Excerpted from "Rotten Apples: How To Detect And Stop Malicious Insiders In Your Organization," a new, downloadable report posted today on the Dark Reading Insider Threat Tech Center.
In our last Dark Reading Insider Threat Tech Center report, "Well-Meaning Employees -- And How To Stop Them," we discussed the most common breaches that originate from within the organization -- those that are caused by well-meaning employees who innocently or unknowingly violate security policies in an effort to get their jobs done. Now it's time to discuss the most unusual -- but perhaps the most dangerous -- insider threat: the employee who knowingly breaks security policy to achieve a selfish or malicious end.
Deliberate insider threats fall into three main areas:
- theft for financial gain;
- system or data sabotage, usually to "get revenge" or gain attention; and
- theft to gain a competitive advantage, sometimes called corporate espionage.
Theft for financial gain is one of the most common malicious threats today, particularly given the poor economic climate, and usually involves an insider abusing access privileges to steal personal data or customer lists that can be sold to criminals. This type of theft is usually carried out by a nontechnical end user who has everyday access to sensitive information.
Sabotage, on the other hand, is most often committed by savvy IT staffers who know how to damage the company's data. And theft for competitive advantage may involve stealing sensitive data, such as customer lists, or intellectual property, such as plans or designs.
What's amazing about all of these malicious insider attacks is that the majority of the breaches occur within a few weeks of the day that an employee resigns or is terminated.
According to most experts, enterprises in 2009 will be hit with an increase in all three major categories of insider threats. Sadly, though, most companies don't have anyone focusing on the insider threat -- malicious or otherwise -- even though the security industry has been talking about it for years.
What can you put into place to keep the insider threat from breaching your enterprise in 2009? Several best practices exist, but they all share one requirement: you must actually read the reports and logs your systems generate. Many insider attacks go unnoticed simply because no one is watching, which gives the insider time to build tools and refine techniques at leisure.
There's a lot to be said about security awareness training, too. Some companies don't believe in it, while others don't do it well, but in my practice as a security consultant I have seen training lead to some incredible cultural changes within organizations and significantly reduce the risk of an insider attack. In the case of malicious insiders, the education is not targeted at the user, who clearly doesn't care about security policy and is bent on breaking it, but at the insider's potential colleagues, who might recognize the warning signs that a co-worker is about to act maliciously and who need to know what to do about it.
When I discuss insider threat technology with clients, I teach them this mantra: "If you can't prevent it, you must detect it." Simply put, if you identify a risk, then you should attempt to prevent it. But if you can't prevent it, then implement a detection technology that can at least help you determine how and when it happened. Many organizations focus too heavily on policy and don't implement the technology required to enforce it.
Detection, in fact, plays a critical role in all risk controls, and network and operating system logging is vital. According to CERT, 68 percent of theft for competitive advantage takes place within three weeks of an employee leaving his or her job. Logging can help detect this activity. Disgruntled employees often act outside the norm by creating accounts no one else knows about, setting up backdoor connections, and engaging in other behaviors that proper logging can reveal.
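As an added example (not code from the report or from Dark Reading), the following Python script shows what "if you can't prevent it, you must detect it" looks like in practice: it joins an HR roster of departure dates against auth log lines and flags the three behaviors just described, namely a departing employee creating an account, an account being created that HR does not know about, and a login by an account after its owner's last day. The roster, hostnames, IP addresses and log lines are all constructed for the example; the log format assumed is the ISO-timestamped syslog style that rsyslog can emit, with sudo and sshd messages in their usual shape.

```python
"""Flag departure-window activity in auth logs (constructed example data)."""
import re
from datetime import date, datetime, timedelta

# Constructed HR roster (hypothetical): user -> last day, or None if still employed.
ROSTER = {
    "jsmith": date(2009, 3, 6),
    "amiller": None,
    "rlee": date(2009, 1, 15),
}

# Three-week window: the period the CERT figure cited above refers to.
WINDOW = timedelta(days=21)

# Constructed log lines (hypothetical host, users and IPs) in ISO-timestamp syslog style.
LOG_LINES = """\
2009-03-03T10:12:01 srv1 sudo: jsmith : TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/usr/sbin/useradd -m svc_backup
2009-03-03T10:12:02 srv1 useradd[1234]: new user: name=svc_backup, UID=1003, GID=1003, home=/home/svc_backup, shell=/bin/bash
2009-03-04T09:01:44 srv1 sshd[2001]: Accepted publickey for amiller from 192.0.2.10 port 51022 ssh2
2009-03-05T23:41:10 srv1 sshd[2211]: Accepted publickey for jsmith from 203.0.113.7 port 5122 ssh2
2009-03-09T02:15:33 srv1 sshd[2390]: Accepted password for svc_backup from 203.0.113.7 port 5130 ssh2
2009-03-10T08:30:00 srv1 sshd[2402]: Accepted publickey for rlee from 198.51.100.4 port 40100 ssh2
"""

TS_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<rest>.*)$")
# sudo line whose COMMAND is useradd; the last token is taken as the new account name.
SUDO_USERADD_RE = re.compile(
    r"^sudo:\s+(?P<actor>\S+) : .*COMMAND=\S*useradd\b.*\s(?P<newuser>\S+)$")
SSHD_RE = re.compile(r"^sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)")


def parse(line):
    """Split one log line into (timestamp, host, message) or None if malformed."""
    m = TS_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["host"], m["rest"]


def in_departure_window(user, when, roster=ROSTER, window=WINDOW):
    """True if the user has a known last day and `when` falls in the window before it."""
    last = roster.get(user)
    return last is not None and last - window <= when.date() <= last


def detect(lines=LOG_LINES, roster=ROSTER, window=WINDOW):
    """Return a list of (finding, subject, detail, timestamp) tuples."""
    findings = []
    for raw in lines.splitlines():
        parsed = parse(raw)
        if not parsed:
            continue
        when, _host, rest = parsed

        m = SUDO_USERADD_RE.match(rest)
        if m:
            actor, newuser = m["actor"], m["newuser"]
            # Rule 1: a departing employee creating an account is a classic backdoor setup.
            if in_departure_window(actor, when, roster, window):
                findings.append(("account_created_by_departing_user", actor, newuser, when))
            # Rule 2: an account HR has no record of is an "unknown account".
            if newuser not in roster:
                findings.append(("unknown_account_created", actor, newuser, when))
            continue

        m = SSHD_RE.match(rest)
        if m:
            user, ip = m["user"], m["ip"]
            last = roster.get(user)
            # Rule 3a: logins by accounts HR does not know about.
            if user not in roster:
                findings.append(("login_by_unknown_account", user, ip, when))
            # Rule 3b: logins after the owner's last day mean offboarding failed.
            elif last is not None and when.date() > last:
                findings.append(("login_after_last_day", user, ip, when))
    return findings


if __name__ == "__main__":
    for finding in detect():
        print(*finding)
```

On the constructed data this raises four findings: jsmith, three days from departure, creating svc_backup (two findings, one per rule), a login by the unknown svc_backup account days after jsmith has left, and a login by rlee nearly two months after rlee's last day. Note what is deliberately not flagged: jsmith's own late-evening login on March 5 is inside the window but is normal use, so the rules key on account creation and post-departure access rather than on every action by a departing employee. In a real deployment the roster comes from the HR system and the window is tuned to your own offboarding timeline.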
Aside from logging, there are several other technologies you can use to help detect and mitigate the threat of malicious insider attacks. To find out more about them, download the full report from the Dark Reading Insider Threat Tech Center.