have a different view of the world.

Public attacks, like defacing a Web site, are hard for a company to deny. On the other hand, insider threats are occurring all the time, but since they are happening within a company, they are a private attack and are easier to conceal.

Because these attacks are perpetrated by trusted insiders, you need to understand the damage they can cause, how to build proper measures to prevent the attack, how to minimize the damage, and, at a minimum, how to detect the attacks in a timely manner.

Many of the measures companies deploy today are ineffective against the insider. When companies talk about security and securing their enterprises, they are concerned with the external attack, forgetting about the damage that an insider can cause. Many people debate about what percent of attacks come from insiders versus outsiders. But both can cause damage to your company and put you out of business, so who cares what the percent is?

Both have to be addressed and dealt with. I would argue that since the insider already has access, the amount of damage he can cause is much greater than an external attacker, while the chances of getting caught are much lower. If an attacker comes in from the outside, then he has access only to systems that are publicly accessible, and he has to break through security devices. If an attacker comes from the inside, then she has full access and minimal, if any, security devices to deal with. As our digital economy continues to grow and the stakes increase, anyone who wants serious access to an organization is not going to waste his time with an external attack -- he is going to go right for the trusted insider.

Meanwhile, everyone is jumping on the bandwagon. The U.S. Secret Service conducted a series of studies on the insider; conferences are popping up on the subject. Why? Because billions of dollars are being lost and something has to be done to stop the bleeding. You will never be able to completely remove the insider threat because companies need to be able to function. You can't fire all of your employees to prevent an insider attack. The key is to strike a balance between what access people need and what access people have.

Dr. Eric Cole, Ph.D., is a security expert with more than 15 years of hands-on experience. Cole has experience in information technology with a focus on perimeter defense, secure network design, vulnerability discovery, penetration testing, and intrusion detection systems. He is the author of several books, including Hackers Beware, Hiding in Plain Site, Network Security Bible, and Insider Threat. He is the inventor of more than 20 patents, and is a researcher, writer, and speaker. Cole is a member of the Commission on Cyber Security for the 44th President and several executive advisory boards, and is CTO of the Americas for McAfee. Cole is involved with the SANS Technology Institute (STI) and SANS working with students, teaching, and maintaining and developing courseware. He is a SANS fellow, instructor, and course author. Dr. Cole has 20 years of hands-on experience in information technology with a focus on building out dynamic defense solutions that protect organizations from advanced threats. He has a Master's degree in computer science from NYIT and a Doctorate from Pace University, with a ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-12-09
alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.
PUBLISHED: 2019-12-09
In "Xray Test Management for Jira" prior to version 3.5.5, remote authenticated attackers can cause XSS in the generic field entry point via the Generic Test Definition field of a new Generic Test issue.
PUBLISHED: 2019-12-09
In "Xray Test Management for Jira" prior to version 3.5.5, remote authenticated attackers can cause XSS in the Pre-Condition Summary entry point via the summary field of a Create Pre-Condition action for a new Test Issue.
PUBLISHED: 2019-12-09
radare2 through 4.0.0 lacks validation of the content variable in the function r_asm_pseudo_incbin at libr/asm/asm.c, ultimately leading to an arbitrary write. This allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted input.
PUBLISHED: 2019-12-09
In the macho_parse_file functionality in macho/macho.c of YARA 3.11.0, command_size may be inconsistent with the real size. A specially crafted MachO file can cause an out-of-bounds memory access, resulting in Denial of Service (application crash) or potential code execution.