
Perimeter

11/9/2009
09:39 AM
Eric Cole
Commentary

Insider Threat Reality Check

Organizations tend to think once they hire an employee or a contractor, that person is now part of a trusted group of people. Although an organization might give an employee additional access that an ordinary person would not have, why should it trust that person?

Many organizations don't perform background and/or reference checks, and as long as the hiring manager likes the candidates, they will hire them. But some people might not be who you think they are, and not properly validating them can be an expensive, if not fatal, mistake. Because many organizations hire complete strangers, who are really unknown entities, and give them access to sensitive data, the insider threat is something that all organizations must now worry about.

If a competitor or similar entity wants to cause damage to your organization, steal critical secrets, or put you out of business, then all it has to do is find a job opening, prep someone to ace the interview, have that person get hired -- and they are in.

The fact that this is easy to do should scare you. Many companies have jobs open for several weeks, and it could take a couple of weeks to set up an interview. That gives a competitor focused on your company a four-week period to prep someone to ace an interview. This is what foreign governments do when they plant a spy against another country. They know a key criterion for that person is passing the polygraph, so they will put that person through intensive training in order to do so.

This points out an organization's key disadvantage: The attacker knows what process you are going to follow to hire someone, and all it has to do is prep someone to ace that part of the process.

I often hear people say all of that is hype and cannot happen to them. This is synonymous with thinking bad things only happen to others -- until they happen to you, of course, and then you have a different view of the world.

Public attacks, like defacing a Web site, are hard for a company to deny. Insider attacks, on the other hand, are occurring all the time, but because they happen within a company they are private attacks and are easier to conceal.

Because these attacks are perpetrated by trusted insiders, you need to understand the damage they can cause, how to build proper measures to prevent the attack, how to minimize the damage, and, at a minimum, how to detect the attacks in a timely manner.

Many of the measures companies deploy today are ineffective against the insider. When companies talk about security and securing their enterprises, they are concerned with the external attack, forgetting about the damage that an insider can cause. Many people debate what percentage of attacks come from insiders versus outsiders. But both can cause damage to your company and put you out of business, so who cares what the percentage is?

Both have to be addressed and dealt with. I would argue that since the insider already has access, the amount of damage he can cause is much greater than an external attacker, while the chances of getting caught are much lower. If an attacker comes in from the outside, then he has access only to systems that are publicly accessible, and he has to break through security devices. If an attacker comes from the inside, then she has full access and minimal, if any, security devices to deal with. As our digital economy continues to grow and the stakes increase, anyone who wants serious access to an organization is not going to waste his time with an external attack -- he is going to go right for the trusted insider.

Meanwhile, everyone is jumping on the bandwagon. The U.S. Secret Service conducted a series of studies on the insider; conferences are popping up on the subject. Why? Because billions of dollars are being lost and something has to be done to stop the bleeding. You will never be able to completely remove the insider threat because companies need to be able to function. You can't fire all of your employees to prevent an insider attack. The key is to strike a balance between what access people need and what access people have.

Dr. Eric Cole, Ph.D., is a security expert with more than 15 years of hands-on experience. Cole has experience in information technology with a focus on perimeter defense, secure network design, vulnerability discovery, penetration testing, and intrusion detection systems. He is the author of several books, including Hackers Beware, Hiding in Plain Site, Network Security Bible, and Insider Threat. He is the inventor of more than 20 patents, and is a researcher, writer, and speaker. Cole is a member of the Commission on Cyber Security for the 44th President and several executive advisory boards, and is CTO of the Americas for McAfee. Cole is involved with the SANS Technology Institute (STI) and SANS working with students, teaching, and maintaining and developing courseware. He is a SANS fellow, instructor, and course author. Dr. Cole has 20 years of hands-on experience in information technology with a focus on building out dynamic defense solutions that protect organizations from advanced threats. He has a Master's degree in computer science from NYIT and a Doctorate from Pace University, with a ...
