
Perimeter
10/4/2010
04:54 PM
Eric Cole
Commentary

Understanding The Mindset Of The Evil Insider

Technology is typically the basis for insider threat attacks. One of the key technology areas is information extraction, and it must be clearly understood so an organization can try to stay one step ahead of the malicious insider.

In today's high-tech world there are many ways in which an employee can extract sensitive information from an organization. Some of the major technologies used to extract sensitive information include removable media, wireless exfiltration, and laptops. Removable media has changed significantly in recent years, shrinking in physical size while growing in capacity. Removable media includes everything from USB thumb drives to iPods. USB thumb drives can hold anywhere from 256 MB to 128 GB. When you think about it, that is an incredible amount of storage for something the size of a car key. Needless to say, with this type of technology a malicious insider could exfiltrate a ton of sensitive information in a matter of minutes.

Another technology phenomenon that has taken the world by storm is the MP3 player, such as the Apple iPod. While these devices are intended for music and other media, they can also act as portable storage devices. When you plug an iPod into a computer, it is recognized as an external storage device, and the user can then drag any type of file or folder onto it. This is a huge security risk because most organizations don't even consider this threat. It is important for organizations to weigh the risk of removable media against its benefit before allowing these devices into the workplace. In addition, these devices can have autorun features that allow malicious code to run as a background task and infect the system without the user even realizing it.
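The detection side of the removable-media risk described above, as an added example that is not part of the original column: a small log correlator that reads Linux kernel messages, pairs each new USB device with its vendor/product IDs and product name, and raises an alert only when a mass-storage interface appears on a device that is not on a company-issued allowlist. The log lines, the vendor/product IDs and the `ALLOWED_STORAGE` allowlist are all constructed for this example; an iPod presenting itself as mass storage is flagged while a mouse receiver on the same host is not.

```python
import re
from dataclasses import dataclass

# Constructed sample of kernel messages in the style of /var/log/kern.log on a
# Linux workstation. The lines and the vendor/product IDs are illustrative,
# not captured from a real system.
SAMPLE_LOG = """\
Oct  4 16:54:01 ws-12 kernel: usb 1-1: new high-speed USB device number 5 using xhci_hcd
Oct  4 16:54:01 ws-12 kernel: usb 1-1: New USB device found, idVendor=0a11, idProduct=0001, bcdDevice= 1.00
Oct  4 16:54:01 ws-12 kernel: usb 1-1: Product: Corp Encrypted Drive
Oct  4 16:54:01 ws-12 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Oct  4 16:55:10 ws-12 kernel: usb 1-2: New USB device found, idVendor=0b22, idProduct=0002, bcdDevice=29.01
Oct  4 16:55:10 ws-12 kernel: usb 1-2: Product: Wireless Mouse Receiver
Oct  4 16:58:42 ws-12 kernel: usb 2-1: New USB device found, idVendor=0abc, idProduct=1234, bcdDevice= 0.01
Oct  4 16:58:42 ws-12 kernel: usb 2-1: Product: iPod
Oct  4 16:58:42 ws-12 kernel: usb-storage 2-1:1.0: USB Mass Storage device detected
"""

# Hypothetical allowlist of (idVendor, idProduct) pairs for company-issued drives.
ALLOWED_STORAGE = {("0a11", "0001")}

NEW_DEVICE = re.compile(
    r"kernel: usb (?P<path>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
PRODUCT = re.compile(r"kernel: usb (?P<path>[\d.-]+): Product: (?P<name>.+)$")
MASS_STORAGE = re.compile(
    r"kernel: usb-storage (?P<path>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")


@dataclass
class UsbAlert:
    timestamp: str
    host: str
    path: str
    vid: str
    pid: str
    name: str


def find_unapproved_storage(log_text, allowed=ALLOWED_STORAGE):
    """Correlate per-port kernel messages and return one alert for every
    mass-storage device whose (vendor, product) pair is not allowlisted.
    Keyboards, mice and other non-storage devices never produce an alert."""
    devices = {}   # USB port path -> details gathered so far
    alerts = []
    for line in log_text.splitlines():
        m = NEW_DEVICE.search(line)
        if m:
            host = line.split()[3]          # syslog layout: month day time host
            devices[m["path"]] = {"ts": line[:15], "host": host,
                                  "vid": m["vid"], "pid": m["pid"], "name": "(unknown)"}
            continue
        m = PRODUCT.search(line)
        if m and m["path"] in devices:
            devices[m["path"]]["name"] = m["name"].strip()
            continue
        m = MASS_STORAGE.search(line)
        if m and m["path"] in devices:
            d = devices[m["path"]]
            if (d["vid"], d["pid"]) not in allowed:
                alerts.append(UsbAlert(d["ts"], d["host"], m["path"],
                                       d["vid"], d["pid"], d["name"]))
    return alerts


if __name__ == "__main__":
    for a in find_unapproved_storage(SAMPLE_LOG):
        print(f"{a.timestamp} {a.host}: unapproved mass storage "
              f"'{a.name}' ({a.vid}:{a.pid}) on usb {a.path}")
```

Keying on the mass-storage interface rather than on "new USB device" is what keeps the alert volume sane: the policy question the column raises is about storage, not about every peripheral an employee plugs in.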

Another way in which data can be exfiltrated from an organization is through wireless devices. Wireless exfiltration can occur through authorized, rogue, or ad-hoc wireless access points (APs). Many times authorized APs are configured incorrectly, allowing unauthorized users to gain access. Also, when reset, some wireless APs automatically return to their default configuration, which, for obvious reasons, is an enormous threat to security.

Organizations should constantly review their wireless AP configurations to ensure they are secure. In some cases they may have a rogue wireless AP: an AP can be purchased from any technology store for around $50, plugged in, and configured within a matter of minutes. It is important that organizations keep an inventory of all APs and regularly scan for rogue APs. Programs such as Netstumbler and Kismet can be used to view all APs in an area and to check whether they have some form of encryption. While Netstumbler will not tell you whether an AP is securely configured, it will allow an organization to ensure there are no unknown APs connected to the network.
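The inventory-versus-scan reconciliation the paragraph above recommends, as an added example that is not part of the original column. It takes a list of authorized APs and a scan result and reports three of the conditions the column describes: an unknown BSSID (a possible rogue AP, rated higher when it advertises the corporate SSID), an authorized AP that is running open or with weak encryption (the "reset to defaults" case), and an authorized AP that the scan did not see. The inventory, the BSSIDs and the CSV scan layout are all constructed for this example; real survey tools such as Kismet or Netstumbler have their own export formats, which you would parse into the same four fields.

```python
import csv
import io
from dataclasses import dataclass

# Constructed inventory of authorized APs: BSSID -> (expected SSID, location).
INVENTORY = {
    "00:11:22:33:44:01": ("CorpNet", "floor 1 east"),
    "00:11:22:33:44:02": ("CorpNet", "floor 2 west"),
    "00:11:22:33:44:03": ("CorpNet", "lab"),
}

# Constructed scan results in a simple CSV layout of my own; a real survey
# tool's export would need its own format parsed into these same fields.
SCAN_CSV = """\
bssid,ssid,channel,encryption
00:11:22:33:44:01,CorpNet,6,WPA2
00:11:22:33:44:02,WirelessAP,11,NONE
AA:BB:CC:DD:EE:FF,CorpNet,1,WPA2
DE:AD:BE:EF:00:01,HomeRouter,6,WEP
"""

OPEN = {"", "NONE", "OPEN"}   # encryption values that mean "no encryption"


@dataclass
class Finding:
    severity: str   # "high", "medium" or "info"
    bssid: str
    ssid: str
    reason: str


def audit_scan(scan_csv, inventory, corp_ssids=("CorpNet",)):
    """Compare one scan against the AP inventory and return the findings."""
    seen = set()
    findings = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        bssid = row["bssid"].lower()
        ssid = row["ssid"]
        enc = row["encryption"].strip().upper()
        seen.add(bssid)
        if bssid not in inventory:
            # Unknown radio. One advertising a corporate SSID is the most
            # urgent case, because clients may join it automatically.
            sev = "high" if ssid in corp_ssids else "medium"
            findings.append(Finding(sev, bssid, ssid,
                                    "BSSID not in inventory: possible rogue AP"))
            continue
        expected_ssid, location = inventory[bssid]
        if enc in OPEN:
            findings.append(Finding("high", bssid, ssid,
                                    f"authorized AP at {location} has no encryption (factory reset?)"))
        elif enc == "WEP":
            findings.append(Finding("medium", bssid, ssid,
                                    f"authorized AP at {location} uses WEP, which is broken"))
        if ssid != expected_ssid:
            findings.append(Finding("medium", bssid, ssid,
                                    f"SSID changed from {expected_ssid!r} at {location}"))
    # Authorized APs that were not heard at all: possibly down, moved or replaced.
    for bssid, (expected_ssid, location) in inventory.items():
        if bssid not in seen:
            findings.append(Finding("info", bssid, expected_ssid,
                                    f"authorized AP at {location} not observed; check it is up"))
    return findings


if __name__ == "__main__":
    for f in sorted(audit_scan(SCAN_CSV, INVENTORY), key=lambda f: f.severity):
        print(f"[{f.severity:6}] {f.bssid} {f.ssid!r}: {f.reason}")
```

BSSIDs are normalized to lowercase before comparison because survey tools and inventories rarely agree on case; a scan location or channel can be added to `Finding` if the inventory records them, which helps distinguish a neighbour's AP from one plugged into your own switch.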

Exfiltration can also occur through ad-hoc wireless. With most default configurations of Windows operating systems, turning on the wireless card also turns on ad-hoc wireless. In ad-hoc, or host-to-host, wireless mode your computer advertises itself as an open connection that someone can connect to. Someone who connects most likely will not get Internet access, but potentially could access any files or programs on that computer. This presents an enormous security risk, and ad-hoc mode should be disabled.

The next area of information extraction we will examine is the use of laptops. While I agree that laptops play a critical role in the IT arsenal of any organization, we have to be aware of the threats they pose and put measures in place to carefully control them. Laptops are no longer used just for travel; in many cases they serve as employees' desktop systems. For this reason laptops contain a ton of sensitive information and, if not properly safeguarded, can cause serious harm to an organization.

Organizations also must educate employees about the problem I like to call being a "digital pack rat": the need to remove obsolete data from their laptops. Many times when employees travel for business, they load their laptops with sensitive information in case they have to reference it on the road or on an airplane. This is a serious security concern, especially when you consider how easy it is for a laptop to be stolen. It is important that organizations use security measures, such as encryption and passwords, on laptops to protect their sensitive information.

These are a few of the many ways that information can be exfiltrated from an organization. In order for an organization to protect its sensitive information, it must understand how an insider can exfiltrate it.

Dr. Eric Cole, Ph.D., is a security expert with more than 15 years of hands-on experience. Cole has experience in information technology with a focus on perimeter defense, secure network design, vulnerability discovery, penetration testing, and intrusion detection systems. He is the author of several books, including Hackers Beware, Hiding in Plain Sight, Network Security Bible, and Insider Threat. He is the inventor of more than 20 patents, and is a researcher, writer, and speaker. Cole is a member of the Commission on Cyber Security for the 44th President and several executive advisory boards, and is CTO of the Americas for McAfee. Cole is involved with the SANS Technology Institute (STI) and SANS, working with students, teaching, and maintaining and developing courseware. He is a SANS fellow, instructor, and course author. Dr. Cole has 20 years of hands-on experience in information technology with a focus on building out dynamic defense solutions that protect organizations from advanced threats. He has a Master's degree in computer science from NYIT and a Doctorate from Pace University, with a ...
