Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

11/9/2009
09:39 AM
Eric Cole
Eric Cole
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Insider Threat Reality Check

Organizations tend to think once they hire an employee or a contractor, that person is now part of a trusted group of people. Although an organization might give an employee additional access that an ordinary person would not have, why should it trust that person?

Organizations tend to think once they hire an employee or a contractor, that person is now part of a trusted group of people. Although an organization might give an employee additional access that an ordinary person would not have, why should it trust that person?Many organizations don't perform background and/or reference checks, and as long as the hiring manager likes the candidates, they will hire them. But some people might not be who you think they are, and not properly validating them can be an expensive, if not fatal, mistake. Because many organizations hire complete strangers, who are really unknown entities, and give them access to sensitive data, the insider threat is something that all organizations must now worry about.

If a competitor or similar entity wants to cause damage to your organization, steal critical secrets, or put you out of business, then all it has to do is find a job opening, prep someone to ace the interview, have that person get hired -- and they are in.

The fact that this is easy to do should scare you. Many companies have jobs open for several weeks, and it could take a couple of weeks to set up an interview. That gives a competitor focused on your company a four-week period to prep someone to ace an interview. This is what foreign governments do when they plant a spy against another country. They know a key criterion for that person is passing the polygraph, so they will put that person through intensive training in order to do so.

This points out an organization's key disadvantage: The attacker knows what process you are going to follow to hire someone, and all it has to do is prep someone to ace that part of the process.

I often hear people say all of that is hype and cannot happen to them. This is synonymous to thinking bad things only happen to others -- until they happen to you, of course, and then you have a different view of the world.

Public attacks, like defacing a Web site, are hard for a company to deny. On the other hand, insider threats are occurring all the time, but since they are happening within a company, they are a private attack and are easier to conceal.

Because these attacks are perpetrated by trusted insiders, you need to understand the damage they can cause, how to build proper measures to prevent the attack, how to minimize the damage, and, at a minimum, how to detect the attacks in a timely manner.

Many of the measures companies deploy today are ineffective against the insider. When companies talk about security and securing their enterprises, they are concerned with the external attack, forgetting about the damage that an insider can cause. Many people debate about what percent of attacks come from insiders versus outsiders. But both can cause damage to your company and put you out of business, so who cares what the percent is?

Both have to be addressed and dealt with. I would argue that since the insider already has access, the amount of damage he can cause is much greater than an external attacker, while the chances of getting caught are much lower. If an attacker comes in from the outside, then he has access only to systems that are publicly accessible, and he has to break through security devices. If an attacker comes from the inside, then she has full access and minimal, if any, security devices to deal with. As our digital economy continues to grow and the stakes increase, anyone who wants serious access to an organization is not going to waste his time with an external attack -- he is going to go right for the trusted insider.

Meanwhile, everyone is jumping on the bandwagon. The U.S. Secret Service conducted a series of studies on the insider; conferences are popping up on the subject. Why? Because billions of dollars are being lost and something has to be done to stop the bleeding. You will never be able to completely remove the insider threat because companies need to be able to function. You can't fire all of your employees to prevent an insider attack. The key is to strike a balance between what access people need and what access people have.

Dr. Eric Cole, Ph.D., is a security expert with more than 15 years of hands-on experience. Cole has experience in information technology with a focus on perimeter defense, secure network design, vulnerability discovery, penetration testing, and intrusion detection systems. He is the author of several books, including Hackers Beware, Hiding in Plain Site, Network Security Bible, and Insider Threat. He is the inventor of more than 20 patents, and is a researcher, writer, and speaker. Cole is a member of the Commission on Cyber Security for the 44th President and several executive advisory boards, and is CTO of the Americas for McAfee. Cole is involved with the SANS Technology Institute (STI) and SANS working with students, teaching, and maintaining and developing courseware. He is a SANS fellow, instructor, and course author. Dr. Cole has 20 years of hands-on experience in information technology with a focus on building out dynamic defense solutions that protect organizations from advanced threats. He has a Master's degree in computer science from NYIT and a Doctorate from Pace University, with a ... View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9498
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
CVE-2020-3282
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
CVE-2020-5909
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
CVE-2020-5910
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
CVE-2020-5911
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.