Risk

5/22/2009
12:25 PM

Tech Insight: How To Protect Your Organization From Malicious Insiders

New report offers insights on how to keep the bad apples from spoiling your company's whole barrel of data

A Special Analysis For Dark Reading

Excerpted from "Rotten Apples: How To Detect And Stop Malicious Insiders In Your Organization," a new, downloadable report posted today on the Dark Reading Insider Threat Tech Center.

In our last Dark Reading Insider Threat Tech Center report, "Well-Meaning Employees -- And How To Stop Them," we discussed the most common breaches that originate from within the organization -- those that are caused by well-meaning employees who innocently or unknowingly violate security policies in an effort to get their jobs done. Now it's time to discuss the most unusual -- but perhaps the most dangerous -- insider threat: the employee who knowingly breaks security policy to achieve a selfish or malicious end.

Deliberate insider threats fall into three main areas:

  • theft for financial gain;
  • system or data sabotage, usually to "get revenge" or gain attention; and
  • theft to gain a competitive advantage, sometimes called corporate espionage.

Theft for financial gain is one of the most common malicious threats today, particularly given the poor economic climate, and usually involves an insider abusing access privileges to steal personal data or customer lists that can be sold to criminals. This type of theft is usually carried out by a nontechnical end user who has everyday access to sensitive information.

Sabotage, on the other hand, is most often committed by savvy IT staffers who know how to damage the company's data. And theft for competitive advantage may involve stealing sensitive data, such as customer lists, or intellectual property, such as plans or designs.

What's amazing about all of these malicious insider attacks is that the majority of the breaches occur within a few weeks of the day that an employee resigns or is terminated.

According to most experts, enterprises in 2009 will be hit with an increase in all three major categories of insider threats. Sadly, though, most companies don't have anyone focusing on the insider threat -- malicious or otherwise -- even though the security industry has been talking about it for years.

What can you put into place to help prevent the insider threat from breaching your enterprise in 2009? Several best practices exist, but they all have one common bond: You must actually look at the reports your systems generate! Many insider attacks go unnoticed not because the systems failed to record them, but because the attacker builds tooling and stages the theft while no one is reading the logs.

There's a lot to be said about security awareness training, too. Some companies don't believe in it, while others don't do it well, but in my practice as a security consultant I have seen training lead to some incredible cultural changes within organizations -- and significantly reduce the risk of an insider attack. In the case of malicious insiders, the education is not targeted at the user -- who clearly doesn't care about security policy and is bent on breaking it -- but on the insider's potential colleagues, who might recognize the warning signs that a co-worker is about to be bad and need to know what to do about it.

When I discuss insider threat technology with clients, I teach them this mantra: "If you can't prevent it, you must detect it." Simply put, if you identify a risk, then you should attempt to prevent it. But if you can't prevent it, then implement a detection technology that can at least help you determine how and when it happened. Many organizations focus too heavily on policy and don't implement the technology required to enforce it.

Detection, in fact, plays a critical role in all risk controls; network and operating system logging is vital. According to CERT, 68 percent of theft for competitive advantage takes place within three weeks of an employee leaving his/her job. Logging can help detect this activity. Disgruntled employees often act out of the norm by creating unknown accounts, setting up backdoor connections, and other behaviors that proper logging can detect.
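As an added example (not from the report or its author), here is the kind of log review the paragraph calls for, run over a few constructed auth.log-style lines: it flags accounts created outside the approved provisioning list, logins to freshly created accounts from outside the corporate address space, and raises the severity when the actor is a user HR has placed in the three-week post-separation window. The departing-employee list, the approved-account list, the corporate network ranges and the sample log lines are all assumptions made for this example.

```python
"""
Flag insider-threat indicators in Linux auth.log-style events:
unapproved account creation, logins to brand-new accounts from
outside the corporate network, and activity by departing employees.
All lists and log lines below are constructed for this example.
"""
import re
import ipaddress
from datetime import date, datetime, timedelta

# Assumption: HR feeds the SOC the names and separation dates of employees
# who have resigned or been terminated.
DEPARTING = {"bob": date(2009, 5, 4)}
WATCH_WINDOW = timedelta(weeks=3)          # window cited from CERT in the text

# Assumption: accounts the provisioning process has approved (e.g. IAM tickets).
APPROVED_NEW_ACCOUNTS = {"carol"}

# Assumption: corporate address space; anything else is "external".
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
LOG_YEAR = 2009                            # syslog timestamps carry no year

SAMPLE_LOG = """\
May 11 09:02:11 app01 sudo:    carol : TTY=pts/1 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/sbin/useradd -m carol
May 11 09:02:11 app01 useradd[4101]: new user: name=carol, UID=1004, GID=1004, home=/home/carol, shell=/bin/bash
May 12 23:41:05 app01 sudo:      bob : TTY=pts/3 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/useradd -m -G sudo svc_backup
May 12 23:41:05 app01 useradd[5123]: new user: name=svc_backup, UID=1005, GID=1005, home=/home/svc_backup, shell=/bin/bash
May 13 02:15:40 app01 sshd[5330]: Accepted publickey for svc_backup from 203.0.113.7 port 51234 ssh2: RSA SHA256:abc
May 13 08:00:01 app01 sshd[5401]: Accepted password for alice from 10.1.2.3 port 40022 ssh2
"""

SYSLOG = re.compile(r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
                    r"(?P<host>\S+) (?P<prog>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$")
USERADD = re.compile(r"new user: name=(?P<name>[\w.-]+)")
SUDO = re.compile(r"^\s*(?P<actor>[\w.-]+) : .*COMMAND=(?P<cmd>.*)$")
SSH_ACCEPT = re.compile(r"Accepted \w+ for (?P<user>[\w.-]+) from (?P<ip>[\d.]+)")


def parse_ts(m):
    return datetime.strptime(f"{LOG_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")


def in_watch_window(user, when):
    """True if `user` is departing and `when` falls inside the post-separation window."""
    sep = DEPARTING.get(user)
    return sep is not None and sep <= when.date() <= sep + WATCH_WINDOW


def is_corporate(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_NETS)


def detect(log_text, new_account_age=timedelta(days=7)):
    """Return a list of (severity, message) alerts for the given log text."""
    alerts = []
    created = {}                 # account name -> (created_at, created_by)
    last_useradd_actor = None    # sudo line precedes the useradd event it caused
    for line in log_text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        ts, prog, msg = parse_ts(m), m["prog"], m["msg"]
        if prog == "sudo":
            s = SUDO.match(msg)
            if s and "useradd" in s["cmd"]:
                last_useradd_actor = s["actor"]
        elif prog == "useradd":
            u = USERADD.search(msg)
            if not u:
                continue
            name, actor = u["name"], last_useradd_actor or "unknown"
            created[name] = (ts, actor)
            last_useradd_actor = None
            if name not in APPROVED_NEW_ACCOUNTS:
                text = f"unapproved account {name} created by {actor}"
                if in_watch_window(actor, ts):
                    alerts.append(("high", text + " (departing employee)"))
                else:
                    alerts.append(("medium", text))
        elif prog == "sshd":
            a = SSH_ACCEPT.search(msg)
            if not a:
                continue
            user, ip = a["user"], a["ip"]
            fresh = user in created and ts - created[user][0] <= new_account_age
            if fresh and not is_corporate(ip):
                alerts.append(("high", f"possible backdoor: login to new account {user} from external {ip}"))
            elif in_watch_window(user, ts):
                alerts.append(("medium", f"departing employee {user} logged in from {ip}"))
    return alerts


if __name__ == "__main__":
    for severity, message in detect(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

In the sample, carol's own provisioning is approved and alice's login is routine, so only bob's late-night creation of `svc_backup` and the subsequent external login to that account surface. The point is the correlation: the useradd event alone is an IAM hygiene issue, but tying it to a departing actor and to a first login from outside the network is what turns log noise into a case worth opening.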

Aside from logging, there are several other technologies you can use to help detect and mitigate the threat of malicious insider attacks. To find out more about them, download the full report from the Dark Reading Insider Threat Tech Center.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Michael A. Davis has been privileged to help shape and educate the global community on the evolution of IT security. His portfolio of clients includes international corporations such as AT&T, Sears, and Exelon as well as the U.S. Department of Defense. Davis's early embrace of ...
