
Security Management
10/8/2018 09:35 AM
Alan Zeichick

Rotten Fruit: 4 Insider Threats to Watch Out For

When it comes to insider threats, it's best not to trust anyone. However, different employees pose different types of threats to the network. Here are the four types of 'rotten fruit' to look out for in your business.

That woman who sits across the hall from you? Don't trust her. The young man in the cubicle near the IT department's break room? Don't trust him. The gray-haired woman who runs the quarterly sales meetings? Don't trust. That really, really tall bald guy in HR? Don't trust.

Even though they are employees or contractors, you should not trust. In fact, because they are employees or contractors, you must not trust.

There are three main types of dangerous insiders -- well, four, as we'll get into in a moment.

But first, insiders have an advantage over external hackers and bad actors: They are authorized to be inside your building, on your network. They don't need to spoof an email address -- @yourcompany.com -- because they have one, quite legitimately. They were given a Single Sign-On (SSO) account and maybe a VPN account to access the network from home.

They know the WiFi passwords because they were given those passwords. Official badges or keys let them into the building nights and weekends.

In other words, insiders have overcome one huge technological barrier facing external attackers: gaining that initial foothold, either over the network or through physical access.

Insiders have another advantage, as their presence and actions won't be noticed or questioned, as long as they don't do anything significantly unusual or overtly threatening.

Insiders represent a genuine risk. According to the well-respected Verizon Data Breach Investigations Report 2018:

The majority of data breaches that we have seen during this period involve some form of "insider" component. As a result of the level of access often afforded to insiders and with the luxury of the time that they have to extract data, the average volume of data taken per breach still remains unacceptably high.

Verizon reports that in some sectors, such as healthcare, government and education, naughty insiders represent a huge proportion of causal actors in data breaches. In fact, more than half -- 56% -- of healthcare incidents involved an insider, sometimes working alone, sometimes with an external partner.

"The Healthcare industry has the dubious distinction of being the only vertical that has a greater insider threat (when looking at breaches) than it does an external threat," according to Verizon. Ouch.

Let's talk about the three (or is it four?) types of insiders. As with external hackers, each type of insider has a different motivation and poses its own risk... and you may want to have separate plans for detecting and remediating the damage caused by each group.

Really bad apples: These are insiders that actively wish to do harm to the business or organization. Maybe they're angry about not getting a promotion and want revenge by sabotaging information systems. Maybe they've decided to make money by selling data to a competitor or foreign government, or by doing some insider trading before the latest earning release. Maybe they're being blackmailed. Who knows?

The bad apples have motivation, and possibly have specific objectives, such as exfiltrating design documents or accessing financials. They may have expert assistance, as well as access to sophisticated tools. You'll need tools like intrusion detection and prevention systems (IDPS), you'll need to watch for data theft by monitoring everything from USB ports to email accounts, and you'll need to lock down networks against unauthorized devices. Log analysis is key. Good luck.

Well-meaning but overzealous oranges: These are employees who believe they can work more efficiently -- and help the business -- by taking some shortcuts. It's easier to set up a Dropbox or Google Drive storage account on their own than to ask for permission, they think -- even though there's a corporate policy against it. They set up remote access to their work PC from home, even though that’s not allowed. They share logins and passwords to secure systems with coworkers, because it’s faster than asking permission.

The easy answer here is training, but the reality is, they won't care what you have to say. These folks are so well-meaning that nothing will deter them from breaching your systems and subverting your policies. The harder solutions involve blocking access to unauthorized software or cloud services, as well as making it easy to provision new authorized access to approved systems. Take down the barriers to productivity, and those employees won't go around those barriers.

Careless pineapples: Call them stupid, but I'd prefer to call them untrained: We're talking about employees who don't use two-factor authentication (2FA) on their smartphones, who forget to secure a database stored on Amazon Web Services or Microsoft Azure, who download customer account information to their laptops -- which are then left in a taxi -- who assign the wrong privileges to an application, or who fail to test a web application against cross-site scripting (XSS) attacks before making the application live.

The only way to control careless pineapples is to use the same methods that the military uses for launching missiles: Strong controls. Require two employees' sign-off to push new code out to a live web server. Mandate the use of 2FA on all accounts and mobile devices, and force the use of strong passwords. Check the security defaults for IaaS/PaaS services, and conduct regular audits of those services. Don't allow new code to be checked into the repository without passing all the Open Web Application Security Project (OWASP) tests. It's not enough to have strong security policies -- those policies must be enforced.

False fruit: It may be difficult to detect when something bad is being done by an employee -- or when that employee's technology has been breached, and it's actually an external actor using that Android phone, MacBook Pro or cloud service. Just because someone has a valid login and password, and is calling in from a device or using an application protected by 2FA, doesn't mean that's truly your employee. It could be a stolen device, data captured by a keylogger or a clever hack.
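An added example, not from the article, of the log analysis the bad-apples and false-fruit paragraphs call for: a small Python triage over constructed audit events that flags removable-media use, bulk copies, large attachments to external domains, off-hours activity, and logins from a device not previously seen for that user even when 2FA passed. The event format, the corporate domain, the business-hours window and the known-device list are assumptions.

```python
"""Triage of constructed audit-log events for insider-threat indicators."""
import json
from datetime import datetime

# Constructed sample events (one JSON object per line); not real logs.
SAMPLE_LOG = """
{"ts": "2018-10-05T21:40:00", "user": "alice", "event": "usb_mount", "device": "removable-disk"}
{"ts": "2018-10-05T21:45:00", "user": "alice", "event": "file_copy", "bytes": 900000000, "dest": "removable"}
{"ts": "2018-10-08T10:05:00", "user": "bob", "event": "email_sent", "to": "bob@example.net", "attach_bytes": 40000000}
{"ts": "2018-10-08T11:00:00", "user": "carol", "event": "login", "device_id": "dev-new-77", "mfa": true}
{"ts": "2018-10-08T11:02:00", "user": "dave", "event": "login", "device_id": "dev-known-1", "mfa": true}
"""

CORP_DOMAIN = "yourcompany.com"                       # assumption
KNOWN_DEVICES = {"carol": {"dev-known-9"}, "dave": {"dev-known-1"}}  # assumption
BUSINESS_HOURS = range(8, 19)                          # 08:00-18:59, Mon-Fri (assumption)
LARGE_BYTES = 25 * 1024 * 1024                         # threshold for "bulk" transfers


def off_hours(ts):
    """True for weekend activity or activity outside BUSINESS_HOURS."""
    t = datetime.fromisoformat(ts)
    return t.weekday() >= 5 or t.hour not in BUSINESS_HOURS


def triage(log_text):
    """Map each user to the list of indicators their events triggered."""
    findings = {}
    for line in log_text.strip().splitlines():
        e = json.loads(line)
        user, ev, reasons = e["user"], e["event"], []
        if ev == "usb_mount":
            reasons.append("removable media attached")
        elif ev == "file_copy" and e.get("dest") == "removable" and e.get("bytes", 0) >= LARGE_BYTES:
            reasons.append("bulk copy to removable media")
        elif ev == "email_sent":
            domain = e["to"].rsplit("@", 1)[-1].lower()
            if domain != CORP_DOMAIN and e.get("attach_bytes", 0) >= LARGE_BYTES:
                reasons.append("large attachment to external domain")
        elif ev == "login" and e.get("device_id") not in KNOWN_DEVICES.get(user, set()):
            # A valid login plus MFA from an unseen device is still worth a look.
            reasons.append("login from unseen device")
        if reasons and off_hours(e["ts"]):
            reasons.append("off-hours")
        findings.setdefault(user, []).extend(reasons)
    return {u: r for u, r in findings.items() if r}


if __name__ == "__main__":
    for user, reasons in triage(SAMPLE_LOG).items():
        print(user, "->", ", ".join(reasons))
```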

The only solution: trust nobody.

Alan Zeichick is principal analyst at Camden Associates, a technology consultancy in Phoenix, Arizona, specializing in enterprise networking, cybersecurity, and software development. Follow him @zeichick.
