
5/22/2009 12:25 PM

Tech Insight: How To Protect Your Organization From Malicious Insiders

New report offers insights on how to keep the bad apples from spoiling your company's whole barrel of data

A Special Analysis For Dark Reading

Excerpted from "Rotten Apples: How To Detect And Stop Malicious Insiders In Your Organization," a new, downloadable report posted today on the Dark Reading Insider Threat Tech Center.

In our last Dark Reading Insider Threat Tech Center report, "Well-Meaning Employees -- And How To Stop Them," we discussed the most common breaches that originate from within the organization -- those that are caused by well-meaning employees who innocently or unknowingly violate security policies in an effort to get their jobs done. Now it's time to discuss the most unusual -- but perhaps the most dangerous -- insider threat: the employee who knowingly breaks security policy to achieve a selfish or malicious end.

Deliberate insider threats fall into three main areas:

  • theft for financial gain;
  • system or data sabotage, usually to "get revenge" or gain attention; and
  • theft to gain a competitive advantage, sometimes called corporate espionage.

Theft for financial gain is one of the most common malicious threats today, particularly given the poor economic climate, and usually involves an insider abusing access privileges to steal personal data or customer lists that can be sold to criminals. This type of theft is usually carried out by a nontechnical end user who has everyday access to sensitive information.

Sabotage, on the other hand, is most often committed by savvy IT staffers who know how to damage the company's data. And theft for competitive advantage may involve stealing sensitive data, such as customer lists, or intellectual property, such as plans or designs.

What's amazing about all of these malicious insider attacks is that the majority of the breaches occur within a few weeks of the day that an employee resigns or is terminated.

According to most experts, enterprises in 2009 will be hit with an increase in all three major categories of insider threats. Sadly, though, most companies don't have anyone focusing on the insider threat -- malicious or otherwise -- even though the security industry has been talking about it for years.

What can you put into place to help prevent the insider threat from breaching your enterprise in 2009? Several best practices exist, but they all have one common bond: You must actually look at the reports your systems generate! Many insider attacks go unnoticed because the attacker builds tools and techniques over time while no one is reviewing the logs that would reveal them.

There's a lot to be said about security awareness training, too. Some companies don't believe in it, while others don't do it well, but in my practice as a security consultant I have seen training lead to some incredible cultural changes within organizations -- and significantly reduce the risk of an insider attack. In the case of malicious insiders, the education is not targeted at the user -- who clearly doesn't care about security policy and is bent on breaking it -- but at the insider's potential colleagues, who might recognize the warning signs that a co-worker is about to act maliciously and need to know what to do about it.

When I discuss insider threat technology with clients, I teach them this mantra: "If you can't prevent it, you must detect it." Simply put, if you identify a risk, then you should attempt to prevent it. But if you can't prevent it, then implement a detection technology that can at least help you determine how and when it happened. Many organizations focus too heavily on policy and don't implement the technology required to enforce it.

Detection, in fact, plays a critical role in all risk controls; network and operating system logging is vital. According to CERT, 68 percent of theft for competitive advantage takes place within three weeks of an employee leaving his/her job. Logging can help detect this activity. Disgruntled employees often act out of the norm by creating unknown accounts, setting up backdoor connections, and other behaviors that proper logging can detect.
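The three-week departure window and the "unknown account" warning sign above translate directly into log-review rules. The following is an added example, not code from the report or from Dark Reading: it correlates a constructed HR separation feed with constructed, pipe-delimited audit log lines and flags (1) any activity by a separated user after their last day, (2) sensitive actions by a user in the three weeks before separation, and (3) account creation where the new account is not on an approved list. The log format, event names, `DEPARTURES` feed and `APPROVED_ACCOUNTS` list are all assumptions made for the example; a real deployment would feed it from the SIEM or syslog collector and the HR system.

```python
"""Insider-threat log review: departure-window and unknown-account rules.

All data below is constructed for illustration; the log format, event
names and HR feed are assumptions, not a real product's schema.
"""
from datetime import datetime, timedelta

# CERT figure cited in the article: most theft occurs within three weeks
# of the employee leaving, so that is the review window we use.
DEPARTURE_WINDOW = timedelta(weeks=3)

# Events that deserve scrutiny when performed close to a departure date.
# (Constructed event names.)
SENSITIVE_EVENTS = {
    "FILE_COPY",            # bulk copy, e.g. to removable media
    "ACCOUNT_CREATE",       # new accounts nobody asked for
    "FIREWALL_RULE_ADD",    # new inbound paths
    "SCHEDULED_TASK_CREATE",
}

# Constructed HR feed: username -> separation date (last day of access).
DEPARTURES = {
    "jdoe": datetime(2009, 5, 1),
}

# Constructed list of accounts that went through a provisioning request.
APPROVED_ACCOUNTS = {"jdoe", "asmith", "rgreen", "svc_backup"}

# Constructed audit log: "timestamp|actor|event|key=value ..."
SAMPLE_LOG = """\
2009-04-20 22:14:03|jdoe|FILE_COPY|path=/shares/customers/list.xls dest=usb
2009-04-21 09:00:00|jdoe|LOGON|host=workstation04
2009-04-30 01:02:00|rgreen|ACCOUNT_CREATE|account=tmp_admin
2009-05-03 03:15:00|jdoe|LOGON|host=vpn01
2009-05-12 09:00:00|asmith|LOGON|host=workstation17
"""


def parse_line(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, actor, event, detail = line.split("|", 3)
    fields = dict(kv.split("=", 1) for kv in detail.split())
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "actor": actor,
        "event": event,
        "detail": fields,
    }


def analyze(log_text, departures, approved, window=DEPARTURE_WINDOW):
    """Return a list of (rule, actor, subject, timestamp) alerts.

    Rules:
      ACTIVITY_AFTER_SEPARATION       any event on/after the user's last day
      SENSITIVE_ACTIVITY_NEAR_DEPARTURE  sensitive event within `window`
                                          before the last day
      UNKNOWN_ACCOUNT_CREATED         ACCOUNT_CREATE for an unapproved name
    """
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        last_day = departures.get(ev["actor"])

        if last_day is not None:
            if ev["ts"] >= last_day:
                # The account should already be disabled; any use is an alert.
                alerts.append(("ACTIVITY_AFTER_SEPARATION",
                               ev["actor"], ev["event"], ev["ts"]))
            elif (ev["event"] in SENSITIVE_EVENTS
                  and ev["ts"] >= last_day - window):
                alerts.append(("SENSITIVE_ACTIVITY_NEAR_DEPARTURE",
                               ev["actor"], ev["event"], ev["ts"]))

        if ev["event"] == "ACCOUNT_CREATE":
            new_account = ev["detail"].get("account")
            if new_account not in approved:
                alerts.append(("UNKNOWN_ACCOUNT_CREATED",
                               ev["actor"], new_account, ev["ts"]))
    return alerts


if __name__ == "__main__":
    for rule, actor, subject, ts in analyze(SAMPLE_LOG, DEPARTURES,
                                             APPROVED_ACCOUNTS):
        print(f"{ts:%Y-%m-%d %H:%M}  {rule:<36} actor={actor} {subject}")
```

Run as-is, the sample data produces three alerts: jdoe's bulk file copy eleven days before separation, rgreen's creation of the unapproved `tmp_admin` account, and jdoe's VPN logon two days after the last day. The ordinary logon by jdoe inside the window is deliberately not flagged, since a departing employee still has a job to do; the point is to review sensitive actions, not every keystroke.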

Aside from logging, there are several other technologies you can use to help detect and mitigate the threat of malicious insider attacks. To find out more about them, download the full report from the Dark Reading Insider Threat Tech Center.

Michael A. Davis has been privileged to help shape and educate the global community on the evolution of IT security. His portfolio of clients includes international corporations such as AT&T, Sears, and Exelon as well as the U.S. Department of Defense. Davis's early embrace of ...
