Understanding The Mindset Of The Evil Insider

Technology is typically going to serve as the basis for insider threat attacks. One of the major key technology areas is information extraction, and it must be clearly understood so an organization can try to stay one step ahead of the malicious insider.
In today's high-tech world there are many ways in which an employee can extract sensitive information from an organization. Some of the major technologies used to extract sensitive information are removable media, wireless exfiltration, and laptops. Removable media has grown significantly in recent years, shrinking in physical size while growing in storage capacity. Removable media includes all such technology, from USB thumb drives to iPods. USB thumb drives can hold anywhere from 256 MB to 128 GB. When you think about it, that is an incredible amount of storage for something the size of a car key. Needless to say, with this type of technology a malicious insider could exfiltrate a large amount of sensitive information in a matter of minutes.

Another technology phenomenon that has taken the world by storm is the MP3 player, such as the Apple iPod. While these devices are intended to be used for music and other media, they can also act as portable storage devices. When you plug an iPod into a computer, it is recognized by the computer as an external storage device, and the user can then drag any type of file or folder onto it. This is a huge security risk because most organizations don't even consider this threat. It is important for organizations to weigh the risk of removable media against its benefit before allowing these devices into the workplace. In addition, these devices can also have autorun features, which would allow malicious code to run as a background task and infect the system without the user even realizing it.
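One defensive control that follows from the two paragraphs above is to watch for bulk writes to removable volumes. The following script is an added example, not part of the original article: it parses a constructed, simplified file-audit log (timestamp, user, action, destination path, bytes) and flags any user who writes more than a threshold to a removable drive within a sliding time window. The log format, the drive-letter mapping, and the thresholds are assumptions; a real deployment would feed it object-access audit events or DLP/EDR telemetry instead.

```python
"""Flag bulk copies to removable media from constructed file-audit log lines.

Added example (not from the original article). The log format is a constructed,
simplified one: timestamp, user, action, destination path, bytes. Real sources
(Windows object-access auditing, DLP agents, EDR telemetry) differ, so the
parser is the part to adapt.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a user saving a small note to a thumb drive, an insider
# copying a large volume of files to an iPod mounted as F: within minutes, and
# an ordinary write to the local disk.
SAMPLE_LOG = """\
2024-03-04T09:01:12 alice WRITE E:\\notes.txt 2048
2024-03-04T09:05:40 bob WRITE F:\\q1_customer_list.xlsx 52428800
2024-03-04T09:06:02 bob WRITE F:\\contracts\\acme.pdf 104857600
2024-03-04T09:07:55 bob WRITE F:\\design\\schematics.zip 314572800
2024-03-04T11:30:00 carol WRITE C:\\Users\\carol\\report.docx 409600
"""

# Assumption: these drive letters are mapped to removable volumes on the host.
REMOVABLE_DRIVES = {"E:", "F:"}


def parse_line(line):
    """Split one constructed log line into a dict (paths contain no spaces)."""
    ts, user, action, path, size = line.split(maxsplit=4)
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "path": path, "bytes": int(size)}


def is_removable(path):
    return path[:2].upper() in REMOVABLE_DRIVES


def find_bulk_copies(log_text, threshold_bytes=100 * 1024 * 1024,
                     window=timedelta(minutes=10)):
    """Return {user: peak_bytes} for users who wrote more than threshold_bytes
    to removable media within any window of the given length."""
    per_user = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["action"] == "WRITE" and is_removable(ev["path"]):
            per_user[ev["user"]].append((ev["ts"], ev["bytes"]))

    flagged = {}
    for user, events in per_user.items():
        events.sort()
        start, running = 0, 0
        for ts, size in events:
            running += size
            # Slide the window forward: drop events older than `window`.
            while ts - events[start][0] > window:
                running -= events[start][1]
                start += 1
            if running > threshold_bytes:
                flagged[user] = max(flagged.get(user, 0), running)
    return flagged


if __name__ == "__main__":
    for user, total in find_bulk_copies(SAMPLE_LOG).items():
        print(f"{user}: {total / (1024 * 1024):.0f} MB to removable media")
```

The threshold and window should be tuned to what is normal for the role; the point is that the volume and speed of the copy, not any single file, is the signal.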

Another way in which data can be exfiltrated from an organization is through wireless devices. Wireless exfiltration can occur through authorized, rogue, or ad-hoc wireless access points (APs). Many times authorized APs are configured incorrectly, allowing unauthorized users to gain access. Also, when reset, some wireless APs automatically return to their default states, which, for obvious reasons, is an enormous threat to security.

Organizations should constantly review their wireless AP configurations to ensure they are secure. In some cases they may have a rogue wireless AP: a wireless AP can be purchased from any technology store for around $50, plugged in, and configured within a matter of minutes. It is important that organizations keep an inventory of all APs and regularly scan for rogue APs. Programs such as Netstumbler and Kismet can be used to view all APs in an area and to check whether they use some form of encryption. While Netstumbler will not tell you whether an AP is securely configured, it will allow an organization to ensure there are no unknown APs connected to the network.

Exfiltration can also occur through ad-hoc wireless. With most configurations of Windows operating systems, when you turn on your wireless card, ad-hoc wireless is turned on by default. With ad-hoc, or host-to-host, wireless, your computer advertises itself as an open connection that someone can connect to. Someone who connects most likely will not get Internet access, but potentially could access any files or programs on that computer. This presents an enormous security risk, and ad-hoc wireless should be disabled.
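The inventory-and-scan routine described in the preceding paragraphs (unknown APs, APs that have fallen back to default settings, and hosts advertising ad-hoc networks) can be reduced to a comparison between a site survey and the AP inventory. The script below is an added example, not part of the original article: the survey records are constructed in a simplified shape (SSID, BSSID, encryption, network type), so output from Netstumbler or Kismet would have to be converted into that shape first. The inventory is keyed by BSSID (the radio's MAC address) on the assumption that an SSID alone proves nothing, since anyone can broadcast the corporate SSID.

```python
"""Compare a wireless site survey against an inventory of authorized APs.

Added example (not from the original article). Survey records are constructed
in a simplified form; real scanner output must be mapped into Observed first.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Observed:
    ssid: str
    bssid: str
    encryption: str   # e.g. "OPEN", "WEP", "WPA2"
    net_type: str     # "infrastructure" or "adhoc"


# Assumption: inventory keyed by BSSID -> (expected SSID, expected encryption).
AUTHORIZED = {
    "00:11:22:33:44:01": ("CorpNet", "WPA2"),
    "00:11:22:33:44:02": ("CorpNet", "WPA2"),
    "00:11:22:33:44:03": ("CorpNet", "WPA2"),   # not seen in this survey
}

# Constructed survey: one healthy corporate AP, one corporate AP that was reset
# to an open default state, an evil twin of the corporate SSID on an unknown
# radio, an employee's unlisted consumer AP left open, and a laptop advertising
# an ad-hoc network.
SURVEY = [
    Observed("CorpNet", "00:11:22:33:44:01", "WPA2", "infrastructure"),
    Observed("CorpNet", "00:11:22:33:44:02", "OPEN", "infrastructure"),
    Observed("CorpNet", "aa:bb:cc:dd:ee:01", "WPA2", "infrastructure"),
    Observed("linksys", "aa:bb:cc:dd:ee:02", "OPEN", "infrastructure"),
    Observed("Free WiFi", "02:1a:2b:3c:4d:5e", "OPEN", "adhoc"),
]


def audit_survey(survey, authorized):
    """Return a list of (bssid, finding) pairs for anything that needs review."""
    findings = []
    known_ssids = {ssid for ssid, _ in authorized.values()}
    for ap in survey:
        bssid = ap.bssid.lower()
        if ap.net_type == "adhoc":
            # A host-to-host network is a client, not an AP; flag it and move on.
            findings.append((bssid, "ad-hoc network advertised"))
            continue
        expected = authorized.get(bssid)
        if expected is None:
            if ap.ssid in known_ssids:
                findings.append((bssid, "possible evil twin (authorized SSID on unknown radio)"))
            else:
                findings.append((bssid, "rogue AP (not in inventory)"))
        else:
            exp_ssid, exp_enc = expected
            if ap.ssid != exp_ssid:
                findings.append((bssid, f"SSID mismatch: expected {exp_ssid!r}, saw {ap.ssid!r}"))
            if ap.encryption != exp_enc:
                findings.append((bssid, f"encryption drift: expected {exp_enc}, saw {ap.encryption}"))
        if ap.encryption == "OPEN":
            findings.append((bssid, "no encryption"))
    return findings


def missing_from_survey(survey, authorized):
    """Inventory APs the survey did not see: unplugged, moved, or out of range."""
    seen = {ap.bssid.lower() for ap in survey}
    return sorted(b for b in authorized if b not in seen)


if __name__ == "__main__":
    for bssid, finding in audit_survey(SURVEY, AUTHORIZED):
        print(f"{bssid}  {finding}")
    for bssid in missing_from_survey(SURVEY, AUTHORIZED):
        print(f"{bssid}  not observed in survey")
```

As the article notes, a scan like this tells you which radios are present and whether they encrypt; it does not tell you whether an inventoried AP is otherwise securely configured, so the encryption-drift finding is a prompt to inspect the device, not a full configuration check.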

The next area of information extraction we will examine is the use of laptops. While I agree that laptops play a critical role in the IT arsenal of any organization, we have to be aware of the threats they pose and put measures in place to carefully control them. Laptops are no longer used just for travel; in many cases they serve as employees' desktop systems. For this reason laptops contain a great deal of sensitive information and, if not properly safeguarded, can cause serious harm to an organization.

Organizations must also educate employees on the problem that I like to call being a "digital pack rat": the need to remove obsolete data from their laptops. Many times when employees are traveling for business, they load their laptops with sensitive information in case they have to reference it on the road or on an airplane. This is a serious security concern, especially when you consider how easy it is for a laptop to be stolen. It is important that organizations use security measures, such as encryption and passwords, on laptops to protect their sensitive information.
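A simple way to put the "digital pack rat" advice into practice is a periodic audit that lists files nobody has touched in a long time, so the owner can delete them or move them off the laptop. The script below is an added example, not part of the original article. It builds a small constructed directory tree in a temporary folder so it runs anywhere; the scanned root and the age threshold are assumptions to set per policy.

```python
"""Report files on a laptop that have not been modified in a long time.

Added example (not from the original article): a "digital pack rat" audit.
The sample tree is constructed with tempfile; the root and threshold are
assumptions to tune per policy.
"""
import os
import tempfile
import time
from pathlib import Path

DAY = 86400


def find_stale_files(root, max_age_days, now=None):
    """Return [(relative_path, age_in_days)] for regular files whose
    modification time is older than max_age_days, oldest first."""
    now = time.time() if now is None else now
    stale = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            age_days = (now - p.stat().st_mtime) / DAY
            if age_days > max_age_days:
                stale.append((str(p.relative_to(root)), round(age_days)))
    return sorted(stale, key=lambda item: -item[1])


def build_sample_tree(base):
    """Constructed sample: one current file and two old 'travel copies'.
    Returns the reference time used to set the ages."""
    now = time.time()
    ages = {
        "Desktop/current_budget.xlsx": 2,
        "Downloads/trip_2019/customer_list.csv": 900,
        "Downloads/trip_2019/merger_notes.docx": 870,
    }
    for rel, age in ages.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("sample")
        stamp = now - age * DAY
        os.utime(p, (stamp, stamp))   # back-date access and modification time
    return now


def demo(max_age_days=365):
    """Build the sample tree and audit it with the given threshold."""
    with tempfile.TemporaryDirectory() as tmp:
        now = build_sample_tree(tmp)
        return find_stale_files(tmp, max_age_days, now)


if __name__ == "__main__":
    for rel, age in demo():
        print(f"{age:>5} days  {rel}")
```

The audit is deliberately conservative: it reports and lets the owner decide, since modification time alone cannot tell an obsolete travel copy from a reference document that is still needed.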

These are a few of the many ways that information can be exfiltrated from an organization. In order for an organization to protect its sensitive information, it must understand how an insider can exfiltrate it.

Dr. Eric Cole, Ph.D., is a security expert with more than 15 years of hands-on experience. Cole has experience in information technology with a focus on perimeter defense, secure network design, vulnerability discovery, penetration testing, and intrusion detection systems. He is the author of several books, including Hackers Beware, Hiding in Plain Sight, Network Security Bible, and Insider Threat. He is the inventor of more than 20 patents, and is a researcher, writer, and speaker. Cole is a member of the Commission on Cyber Security for the 44th President and several executive advisory boards, and is CTO of the Americas for McAfee. Cole is involved with the SANS Technology Institute (STI) and SANS, working with students, teaching, and maintaining and developing courseware. He is a SANS fellow, instructor, and course author.