
Perimeter

10/4/2010 04:54 PM
Eric Cole
Commentary

Understanding The Mindset Of The Evil Insider

Technology is typically going to serve as the basis for insider threat attacks. One of the major key technology areas is information extraction, and it must be clearly understood so an organization can try to stay one step ahead of the malicious insider.

In today's high-tech world there are many ways in which an employee can extract sensitive information from an organization. Some of the major technologies used to extract sensitive information are removable media, wireless exfiltration, and laptops. Removable media has grown significantly in recent years, shrinking in size while growing in storage space. Removable media includes all such technology, from USB thumb drives to iPods. USB thumb drives can hold anywhere from 256 MB to 128 GB. When you think about it, that is an incredible amount of storage for something the size of a car key. Needless to say, with this type of technology a malicious insider could exfiltrate a ton of sensitive information in a matter of minutes.

Another technology phenomenon that has taken the world by storm is the MP3 player, such as the Apple iPod. While these devices are intended for music and other media, they can also act as portable storage devices. When you plug an iPod into a computer, it is recognized as an external storage device, and the user can then drag any type of file or folder onto it. This is a huge security risk because most organizations don't even consider this threat. It is important for organizations to weigh the risk of removable media against its benefit before allowing these devices into the workplace. In addition, these devices can also carry autorun features, which would allow malicious code to run as a background task and infect the system without the user even realizing it.

Another way in which data can be exfiltrated from an organization is through wireless devices. Wireless exfiltration can occur through authorized, rogue, or ad-hoc wireless access points (APs). Many times authorized APs are configured incorrectly, allowing unauthorized users to gain access. Also, when reset, some wireless APs automatically return to their default states, which, for obvious reasons, is an enormous threat to security.

Organizations should constantly review their wireless AP configurations to ensure they are secure. In some cases they may have a rogue wireless AP. A wireless AP can be purchased from any technology store for around $50. This same AP can then be plugged in and configured within a matter of minutes. It is important that organizations keep an inventory of all APs and regularly scan for rogue APs. Programs such as Netstumbler and Kismet can be used to view all APs in an area and to check whether they have some form of encryption. While Netstumbler will not tell you whether an AP is securely configured, it will let an organization confirm there are no unknown APs connected to the network.
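The inventory-versus-scan comparison described above, as an added example that is not part of the original column: the inventory and the survey lines are constructed here (made-up BSSIDs) in a BSSID,SSID,Channel,Encryption shape that a Netstumbler or Kismet export can be reduced to, and `Get-WirelessFindings` is a name chosen for this example. It flags unknown radios, authorized APs that have come up open (the reset-to-defaults case), configuration drift, and inventoried APs that did not answer.

```powershell
# Added example, not from the article. Swap $SurveyCsv for a real export file.
$Inventory = @{
    '00:11:22:33:44:01' = @{ SSID = 'CORP-WIFI'; Encryption = 'WPA2' }
    '00:11:22:33:44:02' = @{ SSID = 'CORP-WIFI'; Encryption = 'WPA2' }
    '00:11:22:33:44:03' = @{ SSID = 'CORP-WIFI'; Encryption = 'WPA2' }
}
# Constructed survey: one healthy AP, one authorized AP back at factory defaults, one unknown radio.
$SurveyCsv = @'
BSSID,SSID,Channel,Encryption
00:11:22:33:44:01,CORP-WIFI,6,WPA2
00:11:22:33:44:02,linksys,6,None
00:AA:BB:CC:DD:EE,Free-WiFi,1,None
'@

function Get-WirelessFindings {
    param([hashtable]$Inventory, [string]$Csv)
    $seen = $Csv | ConvertFrom-Csv
    foreach ($ap in $seen) {
        $bssid = $ap.BSSID.ToUpper()
        if (-not $Inventory.ContainsKey($bssid)) {
            # Unknown radio on the air: a rogue AP, a neighbour, or an inventory gap.
            [pscustomobject]@{ BSSID = $bssid; SSID = $ap.SSID; Finding = 'ROGUE: BSSID not in inventory' }
            continue
        }
        $known = $Inventory[$bssid]
        if ($ap.Encryption -eq 'None') {
            # An authorized AP broadcasting open: the reset-to-defaults case from the text.
            [pscustomobject]@{ BSSID = $bssid; SSID = $ap.SSID; Finding = 'OPEN: authorized AP has no encryption' }
        } elseif ($ap.SSID -ne $known.SSID -or $ap.Encryption -ne $known.Encryption) {
            [pscustomobject]@{ BSSID = $bssid; SSID = $ap.SSID; Finding = "DRIFT: expected $($known.SSID)/$($known.Encryption)" }
        }
    }
    # Inventoried APs that did not answer: offline, replaced, or out of survey range.
    $seenIds = @($seen | ForEach-Object { $_.BSSID.ToUpper() })
    foreach ($bssid in $Inventory.Keys) {
        if ($seenIds -notcontains $bssid) {
            [pscustomobject]@{ BSSID = $bssid; SSID = $Inventory[$bssid].SSID; Finding = 'MISSING: not seen in survey' }
        }
    }
}

Get-WirelessFindings -Inventory $Inventory -Csv $SurveyCsv | Format-Table -AutoSize
```

With the constructed data this reports one ROGUE, one OPEN and one MISSING finding; a BSSID the inventory lists but the survey never sees deserves a walk to the closet as much as an unknown one does.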

Exfiltration can also occur through ad-hoc wireless. By default, with most configurations of Windows operating systems, turning on your wireless card also turns on ad-hoc wireless. With ad-hoc, or host-to-host, wireless, your computer advertises itself as an open connection that someone can connect to. If someone were to connect to it, he most likely would not have Internet access, but potentially could access any files or programs that are on that computer. This presents an enormous security risk and should be disabled.

The next area of information extraction we will examine is the use of laptops. While I agree that laptops play a critical role in the IT arsenal of any organization, we have to be aware of the threats they pose and put measures in place to carefully control them. Laptops are no longer just used for travel, but are used in many cases as employees' desktop systems. For this reason laptops contain a ton of sensitive information and, if not properly safeguarded, can cause serious harm to an organization.

Organizations also must educate employees on the problem that I like to call being a "digital pack rat." Organizations must educate employees on the need to remove obsolete data from their laptops. Many times when employees are traveling for business, they will load their laptops with sensitive information. They do this in case they have to reference it while on the road or airplane. This is a serious security concern, especially when you consider how easy it is for a laptop to be stolen. It is important that organizations utilize security measures, such as encryption and passwords, on laptops to protect their sensitive information.
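The endpoint controls the column calls for across the last few sections (autorun on removable media, USB storage, ad-hoc wireless, laptop encryption) as one added audit script, not code from the original column. It uses the standard Windows settings for each: the `NoDriveTypeAutoRun` and `WriteProtect` registry values, the `netsh wlan` ad-hoc filter, and `Get-BitLockerVolume` where the BitLocker module exists; `Test-RegValue` and `Set-RegValue` are names chosen for this example, and the ad-hoc check is a heuristic text match on the filter listing.

```powershell
# Added example, not from the article. Audit by default; -Remediate applies the registry
# and netsh settings. Run in an elevated PowerShell session.
param([switch]$Remediate)

function Test-RegValue {
    param([string]$Path, [string]$Name, $Expected)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.$Name } else { $null }
    [pscustomobject]@{ Check = $Name; Expected = $Expected; Actual = $actual; Pass = ($actual -eq $Expected) }
}

function Set-RegValue {
    param([string]$Path, [string]$Name, [int]$Value)
    New-Item -Path $Path -Force | Out-Null
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# Autorun: 0xFF turns Autorun off for every drive type, closing the "plug in an iPod and
# code runs in the background" path.
$AutorunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autorun = Test-RegValue $AutorunKey 'NoDriveTypeAutoRun' 0xFF

# USB mass storage write-protect: files can still be read from a thumb drive, not copied onto it.
$UsbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
$usb = Test-RegValue $UsbKey 'WriteProtect' 1

# Ad-hoc (host-to-host) wireless: a deny-all filter for networktype=adhoc keeps the card from
# joining or advertising one. Heuristic: the filter shows up with "Adhoc" in the block list.
$filters = netsh wlan show filters 2>$null
$adhocBlocked = [bool]($filters | Where-Object { $_ -match 'adhoc' })
$adhoc = [pscustomobject]@{ Check = 'AdhocDenied'; Expected = $true; Actual = $adhocBlocked; Pass = $adhocBlocked }

# Disk encryption: a stolen laptop whose system drive has BitLocker protection on gives up nothing.
$bl = if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    (Get-BitLockerVolume -MountPoint $env:SystemDrive).ProtectionStatus } else { 'Unavailable' }
$disk = [pscustomobject]@{ Check = 'SystemDriveEncrypted'; Expected = 'On'; Actual = "$bl"; Pass = ("$bl" -eq 'On') }

if ($Remediate) {
    if (-not $autorun.Pass) { Set-RegValue $AutorunKey 'NoDriveTypeAutoRun' 0xFF }
    if (-not $usb.Pass)     { Set-RegValue $UsbKey 'WriteProtect' 1 }
    if (-not $adhoc.Pass)   { netsh wlan add filter permission=denyall networktype=adhoc | Out-Null }
    # Encryption is left to the administrator: enable BitLocker only after recovery keys are escrowed.
}
$autorun, $usb, $adhoc, $disk | Format-Table -AutoSize
```

Push the same four settings through Group Policy for the fleet; this script is the per-machine check that the policy actually landed.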

These are a few of the many ways that information can be exfiltrated from an organization. In order for an organization to protect its sensitive information, it must understand how an insider can exfiltrate it.

Dr. Eric Cole, Ph.D., is a security expert with more than 15 years of hands-on experience. Cole has experience in information technology with a focus on perimeter defense, secure network design, vulnerability discovery, penetration testing, and intrusion detection systems. He is the author of several books, including Hackers Beware, Hiding in Plain Sight, Network Security Bible, and Insider Threat. He is the inventor of more than 20 patents, and is a researcher, writer, and speaker. Cole is a member of the Commission on Cyber Security for the 44th President and several executive advisory boards, and is CTO of the Americas for McAfee. Cole is involved with the SANS Technology Institute (STI) and SANS, working with students, teaching, and maintaining and developing courseware. He is a SANS fellow, instructor, and course author. Dr. Cole has 20 years of hands-on experience in information technology with a focus on building out dynamic defense solutions that protect organizations from advanced threats. He has a Master's degree in computer science from NYIT and a Doctorate from Pace University, with a ...
