New report offers insights on how to keep the bad apples from spoiling your company's whole barrel of data

Michael A. Davis, CTO of CounterTack

May 22, 2009


A Special Analysis For Dark Reading

Excerpted from "Rotten Apples: How To Detect And Stop Malicious Insiders In Your Organization," a new, downloadable report posted today on the Dark Reading Insider Threat Tech Center.

In our last Dark Reading Insider Threat Tech Center report, "Well-Meaning Employees -- And How To Stop Them," we discussed the most common breaches that originate from within the organization -- those that are caused by well-meaning employees who innocently or unknowingly violate security policies in an effort to get their jobs done. Now it's time to discuss the most unusual -- but perhaps the most dangerous -- insider threat: the employee who knowingly breaks security policy to achieve a selfish or malicious end.

Deliberate insider threats fall into three main areas:

  • theft for financial gain;

  • system or data sabotage, usually to "get revenge" or gain attention; and

  • theft to gain a competitive advantage, sometimes called corporate espionage.

Theft for financial gain is one of the most common malicious threats today, particularly given the poor economic climate, and usually involves an insider abusing access privileges to steal personal data or customer lists that can be sold to criminals. This type of theft is usually carried out by a nontechnical end user who has everyday access to sensitive information.

Sabotage, on the other hand, is most often committed by savvy IT staffers who know how to damage the company's data. And theft for competitive advantage may involve stealing sensitive data, such as customer lists, or intellectual property, such as plans or designs.

What's amazing about all of these malicious insider attacks is that the majority of the breaches occur within a few weeks of the day that an employee resigns or is terminated.

According to most experts, enterprises in 2009 will be hit with an increase in all three major categories of insider threats. Sadly, though, most companies don't have anyone focusing on the insider threat -- malicious or otherwise -- even though the security industry has been talking about it for years.

What can you put into place to help prevent the insider threat from breaching your enterprise in 2009? Several best practices exist, but they all have one common bond: You must actually look at the reports your systems generate! Many insider attacks go unnoticed because attackers develop tools and innovations while no one else is watching.

There's a lot to be said about security awareness training, too. Some companies don't believe in it, while others don't do it well, but in my practice as a security consultant I have seen training lead to some incredible cultural changes within organizations -- and significantly reduce the risk of an insider attack. In the case of malicious insiders, the education is not targeted at the user -- who clearly doesn't care about security policy and is bent on breaking it -- but on the insider's potential colleagues, who might recognize the warning signs that a co-worker is about to be bad and need to know what to do about it.

When I discuss insider threat technology with clients, I teach them this mantra: "If you can't prevent it, you must detect it." Simply put, if you identify a risk, then you should attempt to prevent it. But if you can't prevent it, then implement a detection technology that can at least help you determine how and when it happened. Many organizations focus too heavily on policy and don't implement the technology required to enforce it.

Detection, in fact, plays a critical role in all risk controls; network and operating system logging is vital. According to CERT, 68 percent of theft for competitive advantage takes place within three weeks of an employee leaving his/her job. Logging can help detect this activity. Disgruntled employees often act out of the norm by creating unknown accounts, setting up backdoor connections, and other behaviors that proper logging can detect.
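The correlation the previous two paragraphs describe, detecting out-of-the-norm activity by matching system logs against who is leaving, is straightforward to script. The following is an added example, not code from the report or from the author: it assumes a constructed HR roster of usernames with separation dates and a constructed, hypothetical key=value log format, and it flags any event that falls after an employee's separation date, any event within the three-week window the CERT figure cites, and any account creation where the new account is unknown to HR.

```python
"""Correlate log events with HR separation dates to surface insider-threat
warning signs: activity after separation, activity inside the three-week
window around leaving, and creation of accounts HR does not know about.

Added example. The roster, the log format and every log line below are
constructed for illustration; none of it comes from the report or a real system.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
import re

# Constructed HR roster: username -> separation date (None = still employed).
HR_ROSTER = {
    "jdoe": date(2009, 5, 15),    # already left
    "asmith": None,               # current employee
    "bwong": date(2009, 6, 5),    # notice given, last day still ahead
    "svc_backup": None,           # known service account
}

# Constructed log lines in a hypothetical "timestamp key=value ..." format.
SAMPLE_LOG = """\
2009-05-20T23:12:01 host=fileserver01 event=login user=jdoe src=10.0.3.17
2009-05-20T23:14:55 host=fileserver01 event=useradd user=jdoe new_user=svc_maint
2009-05-21T02:03:10 host=fileserver01 event=file_copy user=jdoe path=/data/customers.csv size=48201993
2009-05-21T08:45:00 host=fileserver01 event=login user=asmith src=10.0.2.44
2009-05-28T19:30:12 host=vpn01 event=login user=bwong src=203.0.113.9
2009-06-30T11:00:00 host=fileserver01 event=login user=jdoe src=10.0.3.17
"""

# The report cites CERT: most theft for competitive advantage happens within
# three weeks of the employee leaving, so that is the review window used here.
RISK_WINDOW = timedelta(weeks=3)

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


@dataclass
class Finding:
    timestamp: datetime
    user: str
    reason: str
    line: str


def parse_line(line):
    """Parse one constructed log line into a dict; return None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = datetime.fromisoformat(m.group("ts"))
    return fields


def classify(event_day, separation):
    """Return a reason string if the event date is risky relative to separation."""
    if separation is None:
        return None
    if event_day > separation:
        # Any activity after the last day means the account was never disabled.
        return f"activity after separation date {separation}"
    if separation - event_day <= RISK_WINDOW:
        return f"activity within {RISK_WINDOW.days} days before separation {separation}"
    return None


def analyze(log_text, roster):
    """Run every log line against the roster and collect findings."""
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or "user" not in ev:
            continue
        user = ev["user"]
        if user not in roster:
            # Account HR has no record of: exactly the "unknown account" sign.
            findings.append(Finding(ev["ts"], user, "account unknown to HR", raw))
            continue
        reason = classify(ev["ts"].date(), roster[user])
        if reason:
            findings.append(Finding(ev["ts"], user, reason, raw))
        if ev.get("event") == "useradd" and ev.get("new_user") not in roster:
            findings.append(Finding(ev["ts"], user,
                                    f"created account '{ev['new_user']}' not in HR roster", raw))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG, HR_ROSTER):
        print(f"{f.timestamp:%Y-%m-%d %H:%M} {f.user:10} {f.reason}")
```

Run as a script, it prints one line per finding; the current employee's ordinary login produces nothing, while every event by the departed user is flagged, including the login six weeks later that shows the account was never disabled. In practice the roster would come from the HR system and the log lines from a central log collector, but the logic is the same: the logs only help if someone joins them to the offboarding list and reads the result.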

Aside from logging, there are several other technologies you can use to help detect and mitigate the threat of malicious insider attacks. To find out more about them, download the full report from the Dark Reading Insider Threat Tech Center.


About the Author(s)

Michael A. Davis

CTO of CounterTack

Michael A. Davis has been privileged to help shape and educate the global community on the evolution of IT security. His portfolio of clients includes international corporations such as AT&T, Sears, and Exelon as well as the U.S. Department of Defense. Davis's early embrace of entrepreneurship earned him a spot on BusinessWeek's "Top 25 Under 25" list, recognizing his launch of IT security consulting firm Savid Technologies, one of the fastest-growing companies of its decade. He has a passion for educating others and, as a contributing author for the *Hacking Exposed* books, has become a keynote speaker at dozens of conferences and symposiums worldwide.

Davis serves as CTO of CounterTack, provider of an endpoint security platform delivering real-time cyberthreat detection and forensics. He joined the company because he recognized that the battle is moving to the endpoint and that conventional IT security technologies can't protect enterprises. Rather, he saw a need to deliver to the community continuous attack monitoring backed by automated threat analysis.

Davis brings a solid background in IT threat assessment and protection to his latest posting, having been Senior Manager Global Threats for McAfee prior to launching Savid, which was acquired by External IT. Aside from his work advancing cybersecurity, Davis writes for industry publications including InformationWeek and Dark Reading. Additionally, he has been a partner in a number of diverse entrepreneurial startups; held a leadership position at 3Com; managed two Internet service providers; and recently served as President/CEO of the InClaro Group, a firm providing information security advisory and consulting services based on a unique risk assessment methodology.
