Eric Cole

Understanding The Mindset Of The Evil Insider

Technology typically serves as the basis for insider threat attacks. One of the key technology areas is information extraction, and it must be clearly understood if an organization is to stay one step ahead of the malicious insider.

In today's high-tech world there are many ways in which an employee can extract sensitive information from an organization. Some of the major technologies used to extract sensitive information include removable media, wireless exfiltration, and laptops. Removable media has grown significantly in recent years, decreasing in size while increasing in storage space. Removable media includes all such technology, from USB thumb drives to iPods. USB thumb drives can contain anywhere from 256 MB to 128 GB of storage space. When you think about it, that is an incredible amount of storage for something the size of a car key. Needless to say, with this type of technology a malicious insider could exfiltrate a ton of sensitive information in a matter of minutes.

Another technology phenomenon that has taken the world by storm is the MP3 player, such as the Apple iPod. While these devices are intended for music and other media, they can also act as portable storage devices. When you plug an iPod into a computer, it is recognized by the computer as an external storage device, and the user can then drag any type of file or folder onto it. This is a huge security risk because most organizations don't even consider this threat. It is important for organizations to analyze the risk of removable media versus its benefit before allowing these devices into the workplace. In addition, these devices can also have autorun features, which would allow malicious code to run as a background task and infect the system without the user even realizing it.
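The defender's counterpart to the removable-media risk described above is knowing when a mass-storage device is attached. The following added example (not code from the article or its author) correlates Linux kernel messages of the kind `usb-storage` and `sd` emit, reports each removable disk with its capacity, and flags devices outside a sanctioned list; the log lines, vendor/product ids and policy are constructed for the example.

```python
import re

# Constructed sample in the style of Linux usb-storage/sd kernel messages; the
# vendor/product ids and block counts are made up for this example.
SAMPLE_LOG = """\
usb 1-1: New USB device found, idVendor=1111, idProduct=aaaa
usb-storage 1-1:1.0: USB Mass Storage device detected
sd 6:0:0:0: [sdb] 250069680 512-byte logical blocks: (128 GB/119 GiB)
usb 1-2: New USB device found, idVendor=2222, idProduct=bbbb
usb 1-3: New USB device found, idVendor=3333, idProduct=cccc
usb-storage 1-3:1.0: USB Mass Storage device detected
sd 7:0:0:0: [sdc] 31277232 512-byte logical blocks: (16.0 GB/14.9 GiB)
"""

# Constructed policy: vendor:product pairs the organization has sanctioned.
APPROVED = {"1111:aaaa"}

USB_NEW = re.compile(r"usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
STORAGE = re.compile(r"usb-storage (\S+):\d+\.\d+: USB Mass Storage device detected")
BLOCKS = re.compile(r"sd \S+: \[(sd\w+)\] (\d+) (\d+)-byte logical blocks")

def find_removable_storage(log, approved):
    """One record per mass-storage device: port, vendor:product, block device,
    capacity in GB and whether policy approves it. The capacity line carries no
    USB port, so it is matched to the oldest storage device still waiting for
    one (a simplification that holds when devices are plugged in one at a time)."""
    devices, pending, findings = {}, [], []
    for line in log.splitlines():
        m = USB_NEW.search(line)
        if m:
            port, vid, pid = m.groups()
            devices[port] = {"port": port, "id": f"{vid}:{pid}"}
            continue
        m = STORAGE.search(line)
        if m and m.group(1) in devices:
            rec = devices[m.group(1)]
            rec["approved"] = rec["id"] in approved
            pending.append(rec)
            continue
        m = BLOCKS.search(line)
        if m and pending:
            rec = pending.pop(0)
            rec["disk"] = m.group(1)
            rec["gb"] = round(int(m.group(2)) * int(m.group(3)) / 1e9, 1)
            findings.append(rec)
    return findings

def unapproved_storage(log, approved=APPROVED):
    return [d for d in find_removable_storage(log, approved) if not d["approved"]]
```

The non-storage device on port 1-2 (a mouse, say) never reaches the findings, while the unapproved 16 GB disk is what an alert should be raised on.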

Another way in which data can be exfiltrated from an organization is through wireless devices. Wireless exfiltration can occur through authorized, rogue, or ad-hoc wireless access points (APs). Many times authorized APs are configured incorrectly, allowing unauthorized users to gain access. Also, when reset, some wireless APs automatically return to their default state, which, for obvious reasons, is an enormous threat to security.

Organizations should constantly review their wireless AP configurations to ensure they are secure. In some cases they may have a rogue wireless AP. A wireless AP can be purchased from any technology store for around $50, and that same AP can then be plugged in and configured within a matter of minutes. It is important that organizations have an inventory of all APs and regularly scan for rogue APs. Programs such as NetStumbler and Kismet can be used to view all APs in an area and to check that they have some form of encryption. While NetStumbler will not tell you whether the APs are securely configured, it will allow an organization to ensure there are no unknown APs connected to the network.

Exfiltration can also occur through ad-hoc wireless. In most default configurations of Windows operating systems, turning on your wireless card also turns on ad-hoc wireless. With ad-hoc, or host-to-host, wireless, your computer advertises itself as an open connection that someone can connect to. Someone who connects to it most likely will not have Internet access, but could potentially access any files or programs on that computer. This presents an enormous security risk and should be disabled.
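The inventory-and-scan check recommended above, covering the three wireless cases the text describes (a sanctioned AP reset to defaults, an unknown AP, and a host advertising an ad-hoc network), as an added example that is not code from the article or from NetStumbler or Kismet. The scan output is a constructed, simplified CSV rather than either tool's real export format, and the BSSIDs, SSIDs and inventory are made up.

```python
import csv
import io

# Constructed scan output in a simple CSV form (not the exact NetStumbler or
# Kismet export format); BSSIDs and SSIDs are made-up sample values.
SCAN_CSV = """\
bssid,ssid,type,encryption
00:11:22:33:44:01,CorpNet,infrastructure,WPA2
00:11:22:33:44:02,CorpNet,infrastructure,WPA2
00:11:22:33:44:03,linksys,infrastructure,None
de:ad:be:ef:00:01,CorpNet,infrastructure,None
de:ad:be:ef:00:02,Free WiFi,ad-hoc,None
"""

# Constructed inventory of sanctioned APs: BSSID -> SSID it should broadcast.
INVENTORY = {
    "00:11:22:33:44:01": "CorpNet",
    "00:11:22:33:44:02": "CorpNet",
    "00:11:22:33:44:03": "CorpNet",
    "00:11:22:33:44:04": "CorpGuest",
}

def audit_scan(scan_csv, inventory):
    """Compare a scan against the inventory; return (bssid, ssid, reason) tuples."""
    findings, seen = [], set()
    known_ssids = set(inventory.values())
    for row in csv.DictReader(io.StringIO(scan_csv)):
        bssid, ssid = row["bssid"].lower(), row["ssid"]
        seen.add(bssid)
        if row["type"] == "ad-hoc":
            # A host advertising a host-to-host network, e.g. a client with ad-hoc left on.
            findings.append((bssid, ssid, "ad-hoc network advertised"))
            continue
        if bssid not in inventory:
            if ssid in known_ssids:
                findings.append((bssid, ssid, "unknown AP broadcasting a known SSID"))
            else:
                findings.append((bssid, ssid, "AP not in inventory (rogue or neighbour)"))
        elif inventory[bssid] != ssid:
            # The reset-to-defaults case: our AP, but broadcasting the wrong SSID.
            findings.append((bssid, ssid, "inventoried AP broadcasting unexpected SSID"))
        if row["encryption"] in ("None", "WEP"):
            findings.append((bssid, ssid, f"weak or no encryption ({row['encryption']})"))
    for bssid in inventory.keys() - seen:
        findings.append((bssid, inventory[bssid], "inventoried AP not seen in scan"))
    return findings
```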

The next area of information extraction we will examine is the use of laptops. While I agree that laptops play a critical role in the IT arsenal of any organization, we have to be aware of the threats they pose and put measures in place to carefully control them. Laptops are no longer used just for travel; in many cases they serve as employees' desktop systems. For this reason laptops contain a ton of sensitive information and, if not properly safeguarded, can cause serious harm to an organization.

Organizations also must educate employees about a problem I like to call being a "digital pack rat": the need to remove obsolete data from their laptops. Many times when employees are traveling for business, they will load their laptops with sensitive information in case they have to reference it while on the road or on the airplane. This is a serious security concern, especially when you consider how easy it is for a laptop to be stolen. It is important that organizations use security measures, such as encryption and passwords, on laptops to protect their sensitive information.

These are a few of the many ways that information can be exfiltrated from an organization. In order for an organization to protect its sensitive information, it must understand how an insider can exfiltrate it.

Dr. Eric Cole, Ph.D., is a security expert with more than 15 years of hands-on experience. Cole has experience in information technology with a focus on perimeter defense, secure network design, vulnerability discovery, penetration testing, and intrusion detection systems. He is the author of several books, including Hackers Beware, Hiding in Plain Sight, Network Security Bible, and Insider Threat. He is the inventor of more than 20 patents, and is a researcher, writer, and speaker. Cole is a member of the Commission on Cyber Security for the 44th President and several executive advisory boards, and is CTO of the Americas for McAfee. Cole is involved with the SANS Technology Institute (STI) and SANS, working with students, teaching, and maintaining and developing courseware. He is a SANS fellow, instructor, and course author. Dr. Cole has 20 years of hands-on experience in information technology with a focus on building out dynamic defense solutions that protect organizations from advanced threats. He has a Master's degree in computer science from NYIT and a Doctorate from Pace University, with a ...
